diff -Nru apparmor-2.10/debian/changelog apparmor-2.10/debian/changelog --- apparmor-2.10/debian/changelog 2015-09-02 14:13:41.000000000 +0000 +++ apparmor-2.10/debian/changelog 2015-09-03 02:27:03.000000000 +0000 @@ -1,4 +1,4 @@ -apparmor (2.10-0ubuntu5) wily; urgency=medium +apparmor (2.10-0ubuntu6) wily; urgency=medium * debian/libapparmor-dev.manpages: add 5 missing libapparmor manpages (LP: #1491147, LP: #1384431) diff -Nru apparmor-2.10/debian/changelog.BASE apparmor-2.10/debian/changelog.BASE --- apparmor-2.10/debian/changelog.BASE 2015-09-01 21:16:56.000000000 +0000 +++ apparmor-2.10/debian/changelog.BASE 1970-01-01 00:00:00.000000000 +0000 @@ -1,3226 +0,0 @@ -apparmor (2.10-0ubuntu2) wily; urgency=medium - - * debian/patches/aa-status-dont_require_python3-apparmor.patch: - make aa-status(8) work even when python3-apparmor is not installed, - otherwise dh_apparmor postinst snippets can fail (LP: #1480492) - * debian/control: make apparmor-utils depend on the same package - version of python3-apparmor - - -- Steve Beattie Fri, 31 Jul 2015 16:35:03 -0700 - -apparmor (2.10-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.10 - - libapparmor added functions to ease loading profile cache files to - help support systemd on-demand load of policy (LP: #1385414) - - apparmor parser: fixed policy generation to allow matching - embedded NULs in abstract unix socket names (LP: #1413410) - - aa-status: don't traceback when not permitted to read current - set of apparmor policy (LP: #1466768) - - aa-logprof: don't crash on policies that have an #include of a - directory (LP: #1471425) - - aa-logprof: fix crash when network rejections occur when file - operations are performed on network sockets (LP: #1466812) - * dropped reproducible-pdf.patch, incorporated upstream - * debian/patches/tests-fix_sysctl_test.patch: fix sysctl test failure - with 4.1 kernel and newer. - * debian/control: add alternate dependency on linux-initramfs-tool - (LP: #1109029) - * debian/libapparmor1.symbols: update symbols file for added symbols - in libapparmor - - -- Steve Beattie Thu, 23 Jul 2015 01:57:43 -0700 - -apparmor (2.9.2-0ubuntu2) wily; urgency=medium - - * No-change rebuild for python3.5 transition - - -- Steve Langasek Wed, 22 Jul 2015 04:07:28 +0000 - -apparmor (2.9.2-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.9.2 - - Fix minitools to work with multiple profiles at once (LP: #1378095) - - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598) - - Update dovecot profiles (LP: #1296667) - - Allow ubuntu-helpers to build texlive fonts (LP: #1010909) - * dropped patches incorporated upstream: - add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch - parser-fix_modifier_compilation_+_tests.patch, - tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch, - GDM_X_authority-lp1432126.patch, and - debian/patches/easyprof-framework-policy.patch - * Partial merge with debian apparmor package: - - debian/rules: enable the bindnow hardening flag during build. - - debian/upstream/signing-key.asc: add new upstream public - signing key - - debian/watch: fix watch file, add gpg signature checking - - install libapparmor.so dev symlink under /usr not /lib - - debian/patches/reproducible-pdf.patch: make techdoc.pdf - reproducible even in face of timezone variations. - - debian/control: sync fields - - debian/debhelper/postrm-apparmor: remove - /etc/apparmor.d/{disable,} on package purge - - debian/libapache2-mod-apparmor.postrm: on package purge, delete - /etc/apparmor.d/{,disable} if empty - - debian/libapparmor1.symbols: Use Build-Depends-Package in the - symbols file. - - debian/copyright: sync - - -- Steve Beattie Mon, 11 May 2015 22:03:04 -0700 - -apparmor (2.9.1-0ubuntu9) vivid; urgency=medium - - * Make debian/lib/apparmor/profile-load executable. - - -- Serge Hallyn Thu, 02 Apr 2015 13:00:35 -0500 - -apparmor (2.9.1-0ubuntu8) vivid; urgency=medium - - [ Steve Beattie ] - * debian/rules: run make check on the libapparmor library - * add-chromium-browser.patch: add support for chromium policies - (LP: #1419294) - * debian/apparmor.{init,upstart}: add support for triggering - aa-profile-hook runs when packages are updated via snappy system - image updates (LP: #1434143) - * parser-fix_modifier_compilation_+_tests.patch: fix compilation - of audit modifiers for exec and pivot_root and deny modifiers on - link rules as well as significantly expand related tests - (LP: #1431717, LP: #1432045, LP: #1433829) - * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work - around pivot_root test failures due to init=systemd (LP: #1436109) - * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority - file to X abstraction (LP: #1432126) - - [ Jamie Strandboge ] - * easyprof-framework-policy.patch: add --include-templates-dir and - --include-policy-groups-dir options to easyprof to support framework - policy on snappy - - [ Robie Basak ] - * Add /lib/apparmor/profile-load; moved from - /lib/init/apparmor-profile-load from the upstart package. A wrapper at - the original path is now provided by init-system-helpers. (LP: #1432683) - - -- Jamie Strandboge Sat, 28 Mar 2015 07:22:30 -0500 - -apparmor (2.9.1-0ubuntu7) vivid; urgency=medium - - * systemd-dev-log-lp1413232.patch: Allow writes to the systemd journal - socket /{,var}/run/systemd/journal/dev-log. This can be dropped with - with AppArmor 2.9.2. (LP: #1413232) - - -- Jamie Strandboge Fri, 06 Mar 2015 06:22:34 -0600 - -apparmor (2.9.1-0ubuntu6) vivid; urgency=medium - - * add-mir-abstractions-lp1422521.patch: add correct location of - mir specific libraries and mir unprivileged client socket - to mir abstraction (LP: #1422521) - - -- Steve Beattie Tue, 03 Mar 2015 10:42:24 -0800 - -apparmor (2.9.1-0ubuntu5) vivid; urgency=medium - - * debian/apparmor.init: Replace unnecessary $remote_fs dependency with - $local_fs. This is sufficient as during boot we don't use anything from - /usr. It's also necessary to avoid dependency cycles when using NFS (as - its dependencies should be covered by AppArmor). (LP: #1312976) - - -- Martin Pitt Tue, 03 Mar 2015 08:54:33 +0100 - -apparmor (2.9.1-0ubuntu4) vivid; urgency=medium - - * Update to apparmor 2.9.1 - - make parser mount rule options consistent with documentation - (LP: #1401619) - - make parser fail if unknown mount options are encountered - (LP: #1401621) - - stop aa-logprof from asking about already allowed network rules - (LP: #1380367) - - make utils offer abstractions for network rules (LP: #1380367) - - make libapparmor understand logs generated by syslog-ng - (LP: #1399027) - - stop python utilities from adding duplicate quotes (LP: #1328707) - - work around aa-cleanprof crashes (LP: #1382236) - - other bug fixes, performance improvements, and testcases added to - the python utils. - - policy updates for dnsmasq, nscd, and others - - translation updates - * Partial sync with debian apparmor package: - - debian/apparmor-profiles.install: add additional dovecot and - smbldap-useradd profiles - - debian/control: fix typo in apparmor-docs description, fix file - overwrite issues with python-apparmor, apparmor-docs - - debian/rules: improved repeat-build cleanup logic. - - Add Turkish translation of debconf messages. Thanks to - Mert Dirik for the patch! - - debian/apparmor.postrm: Remove - /var/lib/apparmor/profiles/.apparmor.md5sums and parent - directories on package purge. - * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover - mir specific libraries (LP: #1422521) - * debian/rules: remove no longer needed references to PERLDIR when - installing from utils/ - - -- Steve Beattie Tue, 17 Feb 2015 16:31:25 -0800 - -apparmor (2.8.98-0ubuntu4) vivid; urgency=medium - - * Ship libapparmor in /lib instead of /usr as we want to use it in systemd - now. (LP: #1397960) - - -- Martin Pitt Mon, 01 Dec 2014 15:37:32 +0100 - -apparmor (2.8.98-0ubuntu3) vivid; urgency=medium - - * debian/lib/apparmor/functions: disable expr tree simplification for - /var/lib/apparmor/profiles (LP: #1383858) - * parser-dont-skip-read-cache-with-optimizations.patch: don't skip read - cache when specifying '-O' (LP: #1385947) - - -- Jamie Strandboge Tue, 28 Oct 2014 17:41:08 -0500 - -apparmor (2.8.98-0ubuntu2) utopic; urgency=medium - - * Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98) - - fix logparsing memory leak (LP: #1340927) - - incorporate fixes to regression testsuite to compensate for - af_unix mediation, as well as extend test coverage - (LP: #1375403, LP: #1375516) - - fix libapparmor's log parsing code to accept additional rejection - types (LP: #1375413) - - fix X abstraction for changed lightdm xauthority file locations - (LP: #1339727) - - parser: disable downgrade and not enforced rule messages - by default (LP: #1302735) - - fix error when using regex profile names in IPC rules - (LP: #1373085) - - update base abstraction for /proc/sys/kernel/cap_last_cap for dnsmasq - (LP: #1378977) - - update freedesktop.org for @{HOME}/.config/mimeapps.list (LP: #1377140) - - update gnome abstraction for access to @/dbus-vfs-daemon/socket-* - (LP: #1375067) - - update ubuntu-browsers.d/java abstraction for icedtea plugin access - in /{,var/}run/user/*/icedteaplugin-* (LP: #1293439) - - update user-mail abstraction for /var/mail (LP: #1192965) - - updates and fixes to the python utilities - - translation updates - - [ Steve Beattie ] - * Removed upstreamed patches: - drop-peer_addr-with-local-addr-in-base.patch, - update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch, sanitized-helpers-updates.patch, - 01-tests-unix_socket_lists.patch, - 02-tests-accept_unix_rules_in_mkprofile.patch, - 03-tests-unix_sockets_v7_pathnames.patch, - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - 05-tests-add_abstract_socket_tests.patch, - 06-tests-use_socketpair_and_none.patch, - 07-parser-fix_local_perms.patch, - 08-phpsysinfo-policy-updates.patch, - 09-apache2-policy-instructions.patch, - 10-lp1371771.patch, 11-lp1371765.patch, - lp1169881.patch - * refreshed etc-writable.patch and libapparmor-layout-deb.patch - * debian/control: add breaks on python3-apparmor against older - apparmor-utils that used to be where python bits lived - (LP: #1373259) - * debian/apport/source_apparmor.py: - - fixes the apparmor apport hook so it does not raise an exception if - a non-unicode character is found in /var/log/kern.log or in - /var/log/syslog. This should work under python3 or python2.7 - (LP: #1304447) - - adjusts the add_info() function to take the expected additional ui - argument, though it has no need for it. - - converts the log parsing code to use with statements so as not to - leak open file descriptors - - updates the set of packages to query to see if installed and if so, - report the version of. - - adjust import to make pyflakes job easier - - minor pep8 cleanups - - [ Jamie Strandboge ] - * add-chromium-browser.patch: - - don't allow writing to the oom score and adjust files since this allows - chromium to change the values for any process matching our UID - - allow writing to /run/shm/shmfd-* - - add a few signal rules from base abstraction for the sandbox - * debian/apparmor.upstart: check if click-apparmor md5sums changed so we - regenerate the policy if it changes too (LP: #1371574) - * debian/apparmor.init: make corresponding upstart change to initscript - * debian/lib/apparmor/functions: fall back to using -n1 if the parser failed - to load a profile set. This should be removed when the parser properly - handles profile sets with corrupted profiles (LP: 1377338) - * debian/control: fix typo (LP: #1187447) - - -- Steve Beattie Thu, 09 Oct 2014 22:39:32 -0700 - -apparmor (2.8.96~2652-0ubuntu7) utopic; urgency=medium - - * add-chromium-browser.patch: user addr=none instead of peer=(addr=none) - (LP: #1374363) - - -- Jamie Strandboge Sat, 27 Sep 2014 07:41:07 -0500 - -apparmor (2.8.96~2652-0ubuntu6) utopic; urgency=medium - - * lp1169881.patch: add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881) - * debian/control: update Breaks on lxc 1.1.0~alpha1-0ubuntu5~ (LP: #1373555) - - -- Jamie Strandboge Thu, 25 Sep 2014 09:03:06 -0500 - -apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium - - [ Jamie Strandboge ] - * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation - * 10-lp1371771.patch: don't exit prematurely and fail to load remaining - policy if encounter a corrupt cache file (LP: #1371771) - * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it - (LP: #1371765) - * debian/lib/apparmor/functions: - - don't return 0 on parsing failure. Patch thanks to Felix Geyer - (LP: #1370228) - - use xargs -n1 when we don't have cache files, but omit it when we do. - This allows taking full advantage of xargs -P when we need it most, - without the cost when we don't. - - [ Steve Beattie ] - * update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch: update socketpair regression tests for - af_unix socket mediation - - -- Jamie Strandboge Mon, 22 Sep 2014 09:39:10 -0500 - -apparmor (2.8.96~2652-0ubuntu4) utopic; urgency=medium - - * debian/apparmor.{upstart,init}: make sure we always update the .md5sums - for apparmor-easyprof-ubuntu even when apparmor is updated (before if both - were updated, aa-clickhook -f would be run on the 1st and 2nd boot rather - than just the 1st) - * debian/apparmor.postinst: update the cached .md5sums file on upgrade to - avoid running on install and then again on first boot after upgrade. This - change only affects apt upgrades and not system-image upgrades since - system-image upgrades always use the existing .md5sums if they exist (see - /etc/system-image/writable-paths). - * ubuntu-manpage-updates.patch: adjust for move to upstart job and click - policy - * debian/lib/apparmor/functions: don't pass costly '-n1' to xargs in - foreach_configured_profile() when loading valid cache files. This used to - be needed when apparmor_parser would generate different binary caches when - compiling policy one profile at a time and all at once. That bug is long - fixed and removing -n1 gives a significant performance improvement for - boots with valid cache files (~65% on armhf) - - -- Jamie Strandboge Fri, 12 Sep 2014 13:45:35 -0500 - -apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium - - * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu - 14.10 - * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu - packaging - * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin, - and lightdm. Add Breaks on rsyslog. - - -- Jamie Strandboge Mon, 08 Sep 2014 16:13:10 -0500 - -apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium - - * 07-parser-fix_local_perms.patch: do not output local permissions for rules - that have peer_conditionals. Patch from John Johansen - - -- Jamie Strandboge Fri, 05 Sep 2014 23:34:53 -0500 - -apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium - - * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152) - - [ Steve Beattie ] - * removed upstreamed patches: - - dnsmasq-libvirtd-signal-ptrace.patch - - update-base-abstraction-for-signals-and-ptrace.patch - - update-nameservice-abstraction-for-extrausers.patch - - debian/apparmor-profiles.install: dropped program-chunks/postfix-common, - moved to abstractions/ and covered by apparmor.install - - refreshed libapparmor-layout-deb.patch patch - * Add in Tyler Hicks' regression test improvements: - - 01-tests-unix_socket_lists.patch, - - 02-tests-accept_unix_rules_in_mkprofile.patch, - - 03-tests-unix_sockets_v7_pathnames.patch, - - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - - 05-tests-add_abstract_socket_tests.patch, - * 07-parser-fix_local_perms.patch: do not output local permissions - for rules that have peer_conditionals - - [ Jamie Strandboge ] - * add-chromium-browser.patch: update for unix socket mediation - * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none) - with getattr, getopt, setopt and shutdown - - [ Tyler Hicks ] - * debian/lib/apparmor/functions, debian/apparmor.init, - debian/apparmor.upstart: Ensure system policy cache cannot become stale - after image based upgrades that update the system profiles (LP: #1350673) - * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust - the default parser.conf file, to add /usr/share/apparmor as an additional - search path when resolving include directives in profiles, and install the - file in /etc/apparmor. Ubuntu places hardware specific access rules in - /usr/share/apparmor/hardware. This change allows these files to be - included without using an absolute path (e.g., - '#include '). - - -- Jamie Strandboge Fri, 05 Sep 2014 16:27:48 -0500 - -apparmor (2.8.96~2541-0ubuntu3.1) utopic; urgency=medium - - * Updates for perl 5.20 multiarch transition - - debian/libapparmor-perl.install: don't hardcode usr/lib/perl5 but - instead use $Config{vendorarch} in an executable install file. Make it - executable - - debian/control: Build-Depends on debhelper (>= 9) (9 is needed to use - an executable install file) - - debian/patches/perl-multiarch.patch: - + add @{multiarch} paths to perl abstraction - + update logprof.conf, severity.db and corresponding tests for updated - perl path - - -- Jamie Strandboge Tue, 19 Aug 2014 14:33:02 -0500 - -apparmor (2.8.96~2541-0ubuntu2) utopic; urgency=medium - - * update-nameservice-abstraction-for-extrausers.patch: update nameservice - abstraction to allow passwd and group when using libnss-extrausers - - -- Jamie Strandboge Mon, 28 Jul 2014 08:16:39 -0500 - -apparmor (2.8.96~2541-0ubuntu1) utopic; urgency=medium - - * Updated to r2541 snapshot of 2.8.96: - - removed upstreamed patches: convert-to-rules.patch, list-fns.patch, - parse-mode.patch, add-decimal-interp.patch, policy_mediates.patch, - fix-failpath.patch, feature_file.patch, fix-network.patch, - aare-to-class.patch, add-mediation-unix.patch, parser_version.patch, - caching.patch, label-class.patch, fix-lexer-debug.patch, - use-diff-encode.patch, fix-serialize.patch, - fix-ppc-endian-ftbfs.patch, opt_arg.patch, tests-cond-dbus.patch, - initialize-mount-flags.patch, fix-typo-in-dbus_write.patch, - limited-mount-rule-support.patch, bare-capability-rule-support.patch, - check-config-for-sysctl.patch, increase-swap-size.patch, - test-v6-policy.patch, test-mount-mediation.patch, - mediate-signals.patch, change-signal-syntax.patch, - mediate-ptrace.patch, change-ptrace-syntax.patch, - test-signal-rules.patch, test-ptrace-rules.patch, - update-tests-for-new-semantics.patch, - fix-garbage-in-preprocessor-output.patch, - fix-double-comma-in-preprocessor-output.patch, - symtab-tests-and-seenlist-bug.patch, add-profile-name-variable.patch, - fix-names-treated-as-condlistid.patch, manpage-signal-ptrace.patch, - python-utils-file-support.patch, python-utils-signal-support.patch, - python-utils-ptrace-support.patch, - python-utils-pivot_root-support.patch. - * Added upstart job (LP: #1305108) - - debian/apparmor.upstart: new upstart job. - - debian/apparmor.init: added click handling, move some code to - unload_obsolete_profiles(). - - debian/lib/apparmor/functions: add unload_obsolete_profiles(). - - debian/apparmor.postinst, debian/apparmor-profiles.postinst: reload - profiles directly since invoke-rc.d won't allow to do this easily - with upstart and systemd jobs. - - debian/rules: pass --no-start to dh_installinit since we're handling - reloading profiles manually in the postinst scripts. - - debian/control: add a versioned apparmor Depends to the - apparmor-profiles package to make sure the required tools are - installed for the postinst script. - - -- Marc Deslauriers Fri, 20 Jun 2014 07:20:34 -0400 - -apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium - - * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin, - lightdm and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 04 Apr 2014 01:07:24 -0500 - -apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium - - [ John Johansen, Steve Beattie ] - * Add userspace support for AppArmor signals and ptrace mediation - (LP: #1298611) - + debian/patches/mediate-signals.patch, - debian/patches/change-signal-syntax.patch: Parse signal rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/change-ptrace-syntax.patch, - debian/patches/mediate-ptrace.patch: Parse ptrace rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/test-signal-rules.patch, - debian/patches/test-ptrace-rules.patch, - debian/patches/update-tests-for-new-semantics.patch: Update existing - tests and add new tests for signal and ptrace mediation - + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing - apparmor_parser preprocessor output to contain garbage after include - statements - + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug - causing apparmor_parser preprocessor output to contain double commas - after some rules - + debian/patches/symtab-tests-and-seenlist-bug.patch, - debian/patches/add-profile-name-variable.patch: Add ${profile_name} - variable for use in profiles when rules need to specify the current - profile's name. This is useful for signal and ptrace rules that specify - + debian/patches/fix-names-treated-as-condlistid.patch: Fix - apparmor_parser bug that caused mount and dbus rules to fail for sets of - values - - [ Jamie Strandboge ] - * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch: - Adjust the base abstraction for signals and ptrace mediation. Profiles - that use the base abstraction can deny any of the granted permissions to - achieve tighter confinement. - * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man - page to document signal rules, ptrace rules, and variables for use in - AppArmor profiles - * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq - profile to allow libvirtd to send signals to and ptrace read the dnsmasq - process - * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser - profile for permissions needed in newer chromium-browser versions and add - the rules needed for AppArmor ptrace mediation - - [ Tyler Hicks ] - * Add new rule type support to aa.py to fix tracebacks when using the Python - utilities in apparmor-utils on systems with AppArmor profiles containing - previously unsupported rule types - - debian/patches/python-utils-file-support.patch: Support path rules - containing the "file" prefix (LP: #1295346) - - debian/patches/python-utils-signal-support.patch: Parse and write signal - rules (LP: #1300316) - - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace - rules (LP: #1300317) - - debian/patches/python-utils-pivot_root-support.patch: Parse and write - pivot_root rules (LP: #1298678) - - -- Tyler Hicks Thu, 03 Apr 2014 15:50:26 -0500 - -apparmor (2.8.95~2430-0ubuntu3) trusty; urgency=medium - - [ Jamie Strandboge ] - * debian/lib/apparmor/functions: properly calculate number of profiles in - /var/lib/apparmor/profiles (LP: #1295816) - * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d - (LP: #1288241) - - remove debian/notify/90apparmor-notify - - add debian/notify/apparmor-notify.desktop - - debian/apparmor-notify.install: adjust for the above - - add debian/apparmor-notify.maintscript to remove 90apparmor-notify - * debian/notify/notify.conf: use_group should be set to "sudo" instead of - "admin" (LP: #1009666) - - [ Tyler Hicks ] - * debian/patches/initialize-mount-flags.patch: Initialize the variables - containing mount rule flags to zero. Otherwise, the parser may set - unexpected bits in the mount flags field for rules that do not specify - mount flags. The uninitialized mount flag variables may have caused - unexpected AppArmor denials during mount mediation. (LP: #1296459) - * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to write out network rules instead of dbus rules - * debian/patches/limited-mount-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a mount rule (LP: #1294825) - * debian/patches/bare-capability-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a bare capability rule - (LP: #1294819) - * debian/patches/check-config-for-sysctl.patch, - debian/patches/increase-swap-size.patch: Fix bugs in the regression test - suite that caused errors when running on ppc64el - * debian/patches/test-v6-policy.patch, - debian/patches/test-mount-mediation.patch: Improve the regression tests - by increasing the mount rule test coverage - - -- Tyler Hicks Thu, 27 Mar 2014 14:12:29 -0500 - -apparmor (2.8.95~2430-0ubuntu2) trusty; urgency=medium - - * debian/control: Depends on python-pkg-resources for python-apparmor and - python3-pkg-resources for python3-apparmor to fix autopkgtests in - click-apparmor and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Thu, 20 Mar 2014 19:33:51 -0500 - -apparmor (2.8.95~2430-0ubuntu1) trusty; urgency=low - - [ Jamie Strandboge ] - - * debian/debhelper/dh_apparmor: exit with error if aa-easyprof does not - exist - * debian/control: drop Depends on apparmor-easyprof to Suggests for - dh-apparmor - - [ Seth Arnold, Jamie Strandboge, Steve Beattie, John Johansen, Tyler Hicks ] - - * New upstream snapshot (LP: #1278702, #1061693, #1285653) dropping very - large Ubuntu delta and fixing the following bugs: - - Adjust fonts abstraction for libthai (LP: #1278702) - - Support translated XDG user directories (LP: #1061693) - - Adjust abstractions/web-data to include /var/www/html (LP: #1285653) - Refresh 0002-add-debian-integration-to-lighttpd.patch to include - /etc/lighttpd/conf-available/*.conf - - Adjust debian/libapparmor1.symbols to reflect new upstream versioning - for the aa_query_label() function - - Raise exceptions in Python bindings when something fails - * ship new Python replacements for previous Perl-based tools - - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and - add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof - - debian/control: - + remove various Perl dependencies - + add python-apparmor and python3-apparmor - + python3-apparmor Breaks: apparmor-easyprof to move the file since it - ships dist-packages/apparmor/__init__.py now - - debian/apparmor-utils.manpages: ship new manpages for aa-cleanprof and - aa-mergeprof - - debian/rules: build and install Python tools - * debian/apparmor.install: - - install apparmorfs, dovecot, kernelvars, securityfs, sys, - and xdg-user-dirs tunables and xdg-user-dirs.d directory - * debian/apparmor.dirs: - - install /etc/apparmor.d/tunables/xdg-user-dirs.d - * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local - * debian/apparmor.postinst: create xdg-user-dirs.d/site.local - * debian/apparmor.postrm: remove xdg-user-dirs.d - * Remaining patches: - - add-chromium-browser.patch - - add-debian-integration-to-lighttpd.patch - - ubuntu-manpage-updates.patch - - libapparmor-layout-deb.patch - - libapparmor-mention-dbus-method-in-getcon-man.patch - - etc-writable.patch - - aa-utils_are_bilingual.patch - * New patches: - - convert-to-rules.patch - - list-fns.patch - - parse-mode.patch - - add-decimal-interp.patch - - policy_mediates.patch - - fix-failpath.patch - - feature_file.patch - - fix-network.patch - - aare-to-class.patch - - add-mediation-unix.patch - - parser_version.patch - - caching.patch - - label-class.patch - - fix-lexer-debug.patch - - use-diff-encode.patch - - fix-serialize.patch - - fix-ppc-endian-ftbfs.patch - - opt_arg.patch - - tests-cond-dbus.patch - * Move manpages from libapparmor1 to libapparmor-dev - - debian/libapparmor-dev.manpages: install aa_change_hat.2, - aa_change_profile.2, aa_find_mountpoint.2, aa_getcon.2 - - debian/control: libapparmor-dev Replaces: and Breaks: libapparmor1 - * Move /usr/lib/python3/dist-packages/apparmor/__init__.py from - apparmor-easyprof to python3-apparmor - - debian/control: python3-apparmor Breaks: apparmor-easyprof - - debian/apparmor-easyprof.install: remove - usr/lib/python*.*/site-packages/apparmor* - * New profiles and abstractions: - - debian/apparmor.install: tunables/dovecot, tunables/kernelvars, - tunables/xdg-user-dirs, tunables/xdg-user-dirs.d - - -- Seth Arnold Wed, 19 Mar 2014 20:29:27 -0700 - -apparmor (2.8.94-0ubuntu1.4) trusty; urgency=low - - * Test merge from upstream new pyutils branch (rev 2385) - - -- Steve Beattie Thu, 13 Feb 2014 14:16:24 -0800 - -apparmor (2.8.0-0ubuntu38) trusty; urgency=low - - [ Tyler Hicks ] - * 0084-parser-add-dbus-eavesdrop-perm.patch: Add an eavesdrop permission to - the dbus rule type, allowing confined applications to eavesdrop. The only - valid conditional for eavesdrop rules is 'bus'. See the apparmor.d(5) man - page for more information. (LP: #1262440) - - [ Steve Beattie ] - * 0085-push-normalize-tree-ops-into-expr-tree-classes.patch: Improve - parser performance in some cases - - [ John Johansen ] - * 0086-add-diff-state-compression-to-dfa.patch: Implement differential - state compression in the parser - * 0087-fix-dfa-minimization.patch: Fix a parser bug that caused some DFAs to - not be fully minimized (LP: #1262938) - * 0088-fix-pol-generation-for-small-dfas.patch: Fixes bugs in the parser - when generating policy for some small DFAs - - -- Tyler Hicks Mon, 13 Jan 2014 11:17:42 -0600 - -apparmor (2.8.0-0ubuntu37) trusty; urgency=low - - [ Jan Rękorajski ] - * 0082-parser-fix-FTBFS-with-bison-3.patch: Fix parser FTBFS with bison 3 - - [ Steve Beattie ] - * 0083-libapparmor-require-libtoolize.patch: Fix FTBFS by switching - the autogen.sh script to use libtoolize instead of libtool - - -- Tyler Hicks Fri, 10 Jan 2014 13:48:43 -0600 - -apparmor (2.8.0-0ubuntu36) trusty; urgency=medium - - * Rebuild for python3.4 as a supported python version. - - -- Matthias Klose Sat, 04 Jan 2014 18:30:59 +0000 - -apparmor (2.8.0-0ubuntu35) trusty; urgency=low - - * abstractions/nameservice: Also allow access to the sssd nss pipe. - - -- Stéphane Graber Fri, 29 Nov 2013 13:44:49 -0500 - -apparmor (2.8.0-0ubuntu34) trusty; urgency=low - - [ Tyler Hicks ] - * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not - include D-Bus rules in the binary policy that it loads into the kernel if - the kernel does not support D-Bus rules (LP: #1231778) - * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore - audit events that it does not yet support instead of treating them as - errors (LP: #1243932) - * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor - detection in regression tests after the multiarch changes - - [ Jamie Strandboge ] - * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3 - - [ Chad Miller ] - * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser - sandbox name. Keep old name for now to allow transition. LP: #1247269 - - -- Tyler Hicks Mon, 04 Nov 2013 15:57:30 -0800 - -apparmor (2.8.0-0ubuntu33) trusty; urgency=low - - * Convert to dh. - * Bump to debhelper compat level 9 for multiarch support. - * Mark libapparmor1, libapparmor-dev Multi-Arch: same. LP: #1246067. - - -- Steve Langasek Thu, 31 Oct 2013 13:23:57 -0700 - -apparmor (2.8.0-0ubuntu32) trusty; urgency=low - - * no change rebuild for perl 5.18 - - -- Jamie Strandboge Mon, 21 Oct 2013 13:28:26 -0500 - -apparmor (2.8.0-0ubuntu31) saucy; urgency=low - - * 0077_aa-status-is-bilingual.patch: aa-status was written to work with - python 2 or 3. Upstream is still using 2, so adjust ours to use - /usr/bin/python3 to avoid pulling python 2 back to the desktop images - - -- Jamie Strandboge Fri, 11 Oct 2013 15:35:03 -0500 - -apparmor (2.8.0-0ubuntu30) saucy; urgency=low - - [ Tyler Hicks ] - * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an - abstraction for the accessibility bus. It is currently very permissive, - like the dbus and dbus-session abstractions, and grants all permissions on - the accessibility bus. (LP: #1226141) - * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount - rules. Both rule classes suffered from unexpected auditing behavior when - using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier - resulting in accesses being audited and the 'audit deny' modifier - resulting in accesses not being audited. (LP: #1226356) - * debian/patches/0072-lp1229393.patch: Fix cache location for .features - file, which was not being written to the proper location if the parameter - --cache-loc= is passed to apparmor_parser. This bug resulted in using the - .features file from /etc/apparmor.d/cache or always recompiling policy. - Patch thanks to John Johansen. (LP: #1229393) - * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX - domain sockets to include read and write permissions. Both permissions are - required when a process connects to a UNIX domain socket. Also include new - tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for - helping with the policy updates and testing. (LP: #1208988) - * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only - grant access to specific pulseaudio files in the pulse runtime directory - to remove access to potentially dangerous files (LP: #1211380) - - [ Jamie Strandboge ] - * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia - (LP: #1228882) - * 0076_sanitized_helper_dbus_access.patch: allow applications run under - sanitized_helper to connect to DBus - - -- Tyler Hicks Fri, 04 Oct 2013 17:29:52 -0700 - -apparmor (2.8.0-0ubuntu29) saucy; urgency=low - - * Add 0070-etc-writable.patch: Allow reading time configuration from - /etc/writable, as we have it on the phone. (LP: #1227520) - - -- Martin Pitt Tue, 01 Oct 2013 09:55:15 +0200 - -apparmor (2.8.0-0ubuntu28) saucy; urgency=low - - [ Tyler Hicks ] - * Move the aa-exec man page out of apparmor-utils into apparmor, since - aa-exec is now in apparmor - - debian/control: adjust Breaks/Replaces to use apparmor-utils - (<< 2.8.0-0ubuntu28) - - debian/apparmor.manpages: install the aa-exec man page - - debian/apparmor-utils.manpages: don't install the aa-exec man page - * debian/patches/0065-lp1220861.patch: Always NUL-terminate confinement - context strings returned from libapparmor (LP: #1220861) - * debian/patches/0066-lp1196880.patch: Don't assign mode pointer in - aa_getprocattr() if caller passed in NULL (LP: #1196880) - * debian/patches/0067-libapparmor-mode-strings-are-not-to-be-freed.patch: - Update man page and code comments to make it clear that freeing the *con - string returned from libapparmor's getcon functions also frees the *mode - string - * debian/patches/0068-libapparmor-mention-dbus-method-in-getcon-man.patch: - Document the D-Bus method, in the aa_getcon man page, that returns the - AppArmor task confinement string of a D-Bus connection - - [ Jamie Strandboge ] - * debian/patches/0069-p11kit-abstraction.patch: p11-kit needs access to - /usr/share/p11-kit/modules - - -- Jamie Strandboge Tue, 10 Sep 2013 12:06:06 -0500 - -apparmor (2.8.0-0ubuntu27) saucy; urgency=low - - * debian/apport/source_apparmor.py: AppArmor logs DBus messages to syslog, - adjust apport hook to also search there for denials - - -- Jamie Strandboge Tue, 03 Sep 2013 10:25:45 -0500 - -apparmor (2.8.0-0ubuntu26) saucy; urgency=low - - * debian/patches/0064-lp1218099.patch: add support for variable expansion in - dbus rules (LP: #1218099) - - -- Jamie Strandboge Thu, 29 Aug 2013 16:28:36 -0500 - -apparmor (2.8.0-0ubuntu25) saucy; urgency=low - - [ Tyler Hicks ] - * Add support for mediation of D-Bus messages and services. AppArmor D-Bus - rules are described in the apparmor.d(5) man page. dbus-daemon will use - libapparmor to perform queries against the AppArmor policies to determine - if a connection should be able to send messages to another connection, if - a connection should be able to receive messages from another connection, - and if a connection should be able to bind to a well-known name. - - 0042-Fix-mount-rule-preprocessor-output.patch, - 0043-libapparmor-Safeguard-aa_getpeercon-buffer-reallocat.patch, - 0044-libapparmor-fix-return-value-of-aa_getpeercon_raw.patch, - 0045-libapparmor-Move-mode-parsing-into-separate-function.patch, - 0046-libapparmor-Parse-mode-from-confinement-string-in-ge.patch, - 0047-libapparmor-Make-aa_getpeercon_raw-similar-to-aa_get.patch, - 0048-libapparmor-Update-aa_getcon-man-page-to-reflect-get.patch: - Backport parser and libapparmor pre-requisites for D-Bus mediation - - 0049-parser-Update-man-page-for-DBus-rules.patch: Update apparmor.d man - page - - 0050-parser-Add-support-for-DBus-rules.patch, - 0051-parser-Regression-tests-for-DBus-rules.patch, - 0052-parser-Binary-profile-equality-tests-for-DBus-rules.patch: Add - apparmor_parser support for D-Bus mediation rules - - 0053-libapparmor-Export-a-label-based-query-interface.patch, - debian/libapparmor1.symbols: Provide the libapparmor interface necessary - for trusted helpers to make security decisions based upon AppArmor - policy - - 0054-libaalogparse-Parse-dbus-daemon-audit-messages.patch, - 0055-libaalogparse-Regression-tests-for-dbus-daemon-audit.patch: Allow - applications to parse denials, generated by dbus-daemon, using - libaalogparse and add a set of regression tests - - 0056-tests-Add-an-optional-final-check-to-checktestfg.patch, - 0057-tests-Add-required-features-check.patch, - 0058-tests-Add-regression-tests-for-dbus.patch: Add regression tests - which start their own dbus-daemon, load profiles containing D-Bus rules, - and confine simple D-Bus service and client applications - - 0059-dbus-rules-for-dbus-abstractions.patch: Add bus-specific, but - otherwise permissive, D-Bus rules to the dbus and dbus-session - abstractions. Confined applications that use D-Bus should already be - including these abstractions in their profiles so this should be a - seamless transition for those profiles. - * 0060-utils-make_clean_fixup.patch: Clean up the Python cache in the - AppArmor tests directory - * 0061-profiles-dnsmasq-needs-dbus-abstraction.patch: Dnsmasq uses the - system D-Bus when it is started with --enable-dbus, so its AppArmor - profile needs to include the system bus abstraction - * 0062-fix-clone-test-on-arm.patch: Fix compiler error when building - regression tests on ARM - * 0063-utils-ignore-unsupported-rules.patch: Utilities that use the - Immunix::AppArmor perl module, such as aa-logprof and aa-genprof, error - out when they encounter rules unsupported by the perl module. This patch - ignores unsupported rules. - - [ Jamie Strandboge ] - * debian/control: don't have easyprof Depends on apparmor-easyprof-ubuntu - - -- Tyler Hicks Mon, 26 Aug 2013 15:32:12 -0700 - -apparmor (2.8.0-0ubuntu24) saucy; urgency=low - - * 0040-libapparmor-support-pkg-config.patch: Make it easier for other - sources to build against libapparmor with pkg-config - - debian/control: Add pkg-config as a Build-Depends - - debian/libapparmor-dev.install: Install libapparmor pkg-config file - * 0041-parser-fix-flags.patch: Minimal fix for cache failures when the - feature file is larger than the feature buffer used for cache version - comparison - - -- Tyler Hicks Thu, 15 Aug 2013 16:34:53 -0700 - -apparmor (2.8.0-0ubuntu23) saucy; urgency=low - - * debian/patches/0038-lp1200392.patch: allow mmap of fglrx dri libraries - (LP: #1200392) - * debian/patches/0039-fix-parser-cache-loc.patch: fix apparmor cache - tempfile location to use passed arg - * debian/lib/apparmor/functions: update to also load from - /var/lib/apparmor/profiles and write cache to /var/cache/apparmor - * debian/apparmor.dirs: create /var/cache/apparmor and - /var/lib/apparmor/profiles - - -- Jamie Strandboge Tue, 23 Jul 2013 21:36:40 -0500 - -apparmor (2.8.0-0ubuntu22) saucy; urgency=low - - * Refresh easyprof - - drop 0034-easyprof-dont-add-vendor-dir.patch - - drop 0035-easyprof-update-manpage-for-sdk-base.patch - * debian/patches/0037-easyprof-sdk-pt2.patch: update easyprof for the - following: - - don't add vendor directory to self.templates and self.policy_groups - - utils/aa-easyprof: adjust error message for manifest read failure - - utils/aa-easyprof: adjust to use EnvironmentError on failed read of the - manifest - - utils/apparmor/easyprof.py: clean up set_template() - - utils/apparmor/easyprof.py: read_paths should use 'rk' - - utils/test/test-aa-easyprof.py: adjust tests for above - - utils/apparmor/easyprof.py - + valid_path should verify os.path.normpath(path) == (path) - + adjust valid_profile_name() to start with alpha-numeric and allow - Debian source package names and version, plus '_' - + adjust tests for above - - update valid_variable() to check for valid_path if '/' is in the value - - adjust valid_path() to have a relative_ok flag (default to False) - - adjust valid_path() to verify path is same as normalized path - - add some valid_path() test cases - - adjust to always quote template vars in policy output - - add a couple tests that have spaces in the binary and template var - - update manifest JSON structure to use - m['security']['profiles']['profile_name'] instead of - m['security']['profile_name'] - - -- Jamie Strandboge Sun, 07 Jul 2013 19:37:56 -0500 - -apparmor (2.8.0-0ubuntu21) saucy; urgency=low - - * Apache 2.4 transition (LP: #1197617, Closes: 666808). Based on patch from - intrigeri - - debian/control: - + Build-Depends on apache2-dev and dh-apache2 instead of - apache2-prefork-dev - + adjust libapache2-mod-apparmor to not Depends on apache2.2-common - + adjust libapache2-mod-apparmor to Pre-Depends: ${misc:Pre-Depends} - - create debian/libapache2-mod-apparmor.apache2 - - debian/rules: adjust to use dh_apache2 --noenable - - debian/libapache2-mod-apparmor.maintscript: remove old prefork profile - - debian/libapache2-mod-apparmor.install: install new usr.sbin.apache2 - profile - - debian/libapache2-mod-apparmor.{preinst,postinst,postrm}: update to use - usr.sbin.apache2 - - debian/libapache2-mod-apparmor.postinst: remove the disable symlink for - old prefork profile - - debian/patches/0036-libapache2-mod-apparmor-profile-2.4.patch: update - mod_apparmor man page to mention loading mpm_prefork, add new - usr.sbin.apache2 profile and remove old prefork profile - * debian/rules: honor DEB_BUILD_OPTIONS=nocheck - - -- Jamie Strandboge Thu, 04 Jul 2013 10:20:20 -0500 - -apparmor (2.8.0-0ubuntu20) saucy; urgency=low - - * remove debian/patches/0033-add-ubuntu-sdk-abstractions.patch. We will - for now ship policy groups instead of abstractions like this - * debian/apparmor.maintscript: rm_conffile on ubuntu-sdk-base - * debian/patches/0035-easyprof-update-manpage-for-sdk-base.patch: add - sdk-base as a typical policy group - - -- Jamie Strandboge Wed, 03 Jul 2013 17:29:57 -0500 - -apparmor (2.8.0-0ubuntu19) saucy; urgency=low - - * debian/patches/0034-easyprof-dont-add-vendor-dir.patch: don't add vendor - directory to self.templates and self.policy_groups - * debian/patches/0030-easyprof-sdk.patch: mentioned patch has been forwarded - upstream - - -- Jamie Strandboge Tue, 02 Jul 2013 09:24:23 -0500 - -apparmor (2.8.0-0ubuntu18) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: refreshed for the following: - - man page updates - - add --output-format=json option - - add --verify-manifest - - add --policy-version and --policy-vendor which to better work with - vendor templates (ie, with apparmor-easyprof-ubuntu) - - restructed JSON format (should be final version now). This converts - abstractions and policy_groups to proper JSON lists and allows for - multiple profiles in the JSON file, keyed off of the profile name - - add --output-directory option as an alternative to stdout (particularly - useful when using multiple profiles in a JSON file) - - also remove ubuntu-sdk-base abstraction. This may move out but for now - put it in a different patch - - add verify_options() and some utility functions for input validation - - unconditionally quote profile name and binary - - remove Ubuntu-specific checks in verify_manifest and check profile_name - with binary harder - * debian/patches/0033-add-ubuntu-sdk-abstractions.patch: add ubuntu-sdk-base - abstraction - - -- Jamie Strandboge Mon, 01 Jul 2013 17:20:33 -0500 - -apparmor (2.8.0-0ubuntu17) saucy; urgency=low - - * debian/patches/0032-lp1195362.patch: don't pull in unused perl modules - (LP: #1195362) - * debian/rules: use dh_perl -d with libapparmor-perl to Depends on perl-base - instead of perl - * debian/patches/0030-easyprof-sdk.patch: update to remove the ubuntu - specific templates and policy groups. These will be shipped in - apparmor-easyprof-ubuntu - * debian/control: have apparmor-easyprof Depends on apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 28 Jun 2013 12:01:06 -0500 - -apparmor (2.8.0-0ubuntu16) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: update to have - - /usr/share/icons/gnome/index.theme should have 'rk' added to qmlscene - policy group - - add ubuntu-sdk-html5 template - - add qmlscene-webview policygroup - * debian/patches/0031-move-poppler-cmap-to-fonts.patch: more than just - gnome applications access /usr/share/poppler/cMap/** - - -- Jamie Strandboge Tue, 25 Jun 2013 15:58:33 -0500 - -apparmor (2.8.0-0ubuntu15) saucy; urgency=low - - * move aa-exec out of apparmor-utils into apparmor, since we want it in the - default install - - debian/control: adjust Breaks/Replaces to use apparmor-utils - <<2.8.0-0ubuntu15) and have apparmor Depends on libapparmor-perl - - debian/apparmor.install: install aa-exec - - debian/apparmor-utils.install: don't install aa-exec - - -- Jamie Strandboge Tue, 25 Jun 2013 11:48:25 -0500 - -apparmor (2.8.0-0ubuntu14) saucy-proposed; urgency=low - - * debian/patches/0029-easyprof-update-for-aa-sandbox.patch: add aa-sandbox - utility to source, but don't install yet. This includes code refactoring - for easyprof, which is required for the next patch - * debian/patches/0030-easyprof-sdk.patch: add SDK support to easyprof (don't - include DBus includes yet) - * create apparmor-easyprof package - - adjust debian/control for new packages and Breaks/Replaces on - apparmor-utils 2.8.0-0ubuntu14 - - create debian/apparmor-easyprof.install - - debian/apparmor-utils.install: don't install easyprof. python libraries - moved to easyprof for now since it is the only consumer - - debian/apparmor-utils.manpages: move easyprof manpage to - debian/apparmor-easyprof.manpages - - debian/rules: dh_python3 should also run on apparmor-easyprof - * debian/control: dh-apparmor should Depends on apparmor-easyprof - * debian/debhelper/dh_apparmor: update to support --manifest argument - - -- Jamie Strandboge Mon, 24 Jun 2013 09:49:44 -0500 - -apparmor (2.8.0-0ubuntu13) saucy-proposed; urgency=low - - * 0021-webapps_abstraction.patch: update to allow 'w' access to - ~/.local/share/unity-webapps/availableapps*.db and 'rk' access to - ~/.config/libaccounts-glib/accounts.db (LP: #1169633) - - -- Jamie Strandboge Mon, 10 Jun 2013 10:49:46 -0500 - -apparmor (2.8.0-0ubuntu12) saucy; urgency=low - - * 0027-add-gnome-keyring-to-strict.patch: add @{HOME}/.gnome2/keyrings/** to - abstractions/private-files-strict - * 0028-add-upstart-to-private.patch: deny writes to upstart user sessions - jobs in abstractions/private-files - - -- Jamie Strandboge Mon, 13 May 2013 13:04:54 -0500 - -apparmor (2.8.0-0ubuntu11) raring; urgency=low - - * 0025-update-pulseaudio-paths.patch: update path for pulseaudio directory - and cookie files - * 0026-add-vm_overcommit_memory.patch: add read access to - @{PROC}/sys/vm/overcommit_memory - * update 0001-add-chromium-browser.patch: - - additional accesses required by newer chromium-browser. Patch based on - work by Simon Deziel (LP: #1154164) - - don't include abstractions already included via gnome abstraction - - allow access to dconf/gsettings, required now - - -- Jamie Strandboge Mon, 08 Apr 2013 14:57:14 -0500 - -apparmor (2.8.0-0ubuntu10) raring; urgency=low - - * debian/patches/0001-add-chromium-browser.patch: add accesses for chromium - 23 (LP: #1091862) - - -- Jamie Strandboge Tue, 18 Dec 2012 15:20:05 -0600 - -apparmor (2.8.0-0ubuntu9) raring; urgency=low - - * debian/control: make libnotify-bin a Suggests rather than a Recommends - since it is assumed to already be installed on the desktop and so server - environments don't have to pull in a lot of X dependencies (LP: #1061879) - - -- Jamie Strandboge Tue, 18 Dec 2012 10:47:50 -0600 - -apparmor (2.8.0-0ubuntu8) raring; urgency=low - - [ Steve Beattie ] - * 0024-lp1091642-parser-reset_matchflags.patch: prevent reuse of - matchflags in parser dfa backend and add testcase demonstrating the - problem (LP: #1091642) - - [ Jamie Strandboge ] - * debian/debhelper/postinst-apparmor: quote all occurences of #PROFILE#. - - -- Steve Beattie Tue, 18 Dec 2012 04:53:28 -0800 - -apparmor (2.8.0-0ubuntu7) raring; urgency=low - - * Rebuild to drop python3.2 extension. - - -- Matthias Klose Thu, 08 Nov 2012 11:15:26 +0000 - -apparmor (2.8.0-0ubuntu6) raring-proposed; urgency=low - - * Build python swig modules for all supported pythons. - * Use dh_python2 instead of obsolete dh_python. - * Remove duplicate chrpath from control. - * Remove unneeded quilt dependency. - * Bump standards version to 3.9.4, no changes needed. - - -- Dmitrijs Ledkovs Tue, 23 Oct 2012 12:37:39 +0100 - -apparmor (2.8.0-0ubuntu5) quantal; urgency=low - - [ Micah Gersten ] - * Allow /etc/vdpau_wrapper.cfg r and /var/lib/xine/gxine.desktop r - in the multimedia browser abstraction (LP: #1057642) - - update profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia - - [ Steve Beattie ] - * debian/control: make libnotify-bin a Recommends rather than a - Depends for use in server environments (LP: #1061879) - * debian/patches/0020-coredump_tests.patch: fix coredump regression - tests (LP: #1050430) - * debian/patches/0021-webapps_abstraction.patch: add a few items - triggered by using and installing webapps in firefox (LP: #1056418) - * debian/patches/0022-aa-decode-stdin.patch: fix aa-decode to process - stdin correctly and decode encoded profiles names - - -- Steve Beattie Tue, 09 Oct 2012 12:44:56 -0700 - -apparmor (2.8.0-0ubuntu4) quantal; urgency=low - - * Allow /var/lib/sss/mc/{group|passwd} for systems using sssd. - (LP: #1056391) - - -- Stéphane Graber Tue, 25 Sep 2012 14:59:57 -0400 - -apparmor (2.8.0-0ubuntu3) quantal; urgency=low - - * remove 0010-lp972367.patch and 0012-lp964510.patch which should have been - dropped in 2.8.0-0ubuntu1 since they are included upstream - * debian/patches/0001-add-chromium-browser.patch: - - add a couple of small accesses - - add a child profile for xdgsettings (LP: #1045986) - - -- Jamie Strandboge Mon, 17 Sep 2012 08:26:46 -0500 - -apparmor (2.8.0-0ubuntu2) quantal; urgency=low - - * 0015-fontconfig.patch: update fonts abstraction for new fontconfig paths - * 0016-cap-block-suspend.patch: add CAP_BLOCK_SUSPEND to severity.db. In - the next version of AppArmor, this will replace 0006-cap-epollwakeup.patch - * 0017-gnome-poppler-data.patch: update gnome abstraction for poppler cMap - tables - - -- Jamie Strandboge Tue, 14 Aug 2012 11:27:15 -0500 - -apparmor (2.8.0-0ubuntu1) quantal; urgency=low - - * New upstream release - - Drop the following patches, now included upstream: - 0003-add-aa-easyprof.patch - 0005-clean-common-from-vim.patch - 0006-use-linux-capability-h.patch - 0008-apparmor-lp963756.patch - 0009-apparmor-lp959560-part1.patch - 0010-apparmor-lp959560-part2.patch - 0011-apparmor-lp872446.patch - 0012-apparmor-lp978584.patch - 0013-apparmor-lp800826.patch - 0014-apparmor-lp979095.patch - 0015-apparmor-lp963756.patch - 0016-apparmor-lp968956.patch - 0017-apparmor-lp979135.patch - 0018-lp990931.patch - * Rename 0007-ubuntu-manpage-updates.patch to 0003 - * debian/patches/0005-lp1019274.patch: add python3 support. Patch based - on work from Dmitrijs Ledkovs. (LP: #1019274) - * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for - CAP_EPOLLWAKEUP - * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to - adjust scripts to use PYTHON if it is defined - * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb - when calling setup.py - * enable python3 in the build: - - debian/rules: - + use python3 as default PYTHON - + build libapparmor with both python2 and python3 - - debian/control: - + Build-Depends on python3-all-dev and python3 - + adjust apparmor to Depends on ${python3:Depends} - + adjust apparmor-utils to Depends on ${python3:Depends} - + add python3-libapparmor package - - add debian/python3-libapparmor.install - - debian/python-libapparmor.install: adjust to use python2 and - dist-packages - * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for - IcedTea 7 (LP: #1003856) - * debian/patches/0010-lp972367.patch: allow software center to work again - from browsers (LP: #972367) - * debian/patches/0011-lp1013887.patch: let sanitized helper work with - /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887) - * debian/patches/0012-lp964510.patch: allow Google Chrome and - chromium-browser to work under sanitized helper (LP: #964510) - * debian/patches/0013-lp987578.patch: ubuntu-integration does not work - properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578) - * debian/patches/0014-lp933440.patch: update skype example profile to work - with latest skype. Based on work by Ivan Frederiks (LP: #933440) - - -- Jamie Strandboge Thu, 05 Jul 2012 10:53:17 -0500 - -apparmor (2.7.102-0ubuntu5) quantal; urgency=low - - * debian/debhelper/postrm.apparmor: do not delete local files if main - conffile still exists since it probably means it is owned by a - new/different package. (LP: #986892) - - -- Clint Byrum Mon, 11 Jun 2012 21:40:33 -0700 - -apparmor (2.7.102-0ubuntu4) quantal; urgency=low - - * Fix FTBFS (LP: #1000055). Patch thanks to Steve Beattie. - - debian/control: Build-Depends on texlive-latex-recommended - - debian/rules: add V=1 for 'make' and 'make check' when building the - parser - * debian/patches/0018-lp990931.patch: adjust path for thunderbird to include - non-versioned path - - LP: #990931 - - -- Jamie Strandboge Fri, 18 May 2012 15:02:02 -0500 - -apparmor (2.7.102-0ubuntu3) precise; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5) - to describe Ubuntu's two-stage policy load and how to add utilize it - when developing policy (LP: #974089) - - [ Serge Hallyn ] - * debian/apparmor.init: do nothing in a container. This can be - removed once stacked profiles are supported and used by lxc. - (LP: #978297) - - [ Steve Beattie ] - * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping - for change_profile onexec (LP: #963756) - * debian/patches/0009-apparmor-lp959560-part1.patch, - debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser - to support the 'in' keyword for value lists, and make mount - operations aware of 'in' keyword so they can affect the flags build - list (LP: #959560) - * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing - exec events in complain mode (LP: #872446) - * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in - dovecot imap-login profile (LP: #978584) - * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor - log parsing library from dropping apparmor network events that - contain ip addresses or ports in them (LP: #800826) - * debian/patches/0014-apparmor-lp979095.patch: document new mount rule - syntax and usage in apparmor.d(5) manpage (LP: #979095) - * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec - for profiles without attachment specification (LP: #963756, - LP: #978038) - * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when - loading policy to kernels without compat patches (LP: #968956) - * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to - grant access to /proc/attr api (LP: #979135) - - -- Steve Beattie Thu, 12 Apr 2012 06:17:42 -0500 - -apparmor (2.7.102-0ubuntu2) precise; urgency=low - - * debian/control: Make dh-apparmor Multi-Arch: foreign, so that it can - satisfy cross-build-dependencies. - - -- Colin Watson Sat, 31 Mar 2012 02:28:05 +0100 - -apparmor (2.7.102-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following issues in support of LXC - AppArmor support for beta-2: - - Fix the return size of aa_getprocattr (LP: #962521) - - Fix mnt_flags passed for remount - - Fix dfa minimization around the nonmatching state - - Factor all the permissions dump code into a single perms method - * debian/apparmor-utils.install: - - AppArmor now installs apparmor.vim. Move it into place - - install aa-exec - * debian/apparmor-utils.manpages: install aa-exec man page - * debian/patches/0003-add-aa-easyprof.patch: refresh for Makefile changes - * debian/patches/0005-clean-common-from-vim.patch: clean up 'common' - symlink - * 0006-use-linux-capability-h.patch: Use linux/capability.h instead of - sys/capability.h - - -- Jamie Strandboge Thu, 22 Mar 2012 15:39:56 -0500 - -apparmor (2.7.101-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes: LP: #948147 - * debian/lib/apparmor/functions: Update to support the feature directory so - that caching will work on kernels that support the feature dir. Patch - based on work from John Johansen. LP: #954469 - - -- Jamie Strandboge Thu, 15 Mar 2012 15:57:02 -0500 - -apparmor (2.7.100-0ubuntu1) precise; urgency=low - - * New upstream bug fix release which fixes (in addition to other bugs): - - LP: #940362 - - LP: #947617 - - LP: #949891 - * Drop the following patches, included upstream: - - 0004-lp918879.patch - - 0007-lp941506.patch - - 0008-lp941503.patch - - 0009-lp943161.patch - * Drop the following patch, no longer required: - - 0005-disable-minimization.patch - * Rename 0006-lp941808.patch 0004-lp941808.patch - * debian/patches/0001-add-chromium-browser.patch: update for additional - denials with newer chromium-browser. (LP: #937723) - * debian/put-all-profiles-in-complain-mode.sh: deal with existing flags - - -- Jamie Strandboge Fri, 09 Mar 2012 06:56:48 -0600 - -apparmor (2.7.99-0ubuntu4) precise; urgency=low - - * Restore dpkg-maintscript-helper changes from 2.7.0-0ubuntu6, lost in - 2.7.99-0ubuntu1. - - -- Colin Watson Mon, 05 Mar 2012 16:11:01 +0000 - -apparmor (2.7.99-0ubuntu3) precise; urgency=low - - * debian/patches/0009-lp943161.patch: update to not fail when - default-jre-headless is installed (LP: #945019) - - -- Jamie Strandboge Fri, 02 Mar 2012 12:47:03 -0600 - -apparmor (2.7.99-0ubuntu2) precise; urgency=low - - * debian/control: dh-apparmor should Breaks/Replaces on debhelper - 9.20120115ubuntu3, not 9.20120115ubuntu2 - * debian/patches/0006-lp941808.patch: allow writes to - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration - (LP: #941808) - * debian/patches/0007-lp941506.patch: allow reads to ~/.drirc in the X - abstraction (LP: #941506) - * debian/patches/0008-lp941503.patch: allow read access to - /usr/share/texmf/fonts in fonts abstraction (LP: #941503) - * debian/patches/0009-lp943161.patch: fix path to java in - ubuntu-browsers.d/java (LP: #943161) - - -- Jamie Strandboge Fri, 02 Mar 2012 07:50:50 -0600 - -apparmor (2.7.99-0ubuntu1) precise; urgency=low - - * New upstream release which also pulls in 2.7.0-1 changes from Debian. - For the sake of simplicity, I have added the 2.7.0-1 changelog entry after - 2.7.0-0ubuntu7 even though chronologically it appeared in Debian between - 2.7.0-0ubuntu4 and 2.7.0-0ubuntu5. - - LP: #940422 (FFe) - * Drop the following patches, included upstream: - - 0003-commits-through-r1882.patch - - 0004-lp887992.patch - - 0005-lp884748.patch - - 0006-lp870992.patch - - 0007-lp860856.patch - - 0008-lp852062.patch - - 0009-lp851977.patch - - 0010-lp890894.patch - - 0011-lp817956.patch - - 0012-lp458922.patch - - 0013-lp769148.patch - - 0014-lp904548.patch - - 0015-lp712584.patch - - 0016-lp562831.patch - - 0017-lp662906.patch - - 0018-deny-home-pki-so.patch - - 0019-lp899963.patch - - 0020-lp912754a.patch - - 0021-lp912754b.patch - - 0022-workaround-lp851986.patch - - 0023-syslog-ng-needs-dac-read-search.patch - - 0024-fix-python-and-ruby-autogeneration.patch - - 0025-lp914184.patch - - 0026-lp914190.patch - - 0027-lp914386.patch - - 0028-testsuite-fixes.patch - - 0029-lp917628.patch - - 0030-lp916285.patch - - 0031-lp917639.patch - - 0032-lp917641.patch - - 0033-add-ubuntu-helpers-to-plugins-common.patch - - 0034-lp917859.patch - - 0035-kde-should-use-kde4.patch - - 0036-lp929531.patch - - 0036-fix-manpage-errors.patch - * Rename 0037-add-aa-easyprof.patch 0003-add-aa-easyprof.patch - * debian/apparmor-profiles.postrm: clean out autogenerated files created by - apparmor-profiles.postinst (Closes: 656451) - * debian/patches/0004-lp918879.patch: allow /etc/drirc in the X abstraction - (LP: #918879) - * debian/patches/0005-disable-minimization.patch: do to LP: 940362, - minimization is not working correctly. Disable it for now. - - -- Jamie Strandboge Fri, 24 Feb 2012 09:04:45 -0600 - -apparmor (2.7.0-1) unstable; urgency=low - - * debian/po/pt.po add new Portuguese translation, thanks to Pedro Ribeiro, - (Closes: 651434). - * debian/control: do not require initramfs-tools on !linux-any - (Closes: 651297). - * debian/{control,rules,debhelper/*}: move dh_apparmor into separate - binary package, out of debhelper (Closes: 649784). - * debian/{control,rules}: fix up lack of real build-indep. - * debian/patches/0036-fix-manpage-errors.patch: minor man page cleanups. - * merge changes from Ubuntu (r1443). - - -- Kees Cook Thu, 09 Feb 2012 15:24:08 -0800 - -apparmor (2.7.0-0ubuntu7) precise; urgency=low - - * debian/patches/0037-add-aa-easyprof.patch: add the aa-easyprof tool - * apparmor-utils.dirs, apparmor-utils.install, apparmor-utils.manpages: - install aa-easyprof and supporting files - * python-libapparmor.install: only install LibAppArmor* - * debian/rules: use dh_python2 with apparmor-utils - * debian/control: apparmor-utils should Depends on ${python:Depends} - - -- Jamie Strandboge Wed, 15 Feb 2012 07:40:38 -0600 - -apparmor (2.7.0-0ubuntu6) precise; urgency=low - - * debian/apparmor.{preinst,postinst,postrm,maintscript}, debian/control: - Use maintscript support in dh_installdeb rather than writing out - dpkg-maintscript-helper commands by hand. We now simply Pre-Depend on a - new enough version of dpkg rather than using 'dpkg-maintscript-helper - supports' guards, leading to more predictable behaviour on upgrades. - - -- Colin Watson Sat, 11 Feb 2012 15:11:01 +0000 - -apparmor (2.7.0-0ubuntu5) precise; urgency=low - - * debian/patches/0036-lp929531.patch: adjust base abstraction to allow read - access to /sys/devices/system/cpu/online (LP: #929531) - - -- Jamie Strandboge Thu, 09 Feb 2012 08:04:13 -0600 - -apparmor (2.7.0-0ubuntu4) precise; urgency=low - - * debian/patches/0034-lp917859.patch: adjust aspell abstraction for user - customizable dictionaries (LP: #917859) - * debian/patches/0035-kde-should-use-kde4.patch: adjust abstractions to - use kde{,4} instead of kde - * debian/control: update Vcs-Bzr - - -- Jamie Strandboge Wed, 18 Jan 2012 16:27:30 -0600 - -apparmor (2.7.0-0ubuntu3) precise; urgency=low - - * debian/patches/0029-lp917628.patch: Adjust dnsmasq profile for - NetworkManager integration (LP: #917628) - * debian/patches/0030-lp916285.patch: update ubuntu-browsers.d/text-editors - to work with emacs2[2-9] (LP: #916285) - * debian/patches/0031-lp917639.patch: update p11-kit to allow mmap of - libraries in pkcs directories (LP: #917639) - * debian/patches/0032-lp917641.patch: ubuntu-integration abstraction for - multiarch with gst-plugin-scanner (LP: #917641) - * debian/patches/0033-add-ubuntu-helpers-to-plugins-common.patch: include - ubuntu-helpers in the plugins-common abstraction - - -- Jamie Strandboge Tue, 17 Jan 2012 07:18:34 -0600 - -apparmor (2.7.0-0ubuntu2) precise; urgency=low - - * debian/patches/0022-workaround-lp851986.patch: update sanitized_helper - to include inet6 - - -- Jamie Strandboge Fri, 13 Jan 2012 11:21:30 +0100 - -apparmor (2.7.0-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following: - - LP: #794974 - - LP: #815883 - - LP: #840973 - * Drop the following patches, included upstream: - - af_names-generation.patch - - 0004-adjust-logprof-log-search-order.patch - - 0005-lp826914.patch - - 0006-lp838275.patch - - 0007-fix-introspection-tests.patch - * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002 - * debian/patches/0003-commits-through-r1882.patch: several bug, - documentation and performance fixes on our road to AppArmor 2.8 - (LP: #840734, LP: #905412) - * debian/patches/0004-lp887992.patch: cups-client abstraction should allow - owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions - (LP: #887992) - * update debian/patches/0001-add-chromium-browser.patch for deeper - directories of /sys/devices/pci (LP: #885833) - * debian/patches/0005-lp884748.patch: allow kate as text editor in the - browsers abstraction (LP: #884748) - * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access - to ~/.fonts.conf.d (LP: #870992) - * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py - in the python abstraction, which is needed for apport hooks to work in - python applications (LP: #860856) - * debian/patches/0008-lp852062.patch: update binaries for transmission - clients (LP: #852062) - * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for - Xubuntu and friends (LP: #851977) - * debian/patches/0010-lp890894.patch: allow access to Thunar as well as - thunar in ubuntu-integration abstraction (LP: #890894) - * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile - (LP: #817956) - * debian/patches/0012-lp458922.patch: update dovecot deliver profile to - access various .conf files for dovecot (LP: #458922) - * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection - (LP: #769148) - * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv - (LP: #904548) - * debian/patches/0015-lp712584.patch: Nvidia users need access to - /dev/nvidia* files for various plugins to work right. Since these are all - focused around multimedia, add the acceses to the multimedia abstraction. - (LP: #712584) - * debian/patches/0016-lp562831.patch: allow fireclam plugin to work - (LP: #562831) - * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu - integration browser abstraction (LP: #662906) - * debian/patches/0018-deny-home-pki-so.patch: update private-files - abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847) - * debian/patches/0019-lp899963.patch: add audacity to the - ubuntu-media-players abstraction (LP: #899963) - * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit - abstraction and add it to the authentication abstraction (LP: #912754) - * debian/patches/0022-workaround-lp851986.patch: instead of using Ux - in the ubuntu and launchpad abstractions, use a helper child profile. - This will help work around the lack of environment filtering - (LP: #851986) - * debian/patches/0023-syslog-ng-needs-dac-read-search.patch: adjust syslog-ng - profile for dac_read_search - * debian/patches/0024-fix-python-and-ruby-autogeneration.patch: fix python - and ruby autogeneration when using aa-autodep and aa-genprof - * debian/patches/0025-lp914184.patch: allow the creation of enchant .config - directory in the enchant abstraction (LP: #914184) - * debian/patches/0026-lp914190.patch: block write access to ~/.kde/env - because KDE automatically sources scripts in that folder on startup - (LP: #914190) - * debian/pathes/0027-lp914386.patch: add xdg-desktop abstraction and - adjust gnome and kde abstractions to use it (LP: #914386) - * debian/patches/0028-testsuite-fixes.patch: testsuite fixes in the kernel - regression tests - - -- Jamie Strandboge Thu, 12 Jan 2012 12:55:17 +0100 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu3) precise; urgency=low - - * Rebuild for Perl 5.14. - - -- Colin Watson Tue, 15 Nov 2011 22:10:05 +0000 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu2) oneiric; urgency=low - - * 0007-fix-introspection-tests.patch: Add missing introspection regression - test that should have been checked in with the introspection patches. - - -- Jamie Strandboge Tue, 04 Oct 2011 13:13:05 -0500 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu1) oneiric; urgency=low - - * 0004-adjust-logprof-log-search-order.patch: Adjust the search order to use - just /var/log/audit/audit.log and /var/log/syslog. (LP: #835838) - * 0005-lp826914.patch: fix missing multiarch in abstraction/X (LP: #826914) - * 0006-lp838275.patch: adjust ubuntu-email abstraction for thunderbird 7 - (LP: #838275) - - -- Jamie Strandboge Fri, 02 Sep 2011 12:30:10 -0500 - -apparmor (2.7.0~beta1+bzr1774-1) unstable; urgency=low - - * New upstream devel snapshot: - - drop 0002-lp750381.patch, taken upstream. - - drop 0004-lp754889.patch, taken upstream. - - drop 0005-lp761217.patch, taken upstream. - - drop 0100-manpage-typo.patch, taken upstream. - - drop 0101-declarations.patch, solved differently upstream. - - drop 0102-manpage-release-name.patch, taken upstream. - - drop 0103-kfreebsd-compile.patch, taken upstream. - - drop define-path-max.patch, taken upstream. - - drop indep-build.patch, taken upstream. - - debian/libapparmor1.manpages: add new function man pages. - * Merge with Ubuntu: - - drop 0104-python-aa-status.patch, taken upstream. - - drop 0105-lightdm.patch, taken upstream. - - drop 0106-lp810270.patch, taken upstream. - - drop 0107-lp767308.patch, taken upstream. - - drop 0108-gnome-mimeinfo.patch, taken upstream. - - drop 0109-add-profile-repo-info.patch, taken upstream. - * Add af_names-generation.patch to allow arbitrary socket.h file location. - - -- Kees Cook Wed, 10 Aug 2011 18:12:34 -0700 - -apparmor (2.6.1-4ubuntu5) oneiric; urgency=low - - * debian/patches/0109-add-profile-repo-info.patch: add a blurb about the - new profiles repository to aa-genprof, along with a link to the wiki - page. - - -- Marc Deslauriers Mon, 18 Jul 2011 10:49:13 -0400 - -apparmor (2.6.1-4ubuntu4) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: updated to use upstream commits - - -- Jamie Strandboge Fri, 15 Jul 2011 14:08:38 -0500 - -apparmor (2.6.1-4ubuntu3) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: adjustments for /var/run -> /run, - /var/lock -> /run/lock and /dev/shm -> /run/shm transition (LP: #810270) - * debian/patches/0107-lp767308.patch: allow read access to - /usr/local/share/ca-certificates (LP: #767308) - * debian/patches/0001-add-chromium-browser.patch: updates for newer chromium - (LP: #776648) - * debian/patches/0108-gnome-mimeinfo.patch: allow read access to - /usr/share/gnome/applications/mimeinfo.cache in the gnome abstraction - - -- Jamie Strandboge Thu, 14 Jul 2011 09:39:49 -0500 - -apparmor (2.6.1-4ubuntu2) oneiric; urgency=low - - * debian/patches/0105-lightdm.patch: allow owner read access to - /var/run/lightdm/authority/[0-9]* - - -- Jamie Strandboge Wed, 22 Jun 2011 16:29:11 -0500 - -apparmor (2.6.1-4ubuntu1) oneiric; urgency=low - - * Get rid of Perl in main AppArmor package so we can remove perl-modules - from the installation cd: - - debian/patches/0104-python-aa-status.patch: switch aa-status to - Python - - debian/apparmor.*, debian/apparmor-utils.*: move aa-status, symlink - and manpages to main apparmor package. - - debian/control: add appropriate Breaks/Replaces/Depends because of - the file move, add ${python:Depends} to apparmor Depends, add - apparmor-utils to apparmor Suggests. - - debian/rules: add apparmor package to dh_python2. - * debian/lib/apparmor/functions: fix hat separator (LP: #788616) - - Based on upstream revision 1733 - - -- Marc Deslauriers Wed, 01 Jun 2011 11:03:20 -0400 - -apparmor (2.6.1-4) unstable; urgency=low - - * debian/po: add new translations: - - zh_CN.po: Simplified Chinese, thanks to Aron Xu (Closes: 624853). - - da.po: Danish, thanks to Joe Dalton (Closes: 625252). - - sv.po: Swedish, thanks to Martin Bagge (Closes: 625264). - - cs.po: Czech, thanks to Michal Šimůnek (Closes: 625465). - - de.po: German, thanks to Chris Leick (Closes: 625931). - - nl.po: Dutch, thanks to Jeroen Schot (Closes: 626269). - - ja.po: Japanese, thanks to Hideki Yamane (Closes: 626803). - - it.po: Italian, thanks to Dario Santamaria (Closes: 626836). - - fr.po: French, thanks to Julien Patriarca (Closes: 626903). - - es.po: Spanish, thanks to Francisco Javier Cuadrado (Closes: 627031). - * debian/patches/define-path-max.patch: fix Hurd FTBFS. - * debian/patches/indep-build.patch: allow split indep/arch builds. - * debian/{control,rules,non-linux}: add fake parser for non-Linux - builds so that apparmor-utils is installable (Closes: 625977). - - -- Kees Cook Fri, 27 May 2011 13:51:18 -0700 - -apparmor (2.6.1-3) unstable; urgency=low - - * debian/control: add sneaky missing Build-Dep on liblocale-gettext-perl - (fixes FTBFS on some extremely minimal chroots, Closes: 624566). - * debian/patches/0101-declarations.patch: add missing declarations needed - for sensitive compilers (fixes FTBFS on mips/mipsel). - * debian/patches/0102-manpage-release-name.patch: update manpage release - names to match others. - * debian/patches/0103-kfreebsd-compile.patch, debian/{control,rules}: - attempt to build as much as possible (no parser) on non-Linux systems. - * debian/po/ru.po: add translation, thanks to Yuri Kozlov (Closes: 624741). - - -- Kees Cook Sun, 01 May 2011 19:29:07 -0700 - -apparmor (2.6.1-2) unstable; urgency=low - - * debian/copyright: clarify for some full organization names. - - -- Kees Cook Wed, 27 Apr 2011 10:38:07 -0700 - -apparmor (2.6.1-1) unstable; urgency=low - - * Initial Debian upload (Closes: 622922). - * debian/patches/0100-manpage-typo.patch: fix lintian error in manpage. - * debian/clean: update for Debian build. - * debian/copyright: rearrange and add a few missing files. - * debian/source/format, debian/rules: convert to 3.0 quilt format. - * debian/{rules,apparmor-profiles.postinst}: deal with lack of dh_apparmor. - - -- Kees Cook Sat, 23 Apr 2011 12:14:55 -0700 - -apparmor (2.6.1-0ubuntu3) natty; urgency=low - - * debian/patches/0003-add-debian-integration-to-lighttpd.patch: updates for - lighttpd example profile to work in Debian/Ubuntu (LP: #582814) - * debian/patches/0004-lp754889.patch: add several image viewers to - ubuntu-browsers.d/multimedia abstraction (LP: #754889) - * debian/patches/0005-lp761217.patch: abstractions/private-files updates for - zsh and several other shells (LP: #761217) - * debian/patches/0001-add-chromium-browser.patch: fixes for multiarch and - crash reporter (LP: #764786) - - -- Jamie Strandboge Mon, 18 Apr 2011 09:23:50 -0500 - -apparmor (2.6.1-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp750381.path: adjust ubuntu-media-players abstraction - to allow reading of configs required by gnash and owner writing of - @{HOME}/.gnash (LP: #750381) - - -- Jamie Strandboge Thu, 07 Apr 2011 10:09:24 -0500 - -apparmor (2.6.1-0ubuntu1) natty; urgency=low - - * New upstream release. - - Fixes breakage of mod_apparmor apache2 module (LP: #737074) - - Fixes profile matching when an attachement doesn't contain a - regex (LP: #731155) - - Fixes parser acceptance of missing network protocols (LP: #732837) - - Patches taken upstream and dropped: - + debian/patches/0002-lp727478.patch - + debian/patches/0003-test-lp727478.patch - + debian/patches/0004-lp736870.patch - * debian/apparmor.install, debian/apparmor.dirs: add new multiarch - tunable file and directory - * debian/python-libapparmor.install: loosen directory specification - for resiliancy against different python versions - - -- Steve Beattie Thu, 24 Mar 2011 01:55:12 -0700 - -apparmor (2.6.0-0ubuntu4) natty; urgency=low - - * Update debian/patches/0004-lp736870.patch (LP: #736870): - - armel triplet doesn't match '*-linux-gnu' - - /lib/tls for libc6-xen needs handling - - gnome, kde, kerberosclient, and authentication abstractions also need - updating for multiarch. - - -- Steve Langasek Tue, 22 Mar 2011 15:18:54 -0700 - -apparmor (2.6.0-0ubuntu3) natty; urgency=low - - * debian/patches/0004-lp736870.patch: add multiarch support to abstractions - (LP: #736870) - - -- Jamie Strandboge Thu, 17 Mar 2011 09:17:01 -0500 - -apparmor (2.6.0-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp727478.patch: Override AF_MAX for kernels that don't - support proper masking. Patch thanks to John Johansen (LP: #727478) - * debian/patches/0003-test-lp727478.patch: add tcp.sh test as partial - networking test - - -- Jamie Strandboge Thu, 03 Mar 2011 16:40:08 -0600 - -apparmor (2.6.0-0ubuntu1) natty; urgency=low - - [ Steve Beattie ] - * New upstream 2.6.0 release (LP: #724193) - - Patches taken upstream and dropped: - + 0001-ubuntu-buildd.patch - + 0003-add-libvirt-support-to-dnsmasq.patch - + 0004-lp698194.patch - + 0005-aa-disable.patch - - debian/rules: remove library path settings for mod_apparmor and - pam_apprmor builds; upstream handles this properly now. - - debian/apparmor-utils.install: handle upstream SubDomain.pm => - AppArmor.pm renaming - * debian/lib/apparmor/functions: handle profile names with embedded - spaces (LP: #655523) - * debian/rules, debian/control, debian/python-libapparmor: build - a python-libapparmor package. - - [ Jamie Strandboge ] - * debian/copyright: update and reformat according to DEP-5 - * debian/lib/apparmor/functions: don't unload dynamically generated libvirt - profiles on reload, restart, and force-reload (LP: #702774) - * debian/control: use Section: python for python-libapparmor - - -- Steve Beattie Thu, 24 Feb 2011 01:41:58 -0800 - -apparmor (2.6~devel+bzr1617-0ubuntu2) natty; urgency=low - - * debian/patches/0005-aa-disable.patch: add aa-disable - * debian/apparmor-utils.install: install aa-disable - * debian/apparmor-utils.manpages: install aa-disable man page - - -- Jamie Strandboge Mon, 07 Feb 2011 11:23:50 -0600 - -apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1617. Closes the following bugs: - - LP: #692406: temporarily disable the defunct repository until an - alternative can be used - - LP: #649497: add ibus abstraction - - LP: #652562: allow 'rw' to /var/log/samba/cores/ - - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules - * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.* - (LP: #692866) - * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch - and adjust debian/patches/series - * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239): - - allow read and write access to libvirt pid files for dnsmasq - - allow net_admin capability for DHCP server - - allow net_raw and network inet raw for ICMP pings when used as a DHCP - server - * debian/patches/0004-lp698194 (LP: #698194): - - abstractions/private-files: don't allow wl to autostart directories - - abstractions/private-files-strict: don't allow access to chromium, - kwallet and popular mail clients - - -- Jamie Strandboge Fri, 07 Jan 2011 12:44:26 -0600 - -apparmor (2.6~devel+bzr1601-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1601 to gain parser speed - improvements and man page fixes. Closes the following bugs: - - LP: #349049: document audit, deny and owner rule qualifiers - - LP: #466228: ubuntu-browsers.d/multimedia: allow flash printing - - LP: #644983: add ubuntu-browsers.d/ubuntu-integration-xul - - LP: #692216: use aa_change_hat() instead of change_hat() - - LP: #692217: add aa_change_profile.pod manpage - * debian/control: explicitly depend on gettext module. - * ship apparmor vim syntax file (LP: #646800): - - debian/vim-apparmor.yaml: vim addon definition file. - - debian/apparmor-utils.install: add apparmor.vim and vim-apparmor.yaml. - * debian/libapparmor1.manpages: ship aa_change_profile manpage. - - -- Kees Cook Mon, 20 Dec 2010 14:37:38 -0800 - -apparmor (2.6~devel+bzr1527-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1527, drop patches taken upstream: - - debian/patches/0001-fix-release.patch - - debian/patches/0003-local-includes.patch - - debian/patches/0004-ubuntu-abstractions-updates.patch - - debian/patches/0005-lp648900.patch - - debian/patches/0006-testsuite-fixes.patch - - debian/patches/0007-honor-cflags.patch - - debian/patches/0008-lp652674.patch - - debian/patches/0009-sensible-browser-pix.patch - * Rework packaging for more sanity. - - debian/control: - - bump debhelper build depend to Ubuntu-specific v8. - - switch apparmor-profiles to arch all as it ships only text. - - update Homepage to new domain. - - expand long descriptions to keep lintian happy. - - debian/compat: bump to 8. - - README.Debian: removed, hopelessly out of date. - - debian/copyright: - - updated for changes to upstream source layout. - - fixed lintian warnings. - - debian/rules: - - ditch mv/install in favor of *.install,*.dir files. - - replace "dh_clean -k" with "dh_prep" - - use dh_clean's debian/clean file instead of manual rm. - - scan for all profiles to run through dh_apparmor. - - debian/*.{install,dirs,manpages,docs}: - - explicitly list all files needed for packaging - - debian/apparmor.{preinst,postinst,postrm}: - - add dpkg-maintscript-helper calls to clean up old script locations. - - drop old conffile cleanups, since they predate Lucid. - - debian/apparmor.init: - - move functions to /lib/apparmor. - - start on $remote_fs due to using /usr tools during init. - - use LC_COLLATE=C for proper sorting. - - debian/libapparmor1.symbols: created initial symbols file. - - debian/apparmor-docs.doc-base: include doc-base details for techdoc. - - debian/notify/90apparmor-notify: use new command name. - - lib/apparmor/functions: use LC_COLLATE=C for proper sorting. - - -- Kees Cook Thu, 04 Nov 2010 18:06:34 -0700 - -apparmor (2.5.1-0ubuntu4) natty; urgency=low - - * debian/patches/0004-ubuntu-abstractions-updates.patch: updated to add - /usr/bin/emacs-snapshot-gtk PUxr - * debian/patches/0009-sensible-browser-pix.patch: use Pix for - sensible-browser - * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if - the AppArmor securityfs introspection directory is not mounted, as - is the case on Ubuntu buildds. - - -- Jamie Strandboge Tue, 02 Nov 2010 12:17:21 -0500 - -apparmor (2.5.1-0ubuntu3) natty; urgency=low - - * debian/control: use the correct version for Conflicts/Replaces - - -- Jamie Strandboge Tue, 19 Oct 2010 19:53:26 -0500 - -apparmor (2.5.1-0ubuntu2) natty; urgency=low - - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. Patch by Marc Deslauriers. - (LP: #539441) - - -- Jamie Strandboge Tue, 19 Oct 2010 15:44:43 -0500 - -apparmor (2.5.1-0ubuntu1) natty; urgency=low - - * New upstream release (LP: #660077) - - The following patches were refreshed: - + 0001-fix-release.patch - + 0003-local-includes.patch - + 0008-lp648900.patch: renamed as 0005-lp648900.patch - - The following patches were dropped (included upstream): - + 0005-lp601583.patch - + 0006-network-interface-enumeration.patch - + 0007-gnome-updates.patch - * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head - of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211) - * debian/patches/0007-honor-cflags.patch: have the parser makefile honor - CFLAGS environment variable. Brings back missing symbols for the retracer - * debian/patches/0008-lp652674.patch: fix warnings for messages without - denied or requested masks (LP: #652674) - * debian/apparmor.init: fix path to aa-status (LP: #654841) - * debian/apport/source_apparmor.py: apport hook should use - root_command_hook() for running apparmor_status (LP: #655529) - * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber - cmdline details (LP: #657091) - - -- Jamie Strandboge Fri, 15 Oct 2010 12:23:00 -0500 - -apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low - - * abstractions/ubuntu-email: adjustment for ever-changing thunderbird path - (LP: #648900) - - -- Jamie Strandboge Mon, 27 Sep 2010 09:00:06 -0500 - -apparmor (2.5.1~rc1-0ubuntu1) maverick; urgency=low - - [ Jamie Strandboge ] - * New upstream RC release (revision 1413). In addition to getting the tools - to work with the maverick kernel, this update fixes: - - LP: #619521 - - LP: #633369 - - LP: #626451 - - LP: #581525 - - LP: #623467 (link and unlink still need to be addressed) - * Dropped the following patches, included upstream: - - 0002-lp615177.patch - - 0004-ubuntu-pux.patch - - 0006-kde4-config-pux.patch - - 0007-lp605835.patch - - 0012-lp625041.patch - - 0013-lp623586.patch - * Update the following patches: - - rename 0010-fix-release.patch as 0001-fix-release.patch since this will - likely always need to be here - - rename 0005-add-chromium-browser.patch as - 0002-add-chromium-browser.patch - - rename 0001-local-includes.patch as 0003-local-includes.patch and update - to use r1493 (from trunk) of local/README file. This can be dropped in - 2.6. - - collect the ubuntu abstractions updates pulled from trunk into - 0004-ubuntu-abstractions-updates.patch. This can be dropped in 2.6. - - rename 0008-lp601583.patch as 0005-lp601583.patch. This can be dropped - in 2.5.1 final. - * fix up some lintian warnings: - - debian/control: - + don't use 'Section' in apparmor-notify, since it is the same as the - source - + updates Standards-Version to 3.9.1 - + add ${misc:Depends} to libapparmor-dev and apparmor-notify - - add debian/source/format - - debian/libapache2-mod-apparmor.postrm: use #DEBHELPER# - - debian/libapache2-mod-apparmor.preinst: use #DEBHELPER# - - add debian/watch - * debian/notify/notify.conf: set show_notifications="yes" by default - * debian/patches/0006-network-interface-enumeration.patch: allow network - interface enumeration. This can be dropped in 2.5.1 final. - * debian/patches/0007-gnome-updates.patch: update for font/icon/mime - locations in current gnome. This can be dropped in 2.5.1 final. - - [ Kees Cook ] - * debian/apparmor.init: rename "stop" to "teardown", drop caches on - "stop" and warn about the dangers of "teardown". - - -- Jamie Strandboge Fri, 10 Sep 2010 11:07:19 -0500 - -apparmor (2.5.1~pre1393-0ubuntu6) maverick; urgency=low - - * debian/profiles/chromium-browser: updated to have the proper path to - local/ - * debian/patches/0011-lp514356+573344+593413.patch: browser abstraction - updates for /net, kmozillahelper and gnome-appearance-properties - (LP: #593413, LP: #514356, LP: #573344) - * debian/patches/0012-lp625041.patch: add sensible-browser (LP: #625041) - * debian/patches/0013-lp623586.patch: allow access to ghostscript fonts when - not using defoma (LP: #623586) - - -- Jamie Strandboge Fri, 03 Sep 2010 07:39:31 -0500 - -apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low - - * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs - abstraction (LP: #605835) - * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm - (LP: #601583) - * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction - and have ubuntu-browsers.d/multimedia use it (LP: #565753) - * debian/apparmor.config: don't try to read in the existing value from - /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is - in debconf. (LP: #561694) - * add aa-update-browser for giving a programmatic way to update browser - profiles to use browser abstractions - - add debian/aa-update-browser - - add debian/aa-update-browser.8 - - debian/rules: install aa-update-browser* - * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java - child profile names - * debian/patches/0010-fix-release.patch: update common/Make.rules to use - lsb_release - - -- Jamie Strandboge Wed, 11 Aug 2010 09:24:23 -0500 - -apparmor (2.5.1~pre1393-0ubuntu4) maverick; urgency=low - - * debian/patches/0001-local-includes.patch: updated to adjust local/README - to have upstream clarifications - * debian/patches/0003-ubuntu-browsers-d.patch: add ubuntu-browsers.d/* - abstractions - * debian/patches/0004-ubuntu-pux.patch: use 'PUx' instead of 'Ux' in - abstractions/ubuntu-* - * add chromium-browser profile. All this can be removed once - chromium-browser ships its own profile: - - debian/patches/0005-add-chromium-browser.patch: add preliminary - profiles/apparmor.d/usr.bin.chromium-browser - - debian/profiles/chromium-browser: added for use with ubuntu-browsers.d - - debian/rules: ship debian/profiles/chromium-browser in apparmor-profiles - * don't make /etc/apparmor.d/local/* from apparmor-profiles conffiles - - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 - - debian/rules: use dh_apparmor instead of shipping the files as conffiles - - debian/apparmor-profiles.postinst: move DEBHELPER before initscript - reload - - debian/apparmor-profiles.postrm: added to remove chromium-browser config - file - * debian/patches/0006-kde4-config-pux.patch: remove kde4-config from kde - abstraction and add it to kde ubuntu-browsers abstraction - - -- Jamie Strandboge Tue, 10 Aug 2010 14:31:32 -0500 - -apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low - - * debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too - strict for /tmp/ and /var/tmp/ (LP: #615177) - - -- Jamie Strandboge Mon, 09 Aug 2010 10:17:05 -0500 - -apparmor (2.5.1~pre1393-0ubuntu2) maverick; urgency=low - - * debian/rules: move local/usr.lib.apache2.mpm-prefork.apache2 to - libapache2-mod-apparmor - - -- Jamie Strandboge Fri, 06 Aug 2010 13:38:59 -0500 - -apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low - - * Update to upstream bzr revision 1393 from lp:apparmor/2.5. - * add dbus-session abstraction (LP: #566207) - * require owner in user-tmp abstraction (LP: #578922) - * don't use uninitialized $opt_s (LP: #582075) - * allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462) - * allow gmplayer in abstractions/ubuntu-media-players (LP: #591421) - * debian/control: updated branches. - * debian/patches/0001-local-includes.patch: backported patch from trunk to - allow local administrators to customize their profiles without modifying - a shipped profile - * debian/rules: - - don't pass RELEASE to libapparmor's 'make install' as it breaks the - build and isn't used by the Makfile anyway - - install apparmor.d/local/README in apparmor, not apparmor-profiles - - don't install apparmor.d/local/usr.sbin.ntpd - * Drop the following patches already included upstream: - - 0001-lp538561.patch - - 0002-aalogprof-warnings.patch - - 0003-fix-memleaks.patch - - 0004-lp549557.patch - - 0005-lp538661.patch - - 0006-lp611248.patch - - -- Jamie Strandboge Thu, 05 Aug 2010 16:10:46 -0500 - -apparmor (2.5-0ubuntu4) maverick; urgency=low - - * debian/patches/0006-lp611248.patch: allow access to gdk-pixbuf loaders - LP: #611248 - - -- Jamie Strandboge Tue, 03 Aug 2010 09:32:10 -0500 - -apparmor (2.5-0ubuntu3) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/lp-549557.patch: have apparmor_notify deal with log file - rotation. (LP: #549557) - * debian/notify/notify.conf: set show_notifications="yes" - * debian/patches/0005-lp538661.patch: adjust php5 abstraction for cgi config - file path and extensions (LP: #538661) - - [ Kees Cook ] - * debian/apparmor.functions: do not load in parallel, this is causing - weird side-effects. - - -- Jamie Strandboge Tue, 30 Mar 2010 11:31:49 -0500 - -apparmor (2.5-0ubuntu2) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0001-lp538561.patch: add 'k' to /var/lib/samba/**.tdb in - the samba abstraction (LP: #538561) - - [ Marc Deslauriers ] - * debian/patches/0002-aalogprof-warnings.patch: get rid of warnings when - aa-logprof is run. - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. (LP: #539441) - * debian/patches/0003-fix-memleaks.patch: include a couple of leak - patches from upstream. - - -- Marc Deslauriers Fri, 26 Mar 2010 11:39:18 -0400 - -apparmor (2.5-0ubuntu1) lucid; urgency=low - - * New upstream release. - * debian/control: updated branches. - * debian/copyright: updated download locations. - * debian/rules: drop unneeded build variables. - * common/Make.rules: set distributor. - - -- Kees Cook Thu, 11 Mar 2010 00:08:08 -0800 - -apparmor (2.5~pre+bzr1367-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1367 - * debian/notify/90apparmor-notify: sleep for 60 seconds for boot speed and - to make sure that X is all the way up so the notifications look pretty - - -- Jamie Strandboge Mon, 08 Mar 2010 13:53:50 -0600 - -apparmor (2.5~pre+bzr1364-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1364. - * debian/apparmor.functions: ignore .dpkg-bak files when loading too. - - -- Kees Cook Wed, 17 Feb 2010 13:36:21 -0800 - -apparmor (2.5~pre+bzr1362-0ubuntu2) lucid; urgency=low - - * debian/apparmor.postinst: on upgrades, prepopulate apparmor/homedirs - if it is not preseeded. Will check /etc/passwd for UIDs >= 1000 and - < 30000 for unique dirnames of home directories that are not /home. Fully - resolves (LP: #447292) - - -- Jamie Strandboge Wed, 17 Feb 2010 09:42:55 -0600 - -apparmor (2.5~pre+bzr1362-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1362. - - This release includes DFA minimization, transition table compression, - and improved partitioning performance (LP: #503869). - - drop 0001-tunable-alias.patch, now upstream. - * debian/apparmor.postinst: update home.d template to note the trailing - slash, even if the debconf template mentions it too. - * debian/apparmor.functions: go fully parallel with parsing to use all - CPUs in the case of needing to regenerate caches. - * debian/rules: enable library testsuite during build. - * debian/control: add dejagnu for library testsuite. - * debian/{rules,control}: use chrpath to drop rpath in libapparmor-perl. - - [ Jamie Strandboge ] - * debian/control: add apparmor-notify - * add debian/notify/notify.conf - * add debian/notify/90apparmor-notify - * add debian/apparmor-notify.install: install notify.conf to /etc/apparmor - and 90apparmor-notify to /etc/X11/Xsession.d - * debian/rules: - - remove upstream notify.conf since we will install our own via debhelper - - move apparmor_notify script and man pages to apparmor-notify - - -- Kees Cook Sat, 13 Feb 2010 12:19:30 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu4) lucid; urgency=low - - * 0001-tunable-alias.patch: backport r1330 to make it easier for people - to use AppArmor's alias rules (LP: #160002) - - -- Jamie Strandboge Mon, 11 Jan 2010 14:31:06 -0600 - -apparmor (2.3.1+bzr1312-0ubuntu3) lucid; urgency=low - - * debian/apparmor.{init,functions}: - - add "recache" argument to init script for liveCD cache generation. - - skip start/stop/reload when running on liveCD. - - -- Kees Cook Fri, 08 Jan 2010 08:39:14 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu2) lucid; urgency=low - - * debian/rules: disable profiling support for released version. - - -- Kees Cook Wed, 06 Jan 2010 16:57:58 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1312. - * debian/apparmor.postrm: fix comment typo. - * debain/rules: switch to bzr for upstream versioning. - * debian/rules: install apache2-* abstractions into apache2-mod package. - * drop debian/patches/0001-likewise-home-tunables.patch: this is causing - too much time in the parser (see LP 503869). The default install is - suffering, so move this configuration to likewise-open (see LP 274350). - - [ Jamie Strandboge ] - * debian/rules: - - don't ship tunables/home.d/site.local - - correct path for moving apache2 abstraction - * add debconf question for adjusting HOMEDIRS (LP: #447292) - - add debian/apparmor.config - - debian/apparmor.postinst: query debconf and adjust - tunables/home.d/ubuntu - - debian/apparmor.postrm: on purge, remove tunables/home.d/ubuntu and run - db_purge - - debian/control: Build-Depends on po-debconf and have apparmor Depends on - debconf - - add debian/po/* - - debian/rules: use dh_installdebconf -papparmor - - added debian/templates - - -- Kees Cook Wed, 06 Jan 2010 15:51:33 -0800 - -apparmor (2.3.1+1403-0ubuntu31) lucid; urgency=low - - * Remove initramfs hooks, as early profile loading is handled - on a service-by-service basis with Upstart jobs now. - - -- Kees Cook Fri, 04 Dec 2009 13:22:04 -0800 - -apparmor (2.3.1+1403-0ubuntu30) lucid; urgency=low - - [ Jamie Strandboge ] - * convert to using quilt - - debian/control: Build-Depends on quilt - - add debian/README.source - - debian/rules: include /usr/share/quilt/quilt.make and adjust - targets for patching - * debian/patches/0001-likewise-home-tunables.patch: tunables/home: add - /home/likewise-open/*/ to HOMEDIRS (LP: #274350) - * Merge to upstream bzr rev 1308. - - really add chromium-browser (LP: #488559) - - add official google-chrome (LP: #481661) - - [ Kees Cook ] - * parser/parser_main.c: use nanosec ctime resolution when checking - cache file times. - * parser/tst/caching.sh: add tests for cache use based on timestamps. - - -- Jamie Strandboge Fri, 04 Dec 2009 11:11:01 -0600 - -apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low - - * parser/Makefile: generate af_names.h based on bits/socket.h since - linux/socket.h no longer has what we need (LP: #474751) - * usr.sbin.dnsmasq: fully address LP: #445818 - - more pidfile refinements - - allow access to /var/run/dnsmasq - - allow access to /etc/dnsmasq.d - - allow dac_override so it can write its pidfile - * abstractions/ubuntu-browsers: add chromium-browser - - -- Jamie Strandboge Wed, 04 Nov 2009 17:07:23 -0600 - -apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low - - [ Jamie Strandboge ] - * update skype profile in extras. Based on work by Андрей Калинин. - (LP: #226624) - * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778) - * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and - epiphany-webkit were already present, but the recent changes in - epiphany packaging require /usr/bin/epiphany) (LP: #472952) - * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818) - * abstractions/gnome: allow access to ~/.themes (LP: #460125) - * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config - (LP: #447006) - - [ Marc Deslauriers ] - * utils/Subdomain.pm: don't skip reading profiles that are also in the - cache directory (LP: #446449) - * utils/Subdomain.pm: correctly parse PUxr modes - * utils/Subdomain.pm: support include directories - - -- Jamie Strandboge Wed, 04 Nov 2009 11:02:27 -0600 - -apparmor (2.3.1+1403-0ubuntu27) karmic; urgency=low - - * utils/SubDomain.pm: handle new format "null" log entries (LP: #446524) - - -- Marc Deslauriers Fri, 16 Oct 2009 14:40:04 -0400 - -apparmor (2.3.1+1403-0ubuntu26) karmic; urgency=low - - * abstractions/ubuntu-browsers: add Dooble - * abstractions/ubuntu-browsers: add chromium (LP: #448812) - * abstractions/gnome: add read for /etc/orbitrc - * abstractions/audio: add read for /etc/pulse/* for when ~/.pulse/* doesn't - exist and these files are used for fallback - - -- Jamie Strandboge Wed, 14 Oct 2009 07:59:03 -0500 - -apparmor (2.3.1+1403-0ubuntu25) karmic; urgency=low - - * Do not use tools in /usr during initial start-up (LP: #439726). - - -- Kees Cook Fri, 02 Oct 2009 16:52:04 -0700 - -apparmor (2.3.1+1403-0ubuntu24) karmic; urgency=low - - * abstractions/X: allow mouse themes (LP: #438051) - - -- Jamie Strandboge Thu, 01 Oct 2009 16:07:25 -0500 - -apparmor (2.3.1+1403-0ubuntu23) karmic; urgency=low - - [ Kees Cook ] - * Really fix quiet mode in initramfs (LP: #435285). - * Handle older kernel versions when loading profiles (LP: #429872): - - parser/parser_{interface,main}.c: detect kernel version and downgrade. - - debian/apparmor.functions, parser/parser_main.c: keep kernel features - recorded in cache directory. - - parser/parser_{interface,main}.c: add --skip-kernel-load for testing. - - parser/tst/caching.*: add caching tests. - [ Jamie Strandboge ] - * abstractions/audio: add a few more files for pulseaudio - - -- Kees Cook Fri, 25 Sep 2009 09:54:01 -0700 - -apparmor (2.3.1+1403-0ubuntu22) karmic; urgency=low - - * Do not run AppArmor on the LiveCD, again (LP: #131976). - * More aggressively stay quiet when booting in quiet mode (LP: #435285). - - -- Kees Cook Wed, 23 Sep 2009 15:40:22 -0700 - -apparmor (2.3.1+1403-0ubuntu21) karmic; urgency=low - - * debian/apparmor.{init-bottom,functions,initramfs}: perform initial - apparmor rule loading in initramfs. - - -- Kees Cook Mon, 21 Sep 2009 14:16:26 -0700 - -apparmor (2.3.1+1403-0ubuntu20) karmic; urgency=low - - * added disabled apache2 profile (FFE LP: #430812): - - add profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2: new - apache2 profile - - add profiles/apparmor.d/apache2.d/phpsysinfo: example profile for the - phpsysinfo application - - profiles/Makefile: handle the apache2.d directory - - add debian/libapache2-mod-apparmor.postinst: reload apparmor after - installation since we now ship a profile in this package - - add debian/libapache2-mod-apparmor.preinst: disable apache2 profile - if the user does not already have a profile defined - - add debian/libapache2-mod-apparmor.postrm: remove disabled symlink - on purge - - debian/rules: move apache2 profile to the libapache2-mod-apparmor - package and create apache2.d directory - * utils/SubDomain.pm: handle "open" log entries (LP: #427966) - * added ouid parsing support (LP: #431929): - - libraries/libapparmor/testsuite/test_multi.c - - libraries/libapparmor/src/{scanner.l,grammar.y,aalogparse.h, - libaalogparse.c} - - -- Marc Deslauriers Sat, 19 Sep 2009 09:32:02 -0400 - -apparmor (2.3.1+1403-0ubuntu19) karmic; urgency=low - - [ Jamie Strandboge ] - * abstractions/fonts: allow links in @{HOME}/.fontconfig/** - - [ Kees Cook ] - * debian/apparmor.init: expect that the securityfs is mounted, and only - test for the mounted filesystem against the type column when it is not - found. - - -- Kees Cook Wed, 09 Sep 2009 11:42:07 -0700 - -apparmor (2.3.1+1403-0ubuntu18) karmic; urgency=low - - * added the following abstractions: - - ubuntu-browsers: Ux transitions to graphical browsers - - ubuntu-console-browsers: Ux transitions to text-mode browsers - - ubuntu-console-email: Ux transitions to text-mode email clients - - ubuntu-email: Ux transitions to graphical email clients - - ubuntu-gnome-terminal: ix transition for gnome-terminal - - ubuntu-konsole: ix transition for konsole - - ubuntu-xterm: ix transition for xterm - - -- Jamie Strandboge Thu, 03 Sep 2009 11:57:39 -0500 - -apparmor (2.3.1+1403-0ubuntu17) karmic; urgency=low - - * abstractions/base: workaround for ecryptfs and apparmor by allowing - 'owner' match for files in .Private. (LP: #359338) - - -- Jamie Strandboge Mon, 31 Aug 2009 15:38:54 -0500 - -apparmor (2.3.1+1403-0ubuntu16) karmic; urgency=low - - * profiles/apparmor.d/*dovecot*: add first-pass at complain-only - profiles for basic dovecot operation. - - -- Kees Cook Wed, 26 Aug 2009 15:19:46 -0700 - -apparmor (2.3.1+1403-0ubuntu15) karmic; urgency=low - - * utils/SubDomain.pm: don't abort when an include file only contains - hats (LP: #400367) - - -- Marc Deslauriers Wed, 26 Aug 2009 11:35:58 -0400 - -apparmor (2.3.1+1403-0ubuntu14) karmic; urgency=low - - * Pull upstream changes for 64bit capabilities (svn 1427, 1437, 1438). - * Pull upstream changes for pux exec mode (svn 1439). - * debian/apparmor.init: "find" -name is not brace-aware (LP: #418364). - - -- Kees Cook Mon, 24 Aug 2009 18:01:05 -0700 - -apparmor (2.3.1+1403-0ubuntu13) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_main.c: add --skip-read-cache to force reading of - uncached profiles while still allowing for --write-cache to work. - * parser/apparmor_parser.pod: add all missing option documentation. - - [ Jamie Strandboge ] - * abstractions/kde: update for kde4 - - -- Jamie Strandboge Wed, 19 Aug 2009 12:07:06 -0500 - -apparmor (2.3.1+1403-0ubuntu12) karmic; urgency=low - - * abstractions/base: add more locale paths (LP: #413454) - - -- Jamie Strandboge Fri, 14 Aug 2009 07:31:03 -0500 - -apparmor (2.3.1+1403-0ubuntu11) karmic; urgency=low - - * utils/enforce: remove /etc/apparmor.d/disable/ symlink - LP: #413153 - * debian/rules: don't install usr.sbin.ntpd or tunables/ntpd. Can remove - this when we create a new orig.tar.gz - - -- Jamie Strandboge Wed, 12 Aug 2009 10:04:34 -0500 - -apparmor (2.3.1+1403-0ubuntu10) karmic; urgency=low - - * remove apparmor.d/usr.sbin.ntpd and apparmor.d/tunables/ntpd since ntpd - will begin shipping its own profile - - -- Jamie Strandboge Wed, 12 Aug 2009 10:02:53 -0500 - -apparmor (2.3.1+1403-0ubuntu9) karmic; urgency=low - - * Revert 64-bit capabilities (LP: #408773). - - -- Kees Cook Tue, 04 Aug 2009 11:51:27 +0100 - -apparmor (2.3.1+1403-0ubuntu8) karmic; urgency=low - - * Update to upstream subversion r1431. - - change_profile can use regex (LP: #390810, #401931) - * debian/apparmor.init: always clear cache on reload. - - -- Kees Cook Mon, 03 Aug 2009 07:46:33 -0700 - -apparmor (2.3.1+1403-0ubuntu7) karmic; urgency=low - - * profiles/apparmor.d/abstractions/base: add /proc/sys/crypto (LP: #392337). - - -- Kees Cook Sat, 25 Jul 2009 09:04:46 -0700 - -apparmor (2.3.1+1403-0ubuntu6) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_policy.c: return errors instead of exiting. - * debian/apparmor.init: skip more suffixes. - * parser/parser_lex.l: define file suffixes to ignore. - * parser/parser_main.c: disable cache for parsing reports. - * debian/apparmor.init: also remove unparsed profiles. - - [ Jamie Strandboge ] - * update gnome abstraction for /var/run/gdm/auth*/database - * utils/SubDomain.pm: parse profiles in subdirectories, not just include - files (LP: #401935) - - -- Jamie Strandboge Mon, 20 Jul 2009 11:45:24 -0500 - -apparmor (2.3.1+1403-0ubuntu5) karmic; urgency=low - - * Always use --replace when loading profiles so that if profiles - are loaded outside of the init script (e.g. dhcp3), the init - script does not abort (LP: #401109). - * parser/parser_main.c: more carefully create cache files. - - -- Kees Cook Sun, 19 Jul 2009 07:48:11 -0700 - -apparmor (2.3.1+1403-0ubuntu4) karmic; urgency=low - - * utils/SubDomain.pm: exclude new cache directory. - * parser/parser_main.c: - - allow OPTION_REMOVE to work again (LP: #400781). - - warn about using stdin. - - do not cache disabled profiles. - - report cached loading if not quiet. - * debian/apparmor.init: - - do not depend on aa-status. - - only write cache from init script. - - -- Kees Cook Fri, 17 Jul 2009 10:10:05 -0700 - -apparmor (2.3.1+1403-0ubuntu3) karmic; urgency=low - - * debian/apparmor.init: more cleanly handle disabled AppArmor. - - -- Kees Cook Fri, 17 Jul 2009 00:12:19 -0700 - -apparmor (2.3.1+1403-0ubuntu2) karmic; urgency=low - - * improve profile loading speed (LP: #382944): - - parser/parser_lex.l: move include handling into flex parser. - - parser/parser_main.c: - - move disable/complain logic into loader. - - add binary caching. - - debian/apparmor.init: reduce to bare minimum. - - -- Kees Cook Wed, 15 Jul 2009 17:05:49 -0700 - -apparmor (2.3.1+1403-0ubuntu1) karmic; urgency=low - - [ Kees Cook ] - * New upstream bundle (svn1403). - * debian/apparmor.init: add specific Start/Stop dependencies - (LP: #372441). - * debian/control: correctly use lsb-base not sysv for Depends. - - [ Jamie Strandboge ] - * add abstractions/launchpad-integration - * abstractions/audio: add pulseaudio - * add abstractions/private-files* for explicitly denying access to sensitive - files. - - -- Kees Cook Fri, 10 Jul 2009 08:37:54 -0700 - -apparmor (2.3+1289-0ubuntu15) karmic; urgency=low - - * Depend on upstart 0.6.0 which contains upstart-compat-sysv now - - -- Scott James Remnant Fri, 10 Jul 2009 10:28:45 +0100 - -apparmor (2.3+1289-0ubuntu14) jaunty; urgency=low - - * abstractions/smbpass: Add *.ldb used in Samba 3.2 and above (LP: #357581) - - -- Thierry Carrez Wed, 08 Apr 2009 13:42:21 +0200 - -apparmor (2.3+1289-0ubuntu13) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/gnome: allow /proc/$pid/mounts for gvfs. - * abstractions/python: clean up allowed paths (LP: #350820), thanks to - Jonathan Davies. - - [ Jamie Strandboge ] - * abstractions/user-tmp: allow 'k' for files in tmp dirs (LP: #351275) - - -- Jamie Strandboge Tue, 31 Mar 2009 09:57:57 -0500 - -apparmor (2.3+1289-0ubuntu12) jaunty; urgency=low - - * expand allowed library paths to handle unexpected architectures - (LP: #349819). - - -- Kees Cook Fri, 27 Mar 2009 13:48:11 -0700 - -apparmor (2.3+1289-0ubuntu11) jaunty; urgency=low - - * fix path to winbindd_privileged/pipe in winbind abstraction (LP: #348541) - - -- Jamie Strandboge Fri, 27 Mar 2009 08:29:13 -0500 - -apparmor (2.3+1289-0ubuntu10) jaunty; urgency=low - - * utils/SubDomain.pm: - - teach utils about rearranged syslog audit messages (LP: #340183) - from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1393 - - fix corruption of profiles, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1354 - - don't ask about networking events over and over again, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1296 - - use apparmor logdir instead of /tmp to write debugging log - - -- Steve Beattie Thu, 19 Mar 2009 03:05:07 -0700 - -apparmor (2.3+1289-0ubuntu9) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/base: allow /proc/$pid/maps (LP: #343287). - * abstractions/*: clean up lib, lib32, lib64 semantics (LP: #342200). - * abstractions/nameservice: fix up paths for nscd (LP: #342198). - * parser/rc.apparmor.functions, debian/apparmor.init: LSB-ify startup - messages (LP: #295200). - - [ Steve Beattie ] - * libapparmor/src/scanner.l: adjust lexer to fix matching updated audit - messages (LP: #340183) from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1389 - * debian/source_apparmor.py: add a per-package apport hook (LP: #342554). - - -- Kees Cook Wed, 18 Mar 2009 21:18:01 -0700 - -apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low - - * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109) - * utils/SubDomain.pm: re-add dropped patch to not process disable/ as - include files, and also don't process force-complain/ (LP: #331534) - - -- Jamie Strandboge Thu, 12 Mar 2009 12:53:08 -0500 - -apparmor (2.3+1289-0ubuntu7) jaunty; urgency=low - - * abstractions/dbus: add machine-id - * abstractions/audio: add libcanberra paths - * abstractions/freedesktop.org: add user-dirs.dirs - - -- Jamie Strandboge Thu, 12 Feb 2009 11:28:15 -0600 - -apparmor (2.3+1289-0ubuntu6) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/X: add DRI paths. - * parser/Makefile: blacklist AF_PHONET. - - [ Jamie Strandboge ] - * update usr.sbin.smbd profile to write to /var/lib/samba/** and - read/write to /var/run/dbus/system_bus_socket (LP: #294802) - * abstractions/freedesktop.org: use /usr/share/mime/**, @{HOME}/.icons/, - and @{HOME}/.recently-used.xbel* - * abstractions/gnome: add gvfs remote-volume-monitors paths and printing - files - - -- Kees Cook Mon, 22 Dec 2008 17:20:10 -0800 - -apparmor (2.3+1289-0ubuntu5) jaunty; urgency=low - - * abstractions/nameservice: allow read access to - /etc/resolvconf/run/resolv.conf (LP: #286080) - * adjust src/grammar.y and src/scanner.l to account for the moved type=NNNN - field in 2.6.27 kernels and capture non-matching logfile input instead of - printing it to stdout (LP: #271252). Patch thanks to Jesse Michael and - Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1310 - * add syslog test cases to testsuite. Patch thanks to Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1307 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1308 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1309 - - -- Jamie Strandboge Tue, 21 Oct 2008 09:09:58 -0500 - -apparmor (2.3+1289-0ubuntu4) intrepid; urgency=low - - * parser/rc.apparmor.functions: fix typo seen when admin changes - the default location of the apparmor.d directory (LP: #280467). - * abstractions/{samba,base}: clean up unneeded "m" permissions. - * abstractions/perl: add missing default perl paths. - - -- Kees Cook Wed, 08 Oct 2008 16:42:10 -0700 - -apparmor (2.3+1289-0ubuntu3) intrepid; urgency=low - - * add locking permission to /var/log/wtmp abstraction, thanks to - Martin Pitt (LP: #253328). - * utils/logprof.conf: repository updated for Intrepid (LP: #258818). - * profiles/apparmor.d/usr.sbin.nscd: added cache directory (LP: #144383). - * parser/rc.apparmor.functions: redirect stderr (LP: #244013). - * parser/Makefile: blacklist "AF_ISDN". - - -- Kees Cook Wed, 30 Jul 2008 09:29:03 -0700 - -apparmor (2.3+1289-0ubuntu2) intrepid; urgency=low - - [ Mathias Gug ] - * debian/control: - - move apparmor-profiles to a suggested package by apparmor. - - [ Kees Cook ] - * debian/control - - move libterm-readline-gnu-perl to "suggests". - - drop apparmor-modules-source since it no longer exists. - - -- Kees Cook Wed, 02 Jul 2008 12:35:12 -0700 - -apparmor (2.3+1289-0ubuntu1) intrepid; urgency=low - - * Updated to upstream subversion v1289. - - new parser requires new AppArmor kernel LSM. - * debian/control: - - add libapparmor-perl, and associated Depends - - bump standards version to 3.7.3.0 (no changes needed) - * debian/rules: - - adjust "clean" rule to be more effective. - - -- Kees Cook Sat, 28 Jun 2008 15:38:12 -0700 - -apparmor (2.1+1075-0ubuntu10) intrepid; urgency=low - - [ Jamie Strandboge ] - * added abstractions/smbpass and #include it in abstractions/authentication - to allow access to /var/lib/samba/*.tdb. LP: #217787 - - [ Mathias Gug ] - * update likewise-open authentication abstraction: allow access to - privileged pipe (LP: #235646). - * Update smbd profile to include access to /var/spool/samba/ (printer - sharing) and utmp update (LP: #237066). - * Update esound location in audio profile (LP: #229127). - Thanks to Adam Mondl. - * Add dnsmasq profile (LP: #148590). Thanks to John Dong. - - -- Mathias Gug Mon, 09 Jun 2008 18:24:09 -0400 - -apparmor (2.1+1075-0ubuntu9) hardy; urgency=low - - * parser/rc.apparmor.functions: do not abort if parser is missing, in - the case of an unpurged "apparmor" init script running under SELinux. - - -- Kees Cook Mon, 07 Apr 2008 13:25:06 -0700 - -apparmor (2.1+1075-0ubuntu8) hardy; urgency=low - - * Sync bugfixes from upstream 8.04 branch, svn 1161. - - documentation updated to reflect AppArmor 2.1 features. - - minor profile updates (nscd, ntpd, opera) - - util/SubDomain.pm: corrected mask merging and type detection. - - -- Kees Cook Wed, 02 Apr 2008 15:48:58 -0700 - -apparmor (2.1+1075-0ubuntu7) hardy; urgency=low - - * profiles/apparmor.d/abstractions/nameservice: (LP: #207912) - - fix ldap path - - add nsswitch "db" backend paths - - -- Kees Cook Thu, 27 Mar 2008 14:19:06 -0700 - -apparmor (2.1+1075-0ubuntu6) hardy; urgency=low - - [ Kees Cook ] - * utils/SubDomain.pm: - - fix up mask parsing to match kernel version (LP: #202920). - - fix up syslog parsing regexp to match broken kernels (LP: #202888). - * profiles/apparmor.d/abstractions/base: add licenses path for reading. - * profiles/apparmor.d/abstractions/freedesktop.org: include /usr/local. - * profiles/apparmor.d/usr.sbin.smbd: include print client abstraction. - * profiles/apparmor.d/abstractions/nameservice: include missing gai.conf - (LP: #202991). - - [ Jamie Strandboge ] - * add Debian Policy compliant way to toggle complain mode (LP: #203137) - - parser/rc.apparmor.functions: add '-C' to PARSER_ARGS if - force-complain/ exists - - utils/enforce: remove symlink in force-complain/ - - debian/rules: create /etc/apparmor.d/force-complain - - -- Kees Cook Mon, 17 Mar 2008 10:28:23 -0700 - -apparmor (2.1+1075-0ubuntu5) hardy; urgency=low - - * profiles/apparmor.d/abstractions/python: update shared python locations. - * debian/control: adjust Depends to allow sysvinit (LP: #199871). - - -- Kees Cook Tue, 11 Mar 2008 15:25:11 -0700 - -apparmor (2.1+1075-0ubuntu4) hardy; urgency=low - - [ Jamie Strandboge ] - * removed usr.sbin.named and usr.sbin.mysqld, as these will be provided - be bind9 and mysql-server-5.0, respectively. - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/ssl_keys: add ssl_keys abstraction, to - be used by profiles accessing ssl privates keys. - - [ Rick Clark ] - * added abstraction for likewise-open. - - -- Mathias Gug Wed, 13 Feb 2008 19:16:12 -0500 - -apparmor (2.1+1075-0ubuntu3) hardy; urgency=low - - * profiles/apparmor.d/abstractions/fonts: add missing ~/.fonts.conf - * profiles/apparmor.d/sbin.klogd: add newly needed @{PROC}/kallsyms - - -- Kees Cook Wed, 16 Jan 2008 14:16:18 -0800 - -apparmor (2.1+1075-0ubuntu2) hardy; urgency=low - - * utils/apparmor_status: fix module loaded test to handle built-in. - - -- Kees Cook Thu, 03 Jan 2008 17:24:40 -0800 - -apparmor (2.1+1075-0ubuntu1) hardy; urgency=low - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/nameservice: update nameservice - abstraction to support nscd setup. - - [ Kees Cook ] - * merge with upstream trunk revision 1075. - * debian/{control,apparmor.postrm,apparmor.postinst,apparmor.initramfs}: - dropped module hook since module is loaded in kernel automatically now. - * debian/rules: tweaked get-orig-source to use defined variables. - * debian/copyright: mention "get-orig-source" build rule. - * debian/{rules,control,libpam-apparmor.docs}: add libpam-apparmor now - that PAM is 0.99. - - -- Kees Cook Thu, 03 Jan 2008 13:29:31 -0800 - -apparmor (2.1+993-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Add mdns4 resolution to nameservice abstraction. (LP: #148579). - * Update syslog-ng profile. (LP: #148708). - * Add xen tls libraries to base abstraction. (LP: #150282). - * Update cups-client abstraction: add /var/run/cups/cups.sock. (LP: #151269) - - [ Kees Cook ] - * Adjust KDE abstractions for Ubuntu paths (LP: #148309). - - -- Kees Cook Fri, 12 Oct 2007 12:54:36 -0700 - -apparmor (2.1+993-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * debian/control: Set maintainer to Ubuntu Core Developers. - * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not - fail on non-existing profile directory. Fixes LP: #141128. - * debian/rules: don't compress profiles in doc/extras/. - * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages - in syslog files. Fixes LP: #140508. - * Update usr.sbin.nscd profile. Fixes LP: #144383. - - [ Kees Cook ] - * abstractions/gnupg: drop bad attempt at general-purpose client rule. - * abstractions/fonts: adjust for new syntax, add more local fonts paths. - * abstractions/nameservice: add mmap permission to some /etc files. - - -- Kees Cook Tue, 25 Sep 2007 10:23:29 -0700 - -apparmor (2.1+993-0ubuntu1) gutsy; urgency=low - - * new merge from upstream: - * fixes to support new audit messages sent by the kernel module. - * bump in minor library version for libapparmor. - * debian/control: Add perl libterm-readkey-perl and librpc-xml-perl - dependencies for apparmor-utils. Fixes LP: #139757, LP: #139091. - * utils/SubDomain.pm: Re-enable RPC client for remote repositories. - * profiles/apparmor.d/sbin.syslogd: update profile. - Fixes LP: #140672, LP: #140274. - - -- Mathias Gug Tue, 18 Sep 2007 11:12:50 -0400 - -apparmor (2.1+961-0ubuntu5) gutsy; urgency=low - - * utils/SubDomain.pm, parser/rc.apparmor.functions: skip .dpkg-dist profiles. - * debian/rules, debian/apparmor.postinst: fix postinst script failure on - upgrades. Fix LP: #139683. - - -- Mathias Gug Fri, 14 Sep 2007 17:20:01 -0400 - -apparmor (2.1+961-0ubuntu4) gutsy; urgency=low - - [ Mathias Gug ] - * debian/rules: Fix libapparmor-dev build. - * apparmor-profiles: remove gnupg.moved. - - [ Kees Cook ] - * abstractions: adjust gnome for new syntax. - * abstractions: adjust aspell to add locking. - - -- Kees Cook Fri, 14 Sep 2007 09:34:15 -0700 - -apparmor (2.1+961-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Update avahi-daemon profile: add m permission to /etc/password and - /etc/group. - - [ Kees Cook ] - * Rename libapparmor1-dev back to libapparmor-dev. - - -- Kees Cook Thu, 13 Sep 2007 15:44:30 -0700 - -apparmor (2.1+961-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * Disable html documentation: Fixes LP: #139091. - * parser/Makefile, debian/rules: disable html documentation building. - * debian/control: remove latex2html dependency. - * profiles/apparmor.d/usr.sbin.avahi-daemon: add sys_chroot capability. - Fixes LP: #139092. - - [ Kees Cook ] - * profiles/apparmor.d/abstractions/user-tmp: adjust directory permissions - for newly unmasked /tmp handling (LP: #138978). - * utils/SubDomain.pm: disable remote repositories until RPC::XML MIR - clears (LP: 139091). - * utils/*.pod: adjust for Ubuntu paths and "aa-" prefixes (LP: #116647). - * Fix upgrades to not unload profiles, which would cause programs to - become unconfined: - - debian/rules: don't stop apparmor on upgrades. - - debian/apparmor.postinst: reload profiles after a configure. - - -- Kees Cook Wed, 12 Sep 2007 13:14:02 -0700 - -apparmor (2.1+961-0ubuntu1) gutsy; urgency=low - - * New upstream version. - * Support resolvconf. Fix LP: #132468. - * Move package maintainance to bzr: - * Apply all patches directly into the tree with dpatch apply-all. - * debian/patches/: remove all patches as they are applied inline now. - * debian/control, debian/control.modules.in: remove dpatch from - Build Depends. - * debian/rules: - * remove dpatch include. - * remove patch and unpatch dependencies - * debian/control: - * Rename libapparmor-dev to libapparmor1-dev. - Add Provides: and Conflict: tags. - * Remove universe component in Section tag. - * Remove apparmor-utils depends on bsdutils. - * Update apparmor-modules Recommends to apparmor-modules-2.1. - * utils/: - * Add audit man page. - * Fix mod_appamor library: remove rpath info. - * debian/rules: remove rpath info. - * debian/control: add chrpath as a build dependency. - * Remove apparmor-modules-source package: - * debian/conrol: remove apparmor-modules-source package. - * debian/apparmor.postinst, debian/apparmor.preinst, - debian/apparmor.prerm: remove error_handler function. - * debian/rules: remove error_handler option from dh_installinit. - * debian/apparmor-modules-_KVERS_.postinst.modules.in, - debian/control.modules.in: remove control and postinst files. - - -- Mathias Gug Tue, 11 Sep 2007 10:44:56 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu25) gutsy; urgency=low - - * debian/rules: move tunables/ and abstractions/ in apparmor package. - Fixes LP: #130114. - - -- Mathias Gug Mon, 06 Aug 2007 14:40:37 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu24) gutsy; urgency=low - - * Cannot Depend on apparmor-modules-* in apparmor due to germinate - issues. Moved to Recommends. - - -- Kees Cook Mon, 23 Jul 2007 11:08:38 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu23) gutsy; urgency=low - - * debian/control: add explicit Depends on l-u-m apparmor kernel modules. - - -- Kees Cook Wed, 18 Jul 2007 21:07:03 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu22) gutsy; urgency=low - - * 13-subdomain.pm-skip-files.dpatch: update isSkippable function in - SubDomain.pm to skip the same files as rc.apparmor.functions (used by the - init script) : .dpkg-old, .dpkg-new and symlinks in disable/ - sub-directory. - - -- Mathias Gug Thu, 12 Jul 2007 06:56:45 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu21) gutsy; urgency=low - - * 07-apparmor-init-script.dpatch, debian/rules: skip profiles that have a - link in /etc/apparmor.d/disable. Update rules file : create - /etc/apparmor.d/disable. - - -- Mathias Gug Mon, 09 Jul 2007 11:07:29 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu20) gutsy; urgency=low - - * debian/control - - fix typo in XS-Vcs. - - adjust apparmor-modules-source to no longer be required and document - the fact that the modules come from the linux-ubuntu-modules package - now. - - add initramfs-tools for loading apparmor modules early. - * debian/apparmor.{initramfs,postinst,prerm}, debian/rules: install - initramfs hook and update-initramfs for adding armor modules for boot. - - -- Kees Cook Fri, 06 Jul 2007 03:41:06 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu19) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: pass back the correct string pointer - so as to not corrupt kernel memory (LP: #123081). - * debian/control: add XS-Vcs for bzr branch. - - -- Kees Cook Tue, 03 Jul 2007 09:07:52 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu18) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add m permission for all libraries - under /usr/lib/**, so that ssl libraries optimized for i686 can be - accessed. - * 09-profile-usr-sbin-mysqld.dpatch: add m permission to /etc/passwd, - /etc/group. - * 12-profile-samba.dpatch: add profile for smbd and nmbd daemons from - samba. - * 99-complain-all-profiles.dpatch: turn complain mode for smbd and nmbd - profiles. - - -- Mathias Gug Fri, 29 Jun 2007 15:19:15 +0200 - -apparmor (2.0.1+510.dfsg-0ubuntu17) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: match upstream more closely, check - for errors. - - -- Kees Cook Tue, 26 Jun 2007 16:00:08 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu16) gutsy; urgency=low - - * Added 11-getprocattr-api.dpatch: update kernel module for getprocattr - API change (LP: #122444). - - -- Kees Cook Tue, 26 Jun 2007 15:21:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu15) gutsy; urgency=low - - * debian/apparmor.init: do not unload apparmor module on stop, since it - already defaults to capabilities-compatible fall back and we don't want - to lose the started process knowledge of the module for the next load of - the parser. - * Added 10-namespace-header.dpatch: include namespace_sem extern, since - mnt_namespace.h is missing it currently. - * Updated 07-apparmor-init-script.dpatch: ignore .dpkg-old profiles. - - -- Kees Cook Tue, 26 Jun 2007 10:04:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu14) gutsy; urgency=low - - * Correct missing libapparmor1 file contents. - - -- Kees Cook Thu, 21 Jun 2007 08:04:42 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu13) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add /lib/tls/i686/cmov/lib* to base - abstraction to support i686 optimized libraries from libc6-i686 package. - * 09-profile-usr-sbin-mysqld.dpatch: - * add profile usr.sbin.mysqld - * update abstractions/mysql - * debian/rules: remove extras/usr.sbin.mysqld. - * 99-complain-all-profiles.dpatch: - * put mysqld profile in complain mode. - * put named profile in complain mode. - - -- Mathias Gug Wed, 20 Jun 2007 12:12:28 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu12) gutsy; urgency=low - - * Add missing dh_makeshlibs call to rules, fix up libapparmor naming. - - -- Kees Cook Wed, 20 Jun 2007 09:15:48 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu11) gutsy; urgency=low - - * Packaged libapparmor, libapparmor-dev, and libapache2-mod-apparmor. - - -- Kees Cook Mon, 18 Jun 2007 18:27:46 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu10) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch, 06-profile-usr-sbin-named.dpatch: - move /dev/random into abstractions/base. - * 06-profile-usr-sbin-named.dpatch: Add sys_chroot capability. - * debian/rules: don't package aa-eventd and Reports.pm as they use perl - modules not maintained in main. - Reports.pm is only used by Yast for now. aa-eventd maintains an - sqlite database of audit messages which is used by Reports.pm. - If configured (not by default), aa-eventd can also send emails when - AppArmor audit messages are emited. - * debian/control: Add universe component to Section: header. Needed to make - it work with PPA. - - -- Mathias Gug Fri, 15 Jun 2007 12:47:05 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu9) gutsy; urgency=low - - * 06-profile-usr-sbin-named.dpatch : Generate a new profile for - /usr/sbin/named to make it work with bind9. - * debian/apparmor.init, 07-apparmor-init-script.dpatch: merge ubuntu - changes with the latest version from upstream. - * 99-complain-all-profiles.dpatch : put all profiles into complain mode by - default. - Add a small script (put-all-profiles-in-complain-mode.sh) in - debian/ that takes care of automatically setting all profiles into - complain mode. This script should be used by the maintainer to set all - profiles in complain mode before packaging them. - - -- Mathias Gug Wed, 6 Jun 2007 13:41:57 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu8) gutsy; urgency=low - - * Start apparmor as early as possible in the boot process : just after - mountall in rcS.d. Add preinst script to remove symlinks previously - installed in rc*.d/. - (LP: #116624). - * Sync 04-apparmor-status.dpatch with upstream apparmor_status. The previous - patch has been merged in upstream. - * Update klogd profile : add /var/run/klogd/klogd.pid and - /var/run/klogd/kmsg to the profile. - - -- Mathias Gug Thu, 31 May 2007 14:26:03 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu7) gutsy; urgency=low - - * 03-profile-usr-sbin-ntpd.dpatch: udpdate profile for ntpd daemon. Add - /var/lib/ntp/ntp.drift and /var/log/ntpstats/peerstats* to the profile. - - * 04-apparmor-status.dpatch: improve apparmor_status script. Report more - detailed information. - - -- Mathias Gug Tue, 29 May 2007 13:05:55 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu6) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: Update abstractions for changes - specific to Gnome, Debian, and 32bit on 64bit environments. - * debian/control: adjust Recommends to apparmor-modules-source - (LP: #113553). - * debian/apparmor.init: moved rmmod/modprobe into init script, and dropped - alias to avoid confusion and move control of the LSM closer to loading - the profiles and work around capability already being loaded in the - initrd (LP: #113887). - - -- Kees Cook Thu, 17 May 2007 20:34:41 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu5) gutsy; urgency=low - - * 01-logger-path.dpatch: Fix path to logger (LP: #112147). - - -- Kees Cook Thu, 03 May 2007 11:59:34 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu4) feisty; urgency=low - - * debian/control: move apparmor-modules to Recommends to Avoid - uninstallable situation when AppArmor modules haven't yet been - compiled/installed. - - -- Kees Cook Wed, 11 Apr 2007 11:39:39 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu3) feisty; urgency=low - - * debian/rules, debian/apparmor.{postinst,prerm}: ignore init script - failures so that they don't block package installs/upgrades/uninstalls. - - -- Kees Cook Wed, 11 Apr 2007 08:52:37 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu2) feisty; urgency=low - - * debian/control: add missing Depend on 'dpatch' for modules-source. - - -- Kees Cook Sat, 7 Apr 2007 09:35:16 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu1) feisty; urgency=low - - * Initial release, thanks to Magnus Runesson and Jesse Michael - (LP: #95334). - - -- Kees Cook Fri, 23 Mar 2007 16:42:01 -0700 diff -Nru apparmor-2.10/debian/changelog.dch apparmor-2.10/debian/changelog.dch --- apparmor-2.10/debian/changelog.dch 2015-09-01 22:01:49.000000000 +0000 +++ apparmor-2.10/debian/changelog.dch 1970-01-01 00:00:00.000000000 +0000 @@ -1,3257 +0,0 @@ -apparmor (2.10-0ubuntu5) wily; urgency=medium - - * debian/libapparmor-dev.manpages: add 5 missing libapparmor manpages - (LP: #1491147) - - -- Steve Beattie Tue, 01 Sep 2015 14:17:16 -0700 - -apparmor (2.10-0ubuntu4) wily; urgency=medium - - * Rebuild against python3.5. - - -- Dimitri John Ledkov Sat, 15 Aug 2015 22:12:50 +0100 - -apparmor (2.10-0ubuntu3) wily; urgency=medium - - * debian/patches/parser-fix-cache-file-mtime-regression.patch: Fix a bug - that resulted in the mtime of generate policy cache files to be set - incorrectly. The mtime of cache files should be the newest mtime detected - on the profile and abstraction files used to generate the policy cache - file. However, the bug caused the mtime of the policy cache file to either - not be updated or to be updated to an incorrect time. (LP: #1484178) - * debian/patches/parser-verify-cache-file-mtime.patch: Add tests to verify - that the policy cache file's mtime is being set correctly and that cache - handling is correct when the profile or abstraction files are newer than - the policy cache file. - * debian/patches/parser-run-caching-tests-without-apparmorfs.patch, - debian/patches/parser-do-cleanup-when-test-was-skipped.patch: Enable the - caching tests to run on the buildds even though apparmorfs isn't mounted. - - -- Tyler Hicks Wed, 12 Aug 2015 13:01:56 -0500 - -apparmor (2.10-0ubuntu2) wily; urgency=medium - - * debian/patches/aa-status-dont_require_python3-apparmor.patch: - make aa-status(8) work even when python3-apparmor is not installed, - otherwise dh_apparmor postinst snippets can fail (LP: #1480492) - * debian/control: make apparmor-utils depend on the same package - version of python3-apparmor - - -- Steve Beattie Fri, 31 Jul 2015 16:35:03 -0700 - -apparmor (2.10-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.10 - - libapparmor added functions to ease loading profile cache files to - help support systemd on-demand load of policy (LP: #1385414) - - apparmor parser: fixed policy generation to allow matching - embedded NULs in abstract unix socket names (LP: #1413410) - - aa-status: don't traceback when not permitted to read current - set of apparmor policy (LP: #1466768) - - aa-logprof: don't crash on policies that have an #include of a - directory (LP: #1471425) - - aa-logprof: fix crash when network rejections occur when file - operations are performed on network sockets (LP: #1466812) - * dropped reproducible-pdf.patch, incorporated upstream - * debian/patches/tests-fix_sysctl_test.patch: fix sysctl test failure - with 4.1 kernel and newer. - * debian/control: add alternate dependency on linux-initramfs-tool - (LP: #1109029) - * debian/libapparmor1.symbols: update symbols file for added symbols - in libapparmor - - -- Steve Beattie Thu, 23 Jul 2015 01:57:43 -0700 - -apparmor (2.9.2-0ubuntu2) wily; urgency=medium - - * No-change rebuild for python3.5 transition - - -- Steve Langasek Wed, 22 Jul 2015 04:07:28 +0000 - -apparmor (2.9.2-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.9.2 - - Fix minitools to work with multiple profiles at once (LP: #1378095) - - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598) - - Update dovecot profiles (LP: #1296667) - - Allow ubuntu-helpers to build texlive fonts (LP: #1010909) - * dropped patches incorporated upstream: - add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch - parser-fix_modifier_compilation_+_tests.patch, - tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch, - GDM_X_authority-lp1432126.patch, and - debian/patches/easyprof-framework-policy.patch - * Partial merge with debian apparmor package: - - debian/rules: enable the bindnow hardening flag during build. - - debian/upstream/signing-key.asc: add new upstream public - signing key - - debian/watch: fix watch file, add gpg signature checking - - install libapparmor.so dev symlink under /usr not /lib - - debian/patches/reproducible-pdf.patch: make techdoc.pdf - reproducible even in face of timezone variations. - - debian/control: sync fields - - debian/debhelper/postrm-apparmor: remove - /etc/apparmor.d/{disable,} on package purge - - debian/libapache2-mod-apparmor.postrm: on package purge, delete - /etc/apparmor.d/{,disable} if empty - - debian/libapparmor1.symbols: Use Build-Depends-Package in the - symbols file. - - debian/copyright: sync - - -- Steve Beattie Mon, 11 May 2015 22:03:04 -0700 - -apparmor (2.9.1-0ubuntu9) vivid; urgency=medium - - * Make debian/lib/apparmor/profile-load executable. - - -- Serge Hallyn Thu, 02 Apr 2015 13:00:35 -0500 - -apparmor (2.9.1-0ubuntu8) vivid; urgency=medium - - [ Steve Beattie ] - * debian/rules: run make check on the libapparmor library - * add-chromium-browser.patch: add support for chromium policies - (LP: #1419294) - * debian/apparmor.{init,upstart}: add support for triggering - aa-profile-hook runs when packages are updated via snappy system - image updates (LP: #1434143) - * parser-fix_modifier_compilation_+_tests.patch: fix compilation - of audit modifiers for exec and pivot_root and deny modifiers on - link rules as well as significantly expand related tests - (LP: #1431717, LP: #1432045, LP: #1433829) - * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work - around pivot_root test failures due to init=systemd (LP: #1436109) - * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority - file to X abstraction (LP: #1432126) - - [ Jamie Strandboge ] - * easyprof-framework-policy.patch: add --include-templates-dir and - --include-policy-groups-dir options to easyprof to support framework - policy on snappy - - [ Robie Basak ] - * Add /lib/apparmor/profile-load; moved from - /lib/init/apparmor-profile-load from the upstart package. A wrapper at - the original path is now provided by init-system-helpers. (LP: #1432683) - - -- Jamie Strandboge Sat, 28 Mar 2015 07:22:30 -0500 - -apparmor (2.9.1-0ubuntu7) vivid; urgency=medium - - * systemd-dev-log-lp1413232.patch: Allow writes to the systemd journal - socket /{,var}/run/systemd/journal/dev-log. This can be dropped with - with AppArmor 2.9.2. (LP: #1413232) - - -- Jamie Strandboge Fri, 06 Mar 2015 06:22:34 -0600 - -apparmor (2.9.1-0ubuntu6) vivid; urgency=medium - - * add-mir-abstractions-lp1422521.patch: add correct location of - mir specific libraries and mir unprivileged client socket - to mir abstraction (LP: #1422521) - - -- Steve Beattie Tue, 03 Mar 2015 10:42:24 -0800 - -apparmor (2.9.1-0ubuntu5) vivid; urgency=medium - - * debian/apparmor.init: Replace unnecessary $remote_fs dependency with - $local_fs. This is sufficient as during boot we don't use anything from - /usr. It's also necessary to avoid dependency cycles when using NFS (as - its dependencies should be covered by AppArmor). (LP: #1312976) - - -- Martin Pitt Tue, 03 Mar 2015 08:54:33 +0100 - -apparmor (2.9.1-0ubuntu4) vivid; urgency=medium - - * Update to apparmor 2.9.1 - - make parser mount rule options consistent with documentation - (LP: #1401619) - - make parser fail if unknown mount options are encountered - (LP: #1401621) - - stop aa-logprof from asking about already allowed network rules - (LP: #1380367) - - make utils offer abstractions for network rules (LP: #1380367) - - make libapparmor understand logs generated by syslog-ng - (LP: #1399027) - - stop python utilities from adding duplicate quotes (LP: #1328707) - - work around aa-cleanprof crashes (LP: #1382236) - - other bug fixes, performance improvements, and testcases added to - the python utils. - - policy updates for dnsmasq, nscd, and others - - translation updates - * Partial sync with debian apparmor package: - - debian/apparmor-profiles.install: add additional dovecot and - smbldap-useradd profiles - - debian/control: fix typo in apparmor-docs description, fix file - overwrite issues with python-apparmor, apparmor-docs - - debian/rules: improved repeat-build cleanup logic. - - Add Turkish translation of debconf messages. Thanks to - Mert Dirik for the patch! - - debian/apparmor.postrm: Remove - /var/lib/apparmor/profiles/.apparmor.md5sums and parent - directories on package purge. - * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover - mir specific libraries (LP: #1422521) - * debian/rules: remove no longer needed references to PERLDIR when - installing from utils/ - - -- Steve Beattie Tue, 17 Feb 2015 16:31:25 -0800 - -apparmor (2.8.98-0ubuntu4) vivid; urgency=medium - - * Ship libapparmor in /lib instead of /usr as we want to use it in systemd - now. (LP: #1397960) - - -- Martin Pitt Mon, 01 Dec 2014 15:37:32 +0100 - -apparmor (2.8.98-0ubuntu3) vivid; urgency=medium - - * debian/lib/apparmor/functions: disable expr tree simplification for - /var/lib/apparmor/profiles (LP: #1383858) - * parser-dont-skip-read-cache-with-optimizations.patch: don't skip read - cache when specifying '-O' (LP: #1385947) - - -- Jamie Strandboge Tue, 28 Oct 2014 17:41:08 -0500 - -apparmor (2.8.98-0ubuntu2) utopic; urgency=medium - - * Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98) - - fix logparsing memory leak (LP: #1340927) - - incorporate fixes to regression testsuite to compensate for - af_unix mediation, as well as extend test coverage - (LP: #1375403, LP: #1375516) - - fix libapparmor's log parsing code to accept additional rejection - types (LP: #1375413) - - fix X abstraction for changed lightdm xauthority file locations - (LP: #1339727) - - parser: disable downgrade and not enforced rule messages - by default (LP: #1302735) - - fix error when using regex profile names in IPC rules - (LP: #1373085) - - update base abstraction for /proc/sys/kernel/cap_last_cap for dnsmasq - (LP: #1378977) - - update freedesktop.org for @{HOME}/.config/mimeapps.list (LP: #1377140) - - update gnome abstraction for access to @/dbus-vfs-daemon/socket-* - (LP: #1375067) - - update ubuntu-browsers.d/java abstraction for icedtea plugin access - in /{,var/}run/user/*/icedteaplugin-* (LP: #1293439) - - update user-mail abstraction for /var/mail (LP: #1192965) - - updates and fixes to the python utilities - - translation updates - - [ Steve Beattie ] - * Removed upstreamed patches: - drop-peer_addr-with-local-addr-in-base.patch, - update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch, sanitized-helpers-updates.patch, - 01-tests-unix_socket_lists.patch, - 02-tests-accept_unix_rules_in_mkprofile.patch, - 03-tests-unix_sockets_v7_pathnames.patch, - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - 05-tests-add_abstract_socket_tests.patch, - 06-tests-use_socketpair_and_none.patch, - 07-parser-fix_local_perms.patch, - 08-phpsysinfo-policy-updates.patch, - 09-apache2-policy-instructions.patch, - 10-lp1371771.patch, 11-lp1371765.patch, - lp1169881.patch - * refreshed etc-writable.patch and libapparmor-layout-deb.patch - * debian/control: add breaks on python3-apparmor against older - apparmor-utils that used to be where python bits lived - (LP: #1373259) - * debian/apport/source_apparmor.py: - - fixes the apparmor apport hook so it does not raise an exception if - a non-unicode character is found in /var/log/kern.log or in - /var/log/syslog. This should work under python3 or python2.7 - (LP: #1304447) - - adjusts the add_info() function to take the expected additional ui - argument, though it has no need for it. - - converts the log parsing code to use with statements so as not to - leak open file descriptors - - updates the set of packages to query to see if installed and if so, - report the version of. - - adjust import to make pyflakes job easier - - minor pep8 cleanups - - [ Jamie Strandboge ] - * add-chromium-browser.patch: - - don't allow writing to the oom score and adjust files since this allows - chromium to change the values for any process matching our UID - - allow writing to /run/shm/shmfd-* - - add a few signal rules from base abstraction for the sandbox - * debian/apparmor.upstart: check if click-apparmor md5sums changed so we - regenerate the policy if it changes too (LP: #1371574) - * debian/apparmor.init: make corresponding upstart change to initscript - * debian/lib/apparmor/functions: fall back to using -n1 if the parser failed - to load a profile set. This should be removed when the parser properly - handles profile sets with corrupted profiles (LP: 1377338) - * debian/control: fix typo (LP: #1187447) - - -- Steve Beattie Thu, 09 Oct 2014 22:39:32 -0700 - -apparmor (2.8.96~2652-0ubuntu7) utopic; urgency=medium - - * add-chromium-browser.patch: user addr=none instead of peer=(addr=none) - (LP: #1374363) - - -- Jamie Strandboge Sat, 27 Sep 2014 07:41:07 -0500 - -apparmor (2.8.96~2652-0ubuntu6) utopic; urgency=medium - - * lp1169881.patch: add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881) - * debian/control: update Breaks on lxc 1.1.0~alpha1-0ubuntu5~ (LP: #1373555) - - -- Jamie Strandboge Thu, 25 Sep 2014 09:03:06 -0500 - -apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium - - [ Jamie Strandboge ] - * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation - * 10-lp1371771.patch: don't exit prematurely and fail to load remaining - policy if encounter a corrupt cache file (LP: #1371771) - * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it - (LP: #1371765) - * debian/lib/apparmor/functions: - - don't return 0 on parsing failure. Patch thanks to Felix Geyer - (LP: #1370228) - - use xargs -n1 when we don't have cache files, but omit it when we do. - This allows taking full advantage of xargs -P when we need it most, - without the cost when we don't. - - [ Steve Beattie ] - * update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch: update socketpair regression tests for - af_unix socket mediation - - -- Jamie Strandboge Mon, 22 Sep 2014 09:39:10 -0500 - -apparmor (2.8.96~2652-0ubuntu4) utopic; urgency=medium - - * debian/apparmor.{upstart,init}: make sure we always update the .md5sums - for apparmor-easyprof-ubuntu even when apparmor is updated (before if both - were updated, aa-clickhook -f would be run on the 1st and 2nd boot rather - than just the 1st) - * debian/apparmor.postinst: update the cached .md5sums file on upgrade to - avoid running on install and then again on first boot after upgrade. This - change only affects apt upgrades and not system-image upgrades since - system-image upgrades always use the existing .md5sums if they exist (see - /etc/system-image/writable-paths). - * ubuntu-manpage-updates.patch: adjust for move to upstart job and click - policy - * debian/lib/apparmor/functions: don't pass costly '-n1' to xargs in - foreach_configured_profile() when loading valid cache files. This used to - be needed when apparmor_parser would generate different binary caches when - compiling policy one profile at a time and all at once. That bug is long - fixed and removing -n1 gives a significant performance improvement for - boots with valid cache files (~65% on armhf) - - -- Jamie Strandboge Fri, 12 Sep 2014 13:45:35 -0500 - -apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium - - * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu - 14.10 - * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu - packaging - * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin, - and lightdm. Add Breaks on rsyslog. - - -- Jamie Strandboge Mon, 08 Sep 2014 16:13:10 -0500 - -apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium - - * 07-parser-fix_local_perms.patch: do not output local permissions for rules - that have peer_conditionals. Patch from John Johansen - - -- Jamie Strandboge Fri, 05 Sep 2014 23:34:53 -0500 - -apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium - - * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152) - - [ Steve Beattie ] - * removed upstreamed patches: - - dnsmasq-libvirtd-signal-ptrace.patch - - update-base-abstraction-for-signals-and-ptrace.patch - - update-nameservice-abstraction-for-extrausers.patch - - debian/apparmor-profiles.install: dropped program-chunks/postfix-common, - moved to abstractions/ and covered by apparmor.install - - refreshed libapparmor-layout-deb.patch patch - * Add in Tyler Hicks' regression test improvements: - - 01-tests-unix_socket_lists.patch, - - 02-tests-accept_unix_rules_in_mkprofile.patch, - - 03-tests-unix_sockets_v7_pathnames.patch, - - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - - 05-tests-add_abstract_socket_tests.patch, - * 07-parser-fix_local_perms.patch: do not output local permissions - for rules that have peer_conditionals - - [ Jamie Strandboge ] - * add-chromium-browser.patch: update for unix socket mediation - * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none) - with getattr, getopt, setopt and shutdown - - [ Tyler Hicks ] - * debian/lib/apparmor/functions, debian/apparmor.init, - debian/apparmor.upstart: Ensure system policy cache cannot become stale - after image based upgrades that update the system profiles (LP: #1350673) - * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust - the default parser.conf file, to add /usr/share/apparmor as an additional - search path when resolving include directives in profiles, and install the - file in /etc/apparmor. Ubuntu places hardware specific access rules in - /usr/share/apparmor/hardware. This change allows these files to be - included without using an absolute path (e.g., - '#include '). - - -- Jamie Strandboge Fri, 05 Sep 2014 16:27:48 -0500 - -apparmor (2.8.96~2541-0ubuntu3.1) utopic; urgency=medium - - * Updates for perl 5.20 multiarch transition - - debian/libapparmor-perl.install: don't hardcode usr/lib/perl5 but - instead use $Config{vendorarch} in an executable install file. Make it - executable - - debian/control: Build-Depends on debhelper (>= 9) (9 is needed to use - an executable install file) - - debian/patches/perl-multiarch.patch: - + add @{multiarch} paths to perl abstraction - + update logprof.conf, severity.db and corresponding tests for updated - perl path - - -- Jamie Strandboge Tue, 19 Aug 2014 14:33:02 -0500 - -apparmor (2.8.96~2541-0ubuntu2) utopic; urgency=medium - - * update-nameservice-abstraction-for-extrausers.patch: update nameservice - abstraction to allow passwd and group when using libnss-extrausers - - -- Jamie Strandboge Mon, 28 Jul 2014 08:16:39 -0500 - -apparmor (2.8.96~2541-0ubuntu1) utopic; urgency=medium - - * Updated to r2541 snapshot of 2.8.96: - - removed upstreamed patches: convert-to-rules.patch, list-fns.patch, - parse-mode.patch, add-decimal-interp.patch, policy_mediates.patch, - fix-failpath.patch, feature_file.patch, fix-network.patch, - aare-to-class.patch, add-mediation-unix.patch, parser_version.patch, - caching.patch, label-class.patch, fix-lexer-debug.patch, - use-diff-encode.patch, fix-serialize.patch, - fix-ppc-endian-ftbfs.patch, opt_arg.patch, tests-cond-dbus.patch, - initialize-mount-flags.patch, fix-typo-in-dbus_write.patch, - limited-mount-rule-support.patch, bare-capability-rule-support.patch, - check-config-for-sysctl.patch, increase-swap-size.patch, - test-v6-policy.patch, test-mount-mediation.patch, - mediate-signals.patch, change-signal-syntax.patch, - mediate-ptrace.patch, change-ptrace-syntax.patch, - test-signal-rules.patch, test-ptrace-rules.patch, - update-tests-for-new-semantics.patch, - fix-garbage-in-preprocessor-output.patch, - fix-double-comma-in-preprocessor-output.patch, - symtab-tests-and-seenlist-bug.patch, add-profile-name-variable.patch, - fix-names-treated-as-condlistid.patch, manpage-signal-ptrace.patch, - python-utils-file-support.patch, python-utils-signal-support.patch, - python-utils-ptrace-support.patch, - python-utils-pivot_root-support.patch. - * Added upstart job (LP: #1305108) - - debian/apparmor.upstart: new upstart job. - - debian/apparmor.init: added click handling, move some code to - unload_obsolete_profiles(). - - debian/lib/apparmor/functions: add unload_obsolete_profiles(). - - debian/apparmor.postinst, debian/apparmor-profiles.postinst: reload - profiles directly since invoke-rc.d won't allow to do this easily - with upstart and systemd jobs. - - debian/rules: pass --no-start to dh_installinit since we're handling - reloading profiles manually in the postinst scripts. - - debian/control: add a versioned apparmor Depends to the - apparmor-profiles package to make sure the required tools are - installed for the postinst script. - - -- Marc Deslauriers Fri, 20 Jun 2014 07:20:34 -0400 - -apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium - - * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin, - lightdm and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 04 Apr 2014 01:07:24 -0500 - -apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium - - [ John Johansen, Steve Beattie ] - * Add userspace support for AppArmor signals and ptrace mediation - (LP: #1298611) - + debian/patches/mediate-signals.patch, - debian/patches/change-signal-syntax.patch: Parse signal rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/change-ptrace-syntax.patch, - debian/patches/mediate-ptrace.patch: Parse ptrace rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/test-signal-rules.patch, - debian/patches/test-ptrace-rules.patch, - debian/patches/update-tests-for-new-semantics.patch: Update existing - tests and add new tests for signal and ptrace mediation - + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing - apparmor_parser preprocessor output to contain garbage after include - statements - + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug - causing apparmor_parser preprocessor output to contain double commas - after some rules - + debian/patches/symtab-tests-and-seenlist-bug.patch, - debian/patches/add-profile-name-variable.patch: Add ${profile_name} - variable for use in profiles when rules need to specify the current - profile's name. This is useful for signal and ptrace rules that specify - + debian/patches/fix-names-treated-as-condlistid.patch: Fix - apparmor_parser bug that caused mount and dbus rules to fail for sets of - values - - [ Jamie Strandboge ] - * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch: - Adjust the base abstraction for signals and ptrace mediation. Profiles - that use the base abstraction can deny any of the granted permissions to - achieve tighter confinement. - * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man - page to document signal rules, ptrace rules, and variables for use in - AppArmor profiles - * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq - profile to allow libvirtd to send signals to and ptrace read the dnsmasq - process - * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser - profile for permissions needed in newer chromium-browser versions and add - the rules needed for AppArmor ptrace mediation - - [ Tyler Hicks ] - * Add new rule type support to aa.py to fix tracebacks when using the Python - utilities in apparmor-utils on systems with AppArmor profiles containing - previously unsupported rule types - - debian/patches/python-utils-file-support.patch: Support path rules - containing the "file" prefix (LP: #1295346) - - debian/patches/python-utils-signal-support.patch: Parse and write signal - rules (LP: #1300316) - - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace - rules (LP: #1300317) - - debian/patches/python-utils-pivot_root-support.patch: Parse and write - pivot_root rules (LP: #1298678) - - -- Tyler Hicks Thu, 03 Apr 2014 15:50:26 -0500 - -apparmor (2.8.95~2430-0ubuntu3) trusty; urgency=medium - - [ Jamie Strandboge ] - * debian/lib/apparmor/functions: properly calculate number of profiles in - /var/lib/apparmor/profiles (LP: #1295816) - * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d - (LP: #1288241) - - remove debian/notify/90apparmor-notify - - add debian/notify/apparmor-notify.desktop - - debian/apparmor-notify.install: adjust for the above - - add debian/apparmor-notify.maintscript to remove 90apparmor-notify - * debian/notify/notify.conf: use_group should be set to "sudo" instead of - "admin" (LP: #1009666) - - [ Tyler Hicks ] - * debian/patches/initialize-mount-flags.patch: Initialize the variables - containing mount rule flags to zero. Otherwise, the parser may set - unexpected bits in the mount flags field for rules that do not specify - mount flags. The uninitialized mount flag variables may have caused - unexpected AppArmor denials during mount mediation. (LP: #1296459) - * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to write out network rules instead of dbus rules - * debian/patches/limited-mount-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a mount rule (LP: #1294825) - * debian/patches/bare-capability-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a bare capability rule - (LP: #1294819) - * debian/patches/check-config-for-sysctl.patch, - debian/patches/increase-swap-size.patch: Fix bugs in the regression test - suite that caused errors when running on ppc64el - * debian/patches/test-v6-policy.patch, - debian/patches/test-mount-mediation.patch: Improve the regression tests - by increasing the mount rule test coverage - - -- Tyler Hicks Thu, 27 Mar 2014 14:12:29 -0500 - -apparmor (2.8.95~2430-0ubuntu2) trusty; urgency=medium - - * debian/control: Depends on python-pkg-resources for python-apparmor and - python3-pkg-resources for python3-apparmor to fix autopkgtests in - click-apparmor and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Thu, 20 Mar 2014 19:33:51 -0500 - -apparmor (2.8.95~2430-0ubuntu1) trusty; urgency=low - - [ Jamie Strandboge ] - - * debian/debhelper/dh_apparmor: exit with error if aa-easyprof does not - exist - * debian/control: drop Depends on apparmor-easyprof to Suggests for - dh-apparmor - - [ Seth Arnold, Jamie Strandboge, Steve Beattie, John Johansen, Tyler Hicks ] - - * New upstream snapshot (LP: #1278702, #1061693, #1285653) dropping very - large Ubuntu delta and fixing the following bugs: - - Adjust fonts abstraction for libthai (LP: #1278702) - - Support translated XDG user directories (LP: #1061693) - - Adjust abstractions/web-data to include /var/www/html (LP: #1285653) - Refresh 0002-add-debian-integration-to-lighttpd.patch to include - /etc/lighttpd/conf-available/*.conf - - Adjust debian/libapparmor1.symbols to reflect new upstream versioning - for the aa_query_label() function - - Raise exceptions in Python bindings when something fails - * ship new Python replacements for previous Perl-based tools - - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and - add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof - - debian/control: - + remove various Perl dependencies - + add python-apparmor and python3-apparmor - + python3-apparmor Breaks: apparmor-easyprof to move the file since it - ships dist-packages/apparmor/__init__.py now - - debian/apparmor-utils.manpages: ship new manpages for aa-cleanprof and - aa-mergeprof - - debian/rules: build and install Python tools - * debian/apparmor.install: - - install apparmorfs, dovecot, kernelvars, securityfs, sys, - and xdg-user-dirs tunables and xdg-user-dirs.d directory - * debian/apparmor.dirs: - - install /etc/apparmor.d/tunables/xdg-user-dirs.d - * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local - * debian/apparmor.postinst: create xdg-user-dirs.d/site.local - * debian/apparmor.postrm: remove xdg-user-dirs.d - * Remaining patches: - - add-chromium-browser.patch - - add-debian-integration-to-lighttpd.patch - - ubuntu-manpage-updates.patch - - libapparmor-layout-deb.patch - - libapparmor-mention-dbus-method-in-getcon-man.patch - - etc-writable.patch - - aa-utils_are_bilingual.patch - * New patches: - - convert-to-rules.patch - - list-fns.patch - - parse-mode.patch - - add-decimal-interp.patch - - policy_mediates.patch - - fix-failpath.patch - - feature_file.patch - - fix-network.patch - - aare-to-class.patch - - add-mediation-unix.patch - - parser_version.patch - - caching.patch - - label-class.patch - - fix-lexer-debug.patch - - use-diff-encode.patch - - fix-serialize.patch - - fix-ppc-endian-ftbfs.patch - - opt_arg.patch - - tests-cond-dbus.patch - * Move manpages from libapparmor1 to libapparmor-dev - - debian/libapparmor-dev.manpages: install aa_change_hat.2, - aa_change_profile.2, aa_find_mountpoint.2, aa_getcon.2 - - debian/control: libapparmor-dev Replaces: and Breaks: libapparmor1 - * Move /usr/lib/python3/dist-packages/apparmor/__init__.py from - apparmor-easyprof to python3-apparmor - - debian/control: python3-apparmor Breaks: apparmor-easyprof - - debian/apparmor-easyprof.install: remove - usr/lib/python*.*/site-packages/apparmor* - * New profiles and abstractions: - - debian/apparmor.install: tunables/dovecot, tunables/kernelvars, - tunables/xdg-user-dirs, tunables/xdg-user-dirs.d - - -- Seth Arnold Wed, 19 Mar 2014 20:29:27 -0700 - -apparmor (2.8.94-0ubuntu1.4) trusty; urgency=low - - * Test merge from upstream new pyutils branch (rev 2385) - - -- Steve Beattie Thu, 13 Feb 2014 14:16:24 -0800 - -apparmor (2.8.0-0ubuntu38) trusty; urgency=low - - [ Tyler Hicks ] - * 0084-parser-add-dbus-eavesdrop-perm.patch: Add an eavesdrop permission to - the dbus rule type, allowing confined applications to eavesdrop. The only - valid conditional for eavesdrop rules is 'bus'. See the apparmor.d(5) man - page for more information. (LP: #1262440) - - [ Steve Beattie ] - * 0085-push-normalize-tree-ops-into-expr-tree-classes.patch: Improve - parser performance in some cases - - [ John Johansen ] - * 0086-add-diff-state-compression-to-dfa.patch: Implement differential - state compression in the parser - * 0087-fix-dfa-minimization.patch: Fix a parser bug that caused some DFAs to - not be fully minimized (LP: #1262938) - * 0088-fix-pol-generation-for-small-dfas.patch: Fixes bugs in the parser - when generating policy for some small DFAs - - -- Tyler Hicks Mon, 13 Jan 2014 11:17:42 -0600 - -apparmor (2.8.0-0ubuntu37) trusty; urgency=low - - [ Jan Rękorajski ] - * 0082-parser-fix-FTBFS-with-bison-3.patch: Fix parser FTBFS with bison 3 - - [ Steve Beattie ] - * 0083-libapparmor-require-libtoolize.patch: Fix FTBFS by switching - the autogen.sh script to use libtoolize instead of libtool - - -- Tyler Hicks Fri, 10 Jan 2014 13:48:43 -0600 - -apparmor (2.8.0-0ubuntu36) trusty; urgency=medium - - * Rebuild for python3.4 as a supported python version. - - -- Matthias Klose Sat, 04 Jan 2014 18:30:59 +0000 - -apparmor (2.8.0-0ubuntu35) trusty; urgency=low - - * abstractions/nameservice: Also allow access to the sssd nss pipe. - - -- Stéphane Graber Fri, 29 Nov 2013 13:44:49 -0500 - -apparmor (2.8.0-0ubuntu34) trusty; urgency=low - - [ Tyler Hicks ] - * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not - include D-Bus rules in the binary policy that it loads into the kernel if - the kernel does not support D-Bus rules (LP: #1231778) - * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore - audit events that it does not yet support instead of treating them as - errors (LP: #1243932) - * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor - detection in regression tests after the multiarch changes - - [ Jamie Strandboge ] - * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3 - - [ Chad Miller ] - * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser - sandbox name. Keep old name for now to allow transition. LP: #1247269 - - -- Tyler Hicks Mon, 04 Nov 2013 15:57:30 -0800 - -apparmor (2.8.0-0ubuntu33) trusty; urgency=low - - * Convert to dh. - * Bump to debhelper compat level 9 for multiarch support. - * Mark libapparmor1, libapparmor-dev Multi-Arch: same. LP: #1246067. - - -- Steve Langasek Thu, 31 Oct 2013 13:23:57 -0700 - -apparmor (2.8.0-0ubuntu32) trusty; urgency=low - - * no change rebuild for perl 5.18 - - -- Jamie Strandboge Mon, 21 Oct 2013 13:28:26 -0500 - -apparmor (2.8.0-0ubuntu31) saucy; urgency=low - - * 0077_aa-status-is-bilingual.patch: aa-status was written to work with - python 2 or 3. Upstream is still using 2, so adjust ours to use - /usr/bin/python3 to avoid pulling python 2 back to the desktop images - - -- Jamie Strandboge Fri, 11 Oct 2013 15:35:03 -0500 - -apparmor (2.8.0-0ubuntu30) saucy; urgency=low - - [ Tyler Hicks ] - * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an - abstraction for the accessibility bus. It is currently very permissive, - like the dbus and dbus-session abstractions, and grants all permissions on - the accessibility bus. (LP: #1226141) - * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount - rules. Both rule classes suffered from unexpected auditing behavior when - using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier - resulting in accesses being audited and the 'audit deny' modifier - resulting in accesses not being audited. (LP: #1226356) - * debian/patches/0072-lp1229393.patch: Fix cache location for .features - file, which was not being written to the proper location if the parameter - --cache-loc= is passed to apparmor_parser. This bug resulted in using the - .features file from /etc/apparmor.d/cache or always recompiling policy. - Patch thanks to John Johansen. (LP: #1229393) - * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX - domain sockets to include read and write permissions. Both permissions are - required when a process connects to a UNIX domain socket. Also include new - tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for - helping with the policy updates and testing. (LP: #1208988) - * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only - grant access to specific pulseaudio files in the pulse runtime directory - to remove access to potentially dangerous files (LP: #1211380) - - [ Jamie Strandboge ] - * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia - (LP: #1228882) - * 0076_sanitized_helper_dbus_access.patch: allow applications run under - sanitized_helper to connect to DBus - - -- Tyler Hicks Fri, 04 Oct 2013 17:29:52 -0700 - -apparmor (2.8.0-0ubuntu29) saucy; urgency=low - - * Add 0070-etc-writable.patch: Allow reading time configuration from - /etc/writable, as we have it on the phone. (LP: #1227520) - - -- Martin Pitt Tue, 01 Oct 2013 09:55:15 +0200 - -apparmor (2.8.0-0ubuntu28) saucy; urgency=low - - [ Tyler Hicks ] - * Move the aa-exec man page out of apparmor-utils into apparmor, since - aa-exec is now in apparmor - - debian/control: adjust Breaks/Replaces to use apparmor-utils - (<< 2.8.0-0ubuntu28) - - debian/apparmor.manpages: install the aa-exec man page - - debian/apparmor-utils.manpages: don't install the aa-exec man page - * debian/patches/0065-lp1220861.patch: Always NUL-terminate confinement - context strings returned from libapparmor (LP: #1220861) - * debian/patches/0066-lp1196880.patch: Don't assign mode pointer in - aa_getprocattr() if caller passed in NULL (LP: #1196880) - * debian/patches/0067-libapparmor-mode-strings-are-not-to-be-freed.patch: - Update man page and code comments to make it clear that freeing the *con - string returned from libapparmor's getcon functions also frees the *mode - string - * debian/patches/0068-libapparmor-mention-dbus-method-in-getcon-man.patch: - Document the D-Bus method, in the aa_getcon man page, that returns the - AppArmor task confinement string of a D-Bus connection - - [ Jamie Strandboge ] - * debian/patches/0069-p11kit-abstraction.patch: p11-kit needs access to - /usr/share/p11-kit/modules - - -- Jamie Strandboge Tue, 10 Sep 2013 12:06:06 -0500 - -apparmor (2.8.0-0ubuntu27) saucy; urgency=low - - * debian/apport/source_apparmor.py: AppArmor logs DBus messages to syslog, - adjust apport hook to also search there for denials - - -- Jamie Strandboge Tue, 03 Sep 2013 10:25:45 -0500 - -apparmor (2.8.0-0ubuntu26) saucy; urgency=low - - * debian/patches/0064-lp1218099.patch: add support for variable expansion in - dbus rules (LP: #1218099) - - -- Jamie Strandboge Thu, 29 Aug 2013 16:28:36 -0500 - -apparmor (2.8.0-0ubuntu25) saucy; urgency=low - - [ Tyler Hicks ] - * Add support for mediation of D-Bus messages and services. AppArmor D-Bus - rules are described in the apparmor.d(5) man page. dbus-daemon will use - libapparmor to perform queries against the AppArmor policies to determine - if a connection should be able to send messages to another connection, if - a connection should be able to receive messages from another connection, - and if a connection should be able to bind to a well-known name. - - 0042-Fix-mount-rule-preprocessor-output.patch, - 0043-libapparmor-Safeguard-aa_getpeercon-buffer-reallocat.patch, - 0044-libapparmor-fix-return-value-of-aa_getpeercon_raw.patch, - 0045-libapparmor-Move-mode-parsing-into-separate-function.patch, - 0046-libapparmor-Parse-mode-from-confinement-string-in-ge.patch, - 0047-libapparmor-Make-aa_getpeercon_raw-similar-to-aa_get.patch, - 0048-libapparmor-Update-aa_getcon-man-page-to-reflect-get.patch: - Backport parser and libapparmor pre-requisites for D-Bus mediation - - 0049-parser-Update-man-page-for-DBus-rules.patch: Update apparmor.d man - page - - 0050-parser-Add-support-for-DBus-rules.patch, - 0051-parser-Regression-tests-for-DBus-rules.patch, - 0052-parser-Binary-profile-equality-tests-for-DBus-rules.patch: Add - apparmor_parser support for D-Bus mediation rules - - 0053-libapparmor-Export-a-label-based-query-interface.patch, - debian/libapparmor1.symbols: Provide the libapparmor interface necessary - for trusted helpers to make security decisions based upon AppArmor - policy - - 0054-libaalogparse-Parse-dbus-daemon-audit-messages.patch, - 0055-libaalogparse-Regression-tests-for-dbus-daemon-audit.patch: Allow - applications to parse denials, generated by dbus-daemon, using - libaalogparse and add a set of regression tests - - 0056-tests-Add-an-optional-final-check-to-checktestfg.patch, - 0057-tests-Add-required-features-check.patch, - 0058-tests-Add-regression-tests-for-dbus.patch: Add regression tests - which start their own dbus-daemon, load profiles containing D-Bus rules, - and confine simple D-Bus service and client applications - - 0059-dbus-rules-for-dbus-abstractions.patch: Add bus-specific, but - otherwise permissive, D-Bus rules to the dbus and dbus-session - abstractions. Confined applications that use D-Bus should already be - including these abstractions in their profiles so this should be a - seamless transition for those profiles. - * 0060-utils-make_clean_fixup.patch: Clean up the Python cache in the - AppArmor tests directory - * 0061-profiles-dnsmasq-needs-dbus-abstraction.patch: Dnsmasq uses the - system D-Bus when it is started with --enable-dbus, so its AppArmor - profile needs to include the system bus abstraction - * 0062-fix-clone-test-on-arm.patch: Fix compiler error when building - regression tests on ARM - * 0063-utils-ignore-unsupported-rules.patch: Utilities that use the - Immunix::AppArmor perl module, such as aa-logprof and aa-genprof, error - out when they encounter rules unsupported by the perl module. This patch - ignores unsupported rules. - - [ Jamie Strandboge ] - * debian/control: don't have easyprof Depends on apparmor-easyprof-ubuntu - - -- Tyler Hicks Mon, 26 Aug 2013 15:32:12 -0700 - -apparmor (2.8.0-0ubuntu24) saucy; urgency=low - - * 0040-libapparmor-support-pkg-config.patch: Make it easier for other - sources to build against libapparmor with pkg-config - - debian/control: Add pkg-config as a Build-Depends - - debian/libapparmor-dev.install: Install libapparmor pkg-config file - * 0041-parser-fix-flags.patch: Minimal fix for cache failures when the - feature file is larger than the feature buffer used for cache version - comparison - - -- Tyler Hicks Thu, 15 Aug 2013 16:34:53 -0700 - -apparmor (2.8.0-0ubuntu23) saucy; urgency=low - - * debian/patches/0038-lp1200392.patch: allow mmap of fglrx dri libraries - (LP: #1200392) - * debian/patches/0039-fix-parser-cache-loc.patch: fix apparmor cache - tempfile location to use passed arg - * debian/lib/apparmor/functions: update to also load from - /var/lib/apparmor/profiles and write cache to /var/cache/apparmor - * debian/apparmor.dirs: create /var/cache/apparmor and - /var/lib/apparmor/profiles - - -- Jamie Strandboge Tue, 23 Jul 2013 21:36:40 -0500 - -apparmor (2.8.0-0ubuntu22) saucy; urgency=low - - * Refresh easyprof - - drop 0034-easyprof-dont-add-vendor-dir.patch - - drop 0035-easyprof-update-manpage-for-sdk-base.patch - * debian/patches/0037-easyprof-sdk-pt2.patch: update easyprof for the - following: - - don't add vendor directory to self.templates and self.policy_groups - - utils/aa-easyprof: adjust error message for manifest read failure - - utils/aa-easyprof: adjust to use EnvironmentError on failed read of the - manifest - - utils/apparmor/easyprof.py: clean up set_template() - - utils/apparmor/easyprof.py: read_paths should use 'rk' - - utils/test/test-aa-easyprof.py: adjust tests for above - - utils/apparmor/easyprof.py - + valid_path should verify os.path.normpath(path) == (path) - + adjust valid_profile_name() to start with alpha-numeric and allow - Debian source package names and version, plus '_' - + adjust tests for above - - update valid_variable() to check for valid_path if '/' is in the value - - adjust valid_path() to have a relative_ok flag (default to False) - - adjust valid_path() to verify path is same as normalized path - - add some valid_path() test cases - - adjust to always quote template vars in policy output - - add a couple tests that have spaces in the binary and template var - - update manifest JSON structure to use - m['security']['profiles']['profile_name'] instead of - m['security']['profile_name'] - - -- Jamie Strandboge Sun, 07 Jul 2013 19:37:56 -0500 - -apparmor (2.8.0-0ubuntu21) saucy; urgency=low - - * Apache 2.4 transition (LP: #1197617, Closes: 666808). Based on patch from - intrigeri - - debian/control: - + Build-Depends on apache2-dev and dh-apache2 instead of - apache2-prefork-dev - + adjust libapache2-mod-apparmor to not Depends on apache2.2-common - + adjust libapache2-mod-apparmor to Pre-Depends: ${misc:Pre-Depends} - - create debian/libapache2-mod-apparmor.apache2 - - debian/rules: adjust to use dh_apache2 --noenable - - debian/libapache2-mod-apparmor.maintscript: remove old prefork profile - - debian/libapache2-mod-apparmor.install: install new usr.sbin.apache2 - profile - - debian/libapache2-mod-apparmor.{preinst,postinst,postrm}: update to use - usr.sbin.apache2 - - debian/libapache2-mod-apparmor.postinst: remove the disable symlink for - old prefork profile - - debian/patches/0036-libapache2-mod-apparmor-profile-2.4.patch: update - mod_apparmor man page to mention loading mpm_prefork, add new - usr.sbin.apache2 profile and remove old prefork profile - * debian/rules: honor DEB_BUILD_OPTIONS=nocheck - - -- Jamie Strandboge Thu, 04 Jul 2013 10:20:20 -0500 - -apparmor (2.8.0-0ubuntu20) saucy; urgency=low - - * remove debian/patches/0033-add-ubuntu-sdk-abstractions.patch. We will - for now ship policy groups instead of abstractions like this - * debian/apparmor.maintscript: rm_conffile on ubuntu-sdk-base - * debian/patches/0035-easyprof-update-manpage-for-sdk-base.patch: add - sdk-base as a typical policy group - - -- Jamie Strandboge Wed, 03 Jul 2013 17:29:57 -0500 - -apparmor (2.8.0-0ubuntu19) saucy; urgency=low - - * debian/patches/0034-easyprof-dont-add-vendor-dir.patch: don't add vendor - directory to self.templates and self.policy_groups - * debian/patches/0030-easyprof-sdk.patch: mentioned patch has been forwarded - upstream - - -- Jamie Strandboge Tue, 02 Jul 2013 09:24:23 -0500 - -apparmor (2.8.0-0ubuntu18) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: refreshed for the following: - - man page updates - - add --output-format=json option - - add --verify-manifest - - add --policy-version and --policy-vendor which to better work with - vendor templates (ie, with apparmor-easyprof-ubuntu) - - restructed JSON format (should be final version now). This converts - abstractions and policy_groups to proper JSON lists and allows for - multiple profiles in the JSON file, keyed off of the profile name - - add --output-directory option as an alternative to stdout (particularly - useful when using multiple profiles in a JSON file) - - also remove ubuntu-sdk-base abstraction. This may move out but for now - put it in a different patch - - add verify_options() and some utility functions for input validation - - unconditionally quote profile name and binary - - remove Ubuntu-specific checks in verify_manifest and check profile_name - with binary harder - * debian/patches/0033-add-ubuntu-sdk-abstractions.patch: add ubuntu-sdk-base - abstraction - - -- Jamie Strandboge Mon, 01 Jul 2013 17:20:33 -0500 - -apparmor (2.8.0-0ubuntu17) saucy; urgency=low - - * debian/patches/0032-lp1195362.patch: don't pull in unused perl modules - (LP: #1195362) - * debian/rules: use dh_perl -d with libapparmor-perl to Depends on perl-base - instead of perl - * debian/patches/0030-easyprof-sdk.patch: update to remove the ubuntu - specific templates and policy groups. These will be shipped in - apparmor-easyprof-ubuntu - * debian/control: have apparmor-easyprof Depends on apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 28 Jun 2013 12:01:06 -0500 - -apparmor (2.8.0-0ubuntu16) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: update to have - - /usr/share/icons/gnome/index.theme should have 'rk' added to qmlscene - policy group - - add ubuntu-sdk-html5 template - - add qmlscene-webview policygroup - * debian/patches/0031-move-poppler-cmap-to-fonts.patch: more than just - gnome applications access /usr/share/poppler/cMap/** - - -- Jamie Strandboge Tue, 25 Jun 2013 15:58:33 -0500 - -apparmor (2.8.0-0ubuntu15) saucy; urgency=low - - * move aa-exec out of apparmor-utils into apparmor, since we want it in the - default install - - debian/control: adjust Breaks/Replaces to use apparmor-utils - <<2.8.0-0ubuntu15) and have apparmor Depends on libapparmor-perl - - debian/apparmor.install: install aa-exec - - debian/apparmor-utils.install: don't install aa-exec - - -- Jamie Strandboge Tue, 25 Jun 2013 11:48:25 -0500 - -apparmor (2.8.0-0ubuntu14) saucy-proposed; urgency=low - - * debian/patches/0029-easyprof-update-for-aa-sandbox.patch: add aa-sandbox - utility to source, but don't install yet. This includes code refactoring - for easyprof, which is required for the next patch - * debian/patches/0030-easyprof-sdk.patch: add SDK support to easyprof (don't - include DBus includes yet) - * create apparmor-easyprof package - - adjust debian/control for new packages and Breaks/Replaces on - apparmor-utils 2.8.0-0ubuntu14 - - create debian/apparmor-easyprof.install - - debian/apparmor-utils.install: don't install easyprof. python libraries - moved to easyprof for now since it is the only consumer - - debian/apparmor-utils.manpages: move easyprof manpage to - debian/apparmor-easyprof.manpages - - debian/rules: dh_python3 should also run on apparmor-easyprof - * debian/control: dh-apparmor should Depends on apparmor-easyprof - * debian/debhelper/dh_apparmor: update to support --manifest argument - - -- Jamie Strandboge Mon, 24 Jun 2013 09:49:44 -0500 - -apparmor (2.8.0-0ubuntu13) saucy-proposed; urgency=low - - * 0021-webapps_abstraction.patch: update to allow 'w' access to - ~/.local/share/unity-webapps/availableapps*.db and 'rk' access to - ~/.config/libaccounts-glib/accounts.db (LP: #1169633) - - -- Jamie Strandboge Mon, 10 Jun 2013 10:49:46 -0500 - -apparmor (2.8.0-0ubuntu12) saucy; urgency=low - - * 0027-add-gnome-keyring-to-strict.patch: add @{HOME}/.gnome2/keyrings/** to - abstractions/private-files-strict - * 0028-add-upstart-to-private.patch: deny writes to upstart user sessions - jobs in abstractions/private-files - - -- Jamie Strandboge Mon, 13 May 2013 13:04:54 -0500 - -apparmor (2.8.0-0ubuntu11) raring; urgency=low - - * 0025-update-pulseaudio-paths.patch: update path for pulseaudio directory - and cookie files - * 0026-add-vm_overcommit_memory.patch: add read access to - @{PROC}/sys/vm/overcommit_memory - * update 0001-add-chromium-browser.patch: - - additional accesses required by newer chromium-browser. Patch based on - work by Simon Deziel (LP: #1154164) - - don't include abstractions already included via gnome abstraction - - allow access to dconf/gsettings, required now - - -- Jamie Strandboge Mon, 08 Apr 2013 14:57:14 -0500 - -apparmor (2.8.0-0ubuntu10) raring; urgency=low - - * debian/patches/0001-add-chromium-browser.patch: add accesses for chromium - 23 (LP: #1091862) - - -- Jamie Strandboge Tue, 18 Dec 2012 15:20:05 -0600 - -apparmor (2.8.0-0ubuntu9) raring; urgency=low - - * debian/control: make libnotify-bin a Suggests rather than a Recommends - since it is assumed to already be installed on the desktop and so server - environments don't have to pull in a lot of X dependencies (LP: #1061879) - - -- Jamie Strandboge Tue, 18 Dec 2012 10:47:50 -0600 - -apparmor (2.8.0-0ubuntu8) raring; urgency=low - - [ Steve Beattie ] - * 0024-lp1091642-parser-reset_matchflags.patch: prevent reuse of - matchflags in parser dfa backend and add testcase demonstrating the - problem (LP: #1091642) - - [ Jamie Strandboge ] - * debian/debhelper/postinst-apparmor: quote all occurences of #PROFILE#. - - -- Steve Beattie Tue, 18 Dec 2012 04:53:28 -0800 - -apparmor (2.8.0-0ubuntu7) raring; urgency=low - - * Rebuild to drop python3.2 extension. - - -- Matthias Klose Thu, 08 Nov 2012 11:15:26 +0000 - -apparmor (2.8.0-0ubuntu6) raring-proposed; urgency=low - - * Build python swig modules for all supported pythons. - * Use dh_python2 instead of obsolete dh_python. - * Remove duplicate chrpath from control. - * Remove unneeded quilt dependency. - * Bump standards version to 3.9.4, no changes needed. - - -- Dmitrijs Ledkovs Tue, 23 Oct 2012 12:37:39 +0100 - -apparmor (2.8.0-0ubuntu5) quantal; urgency=low - - [ Micah Gersten ] - * Allow /etc/vdpau_wrapper.cfg r and /var/lib/xine/gxine.desktop r - in the multimedia browser abstraction (LP: #1057642) - - update profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia - - [ Steve Beattie ] - * debian/control: make libnotify-bin a Recommends rather than a - Depends for use in server environments (LP: #1061879) - * debian/patches/0020-coredump_tests.patch: fix coredump regression - tests (LP: #1050430) - * debian/patches/0021-webapps_abstraction.patch: add a few items - triggered by using and installing webapps in firefox (LP: #1056418) - * debian/patches/0022-aa-decode-stdin.patch: fix aa-decode to process - stdin correctly and decode encoded profiles names - - -- Steve Beattie Tue, 09 Oct 2012 12:44:56 -0700 - -apparmor (2.8.0-0ubuntu4) quantal; urgency=low - - * Allow /var/lib/sss/mc/{group|passwd} for systems using sssd. - (LP: #1056391) - - -- Stéphane Graber Tue, 25 Sep 2012 14:59:57 -0400 - -apparmor (2.8.0-0ubuntu3) quantal; urgency=low - - * remove 0010-lp972367.patch and 0012-lp964510.patch which should have been - dropped in 2.8.0-0ubuntu1 since they are included upstream - * debian/patches/0001-add-chromium-browser.patch: - - add a couple of small accesses - - add a child profile for xdgsettings (LP: #1045986) - - -- Jamie Strandboge Mon, 17 Sep 2012 08:26:46 -0500 - -apparmor (2.8.0-0ubuntu2) quantal; urgency=low - - * 0015-fontconfig.patch: update fonts abstraction for new fontconfig paths - * 0016-cap-block-suspend.patch: add CAP_BLOCK_SUSPEND to severity.db. In - the next version of AppArmor, this will replace 0006-cap-epollwakeup.patch - * 0017-gnome-poppler-data.patch: update gnome abstraction for poppler cMap - tables - - -- Jamie Strandboge Tue, 14 Aug 2012 11:27:15 -0500 - -apparmor (2.8.0-0ubuntu1) quantal; urgency=low - - * New upstream release - - Drop the following patches, now included upstream: - 0003-add-aa-easyprof.patch - 0005-clean-common-from-vim.patch - 0006-use-linux-capability-h.patch - 0008-apparmor-lp963756.patch - 0009-apparmor-lp959560-part1.patch - 0010-apparmor-lp959560-part2.patch - 0011-apparmor-lp872446.patch - 0012-apparmor-lp978584.patch - 0013-apparmor-lp800826.patch - 0014-apparmor-lp979095.patch - 0015-apparmor-lp963756.patch - 0016-apparmor-lp968956.patch - 0017-apparmor-lp979135.patch - 0018-lp990931.patch - * Rename 0007-ubuntu-manpage-updates.patch to 0003 - * debian/patches/0005-lp1019274.patch: add python3 support. Patch based - on work from Dmitrijs Ledkovs. (LP: #1019274) - * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for - CAP_EPOLLWAKEUP - * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to - adjust scripts to use PYTHON if it is defined - * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb - when calling setup.py - * enable python3 in the build: - - debian/rules: - + use python3 as default PYTHON - + build libapparmor with both python2 and python3 - - debian/control: - + Build-Depends on python3-all-dev and python3 - + adjust apparmor to Depends on ${python3:Depends} - + adjust apparmor-utils to Depends on ${python3:Depends} - + add python3-libapparmor package - - add debian/python3-libapparmor.install - - debian/python-libapparmor.install: adjust to use python2 and - dist-packages - * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for - IcedTea 7 (LP: #1003856) - * debian/patches/0010-lp972367.patch: allow software center to work again - from browsers (LP: #972367) - * debian/patches/0011-lp1013887.patch: let sanitized helper work with - /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887) - * debian/patches/0012-lp964510.patch: allow Google Chrome and - chromium-browser to work under sanitized helper (LP: #964510) - * debian/patches/0013-lp987578.patch: ubuntu-integration does not work - properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578) - * debian/patches/0014-lp933440.patch: update skype example profile to work - with latest skype. Based on work by Ivan Frederiks (LP: #933440) - - -- Jamie Strandboge Thu, 05 Jul 2012 10:53:17 -0500 - -apparmor (2.7.102-0ubuntu5) quantal; urgency=low - - * debian/debhelper/postrm.apparmor: do not delete local files if main - conffile still exists since it probably means it is owned by a - new/different package. (LP: #986892) - - -- Clint Byrum Mon, 11 Jun 2012 21:40:33 -0700 - -apparmor (2.7.102-0ubuntu4) quantal; urgency=low - - * Fix FTBFS (LP: #1000055). Patch thanks to Steve Beattie. - - debian/control: Build-Depends on texlive-latex-recommended - - debian/rules: add V=1 for 'make' and 'make check' when building the - parser - * debian/patches/0018-lp990931.patch: adjust path for thunderbird to include - non-versioned path - - LP: #990931 - - -- Jamie Strandboge Fri, 18 May 2012 15:02:02 -0500 - -apparmor (2.7.102-0ubuntu3) precise; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5) - to describe Ubuntu's two-stage policy load and how to add utilize it - when developing policy (LP: #974089) - - [ Serge Hallyn ] - * debian/apparmor.init: do nothing in a container. This can be - removed once stacked profiles are supported and used by lxc. - (LP: #978297) - - [ Steve Beattie ] - * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping - for change_profile onexec (LP: #963756) - * debian/patches/0009-apparmor-lp959560-part1.patch, - debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser - to support the 'in' keyword for value lists, and make mount - operations aware of 'in' keyword so they can affect the flags build - list (LP: #959560) - * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing - exec events in complain mode (LP: #872446) - * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in - dovecot imap-login profile (LP: #978584) - * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor - log parsing library from dropping apparmor network events that - contain ip addresses or ports in them (LP: #800826) - * debian/patches/0014-apparmor-lp979095.patch: document new mount rule - syntax and usage in apparmor.d(5) manpage (LP: #979095) - * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec - for profiles without attachment specification (LP: #963756, - LP: #978038) - * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when - loading policy to kernels without compat patches (LP: #968956) - * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to - grant access to /proc/attr api (LP: #979135) - - -- Steve Beattie Thu, 12 Apr 2012 06:17:42 -0500 - -apparmor (2.7.102-0ubuntu2) precise; urgency=low - - * debian/control: Make dh-apparmor Multi-Arch: foreign, so that it can - satisfy cross-build-dependencies. - - -- Colin Watson Sat, 31 Mar 2012 02:28:05 +0100 - -apparmor (2.7.102-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following issues in support of LXC - AppArmor support for beta-2: - - Fix the return size of aa_getprocattr (LP: #962521) - - Fix mnt_flags passed for remount - - Fix dfa minimization around the nonmatching state - - Factor all the permissions dump code into a single perms method - * debian/apparmor-utils.install: - - AppArmor now installs apparmor.vim. Move it into place - - install aa-exec - * debian/apparmor-utils.manpages: install aa-exec man page - * debian/patches/0003-add-aa-easyprof.patch: refresh for Makefile changes - * debian/patches/0005-clean-common-from-vim.patch: clean up 'common' - symlink - * 0006-use-linux-capability-h.patch: Use linux/capability.h instead of - sys/capability.h - - -- Jamie Strandboge Thu, 22 Mar 2012 15:39:56 -0500 - -apparmor (2.7.101-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes: LP: #948147 - * debian/lib/apparmor/functions: Update to support the feature directory so - that caching will work on kernels that support the feature dir. Patch - based on work from John Johansen. LP: #954469 - - -- Jamie Strandboge Thu, 15 Mar 2012 15:57:02 -0500 - -apparmor (2.7.100-0ubuntu1) precise; urgency=low - - * New upstream bug fix release which fixes (in addition to other bugs): - - LP: #940362 - - LP: #947617 - - LP: #949891 - * Drop the following patches, included upstream: - - 0004-lp918879.patch - - 0007-lp941506.patch - - 0008-lp941503.patch - - 0009-lp943161.patch - * Drop the following patch, no longer required: - - 0005-disable-minimization.patch - * Rename 0006-lp941808.patch 0004-lp941808.patch - * debian/patches/0001-add-chromium-browser.patch: update for additional - denials with newer chromium-browser. (LP: #937723) - * debian/put-all-profiles-in-complain-mode.sh: deal with existing flags - - -- Jamie Strandboge Fri, 09 Mar 2012 06:56:48 -0600 - -apparmor (2.7.99-0ubuntu4) precise; urgency=low - - * Restore dpkg-maintscript-helper changes from 2.7.0-0ubuntu6, lost in - 2.7.99-0ubuntu1. - - -- Colin Watson Mon, 05 Mar 2012 16:11:01 +0000 - -apparmor (2.7.99-0ubuntu3) precise; urgency=low - - * debian/patches/0009-lp943161.patch: update to not fail when - default-jre-headless is installed (LP: #945019) - - -- Jamie Strandboge Fri, 02 Mar 2012 12:47:03 -0600 - -apparmor (2.7.99-0ubuntu2) precise; urgency=low - - * debian/control: dh-apparmor should Breaks/Replaces on debhelper - 9.20120115ubuntu3, not 9.20120115ubuntu2 - * debian/patches/0006-lp941808.patch: allow writes to - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration - (LP: #941808) - * debian/patches/0007-lp941506.patch: allow reads to ~/.drirc in the X - abstraction (LP: #941506) - * debian/patches/0008-lp941503.patch: allow read access to - /usr/share/texmf/fonts in fonts abstraction (LP: #941503) - * debian/patches/0009-lp943161.patch: fix path to java in - ubuntu-browsers.d/java (LP: #943161) - - -- Jamie Strandboge Fri, 02 Mar 2012 07:50:50 -0600 - -apparmor (2.7.99-0ubuntu1) precise; urgency=low - - * New upstream release which also pulls in 2.7.0-1 changes from Debian. - For the sake of simplicity, I have added the 2.7.0-1 changelog entry after - 2.7.0-0ubuntu7 even though chronologically it appeared in Debian between - 2.7.0-0ubuntu4 and 2.7.0-0ubuntu5. - - LP: #940422 (FFe) - * Drop the following patches, included upstream: - - 0003-commits-through-r1882.patch - - 0004-lp887992.patch - - 0005-lp884748.patch - - 0006-lp870992.patch - - 0007-lp860856.patch - - 0008-lp852062.patch - - 0009-lp851977.patch - - 0010-lp890894.patch - - 0011-lp817956.patch - - 0012-lp458922.patch - - 0013-lp769148.patch - - 0014-lp904548.patch - - 0015-lp712584.patch - - 0016-lp562831.patch - - 0017-lp662906.patch - - 0018-deny-home-pki-so.patch - - 0019-lp899963.patch - - 0020-lp912754a.patch - - 0021-lp912754b.patch - - 0022-workaround-lp851986.patch - - 0023-syslog-ng-needs-dac-read-search.patch - - 0024-fix-python-and-ruby-autogeneration.patch - - 0025-lp914184.patch - - 0026-lp914190.patch - - 0027-lp914386.patch - - 0028-testsuite-fixes.patch - - 0029-lp917628.patch - - 0030-lp916285.patch - - 0031-lp917639.patch - - 0032-lp917641.patch - - 0033-add-ubuntu-helpers-to-plugins-common.patch - - 0034-lp917859.patch - - 0035-kde-should-use-kde4.patch - - 0036-lp929531.patch - - 0036-fix-manpage-errors.patch - * Rename 0037-add-aa-easyprof.patch 0003-add-aa-easyprof.patch - * debian/apparmor-profiles.postrm: clean out autogenerated files created by - apparmor-profiles.postinst (Closes: 656451) - * debian/patches/0004-lp918879.patch: allow /etc/drirc in the X abstraction - (LP: #918879) - * debian/patches/0005-disable-minimization.patch: do to LP: 940362, - minimization is not working correctly. Disable it for now. - - -- Jamie Strandboge Fri, 24 Feb 2012 09:04:45 -0600 - -apparmor (2.7.0-1) unstable; urgency=low - - * debian/po/pt.po add new Portuguese translation, thanks to Pedro Ribeiro, - (Closes: 651434). - * debian/control: do not require initramfs-tools on !linux-any - (Closes: 651297). - * debian/{control,rules,debhelper/*}: move dh_apparmor into separate - binary package, out of debhelper (Closes: 649784). - * debian/{control,rules}: fix up lack of real build-indep. - * debian/patches/0036-fix-manpage-errors.patch: minor man page cleanups. - * merge changes from Ubuntu (r1443). - - -- Kees Cook Thu, 09 Feb 2012 15:24:08 -0800 - -apparmor (2.7.0-0ubuntu7) precise; urgency=low - - * debian/patches/0037-add-aa-easyprof.patch: add the aa-easyprof tool - * apparmor-utils.dirs, apparmor-utils.install, apparmor-utils.manpages: - install aa-easyprof and supporting files - * python-libapparmor.install: only install LibAppArmor* - * debian/rules: use dh_python2 with apparmor-utils - * debian/control: apparmor-utils should Depends on ${python:Depends} - - -- Jamie Strandboge Wed, 15 Feb 2012 07:40:38 -0600 - -apparmor (2.7.0-0ubuntu6) precise; urgency=low - - * debian/apparmor.{preinst,postinst,postrm,maintscript}, debian/control: - Use maintscript support in dh_installdeb rather than writing out - dpkg-maintscript-helper commands by hand. We now simply Pre-Depend on a - new enough version of dpkg rather than using 'dpkg-maintscript-helper - supports' guards, leading to more predictable behaviour on upgrades. - - -- Colin Watson Sat, 11 Feb 2012 15:11:01 +0000 - -apparmor (2.7.0-0ubuntu5) precise; urgency=low - - * debian/patches/0036-lp929531.patch: adjust base abstraction to allow read - access to /sys/devices/system/cpu/online (LP: #929531) - - -- Jamie Strandboge Thu, 09 Feb 2012 08:04:13 -0600 - -apparmor (2.7.0-0ubuntu4) precise; urgency=low - - * debian/patches/0034-lp917859.patch: adjust aspell abstraction for user - customizable dictionaries (LP: #917859) - * debian/patches/0035-kde-should-use-kde4.patch: adjust abstractions to - use kde{,4} instead of kde - * debian/control: update Vcs-Bzr - - -- Jamie Strandboge Wed, 18 Jan 2012 16:27:30 -0600 - -apparmor (2.7.0-0ubuntu3) precise; urgency=low - - * debian/patches/0029-lp917628.patch: Adjust dnsmasq profile for - NetworkManager integration (LP: #917628) - * debian/patches/0030-lp916285.patch: update ubuntu-browsers.d/text-editors - to work with emacs2[2-9] (LP: #916285) - * debian/patches/0031-lp917639.patch: update p11-kit to allow mmap of - libraries in pkcs directories (LP: #917639) - * debian/patches/0032-lp917641.patch: ubuntu-integration abstraction for - multiarch with gst-plugin-scanner (LP: #917641) - * debian/patches/0033-add-ubuntu-helpers-to-plugins-common.patch: include - ubuntu-helpers in the plugins-common abstraction - - -- Jamie Strandboge Tue, 17 Jan 2012 07:18:34 -0600 - -apparmor (2.7.0-0ubuntu2) precise; urgency=low - - * debian/patches/0022-workaround-lp851986.patch: update sanitized_helper - to include inet6 - - -- Jamie Strandboge Fri, 13 Jan 2012 11:21:30 +0100 - -apparmor (2.7.0-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following: - - LP: #794974 - - LP: #815883 - - LP: #840973 - * Drop the following patches, included upstream: - - af_names-generation.patch - - 0004-adjust-logprof-log-search-order.patch - - 0005-lp826914.patch - - 0006-lp838275.patch - - 0007-fix-introspection-tests.patch - * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002 - * debian/patches/0003-commits-through-r1882.patch: several bug, - documentation and performance fixes on our road to AppArmor 2.8 - (LP: #840734, LP: #905412) - * debian/patches/0004-lp887992.patch: cups-client abstraction should allow - owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions - (LP: #887992) - * update debian/patches/0001-add-chromium-browser.patch for deeper - directories of /sys/devices/pci (LP: #885833) - * debian/patches/0005-lp884748.patch: allow kate as text editor in the - browsers abstraction (LP: #884748) - * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access - to ~/.fonts.conf.d (LP: #870992) - * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py - in the python abstraction, which is needed for apport hooks to work in - python applications (LP: #860856) - * debian/patches/0008-lp852062.patch: update binaries for transmission - clients (LP: #852062) - * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for - Xubuntu and friends (LP: #851977) - * debian/patches/0010-lp890894.patch: allow access to Thunar as well as - thunar in ubuntu-integration abstraction (LP: #890894) - * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile - (LP: #817956) - * debian/patches/0012-lp458922.patch: update dovecot deliver profile to - access various .conf files for dovecot (LP: #458922) - * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection - (LP: #769148) - * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv - (LP: #904548) - * debian/patches/0015-lp712584.patch: Nvidia users need access to - /dev/nvidia* files for various plugins to work right. Since these are all - focused around multimedia, add the acceses to the multimedia abstraction. - (LP: #712584) - * debian/patches/0016-lp562831.patch: allow fireclam plugin to work - (LP: #562831) - * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu - integration browser abstraction (LP: #662906) - * debian/patches/0018-deny-home-pki-so.patch: update private-files - abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847) - * debian/patches/0019-lp899963.patch: add audacity to the - ubuntu-media-players abstraction (LP: #899963) - * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit - abstraction and add it to the authentication abstraction (LP: #912754) - * debian/patches/0022-workaround-lp851986.patch: instead of using Ux - in the ubuntu and launchpad abstractions, use a helper child profile. - This will help work around the lack of environment filtering - (LP: #851986) - * debian/patches/0023-syslog-ng-needs-dac-read-search.patch: adjust syslog-ng - profile for dac_read_search - * debian/patches/0024-fix-python-and-ruby-autogeneration.patch: fix python - and ruby autogeneration when using aa-autodep and aa-genprof - * debian/patches/0025-lp914184.patch: allow the creation of enchant .config - directory in the enchant abstraction (LP: #914184) - * debian/patches/0026-lp914190.patch: block write access to ~/.kde/env - because KDE automatically sources scripts in that folder on startup - (LP: #914190) - * debian/pathes/0027-lp914386.patch: add xdg-desktop abstraction and - adjust gnome and kde abstractions to use it (LP: #914386) - * debian/patches/0028-testsuite-fixes.patch: testsuite fixes in the kernel - regression tests - - -- Jamie Strandboge Thu, 12 Jan 2012 12:55:17 +0100 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu3) precise; urgency=low - - * Rebuild for Perl 5.14. - - -- Colin Watson Tue, 15 Nov 2011 22:10:05 +0000 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu2) oneiric; urgency=low - - * 0007-fix-introspection-tests.patch: Add missing introspection regression - test that should have been checked in with the introspection patches. - - -- Jamie Strandboge Tue, 04 Oct 2011 13:13:05 -0500 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu1) oneiric; urgency=low - - * 0004-adjust-logprof-log-search-order.patch: Adjust the search order to use - just /var/log/audit/audit.log and /var/log/syslog. (LP: #835838) - * 0005-lp826914.patch: fix missing multiarch in abstraction/X (LP: #826914) - * 0006-lp838275.patch: adjust ubuntu-email abstraction for thunderbird 7 - (LP: #838275) - - -- Jamie Strandboge Fri, 02 Sep 2011 12:30:10 -0500 - -apparmor (2.7.0~beta1+bzr1774-1) unstable; urgency=low - - * New upstream devel snapshot: - - drop 0002-lp750381.patch, taken upstream. - - drop 0004-lp754889.patch, taken upstream. - - drop 0005-lp761217.patch, taken upstream. - - drop 0100-manpage-typo.patch, taken upstream. - - drop 0101-declarations.patch, solved differently upstream. - - drop 0102-manpage-release-name.patch, taken upstream. - - drop 0103-kfreebsd-compile.patch, taken upstream. - - drop define-path-max.patch, taken upstream. - - drop indep-build.patch, taken upstream. - - debian/libapparmor1.manpages: add new function man pages. - * Merge with Ubuntu: - - drop 0104-python-aa-status.patch, taken upstream. - - drop 0105-lightdm.patch, taken upstream. - - drop 0106-lp810270.patch, taken upstream. - - drop 0107-lp767308.patch, taken upstream. - - drop 0108-gnome-mimeinfo.patch, taken upstream. - - drop 0109-add-profile-repo-info.patch, taken upstream. - * Add af_names-generation.patch to allow arbitrary socket.h file location. - - -- Kees Cook Wed, 10 Aug 2011 18:12:34 -0700 - -apparmor (2.6.1-4ubuntu5) oneiric; urgency=low - - * debian/patches/0109-add-profile-repo-info.patch: add a blurb about the - new profiles repository to aa-genprof, along with a link to the wiki - page. - - -- Marc Deslauriers Mon, 18 Jul 2011 10:49:13 -0400 - -apparmor (2.6.1-4ubuntu4) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: updated to use upstream commits - - -- Jamie Strandboge Fri, 15 Jul 2011 14:08:38 -0500 - -apparmor (2.6.1-4ubuntu3) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: adjustments for /var/run -> /run, - /var/lock -> /run/lock and /dev/shm -> /run/shm transition (LP: #810270) - * debian/patches/0107-lp767308.patch: allow read access to - /usr/local/share/ca-certificates (LP: #767308) - * debian/patches/0001-add-chromium-browser.patch: updates for newer chromium - (LP: #776648) - * debian/patches/0108-gnome-mimeinfo.patch: allow read access to - /usr/share/gnome/applications/mimeinfo.cache in the gnome abstraction - - -- Jamie Strandboge Thu, 14 Jul 2011 09:39:49 -0500 - -apparmor (2.6.1-4ubuntu2) oneiric; urgency=low - - * debian/patches/0105-lightdm.patch: allow owner read access to - /var/run/lightdm/authority/[0-9]* - - -- Jamie Strandboge Wed, 22 Jun 2011 16:29:11 -0500 - -apparmor (2.6.1-4ubuntu1) oneiric; urgency=low - - * Get rid of Perl in main AppArmor package so we can remove perl-modules - from the installation cd: - - debian/patches/0104-python-aa-status.patch: switch aa-status to - Python - - debian/apparmor.*, debian/apparmor-utils.*: move aa-status, symlink - and manpages to main apparmor package. - - debian/control: add appropriate Breaks/Replaces/Depends because of - the file move, add ${python:Depends} to apparmor Depends, add - apparmor-utils to apparmor Suggests. - - debian/rules: add apparmor package to dh_python2. - * debian/lib/apparmor/functions: fix hat separator (LP: #788616) - - Based on upstream revision 1733 - - -- Marc Deslauriers Wed, 01 Jun 2011 11:03:20 -0400 - -apparmor (2.6.1-4) unstable; urgency=low - - * debian/po: add new translations: - - zh_CN.po: Simplified Chinese, thanks to Aron Xu (Closes: 624853). - - da.po: Danish, thanks to Joe Dalton (Closes: 625252). - - sv.po: Swedish, thanks to Martin Bagge (Closes: 625264). - - cs.po: Czech, thanks to Michal Šimůnek (Closes: 625465). - - de.po: German, thanks to Chris Leick (Closes: 625931). - - nl.po: Dutch, thanks to Jeroen Schot (Closes: 626269). - - ja.po: Japanese, thanks to Hideki Yamane (Closes: 626803). - - it.po: Italian, thanks to Dario Santamaria (Closes: 626836). - - fr.po: French, thanks to Julien Patriarca (Closes: 626903). - - es.po: Spanish, thanks to Francisco Javier Cuadrado (Closes: 627031). - * debian/patches/define-path-max.patch: fix Hurd FTBFS. - * debian/patches/indep-build.patch: allow split indep/arch builds. - * debian/{control,rules,non-linux}: add fake parser for non-Linux - builds so that apparmor-utils is installable (Closes: 625977). - - -- Kees Cook Fri, 27 May 2011 13:51:18 -0700 - -apparmor (2.6.1-3) unstable; urgency=low - - * debian/control: add sneaky missing Build-Dep on liblocale-gettext-perl - (fixes FTBFS on some extremely minimal chroots, Closes: 624566). - * debian/patches/0101-declarations.patch: add missing declarations needed - for sensitive compilers (fixes FTBFS on mips/mipsel). - * debian/patches/0102-manpage-release-name.patch: update manpage release - names to match others. - * debian/patches/0103-kfreebsd-compile.patch, debian/{control,rules}: - attempt to build as much as possible (no parser) on non-Linux systems. - * debian/po/ru.po: add translation, thanks to Yuri Kozlov (Closes: 624741). - - -- Kees Cook Sun, 01 May 2011 19:29:07 -0700 - -apparmor (2.6.1-2) unstable; urgency=low - - * debian/copyright: clarify for some full organization names. - - -- Kees Cook Wed, 27 Apr 2011 10:38:07 -0700 - -apparmor (2.6.1-1) unstable; urgency=low - - * Initial Debian upload (Closes: 622922). - * debian/patches/0100-manpage-typo.patch: fix lintian error in manpage. - * debian/clean: update for Debian build. - * debian/copyright: rearrange and add a few missing files. - * debian/source/format, debian/rules: convert to 3.0 quilt format. - * debian/{rules,apparmor-profiles.postinst}: deal with lack of dh_apparmor. - - -- Kees Cook Sat, 23 Apr 2011 12:14:55 -0700 - -apparmor (2.6.1-0ubuntu3) natty; urgency=low - - * debian/patches/0003-add-debian-integration-to-lighttpd.patch: updates for - lighttpd example profile to work in Debian/Ubuntu (LP: #582814) - * debian/patches/0004-lp754889.patch: add several image viewers to - ubuntu-browsers.d/multimedia abstraction (LP: #754889) - * debian/patches/0005-lp761217.patch: abstractions/private-files updates for - zsh and several other shells (LP: #761217) - * debian/patches/0001-add-chromium-browser.patch: fixes for multiarch and - crash reporter (LP: #764786) - - -- Jamie Strandboge Mon, 18 Apr 2011 09:23:50 -0500 - -apparmor (2.6.1-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp750381.path: adjust ubuntu-media-players abstraction - to allow reading of configs required by gnash and owner writing of - @{HOME}/.gnash (LP: #750381) - - -- Jamie Strandboge Thu, 07 Apr 2011 10:09:24 -0500 - -apparmor (2.6.1-0ubuntu1) natty; urgency=low - - * New upstream release. - - Fixes breakage of mod_apparmor apache2 module (LP: #737074) - - Fixes profile matching when an attachement doesn't contain a - regex (LP: #731155) - - Fixes parser acceptance of missing network protocols (LP: #732837) - - Patches taken upstream and dropped: - + debian/patches/0002-lp727478.patch - + debian/patches/0003-test-lp727478.patch - + debian/patches/0004-lp736870.patch - * debian/apparmor.install, debian/apparmor.dirs: add new multiarch - tunable file and directory - * debian/python-libapparmor.install: loosen directory specification - for resiliancy against different python versions - - -- Steve Beattie Thu, 24 Mar 2011 01:55:12 -0700 - -apparmor (2.6.0-0ubuntu4) natty; urgency=low - - * Update debian/patches/0004-lp736870.patch (LP: #736870): - - armel triplet doesn't match '*-linux-gnu' - - /lib/tls for libc6-xen needs handling - - gnome, kde, kerberosclient, and authentication abstractions also need - updating for multiarch. - - -- Steve Langasek Tue, 22 Mar 2011 15:18:54 -0700 - -apparmor (2.6.0-0ubuntu3) natty; urgency=low - - * debian/patches/0004-lp736870.patch: add multiarch support to abstractions - (LP: #736870) - - -- Jamie Strandboge Thu, 17 Mar 2011 09:17:01 -0500 - -apparmor (2.6.0-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp727478.patch: Override AF_MAX for kernels that don't - support proper masking. Patch thanks to John Johansen (LP: #727478) - * debian/patches/0003-test-lp727478.patch: add tcp.sh test as partial - networking test - - -- Jamie Strandboge Thu, 03 Mar 2011 16:40:08 -0600 - -apparmor (2.6.0-0ubuntu1) natty; urgency=low - - [ Steve Beattie ] - * New upstream 2.6.0 release (LP: #724193) - - Patches taken upstream and dropped: - + 0001-ubuntu-buildd.patch - + 0003-add-libvirt-support-to-dnsmasq.patch - + 0004-lp698194.patch - + 0005-aa-disable.patch - - debian/rules: remove library path settings for mod_apparmor and - pam_apprmor builds; upstream handles this properly now. - - debian/apparmor-utils.install: handle upstream SubDomain.pm => - AppArmor.pm renaming - * debian/lib/apparmor/functions: handle profile names with embedded - spaces (LP: #655523) - * debian/rules, debian/control, debian/python-libapparmor: build - a python-libapparmor package. - - [ Jamie Strandboge ] - * debian/copyright: update and reformat according to DEP-5 - * debian/lib/apparmor/functions: don't unload dynamically generated libvirt - profiles on reload, restart, and force-reload (LP: #702774) - * debian/control: use Section: python for python-libapparmor - - -- Steve Beattie Thu, 24 Feb 2011 01:41:58 -0800 - -apparmor (2.6~devel+bzr1617-0ubuntu2) natty; urgency=low - - * debian/patches/0005-aa-disable.patch: add aa-disable - * debian/apparmor-utils.install: install aa-disable - * debian/apparmor-utils.manpages: install aa-disable man page - - -- Jamie Strandboge Mon, 07 Feb 2011 11:23:50 -0600 - -apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1617. Closes the following bugs: - - LP: #692406: temporarily disable the defunct repository until an - alternative can be used - - LP: #649497: add ibus abstraction - - LP: #652562: allow 'rw' to /var/log/samba/cores/ - - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules - * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.* - (LP: #692866) - * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch - and adjust debian/patches/series - * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239): - - allow read and write access to libvirt pid files for dnsmasq - - allow net_admin capability for DHCP server - - allow net_raw and network inet raw for ICMP pings when used as a DHCP - server - * debian/patches/0004-lp698194 (LP: #698194): - - abstractions/private-files: don't allow wl to autostart directories - - abstractions/private-files-strict: don't allow access to chromium, - kwallet and popular mail clients - - -- Jamie Strandboge Fri, 07 Jan 2011 12:44:26 -0600 - -apparmor (2.6~devel+bzr1601-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1601 to gain parser speed - improvements and man page fixes. Closes the following bugs: - - LP: #349049: document audit, deny and owner rule qualifiers - - LP: #466228: ubuntu-browsers.d/multimedia: allow flash printing - - LP: #644983: add ubuntu-browsers.d/ubuntu-integration-xul - - LP: #692216: use aa_change_hat() instead of change_hat() - - LP: #692217: add aa_change_profile.pod manpage - * debian/control: explicitly depend on gettext module. - * ship apparmor vim syntax file (LP: #646800): - - debian/vim-apparmor.yaml: vim addon definition file. - - debian/apparmor-utils.install: add apparmor.vim and vim-apparmor.yaml. - * debian/libapparmor1.manpages: ship aa_change_profile manpage. - - -- Kees Cook Mon, 20 Dec 2010 14:37:38 -0800 - -apparmor (2.6~devel+bzr1527-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1527, drop patches taken upstream: - - debian/patches/0001-fix-release.patch - - debian/patches/0003-local-includes.patch - - debian/patches/0004-ubuntu-abstractions-updates.patch - - debian/patches/0005-lp648900.patch - - debian/patches/0006-testsuite-fixes.patch - - debian/patches/0007-honor-cflags.patch - - debian/patches/0008-lp652674.patch - - debian/patches/0009-sensible-browser-pix.patch - * Rework packaging for more sanity. - - debian/control: - - bump debhelper build depend to Ubuntu-specific v8. - - switch apparmor-profiles to arch all as it ships only text. - - update Homepage to new domain. - - expand long descriptions to keep lintian happy. - - debian/compat: bump to 8. - - README.Debian: removed, hopelessly out of date. - - debian/copyright: - - updated for changes to upstream source layout. - - fixed lintian warnings. - - debian/rules: - - ditch mv/install in favor of *.install,*.dir files. - - replace "dh_clean -k" with "dh_prep" - - use dh_clean's debian/clean file instead of manual rm. - - scan for all profiles to run through dh_apparmor. - - debian/*.{install,dirs,manpages,docs}: - - explicitly list all files needed for packaging - - debian/apparmor.{preinst,postinst,postrm}: - - add dpkg-maintscript-helper calls to clean up old script locations. - - drop old conffile cleanups, since they predate Lucid. - - debian/apparmor.init: - - move functions to /lib/apparmor. - - start on $remote_fs due to using /usr tools during init. - - use LC_COLLATE=C for proper sorting. - - debian/libapparmor1.symbols: created initial symbols file. - - debian/apparmor-docs.doc-base: include doc-base details for techdoc. - - debian/notify/90apparmor-notify: use new command name. - - lib/apparmor/functions: use LC_COLLATE=C for proper sorting. - - -- Kees Cook Thu, 04 Nov 2010 18:06:34 -0700 - -apparmor (2.5.1-0ubuntu4) natty; urgency=low - - * debian/patches/0004-ubuntu-abstractions-updates.patch: updated to add - /usr/bin/emacs-snapshot-gtk PUxr - * debian/patches/0009-sensible-browser-pix.patch: use Pix for - sensible-browser - * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if - the AppArmor securityfs introspection directory is not mounted, as - is the case on Ubuntu buildds. - - -- Jamie Strandboge Tue, 02 Nov 2010 12:17:21 -0500 - -apparmor (2.5.1-0ubuntu3) natty; urgency=low - - * debian/control: use the correct version for Conflicts/Replaces - - -- Jamie Strandboge Tue, 19 Oct 2010 19:53:26 -0500 - -apparmor (2.5.1-0ubuntu2) natty; urgency=low - - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. Patch by Marc Deslauriers. - (LP: #539441) - - -- Jamie Strandboge Tue, 19 Oct 2010 15:44:43 -0500 - -apparmor (2.5.1-0ubuntu1) natty; urgency=low - - * New upstream release (LP: #660077) - - The following patches were refreshed: - + 0001-fix-release.patch - + 0003-local-includes.patch - + 0008-lp648900.patch: renamed as 0005-lp648900.patch - - The following patches were dropped (included upstream): - + 0005-lp601583.patch - + 0006-network-interface-enumeration.patch - + 0007-gnome-updates.patch - * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head - of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211) - * debian/patches/0007-honor-cflags.patch: have the parser makefile honor - CFLAGS environment variable. Brings back missing symbols for the retracer - * debian/patches/0008-lp652674.patch: fix warnings for messages without - denied or requested masks (LP: #652674) - * debian/apparmor.init: fix path to aa-status (LP: #654841) - * debian/apport/source_apparmor.py: apport hook should use - root_command_hook() for running apparmor_status (LP: #655529) - * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber - cmdline details (LP: #657091) - - -- Jamie Strandboge Fri, 15 Oct 2010 12:23:00 -0500 - -apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low - - * abstractions/ubuntu-email: adjustment for ever-changing thunderbird path - (LP: #648900) - - -- Jamie Strandboge Mon, 27 Sep 2010 09:00:06 -0500 - -apparmor (2.5.1~rc1-0ubuntu1) maverick; urgency=low - - [ Jamie Strandboge ] - * New upstream RC release (revision 1413). In addition to getting the tools - to work with the maverick kernel, this update fixes: - - LP: #619521 - - LP: #633369 - - LP: #626451 - - LP: #581525 - - LP: #623467 (link and unlink still need to be addressed) - * Dropped the following patches, included upstream: - - 0002-lp615177.patch - - 0004-ubuntu-pux.patch - - 0006-kde4-config-pux.patch - - 0007-lp605835.patch - - 0012-lp625041.patch - - 0013-lp623586.patch - * Update the following patches: - - rename 0010-fix-release.patch as 0001-fix-release.patch since this will - likely always need to be here - - rename 0005-add-chromium-browser.patch as - 0002-add-chromium-browser.patch - - rename 0001-local-includes.patch as 0003-local-includes.patch and update - to use r1493 (from trunk) of local/README file. This can be dropped in - 2.6. - - collect the ubuntu abstractions updates pulled from trunk into - 0004-ubuntu-abstractions-updates.patch. This can be dropped in 2.6. - - rename 0008-lp601583.patch as 0005-lp601583.patch. This can be dropped - in 2.5.1 final. - * fix up some lintian warnings: - - debian/control: - + don't use 'Section' in apparmor-notify, since it is the same as the - source - + updates Standards-Version to 3.9.1 - + add ${misc:Depends} to libapparmor-dev and apparmor-notify - - add debian/source/format - - debian/libapache2-mod-apparmor.postrm: use #DEBHELPER# - - debian/libapache2-mod-apparmor.preinst: use #DEBHELPER# - - add debian/watch - * debian/notify/notify.conf: set show_notifications="yes" by default - * debian/patches/0006-network-interface-enumeration.patch: allow network - interface enumeration. This can be dropped in 2.5.1 final. - * debian/patches/0007-gnome-updates.patch: update for font/icon/mime - locations in current gnome. This can be dropped in 2.5.1 final. - - [ Kees Cook ] - * debian/apparmor.init: rename "stop" to "teardown", drop caches on - "stop" and warn about the dangers of "teardown". - - -- Jamie Strandboge Fri, 10 Sep 2010 11:07:19 -0500 - -apparmor (2.5.1~pre1393-0ubuntu6) maverick; urgency=low - - * debian/profiles/chromium-browser: updated to have the proper path to - local/ - * debian/patches/0011-lp514356+573344+593413.patch: browser abstraction - updates for /net, kmozillahelper and gnome-appearance-properties - (LP: #593413, LP: #514356, LP: #573344) - * debian/patches/0012-lp625041.patch: add sensible-browser (LP: #625041) - * debian/patches/0013-lp623586.patch: allow access to ghostscript fonts when - not using defoma (LP: #623586) - - -- Jamie Strandboge Fri, 03 Sep 2010 07:39:31 -0500 - -apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low - - * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs - abstraction (LP: #605835) - * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm - (LP: #601583) - * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction - and have ubuntu-browsers.d/multimedia use it (LP: #565753) - * debian/apparmor.config: don't try to read in the existing value from - /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is - in debconf. (LP: #561694) - * add aa-update-browser for giving a programmatic way to update browser - profiles to use browser abstractions - - add debian/aa-update-browser - - add debian/aa-update-browser.8 - - debian/rules: install aa-update-browser* - * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java - child profile names - * debian/patches/0010-fix-release.patch: update common/Make.rules to use - lsb_release - - -- Jamie Strandboge Wed, 11 Aug 2010 09:24:23 -0500 - -apparmor (2.5.1~pre1393-0ubuntu4) maverick; urgency=low - - * debian/patches/0001-local-includes.patch: updated to adjust local/README - to have upstream clarifications - * debian/patches/0003-ubuntu-browsers-d.patch: add ubuntu-browsers.d/* - abstractions - * debian/patches/0004-ubuntu-pux.patch: use 'PUx' instead of 'Ux' in - abstractions/ubuntu-* - * add chromium-browser profile. All this can be removed once - chromium-browser ships its own profile: - - debian/patches/0005-add-chromium-browser.patch: add preliminary - profiles/apparmor.d/usr.bin.chromium-browser - - debian/profiles/chromium-browser: added for use with ubuntu-browsers.d - - debian/rules: ship debian/profiles/chromium-browser in apparmor-profiles - * don't make /etc/apparmor.d/local/* from apparmor-profiles conffiles - - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 - - debian/rules: use dh_apparmor instead of shipping the files as conffiles - - debian/apparmor-profiles.postinst: move DEBHELPER before initscript - reload - - debian/apparmor-profiles.postrm: added to remove chromium-browser config - file - * debian/patches/0006-kde4-config-pux.patch: remove kde4-config from kde - abstraction and add it to kde ubuntu-browsers abstraction - - -- Jamie Strandboge Tue, 10 Aug 2010 14:31:32 -0500 - -apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low - - * debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too - strict for /tmp/ and /var/tmp/ (LP: #615177) - - -- Jamie Strandboge Mon, 09 Aug 2010 10:17:05 -0500 - -apparmor (2.5.1~pre1393-0ubuntu2) maverick; urgency=low - - * debian/rules: move local/usr.lib.apache2.mpm-prefork.apache2 to - libapache2-mod-apparmor - - -- Jamie Strandboge Fri, 06 Aug 2010 13:38:59 -0500 - -apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low - - * Update to upstream bzr revision 1393 from lp:apparmor/2.5. - * add dbus-session abstraction (LP: #566207) - * require owner in user-tmp abstraction (LP: #578922) - * don't use uninitialized $opt_s (LP: #582075) - * allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462) - * allow gmplayer in abstractions/ubuntu-media-players (LP: #591421) - * debian/control: updated branches. - * debian/patches/0001-local-includes.patch: backported patch from trunk to - allow local administrators to customize their profiles without modifying - a shipped profile - * debian/rules: - - don't pass RELEASE to libapparmor's 'make install' as it breaks the - build and isn't used by the Makfile anyway - - install apparmor.d/local/README in apparmor, not apparmor-profiles - - don't install apparmor.d/local/usr.sbin.ntpd - * Drop the following patches already included upstream: - - 0001-lp538561.patch - - 0002-aalogprof-warnings.patch - - 0003-fix-memleaks.patch - - 0004-lp549557.patch - - 0005-lp538661.patch - - 0006-lp611248.patch - - -- Jamie Strandboge Thu, 05 Aug 2010 16:10:46 -0500 - -apparmor (2.5-0ubuntu4) maverick; urgency=low - - * debian/patches/0006-lp611248.patch: allow access to gdk-pixbuf loaders - LP: #611248 - - -- Jamie Strandboge Tue, 03 Aug 2010 09:32:10 -0500 - -apparmor (2.5-0ubuntu3) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/lp-549557.patch: have apparmor_notify deal with log file - rotation. (LP: #549557) - * debian/notify/notify.conf: set show_notifications="yes" - * debian/patches/0005-lp538661.patch: adjust php5 abstraction for cgi config - file path and extensions (LP: #538661) - - [ Kees Cook ] - * debian/apparmor.functions: do not load in parallel, this is causing - weird side-effects. - - -- Jamie Strandboge Tue, 30 Mar 2010 11:31:49 -0500 - -apparmor (2.5-0ubuntu2) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0001-lp538561.patch: add 'k' to /var/lib/samba/**.tdb in - the samba abstraction (LP: #538561) - - [ Marc Deslauriers ] - * debian/patches/0002-aalogprof-warnings.patch: get rid of warnings when - aa-logprof is run. - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. (LP: #539441) - * debian/patches/0003-fix-memleaks.patch: include a couple of leak - patches from upstream. - - -- Marc Deslauriers Fri, 26 Mar 2010 11:39:18 -0400 - -apparmor (2.5-0ubuntu1) lucid; urgency=low - - * New upstream release. - * debian/control: updated branches. - * debian/copyright: updated download locations. - * debian/rules: drop unneeded build variables. - * common/Make.rules: set distributor. - - -- Kees Cook Thu, 11 Mar 2010 00:08:08 -0800 - -apparmor (2.5~pre+bzr1367-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1367 - * debian/notify/90apparmor-notify: sleep for 60 seconds for boot speed and - to make sure that X is all the way up so the notifications look pretty - - -- Jamie Strandboge Mon, 08 Mar 2010 13:53:50 -0600 - -apparmor (2.5~pre+bzr1364-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1364. - * debian/apparmor.functions: ignore .dpkg-bak files when loading too. - - -- Kees Cook Wed, 17 Feb 2010 13:36:21 -0800 - -apparmor (2.5~pre+bzr1362-0ubuntu2) lucid; urgency=low - - * debian/apparmor.postinst: on upgrades, prepopulate apparmor/homedirs - if it is not preseeded. Will check /etc/passwd for UIDs >= 1000 and - < 30000 for unique dirnames of home directories that are not /home. Fully - resolves (LP: #447292) - - -- Jamie Strandboge Wed, 17 Feb 2010 09:42:55 -0600 - -apparmor (2.5~pre+bzr1362-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1362. - - This release includes DFA minimization, transition table compression, - and improved partitioning performance (LP: #503869). - - drop 0001-tunable-alias.patch, now upstream. - * debian/apparmor.postinst: update home.d template to note the trailing - slash, even if the debconf template mentions it too. - * debian/apparmor.functions: go fully parallel with parsing to use all - CPUs in the case of needing to regenerate caches. - * debian/rules: enable library testsuite during build. - * debian/control: add dejagnu for library testsuite. - * debian/{rules,control}: use chrpath to drop rpath in libapparmor-perl. - - [ Jamie Strandboge ] - * debian/control: add apparmor-notify - * add debian/notify/notify.conf - * add debian/notify/90apparmor-notify - * add debian/apparmor-notify.install: install notify.conf to /etc/apparmor - and 90apparmor-notify to /etc/X11/Xsession.d - * debian/rules: - - remove upstream notify.conf since we will install our own via debhelper - - move apparmor_notify script and man pages to apparmor-notify - - -- Kees Cook Sat, 13 Feb 2010 12:19:30 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu4) lucid; urgency=low - - * 0001-tunable-alias.patch: backport r1330 to make it easier for people - to use AppArmor's alias rules (LP: #160002) - - -- Jamie Strandboge Mon, 11 Jan 2010 14:31:06 -0600 - -apparmor (2.3.1+bzr1312-0ubuntu3) lucid; urgency=low - - * debian/apparmor.{init,functions}: - - add "recache" argument to init script for liveCD cache generation. - - skip start/stop/reload when running on liveCD. - - -- Kees Cook Fri, 08 Jan 2010 08:39:14 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu2) lucid; urgency=low - - * debian/rules: disable profiling support for released version. - - -- Kees Cook Wed, 06 Jan 2010 16:57:58 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1312. - * debian/apparmor.postrm: fix comment typo. - * debain/rules: switch to bzr for upstream versioning. - * debian/rules: install apache2-* abstractions into apache2-mod package. - * drop debian/patches/0001-likewise-home-tunables.patch: this is causing - too much time in the parser (see LP 503869). The default install is - suffering, so move this configuration to likewise-open (see LP 274350). - - [ Jamie Strandboge ] - * debian/rules: - - don't ship tunables/home.d/site.local - - correct path for moving apache2 abstraction - * add debconf question for adjusting HOMEDIRS (LP: #447292) - - add debian/apparmor.config - - debian/apparmor.postinst: query debconf and adjust - tunables/home.d/ubuntu - - debian/apparmor.postrm: on purge, remove tunables/home.d/ubuntu and run - db_purge - - debian/control: Build-Depends on po-debconf and have apparmor Depends on - debconf - - add debian/po/* - - debian/rules: use dh_installdebconf -papparmor - - added debian/templates - - -- Kees Cook Wed, 06 Jan 2010 15:51:33 -0800 - -apparmor (2.3.1+1403-0ubuntu31) lucid; urgency=low - - * Remove initramfs hooks, as early profile loading is handled - on a service-by-service basis with Upstart jobs now. - - -- Kees Cook Fri, 04 Dec 2009 13:22:04 -0800 - -apparmor (2.3.1+1403-0ubuntu30) lucid; urgency=low - - [ Jamie Strandboge ] - * convert to using quilt - - debian/control: Build-Depends on quilt - - add debian/README.source - - debian/rules: include /usr/share/quilt/quilt.make and adjust - targets for patching - * debian/patches/0001-likewise-home-tunables.patch: tunables/home: add - /home/likewise-open/*/ to HOMEDIRS (LP: #274350) - * Merge to upstream bzr rev 1308. - - really add chromium-browser (LP: #488559) - - add official google-chrome (LP: #481661) - - [ Kees Cook ] - * parser/parser_main.c: use nanosec ctime resolution when checking - cache file times. - * parser/tst/caching.sh: add tests for cache use based on timestamps. - - -- Jamie Strandboge Fri, 04 Dec 2009 11:11:01 -0600 - -apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low - - * parser/Makefile: generate af_names.h based on bits/socket.h since - linux/socket.h no longer has what we need (LP: #474751) - * usr.sbin.dnsmasq: fully address LP: #445818 - - more pidfile refinements - - allow access to /var/run/dnsmasq - - allow access to /etc/dnsmasq.d - - allow dac_override so it can write its pidfile - * abstractions/ubuntu-browsers: add chromium-browser - - -- Jamie Strandboge Wed, 04 Nov 2009 17:07:23 -0600 - -apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low - - [ Jamie Strandboge ] - * update skype profile in extras. Based on work by Андрей Калинин. - (LP: #226624) - * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778) - * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and - epiphany-webkit were already present, but the recent changes in - epiphany packaging require /usr/bin/epiphany) (LP: #472952) - * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818) - * abstractions/gnome: allow access to ~/.themes (LP: #460125) - * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config - (LP: #447006) - - [ Marc Deslauriers ] - * utils/Subdomain.pm: don't skip reading profiles that are also in the - cache directory (LP: #446449) - * utils/Subdomain.pm: correctly parse PUxr modes - * utils/Subdomain.pm: support include directories - - -- Jamie Strandboge Wed, 04 Nov 2009 11:02:27 -0600 - -apparmor (2.3.1+1403-0ubuntu27) karmic; urgency=low - - * utils/SubDomain.pm: handle new format "null" log entries (LP: #446524) - - -- Marc Deslauriers Fri, 16 Oct 2009 14:40:04 -0400 - -apparmor (2.3.1+1403-0ubuntu26) karmic; urgency=low - - * abstractions/ubuntu-browsers: add Dooble - * abstractions/ubuntu-browsers: add chromium (LP: #448812) - * abstractions/gnome: add read for /etc/orbitrc - * abstractions/audio: add read for /etc/pulse/* for when ~/.pulse/* doesn't - exist and these files are used for fallback - - -- Jamie Strandboge Wed, 14 Oct 2009 07:59:03 -0500 - -apparmor (2.3.1+1403-0ubuntu25) karmic; urgency=low - - * Do not use tools in /usr during initial start-up (LP: #439726). - - -- Kees Cook Fri, 02 Oct 2009 16:52:04 -0700 - -apparmor (2.3.1+1403-0ubuntu24) karmic; urgency=low - - * abstractions/X: allow mouse themes (LP: #438051) - - -- Jamie Strandboge Thu, 01 Oct 2009 16:07:25 -0500 - -apparmor (2.3.1+1403-0ubuntu23) karmic; urgency=low - - [ Kees Cook ] - * Really fix quiet mode in initramfs (LP: #435285). - * Handle older kernel versions when loading profiles (LP: #429872): - - parser/parser_{interface,main}.c: detect kernel version and downgrade. - - debian/apparmor.functions, parser/parser_main.c: keep kernel features - recorded in cache directory. - - parser/parser_{interface,main}.c: add --skip-kernel-load for testing. - - parser/tst/caching.*: add caching tests. - [ Jamie Strandboge ] - * abstractions/audio: add a few more files for pulseaudio - - -- Kees Cook Fri, 25 Sep 2009 09:54:01 -0700 - -apparmor (2.3.1+1403-0ubuntu22) karmic; urgency=low - - * Do not run AppArmor on the LiveCD, again (LP: #131976). - * More aggressively stay quiet when booting in quiet mode (LP: #435285). - - -- Kees Cook Wed, 23 Sep 2009 15:40:22 -0700 - -apparmor (2.3.1+1403-0ubuntu21) karmic; urgency=low - - * debian/apparmor.{init-bottom,functions,initramfs}: perform initial - apparmor rule loading in initramfs. - - -- Kees Cook Mon, 21 Sep 2009 14:16:26 -0700 - -apparmor (2.3.1+1403-0ubuntu20) karmic; urgency=low - - * added disabled apache2 profile (FFE LP: #430812): - - add profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2: new - apache2 profile - - add profiles/apparmor.d/apache2.d/phpsysinfo: example profile for the - phpsysinfo application - - profiles/Makefile: handle the apache2.d directory - - add debian/libapache2-mod-apparmor.postinst: reload apparmor after - installation since we now ship a profile in this package - - add debian/libapache2-mod-apparmor.preinst: disable apache2 profile - if the user does not already have a profile defined - - add debian/libapache2-mod-apparmor.postrm: remove disabled symlink - on purge - - debian/rules: move apache2 profile to the libapache2-mod-apparmor - package and create apache2.d directory - * utils/SubDomain.pm: handle "open" log entries (LP: #427966) - * added ouid parsing support (LP: #431929): - - libraries/libapparmor/testsuite/test_multi.c - - libraries/libapparmor/src/{scanner.l,grammar.y,aalogparse.h, - libaalogparse.c} - - -- Marc Deslauriers Sat, 19 Sep 2009 09:32:02 -0400 - -apparmor (2.3.1+1403-0ubuntu19) karmic; urgency=low - - [ Jamie Strandboge ] - * abstractions/fonts: allow links in @{HOME}/.fontconfig/** - - [ Kees Cook ] - * debian/apparmor.init: expect that the securityfs is mounted, and only - test for the mounted filesystem against the type column when it is not - found. - - -- Kees Cook Wed, 09 Sep 2009 11:42:07 -0700 - -apparmor (2.3.1+1403-0ubuntu18) karmic; urgency=low - - * added the following abstractions: - - ubuntu-browsers: Ux transitions to graphical browsers - - ubuntu-console-browsers: Ux transitions to text-mode browsers - - ubuntu-console-email: Ux transitions to text-mode email clients - - ubuntu-email: Ux transitions to graphical email clients - - ubuntu-gnome-terminal: ix transition for gnome-terminal - - ubuntu-konsole: ix transition for konsole - - ubuntu-xterm: ix transition for xterm - - -- Jamie Strandboge Thu, 03 Sep 2009 11:57:39 -0500 - -apparmor (2.3.1+1403-0ubuntu17) karmic; urgency=low - - * abstractions/base: workaround for ecryptfs and apparmor by allowing - 'owner' match for files in .Private. (LP: #359338) - - -- Jamie Strandboge Mon, 31 Aug 2009 15:38:54 -0500 - -apparmor (2.3.1+1403-0ubuntu16) karmic; urgency=low - - * profiles/apparmor.d/*dovecot*: add first-pass at complain-only - profiles for basic dovecot operation. - - -- Kees Cook Wed, 26 Aug 2009 15:19:46 -0700 - -apparmor (2.3.1+1403-0ubuntu15) karmic; urgency=low - - * utils/SubDomain.pm: don't abort when an include file only contains - hats (LP: #400367) - - -- Marc Deslauriers Wed, 26 Aug 2009 11:35:58 -0400 - -apparmor (2.3.1+1403-0ubuntu14) karmic; urgency=low - - * Pull upstream changes for 64bit capabilities (svn 1427, 1437, 1438). - * Pull upstream changes for pux exec mode (svn 1439). - * debian/apparmor.init: "find" -name is not brace-aware (LP: #418364). - - -- Kees Cook Mon, 24 Aug 2009 18:01:05 -0700 - -apparmor (2.3.1+1403-0ubuntu13) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_main.c: add --skip-read-cache to force reading of - uncached profiles while still allowing for --write-cache to work. - * parser/apparmor_parser.pod: add all missing option documentation. - - [ Jamie Strandboge ] - * abstractions/kde: update for kde4 - - -- Jamie Strandboge Wed, 19 Aug 2009 12:07:06 -0500 - -apparmor (2.3.1+1403-0ubuntu12) karmic; urgency=low - - * abstractions/base: add more locale paths (LP: #413454) - - -- Jamie Strandboge Fri, 14 Aug 2009 07:31:03 -0500 - -apparmor (2.3.1+1403-0ubuntu11) karmic; urgency=low - - * utils/enforce: remove /etc/apparmor.d/disable/ symlink - LP: #413153 - * debian/rules: don't install usr.sbin.ntpd or tunables/ntpd. Can remove - this when we create a new orig.tar.gz - - -- Jamie Strandboge Wed, 12 Aug 2009 10:04:34 -0500 - -apparmor (2.3.1+1403-0ubuntu10) karmic; urgency=low - - * remove apparmor.d/usr.sbin.ntpd and apparmor.d/tunables/ntpd since ntpd - will begin shipping its own profile - - -- Jamie Strandboge Wed, 12 Aug 2009 10:02:53 -0500 - -apparmor (2.3.1+1403-0ubuntu9) karmic; urgency=low - - * Revert 64-bit capabilities (LP: #408773). - - -- Kees Cook Tue, 04 Aug 2009 11:51:27 +0100 - -apparmor (2.3.1+1403-0ubuntu8) karmic; urgency=low - - * Update to upstream subversion r1431. - - change_profile can use regex (LP: #390810, #401931) - * debian/apparmor.init: always clear cache on reload. - - -- Kees Cook Mon, 03 Aug 2009 07:46:33 -0700 - -apparmor (2.3.1+1403-0ubuntu7) karmic; urgency=low - - * profiles/apparmor.d/abstractions/base: add /proc/sys/crypto (LP: #392337). - - -- Kees Cook Sat, 25 Jul 2009 09:04:46 -0700 - -apparmor (2.3.1+1403-0ubuntu6) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_policy.c: return errors instead of exiting. - * debian/apparmor.init: skip more suffixes. - * parser/parser_lex.l: define file suffixes to ignore. - * parser/parser_main.c: disable cache for parsing reports. - * debian/apparmor.init: also remove unparsed profiles. - - [ Jamie Strandboge ] - * update gnome abstraction for /var/run/gdm/auth*/database - * utils/SubDomain.pm: parse profiles in subdirectories, not just include - files (LP: #401935) - - -- Jamie Strandboge Mon, 20 Jul 2009 11:45:24 -0500 - -apparmor (2.3.1+1403-0ubuntu5) karmic; urgency=low - - * Always use --replace when loading profiles so that if profiles - are loaded outside of the init script (e.g. dhcp3), the init - script does not abort (LP: #401109). - * parser/parser_main.c: more carefully create cache files. - - -- Kees Cook Sun, 19 Jul 2009 07:48:11 -0700 - -apparmor (2.3.1+1403-0ubuntu4) karmic; urgency=low - - * utils/SubDomain.pm: exclude new cache directory. - * parser/parser_main.c: - - allow OPTION_REMOVE to work again (LP: #400781). - - warn about using stdin. - - do not cache disabled profiles. - - report cached loading if not quiet. - * debian/apparmor.init: - - do not depend on aa-status. - - only write cache from init script. - - -- Kees Cook Fri, 17 Jul 2009 10:10:05 -0700 - -apparmor (2.3.1+1403-0ubuntu3) karmic; urgency=low - - * debian/apparmor.init: more cleanly handle disabled AppArmor. - - -- Kees Cook Fri, 17 Jul 2009 00:12:19 -0700 - -apparmor (2.3.1+1403-0ubuntu2) karmic; urgency=low - - * improve profile loading speed (LP: #382944): - - parser/parser_lex.l: move include handling into flex parser. - - parser/parser_main.c: - - move disable/complain logic into loader. - - add binary caching. - - debian/apparmor.init: reduce to bare minimum. - - -- Kees Cook Wed, 15 Jul 2009 17:05:49 -0700 - -apparmor (2.3.1+1403-0ubuntu1) karmic; urgency=low - - [ Kees Cook ] - * New upstream bundle (svn1403). - * debian/apparmor.init: add specific Start/Stop dependencies - (LP: #372441). - * debian/control: correctly use lsb-base not sysv for Depends. - - [ Jamie Strandboge ] - * add abstractions/launchpad-integration - * abstractions/audio: add pulseaudio - * add abstractions/private-files* for explicitly denying access to sensitive - files. - - -- Kees Cook Fri, 10 Jul 2009 08:37:54 -0700 - -apparmor (2.3+1289-0ubuntu15) karmic; urgency=low - - * Depend on upstart 0.6.0 which contains upstart-compat-sysv now - - -- Scott James Remnant Fri, 10 Jul 2009 10:28:45 +0100 - -apparmor (2.3+1289-0ubuntu14) jaunty; urgency=low - - * abstractions/smbpass: Add *.ldb used in Samba 3.2 and above (LP: #357581) - - -- Thierry Carrez Wed, 08 Apr 2009 13:42:21 +0200 - -apparmor (2.3+1289-0ubuntu13) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/gnome: allow /proc/$pid/mounts for gvfs. - * abstractions/python: clean up allowed paths (LP: #350820), thanks to - Jonathan Davies. - - [ Jamie Strandboge ] - * abstractions/user-tmp: allow 'k' for files in tmp dirs (LP: #351275) - - -- Jamie Strandboge Tue, 31 Mar 2009 09:57:57 -0500 - -apparmor (2.3+1289-0ubuntu12) jaunty; urgency=low - - * expand allowed library paths to handle unexpected architectures - (LP: #349819). - - -- Kees Cook Fri, 27 Mar 2009 13:48:11 -0700 - -apparmor (2.3+1289-0ubuntu11) jaunty; urgency=low - - * fix path to winbindd_privileged/pipe in winbind abstraction (LP: #348541) - - -- Jamie Strandboge Fri, 27 Mar 2009 08:29:13 -0500 - -apparmor (2.3+1289-0ubuntu10) jaunty; urgency=low - - * utils/SubDomain.pm: - - teach utils about rearranged syslog audit messages (LP: #340183) - from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1393 - - fix corruption of profiles, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1354 - - don't ask about networking events over and over again, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1296 - - use apparmor logdir instead of /tmp to write debugging log - - -- Steve Beattie Thu, 19 Mar 2009 03:05:07 -0700 - -apparmor (2.3+1289-0ubuntu9) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/base: allow /proc/$pid/maps (LP: #343287). - * abstractions/*: clean up lib, lib32, lib64 semantics (LP: #342200). - * abstractions/nameservice: fix up paths for nscd (LP: #342198). - * parser/rc.apparmor.functions, debian/apparmor.init: LSB-ify startup - messages (LP: #295200). - - [ Steve Beattie ] - * libapparmor/src/scanner.l: adjust lexer to fix matching updated audit - messages (LP: #340183) from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1389 - * debian/source_apparmor.py: add a per-package apport hook (LP: #342554). - - -- Kees Cook Wed, 18 Mar 2009 21:18:01 -0700 - -apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low - - * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109) - * utils/SubDomain.pm: re-add dropped patch to not process disable/ as - include files, and also don't process force-complain/ (LP: #331534) - - -- Jamie Strandboge Thu, 12 Mar 2009 12:53:08 -0500 - -apparmor (2.3+1289-0ubuntu7) jaunty; urgency=low - - * abstractions/dbus: add machine-id - * abstractions/audio: add libcanberra paths - * abstractions/freedesktop.org: add user-dirs.dirs - - -- Jamie Strandboge Thu, 12 Feb 2009 11:28:15 -0600 - -apparmor (2.3+1289-0ubuntu6) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/X: add DRI paths. - * parser/Makefile: blacklist AF_PHONET. - - [ Jamie Strandboge ] - * update usr.sbin.smbd profile to write to /var/lib/samba/** and - read/write to /var/run/dbus/system_bus_socket (LP: #294802) - * abstractions/freedesktop.org: use /usr/share/mime/**, @{HOME}/.icons/, - and @{HOME}/.recently-used.xbel* - * abstractions/gnome: add gvfs remote-volume-monitors paths and printing - files - - -- Kees Cook Mon, 22 Dec 2008 17:20:10 -0800 - -apparmor (2.3+1289-0ubuntu5) jaunty; urgency=low - - * abstractions/nameservice: allow read access to - /etc/resolvconf/run/resolv.conf (LP: #286080) - * adjust src/grammar.y and src/scanner.l to account for the moved type=NNNN - field in 2.6.27 kernels and capture non-matching logfile input instead of - printing it to stdout (LP: #271252). Patch thanks to Jesse Michael and - Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1310 - * add syslog test cases to testsuite. Patch thanks to Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1307 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1308 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1309 - - -- Jamie Strandboge Tue, 21 Oct 2008 09:09:58 -0500 - -apparmor (2.3+1289-0ubuntu4) intrepid; urgency=low - - * parser/rc.apparmor.functions: fix typo seen when admin changes - the default location of the apparmor.d directory (LP: #280467). - * abstractions/{samba,base}: clean up unneeded "m" permissions. - * abstractions/perl: add missing default perl paths. - - -- Kees Cook Wed, 08 Oct 2008 16:42:10 -0700 - -apparmor (2.3+1289-0ubuntu3) intrepid; urgency=low - - * add locking permission to /var/log/wtmp abstraction, thanks to - Martin Pitt (LP: #253328). - * utils/logprof.conf: repository updated for Intrepid (LP: #258818). - * profiles/apparmor.d/usr.sbin.nscd: added cache directory (LP: #144383). - * parser/rc.apparmor.functions: redirect stderr (LP: #244013). - * parser/Makefile: blacklist "AF_ISDN". - - -- Kees Cook Wed, 30 Jul 2008 09:29:03 -0700 - -apparmor (2.3+1289-0ubuntu2) intrepid; urgency=low - - [ Mathias Gug ] - * debian/control: - - move apparmor-profiles to a suggested package by apparmor. - - [ Kees Cook ] - * debian/control - - move libterm-readline-gnu-perl to "suggests". - - drop apparmor-modules-source since it no longer exists. - - -- Kees Cook Wed, 02 Jul 2008 12:35:12 -0700 - -apparmor (2.3+1289-0ubuntu1) intrepid; urgency=low - - * Updated to upstream subversion v1289. - - new parser requires new AppArmor kernel LSM. - * debian/control: - - add libapparmor-perl, and associated Depends - - bump standards version to 3.7.3.0 (no changes needed) - * debian/rules: - - adjust "clean" rule to be more effective. - - -- Kees Cook Sat, 28 Jun 2008 15:38:12 -0700 - -apparmor (2.1+1075-0ubuntu10) intrepid; urgency=low - - [ Jamie Strandboge ] - * added abstractions/smbpass and #include it in abstractions/authentication - to allow access to /var/lib/samba/*.tdb. LP: #217787 - - [ Mathias Gug ] - * update likewise-open authentication abstraction: allow access to - privileged pipe (LP: #235646). - * Update smbd profile to include access to /var/spool/samba/ (printer - sharing) and utmp update (LP: #237066). - * Update esound location in audio profile (LP: #229127). - Thanks to Adam Mondl. - * Add dnsmasq profile (LP: #148590). Thanks to John Dong. - - -- Mathias Gug Mon, 09 Jun 2008 18:24:09 -0400 - -apparmor (2.1+1075-0ubuntu9) hardy; urgency=low - - * parser/rc.apparmor.functions: do not abort if parser is missing, in - the case of an unpurged "apparmor" init script running under SELinux. - - -- Kees Cook Mon, 07 Apr 2008 13:25:06 -0700 - -apparmor (2.1+1075-0ubuntu8) hardy; urgency=low - - * Sync bugfixes from upstream 8.04 branch, svn 1161. - - documentation updated to reflect AppArmor 2.1 features. - - minor profile updates (nscd, ntpd, opera) - - util/SubDomain.pm: corrected mask merging and type detection. - - -- Kees Cook Wed, 02 Apr 2008 15:48:58 -0700 - -apparmor (2.1+1075-0ubuntu7) hardy; urgency=low - - * profiles/apparmor.d/abstractions/nameservice: (LP: #207912) - - fix ldap path - - add nsswitch "db" backend paths - - -- Kees Cook Thu, 27 Mar 2008 14:19:06 -0700 - -apparmor (2.1+1075-0ubuntu6) hardy; urgency=low - - [ Kees Cook ] - * utils/SubDomain.pm: - - fix up mask parsing to match kernel version (LP: #202920). - - fix up syslog parsing regexp to match broken kernels (LP: #202888). - * profiles/apparmor.d/abstractions/base: add licenses path for reading. - * profiles/apparmor.d/abstractions/freedesktop.org: include /usr/local. - * profiles/apparmor.d/usr.sbin.smbd: include print client abstraction. - * profiles/apparmor.d/abstractions/nameservice: include missing gai.conf - (LP: #202991). - - [ Jamie Strandboge ] - * add Debian Policy compliant way to toggle complain mode (LP: #203137) - - parser/rc.apparmor.functions: add '-C' to PARSER_ARGS if - force-complain/ exists - - utils/enforce: remove symlink in force-complain/ - - debian/rules: create /etc/apparmor.d/force-complain - - -- Kees Cook Mon, 17 Mar 2008 10:28:23 -0700 - -apparmor (2.1+1075-0ubuntu5) hardy; urgency=low - - * profiles/apparmor.d/abstractions/python: update shared python locations. - * debian/control: adjust Depends to allow sysvinit (LP: #199871). - - -- Kees Cook Tue, 11 Mar 2008 15:25:11 -0700 - -apparmor (2.1+1075-0ubuntu4) hardy; urgency=low - - [ Jamie Strandboge ] - * removed usr.sbin.named and usr.sbin.mysqld, as these will be provided - be bind9 and mysql-server-5.0, respectively. - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/ssl_keys: add ssl_keys abstraction, to - be used by profiles accessing ssl privates keys. - - [ Rick Clark ] - * added abstraction for likewise-open. - - -- Mathias Gug Wed, 13 Feb 2008 19:16:12 -0500 - -apparmor (2.1+1075-0ubuntu3) hardy; urgency=low - - * profiles/apparmor.d/abstractions/fonts: add missing ~/.fonts.conf - * profiles/apparmor.d/sbin.klogd: add newly needed @{PROC}/kallsyms - - -- Kees Cook Wed, 16 Jan 2008 14:16:18 -0800 - -apparmor (2.1+1075-0ubuntu2) hardy; urgency=low - - * utils/apparmor_status: fix module loaded test to handle built-in. - - -- Kees Cook Thu, 03 Jan 2008 17:24:40 -0800 - -apparmor (2.1+1075-0ubuntu1) hardy; urgency=low - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/nameservice: update nameservice - abstraction to support nscd setup. - - [ Kees Cook ] - * merge with upstream trunk revision 1075. - * debian/{control,apparmor.postrm,apparmor.postinst,apparmor.initramfs}: - dropped module hook since module is loaded in kernel automatically now. - * debian/rules: tweaked get-orig-source to use defined variables. - * debian/copyright: mention "get-orig-source" build rule. - * debian/{rules,control,libpam-apparmor.docs}: add libpam-apparmor now - that PAM is 0.99. - - -- Kees Cook Thu, 03 Jan 2008 13:29:31 -0800 - -apparmor (2.1+993-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Add mdns4 resolution to nameservice abstraction. (LP: #148579). - * Update syslog-ng profile. (LP: #148708). - * Add xen tls libraries to base abstraction. (LP: #150282). - * Update cups-client abstraction: add /var/run/cups/cups.sock. (LP: #151269) - - [ Kees Cook ] - * Adjust KDE abstractions for Ubuntu paths (LP: #148309). - - -- Kees Cook Fri, 12 Oct 2007 12:54:36 -0700 - -apparmor (2.1+993-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * debian/control: Set maintainer to Ubuntu Core Developers. - * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not - fail on non-existing profile directory. Fixes LP: #141128. - * debian/rules: don't compress profiles in doc/extras/. - * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages - in syslog files. Fixes LP: #140508. - * Update usr.sbin.nscd profile. Fixes LP: #144383. - - [ Kees Cook ] - * abstractions/gnupg: drop bad attempt at general-purpose client rule. - * abstractions/fonts: adjust for new syntax, add more local fonts paths. - * abstractions/nameservice: add mmap permission to some /etc files. - - -- Kees Cook Tue, 25 Sep 2007 10:23:29 -0700 - -apparmor (2.1+993-0ubuntu1) gutsy; urgency=low - - * new merge from upstream: - * fixes to support new audit messages sent by the kernel module. - * bump in minor library version for libapparmor. - * debian/control: Add perl libterm-readkey-perl and librpc-xml-perl - dependencies for apparmor-utils. Fixes LP: #139757, LP: #139091. - * utils/SubDomain.pm: Re-enable RPC client for remote repositories. - * profiles/apparmor.d/sbin.syslogd: update profile. - Fixes LP: #140672, LP: #140274. - - -- Mathias Gug Tue, 18 Sep 2007 11:12:50 -0400 - -apparmor (2.1+961-0ubuntu5) gutsy; urgency=low - - * utils/SubDomain.pm, parser/rc.apparmor.functions: skip .dpkg-dist profiles. - * debian/rules, debian/apparmor.postinst: fix postinst script failure on - upgrades. Fix LP: #139683. - - -- Mathias Gug Fri, 14 Sep 2007 17:20:01 -0400 - -apparmor (2.1+961-0ubuntu4) gutsy; urgency=low - - [ Mathias Gug ] - * debian/rules: Fix libapparmor-dev build. - * apparmor-profiles: remove gnupg.moved. - - [ Kees Cook ] - * abstractions: adjust gnome for new syntax. - * abstractions: adjust aspell to add locking. - - -- Kees Cook Fri, 14 Sep 2007 09:34:15 -0700 - -apparmor (2.1+961-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Update avahi-daemon profile: add m permission to /etc/password and - /etc/group. - - [ Kees Cook ] - * Rename libapparmor1-dev back to libapparmor-dev. - - -- Kees Cook Thu, 13 Sep 2007 15:44:30 -0700 - -apparmor (2.1+961-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * Disable html documentation: Fixes LP: #139091. - * parser/Makefile, debian/rules: disable html documentation building. - * debian/control: remove latex2html dependency. - * profiles/apparmor.d/usr.sbin.avahi-daemon: add sys_chroot capability. - Fixes LP: #139092. - - [ Kees Cook ] - * profiles/apparmor.d/abstractions/user-tmp: adjust directory permissions - for newly unmasked /tmp handling (LP: #138978). - * utils/SubDomain.pm: disable remote repositories until RPC::XML MIR - clears (LP: 139091). - * utils/*.pod: adjust for Ubuntu paths and "aa-" prefixes (LP: #116647). - * Fix upgrades to not unload profiles, which would cause programs to - become unconfined: - - debian/rules: don't stop apparmor on upgrades. - - debian/apparmor.postinst: reload profiles after a configure. - - -- Kees Cook Wed, 12 Sep 2007 13:14:02 -0700 - -apparmor (2.1+961-0ubuntu1) gutsy; urgency=low - - * New upstream version. - * Support resolvconf. Fix LP: #132468. - * Move package maintainance to bzr: - * Apply all patches directly into the tree with dpatch apply-all. - * debian/patches/: remove all patches as they are applied inline now. - * debian/control, debian/control.modules.in: remove dpatch from - Build Depends. - * debian/rules: - * remove dpatch include. - * remove patch and unpatch dependencies - * debian/control: - * Rename libapparmor-dev to libapparmor1-dev. - Add Provides: and Conflict: tags. - * Remove universe component in Section tag. - * Remove apparmor-utils depends on bsdutils. - * Update apparmor-modules Recommends to apparmor-modules-2.1. - * utils/: - * Add audit man page. - * Fix mod_appamor library: remove rpath info. - * debian/rules: remove rpath info. - * debian/control: add chrpath as a build dependency. - * Remove apparmor-modules-source package: - * debian/conrol: remove apparmor-modules-source package. - * debian/apparmor.postinst, debian/apparmor.preinst, - debian/apparmor.prerm: remove error_handler function. - * debian/rules: remove error_handler option from dh_installinit. - * debian/apparmor-modules-_KVERS_.postinst.modules.in, - debian/control.modules.in: remove control and postinst files. - - -- Mathias Gug Tue, 11 Sep 2007 10:44:56 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu25) gutsy; urgency=low - - * debian/rules: move tunables/ and abstractions/ in apparmor package. - Fixes LP: #130114. - - -- Mathias Gug Mon, 06 Aug 2007 14:40:37 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu24) gutsy; urgency=low - - * Cannot Depend on apparmor-modules-* in apparmor due to germinate - issues. Moved to Recommends. - - -- Kees Cook Mon, 23 Jul 2007 11:08:38 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu23) gutsy; urgency=low - - * debian/control: add explicit Depends on l-u-m apparmor kernel modules. - - -- Kees Cook Wed, 18 Jul 2007 21:07:03 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu22) gutsy; urgency=low - - * 13-subdomain.pm-skip-files.dpatch: update isSkippable function in - SubDomain.pm to skip the same files as rc.apparmor.functions (used by the - init script) : .dpkg-old, .dpkg-new and symlinks in disable/ - sub-directory. - - -- Mathias Gug Thu, 12 Jul 2007 06:56:45 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu21) gutsy; urgency=low - - * 07-apparmor-init-script.dpatch, debian/rules: skip profiles that have a - link in /etc/apparmor.d/disable. Update rules file : create - /etc/apparmor.d/disable. - - -- Mathias Gug Mon, 09 Jul 2007 11:07:29 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu20) gutsy; urgency=low - - * debian/control - - fix typo in XS-Vcs. - - adjust apparmor-modules-source to no longer be required and document - the fact that the modules come from the linux-ubuntu-modules package - now. - - add initramfs-tools for loading apparmor modules early. - * debian/apparmor.{initramfs,postinst,prerm}, debian/rules: install - initramfs hook and update-initramfs for adding armor modules for boot. - - -- Kees Cook Fri, 06 Jul 2007 03:41:06 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu19) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: pass back the correct string pointer - so as to not corrupt kernel memory (LP: #123081). - * debian/control: add XS-Vcs for bzr branch. - - -- Kees Cook Tue, 03 Jul 2007 09:07:52 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu18) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add m permission for all libraries - under /usr/lib/**, so that ssl libraries optimized for i686 can be - accessed. - * 09-profile-usr-sbin-mysqld.dpatch: add m permission to /etc/passwd, - /etc/group. - * 12-profile-samba.dpatch: add profile for smbd and nmbd daemons from - samba. - * 99-complain-all-profiles.dpatch: turn complain mode for smbd and nmbd - profiles. - - -- Mathias Gug Fri, 29 Jun 2007 15:19:15 +0200 - -apparmor (2.0.1+510.dfsg-0ubuntu17) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: match upstream more closely, check - for errors. - - -- Kees Cook Tue, 26 Jun 2007 16:00:08 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu16) gutsy; urgency=low - - * Added 11-getprocattr-api.dpatch: update kernel module for getprocattr - API change (LP: #122444). - - -- Kees Cook Tue, 26 Jun 2007 15:21:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu15) gutsy; urgency=low - - * debian/apparmor.init: do not unload apparmor module on stop, since it - already defaults to capabilities-compatible fall back and we don't want - to lose the started process knowledge of the module for the next load of - the parser. - * Added 10-namespace-header.dpatch: include namespace_sem extern, since - mnt_namespace.h is missing it currently. - * Updated 07-apparmor-init-script.dpatch: ignore .dpkg-old profiles. - - -- Kees Cook Tue, 26 Jun 2007 10:04:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu14) gutsy; urgency=low - - * Correct missing libapparmor1 file contents. - - -- Kees Cook Thu, 21 Jun 2007 08:04:42 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu13) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add /lib/tls/i686/cmov/lib* to base - abstraction to support i686 optimized libraries from libc6-i686 package. - * 09-profile-usr-sbin-mysqld.dpatch: - * add profile usr.sbin.mysqld - * update abstractions/mysql - * debian/rules: remove extras/usr.sbin.mysqld. - * 99-complain-all-profiles.dpatch: - * put mysqld profile in complain mode. - * put named profile in complain mode. - - -- Mathias Gug Wed, 20 Jun 2007 12:12:28 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu12) gutsy; urgency=low - - * Add missing dh_makeshlibs call to rules, fix up libapparmor naming. - - -- Kees Cook Wed, 20 Jun 2007 09:15:48 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu11) gutsy; urgency=low - - * Packaged libapparmor, libapparmor-dev, and libapache2-mod-apparmor. - - -- Kees Cook Mon, 18 Jun 2007 18:27:46 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu10) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch, 06-profile-usr-sbin-named.dpatch: - move /dev/random into abstractions/base. - * 06-profile-usr-sbin-named.dpatch: Add sys_chroot capability. - * debian/rules: don't package aa-eventd and Reports.pm as they use perl - modules not maintained in main. - Reports.pm is only used by Yast for now. aa-eventd maintains an - sqlite database of audit messages which is used by Reports.pm. - If configured (not by default), aa-eventd can also send emails when - AppArmor audit messages are emited. - * debian/control: Add universe component to Section: header. Needed to make - it work with PPA. - - -- Mathias Gug Fri, 15 Jun 2007 12:47:05 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu9) gutsy; urgency=low - - * 06-profile-usr-sbin-named.dpatch : Generate a new profile for - /usr/sbin/named to make it work with bind9. - * debian/apparmor.init, 07-apparmor-init-script.dpatch: merge ubuntu - changes with the latest version from upstream. - * 99-complain-all-profiles.dpatch : put all profiles into complain mode by - default. - Add a small script (put-all-profiles-in-complain-mode.sh) in - debian/ that takes care of automatically setting all profiles into - complain mode. This script should be used by the maintainer to set all - profiles in complain mode before packaging them. - - -- Mathias Gug Wed, 6 Jun 2007 13:41:57 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu8) gutsy; urgency=low - - * Start apparmor as early as possible in the boot process : just after - mountall in rcS.d. Add preinst script to remove symlinks previously - installed in rc*.d/. - (LP: #116624). - * Sync 04-apparmor-status.dpatch with upstream apparmor_status. The previous - patch has been merged in upstream. - * Update klogd profile : add /var/run/klogd/klogd.pid and - /var/run/klogd/kmsg to the profile. - - -- Mathias Gug Thu, 31 May 2007 14:26:03 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu7) gutsy; urgency=low - - * 03-profile-usr-sbin-ntpd.dpatch: udpdate profile for ntpd daemon. Add - /var/lib/ntp/ntp.drift and /var/log/ntpstats/peerstats* to the profile. - - * 04-apparmor-status.dpatch: improve apparmor_status script. Report more - detailed information. - - -- Mathias Gug Tue, 29 May 2007 13:05:55 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu6) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: Update abstractions for changes - specific to Gnome, Debian, and 32bit on 64bit environments. - * debian/control: adjust Recommends to apparmor-modules-source - (LP: #113553). - * debian/apparmor.init: moved rmmod/modprobe into init script, and dropped - alias to avoid confusion and move control of the LSM closer to loading - the profiles and work around capability already being loaded in the - initrd (LP: #113887). - - -- Kees Cook Thu, 17 May 2007 20:34:41 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu5) gutsy; urgency=low - - * 01-logger-path.dpatch: Fix path to logger (LP: #112147). - - -- Kees Cook Thu, 03 May 2007 11:59:34 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu4) feisty; urgency=low - - * debian/control: move apparmor-modules to Recommends to Avoid - uninstallable situation when AppArmor modules haven't yet been - compiled/installed. - - -- Kees Cook Wed, 11 Apr 2007 11:39:39 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu3) feisty; urgency=low - - * debian/rules, debian/apparmor.{postinst,prerm}: ignore init script - failures so that they don't block package installs/upgrades/uninstalls. - - -- Kees Cook Wed, 11 Apr 2007 08:52:37 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu2) feisty; urgency=low - - * debian/control: add missing Depend on 'dpatch' for modules-source. - - -- Kees Cook Sat, 7 Apr 2007 09:35:16 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu1) feisty; urgency=low - - * Initial release, thanks to Magnus Runesson and Jesse Michael - (LP: #95334). - - -- Kees Cook Fri, 23 Mar 2007 16:42:01 -0700 diff -Nru apparmor-2.10/debian/changelog.OTHER apparmor-2.10/debian/changelog.OTHER --- apparmor-2.10/debian/changelog.OTHER 2015-09-01 21:16:56.000000000 +0000 +++ apparmor-2.10/debian/changelog.OTHER 1970-01-01 00:00:00.000000000 +0000 @@ -1,3232 +0,0 @@ -apparmor (2.10-0ubuntu3) wily; urgency=medium - - * debian/libapparmor-dev.manpages: add 5 missing libapparmor manpages - - -- Steve Beattie Thu, 27 Aug 2015 15:57:16 -0700 - -apparmor (2.10-0ubuntu2) wily; urgency=medium - - * debian/patches/aa-status-dont_require_python3-apparmor.patch: - make aa-status(8) work even when python3-apparmor is not installed, - otherwise dh_apparmor postinst snippets can fail (LP: #1480492) - * debian/control: make apparmor-utils depend on the same package - version of python3-apparmor - - -- Steve Beattie Fri, 31 Jul 2015 16:35:03 -0700 - -apparmor (2.10-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.10 - - libapparmor added functions to ease loading profile cache files to - help support systemd on-demand load of policy (LP: #1385414) - - apparmor parser: fixed policy generation to allow matching - embedded NULs in abstract unix socket names (LP: #1413410) - - aa-status: don't traceback when not permitted to read current - set of apparmor policy (LP: #1466768) - - aa-logprof: don't crash on policies that have an #include of a - directory (LP: #1471425) - - aa-logprof: fix crash when network rejections occur when file - operations are performed on network sockets (LP: #1466812) - * dropped reproducible-pdf.patch, incorporated upstream - * debian/patches/tests-fix_sysctl_test.patch: fix sysctl test failure - with 4.1 kernel and newer. - * debian/control: add alternate dependency on linux-initramfs-tool - (LP: #1109029) - * debian/libapparmor1.symbols: update symbols file for added symbols - in libapparmor - - -- Steve Beattie Thu, 23 Jul 2015 01:57:43 -0700 - -apparmor (2.9.2-0ubuntu2) wily; urgency=medium - - * No-change rebuild for python3.5 transition - - -- Steve Langasek Wed, 22 Jul 2015 04:07:28 +0000 - -apparmor (2.9.2-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.9.2 - - Fix minitools to work with multiple profiles at once (LP: #1378095) - - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598) - - Update dovecot profiles (LP: #1296667) - - Allow ubuntu-helpers to build texlive fonts (LP: #1010909) - * dropped patches incorporated upstream: - add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch - parser-fix_modifier_compilation_+_tests.patch, - tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch, - GDM_X_authority-lp1432126.patch, and - debian/patches/easyprof-framework-policy.patch - * Partial merge with debian apparmor package: - - debian/rules: enable the bindnow hardening flag during build. - - debian/upstream/signing-key.asc: add new upstream public - signing key - - debian/watch: fix watch file, add gpg signature checking - - install libapparmor.so dev symlink under /usr not /lib - - debian/patches/reproducible-pdf.patch: make techdoc.pdf - reproducible even in face of timezone variations. - - debian/control: sync fields - - debian/debhelper/postrm-apparmor: remove - /etc/apparmor.d/{disable,} on package purge - - debian/libapache2-mod-apparmor.postrm: on package purge, delete - /etc/apparmor.d/{,disable} if empty - - debian/libapparmor1.symbols: Use Build-Depends-Package in the - symbols file. - - debian/copyright: sync - - -- Steve Beattie Mon, 11 May 2015 22:03:04 -0700 - -apparmor (2.9.1-0ubuntu9) vivid; urgency=medium - - * Make debian/lib/apparmor/profile-load executable. - - -- Serge Hallyn Thu, 02 Apr 2015 13:00:35 -0500 - -apparmor (2.9.1-0ubuntu8) vivid; urgency=medium - - [ Steve Beattie ] - * debian/rules: run make check on the libapparmor library - * add-chromium-browser.patch: add support for chromium policies - (LP: #1419294) - * debian/apparmor.{init,upstart}: add support for triggering - aa-profile-hook runs when packages are updated via snappy system - image updates (LP: #1434143) - * parser-fix_modifier_compilation_+_tests.patch: fix compilation - of audit modifiers for exec and pivot_root and deny modifiers on - link rules as well as significantly expand related tests - (LP: #1431717, LP: #1432045, LP: #1433829) - * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work - around pivot_root test failures due to init=systemd (LP: #1436109) - * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority - file to X abstraction (LP: #1432126) - - [ Jamie Strandboge ] - * easyprof-framework-policy.patch: add --include-templates-dir and - --include-policy-groups-dir options to easyprof to support framework - policy on snappy - - [ Robie Basak ] - * Add /lib/apparmor/profile-load; moved from - /lib/init/apparmor-profile-load from the upstart package. A wrapper at - the original path is now provided by init-system-helpers. (LP: #1432683) - - -- Jamie Strandboge Sat, 28 Mar 2015 07:22:30 -0500 - -apparmor (2.9.1-0ubuntu7) vivid; urgency=medium - - * systemd-dev-log-lp1413232.patch: Allow writes to the systemd journal - socket /{,var}/run/systemd/journal/dev-log. This can be dropped with - with AppArmor 2.9.2. (LP: #1413232) - - -- Jamie Strandboge Fri, 06 Mar 2015 06:22:34 -0600 - -apparmor (2.9.1-0ubuntu6) vivid; urgency=medium - - * add-mir-abstractions-lp1422521.patch: add correct location of - mir specific libraries and mir unprivileged client socket - to mir abstraction (LP: #1422521) - - -- Steve Beattie Tue, 03 Mar 2015 10:42:24 -0800 - -apparmor (2.9.1-0ubuntu5) vivid; urgency=medium - - * debian/apparmor.init: Replace unnecessary $remote_fs dependency with - $local_fs. This is sufficient as during boot we don't use anything from - /usr. It's also necessary to avoid dependency cycles when using NFS (as - its dependencies should be covered by AppArmor). (LP: #1312976) - - -- Martin Pitt Tue, 03 Mar 2015 08:54:33 +0100 - -apparmor (2.9.1-0ubuntu4) vivid; urgency=medium - - * Update to apparmor 2.9.1 - - make parser mount rule options consistent with documentation - (LP: #1401619) - - make parser fail if unknown mount options are encountered - (LP: #1401621) - - stop aa-logprof from asking about already allowed network rules - (LP: #1380367) - - make utils offer abstractions for network rules (LP: #1380367) - - make libapparmor understand logs generated by syslog-ng - (LP: #1399027) - - stop python utilities from adding duplicate quotes (LP: #1328707) - - work around aa-cleanprof crashes (LP: #1382236) - - other bug fixes, performance improvements, and testcases added to - the python utils. - - policy updates for dnsmasq, nscd, and others - - translation updates - * Partial sync with debian apparmor package: - - debian/apparmor-profiles.install: add additional dovecot and - smbldap-useradd profiles - - debian/control: fix typo in apparmor-docs description, fix file - overwrite issues with python-apparmor, apparmor-docs - - debian/rules: improved repeat-build cleanup logic. - - Add Turkish translation of debconf messages. Thanks to - Mert Dirik for the patch! - - debian/apparmor.postrm: Remove - /var/lib/apparmor/profiles/.apparmor.md5sums and parent - directories on package purge. - * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover - mir specific libraries (LP: #1422521) - * debian/rules: remove no longer needed references to PERLDIR when - installing from utils/ - - -- Steve Beattie Tue, 17 Feb 2015 16:31:25 -0800 - -apparmor (2.8.98-0ubuntu4) vivid; urgency=medium - - * Ship libapparmor in /lib instead of /usr as we want to use it in systemd - now. (LP: #1397960) - - -- Martin Pitt Mon, 01 Dec 2014 15:37:32 +0100 - -apparmor (2.8.98-0ubuntu3) vivid; urgency=medium - - * debian/lib/apparmor/functions: disable expr tree simplification for - /var/lib/apparmor/profiles (LP: #1383858) - * parser-dont-skip-read-cache-with-optimizations.patch: don't skip read - cache when specifying '-O' (LP: #1385947) - - -- Jamie Strandboge Tue, 28 Oct 2014 17:41:08 -0500 - -apparmor (2.8.98-0ubuntu2) utopic; urgency=medium - - * Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98) - - fix logparsing memory leak (LP: #1340927) - - incorporate fixes to regression testsuite to compensate for - af_unix mediation, as well as extend test coverage - (LP: #1375403, LP: #1375516) - - fix libapparmor's log parsing code to accept additional rejection - types (LP: #1375413) - - fix X abstraction for changed lightdm xauthority file locations - (LP: #1339727) - - parser: disable downgrade and not enforced rule messages - by default (LP: #1302735) - - fix error when using regex profile names in IPC rules - (LP: #1373085) - - update base abstraction for /proc/sys/kernel/cap_last_cap for dnsmasq - (LP: #1378977) - - update freedesktop.org for @{HOME}/.config/mimeapps.list (LP: #1377140) - - update gnome abstraction for access to @/dbus-vfs-daemon/socket-* - (LP: #1375067) - - update ubuntu-browsers.d/java abstraction for icedtea plugin access - in /{,var/}run/user/*/icedteaplugin-* (LP: #1293439) - - update user-mail abstraction for /var/mail (LP: #1192965) - - updates and fixes to the python utilities - - translation updates - - [ Steve Beattie ] - * Removed upstreamed patches: - drop-peer_addr-with-local-addr-in-base.patch, - update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch, sanitized-helpers-updates.patch, - 01-tests-unix_socket_lists.patch, - 02-tests-accept_unix_rules_in_mkprofile.patch, - 03-tests-unix_sockets_v7_pathnames.patch, - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - 05-tests-add_abstract_socket_tests.patch, - 06-tests-use_socketpair_and_none.patch, - 07-parser-fix_local_perms.patch, - 08-phpsysinfo-policy-updates.patch, - 09-apache2-policy-instructions.patch, - 10-lp1371771.patch, 11-lp1371765.patch, - lp1169881.patch - * refreshed etc-writable.patch and libapparmor-layout-deb.patch - * debian/control: add breaks on python3-apparmor against older - apparmor-utils that used to be where python bits lived - (LP: #1373259) - * debian/apport/source_apparmor.py: - - fixes the apparmor apport hook so it does not raise an exception if - a non-unicode character is found in /var/log/kern.log or in - /var/log/syslog. This should work under python3 or python2.7 - (LP: #1304447) - - adjusts the add_info() function to take the expected additional ui - argument, though it has no need for it. - - converts the log parsing code to use with statements so as not to - leak open file descriptors - - updates the set of packages to query to see if installed and if so, - report the version of. - - adjust import to make pyflakes job easier - - minor pep8 cleanups - - [ Jamie Strandboge ] - * add-chromium-browser.patch: - - don't allow writing to the oom score and adjust files since this allows - chromium to change the values for any process matching our UID - - allow writing to /run/shm/shmfd-* - - add a few signal rules from base abstraction for the sandbox - * debian/apparmor.upstart: check if click-apparmor md5sums changed so we - regenerate the policy if it changes too (LP: #1371574) - * debian/apparmor.init: make corresponding upstart change to initscript - * debian/lib/apparmor/functions: fall back to using -n1 if the parser failed - to load a profile set. This should be removed when the parser properly - handles profile sets with corrupted profiles (LP: 1377338) - * debian/control: fix typo (LP: #1187447) - - -- Steve Beattie Thu, 09 Oct 2014 22:39:32 -0700 - -apparmor (2.8.96~2652-0ubuntu7) utopic; urgency=medium - - * add-chromium-browser.patch: user addr=none instead of peer=(addr=none) - (LP: #1374363) - - -- Jamie Strandboge Sat, 27 Sep 2014 07:41:07 -0500 - -apparmor (2.8.96~2652-0ubuntu6) utopic; urgency=medium - - * lp1169881.patch: add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881) - * debian/control: update Breaks on lxc 1.1.0~alpha1-0ubuntu5~ (LP: #1373555) - - -- Jamie Strandboge Thu, 25 Sep 2014 09:03:06 -0500 - -apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium - - [ Jamie Strandboge ] - * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation - * 10-lp1371771.patch: don't exit prematurely and fail to load remaining - policy if encounter a corrupt cache file (LP: #1371771) - * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it - (LP: #1371765) - * debian/lib/apparmor/functions: - - don't return 0 on parsing failure. Patch thanks to Felix Geyer - (LP: #1370228) - - use xargs -n1 when we don't have cache files, but omit it when we do. - This allows taking full advantage of xargs -P when we need it most, - without the cost when we don't. - - [ Steve Beattie ] - * update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch: update socketpair regression tests for - af_unix socket mediation - - -- Jamie Strandboge Mon, 22 Sep 2014 09:39:10 -0500 - -apparmor (2.8.96~2652-0ubuntu4) utopic; urgency=medium - - * debian/apparmor.{upstart,init}: make sure we always update the .md5sums - for apparmor-easyprof-ubuntu even when apparmor is updated (before if both - were updated, aa-clickhook -f would be run on the 1st and 2nd boot rather - than just the 1st) - * debian/apparmor.postinst: update the cached .md5sums file on upgrade to - avoid running on install and then again on first boot after upgrade. This - change only affects apt upgrades and not system-image upgrades since - system-image upgrades always use the existing .md5sums if they exist (see - /etc/system-image/writable-paths). - * ubuntu-manpage-updates.patch: adjust for move to upstart job and click - policy - * debian/lib/apparmor/functions: don't pass costly '-n1' to xargs in - foreach_configured_profile() when loading valid cache files. This used to - be needed when apparmor_parser would generate different binary caches when - compiling policy one profile at a time and all at once. That bug is long - fixed and removing -n1 gives a significant performance improvement for - boots with valid cache files (~65% on armhf) - - -- Jamie Strandboge Fri, 12 Sep 2014 13:45:35 -0500 - -apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium - - * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu - 14.10 - * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu - packaging - * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin, - and lightdm. Add Breaks on rsyslog. - - -- Jamie Strandboge Mon, 08 Sep 2014 16:13:10 -0500 - -apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium - - * 07-parser-fix_local_perms.patch: do not output local permissions for rules - that have peer_conditionals. Patch from John Johansen - - -- Jamie Strandboge Fri, 05 Sep 2014 23:34:53 -0500 - -apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium - - * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152) - - [ Steve Beattie ] - * removed upstreamed patches: - - dnsmasq-libvirtd-signal-ptrace.patch - - update-base-abstraction-for-signals-and-ptrace.patch - - update-nameservice-abstraction-for-extrausers.patch - - debian/apparmor-profiles.install: dropped program-chunks/postfix-common, - moved to abstractions/ and covered by apparmor.install - - refreshed libapparmor-layout-deb.patch patch - * Add in Tyler Hicks' regression test improvements: - - 01-tests-unix_socket_lists.patch, - - 02-tests-accept_unix_rules_in_mkprofile.patch, - - 03-tests-unix_sockets_v7_pathnames.patch, - - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - - 05-tests-add_abstract_socket_tests.patch, - * 07-parser-fix_local_perms.patch: do not output local permissions - for rules that have peer_conditionals - - [ Jamie Strandboge ] - * add-chromium-browser.patch: update for unix socket mediation - * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none) - with getattr, getopt, setopt and shutdown - - [ Tyler Hicks ] - * debian/lib/apparmor/functions, debian/apparmor.init, - debian/apparmor.upstart: Ensure system policy cache cannot become stale - after image based upgrades that update the system profiles (LP: #1350673) - * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust - the default parser.conf file, to add /usr/share/apparmor as an additional - search path when resolving include directives in profiles, and install the - file in /etc/apparmor. Ubuntu places hardware specific access rules in - /usr/share/apparmor/hardware. This change allows these files to be - included without using an absolute path (e.g., - '#include '). - - -- Jamie Strandboge Fri, 05 Sep 2014 16:27:48 -0500 - -apparmor (2.8.96~2541-0ubuntu3.1) utopic; urgency=medium - - * Updates for perl 5.20 multiarch transition - - debian/libapparmor-perl.install: don't hardcode usr/lib/perl5 but - instead use $Config{vendorarch} in an executable install file. Make it - executable - - debian/control: Build-Depends on debhelper (>= 9) (9 is needed to use - an executable install file) - - debian/patches/perl-multiarch.patch: - + add @{multiarch} paths to perl abstraction - + update logprof.conf, severity.db and corresponding tests for updated - perl path - - -- Jamie Strandboge Tue, 19 Aug 2014 14:33:02 -0500 - -apparmor (2.8.96~2541-0ubuntu2) utopic; urgency=medium - - * update-nameservice-abstraction-for-extrausers.patch: update nameservice - abstraction to allow passwd and group when using libnss-extrausers - - -- Jamie Strandboge Mon, 28 Jul 2014 08:16:39 -0500 - -apparmor (2.8.96~2541-0ubuntu1) utopic; urgency=medium - - * Updated to r2541 snapshot of 2.8.96: - - removed upstreamed patches: convert-to-rules.patch, list-fns.patch, - parse-mode.patch, add-decimal-interp.patch, policy_mediates.patch, - fix-failpath.patch, feature_file.patch, fix-network.patch, - aare-to-class.patch, add-mediation-unix.patch, parser_version.patch, - caching.patch, label-class.patch, fix-lexer-debug.patch, - use-diff-encode.patch, fix-serialize.patch, - fix-ppc-endian-ftbfs.patch, opt_arg.patch, tests-cond-dbus.patch, - initialize-mount-flags.patch, fix-typo-in-dbus_write.patch, - limited-mount-rule-support.patch, bare-capability-rule-support.patch, - check-config-for-sysctl.patch, increase-swap-size.patch, - test-v6-policy.patch, test-mount-mediation.patch, - mediate-signals.patch, change-signal-syntax.patch, - mediate-ptrace.patch, change-ptrace-syntax.patch, - test-signal-rules.patch, test-ptrace-rules.patch, - update-tests-for-new-semantics.patch, - fix-garbage-in-preprocessor-output.patch, - fix-double-comma-in-preprocessor-output.patch, - symtab-tests-and-seenlist-bug.patch, add-profile-name-variable.patch, - fix-names-treated-as-condlistid.patch, manpage-signal-ptrace.patch, - python-utils-file-support.patch, python-utils-signal-support.patch, - python-utils-ptrace-support.patch, - python-utils-pivot_root-support.patch. - * Added upstart job (LP: #1305108) - - debian/apparmor.upstart: new upstart job. - - debian/apparmor.init: added click handling, move some code to - unload_obsolete_profiles(). - - debian/lib/apparmor/functions: add unload_obsolete_profiles(). - - debian/apparmor.postinst, debian/apparmor-profiles.postinst: reload - profiles directly since invoke-rc.d won't allow to do this easily - with upstart and systemd jobs. - - debian/rules: pass --no-start to dh_installinit since we're handling - reloading profiles manually in the postinst scripts. - - debian/control: add a versioned apparmor Depends to the - apparmor-profiles package to make sure the required tools are - installed for the postinst script. - - -- Marc Deslauriers Fri, 20 Jun 2014 07:20:34 -0400 - -apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium - - * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin, - lightdm and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 04 Apr 2014 01:07:24 -0500 - -apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium - - [ John Johansen, Steve Beattie ] - * Add userspace support for AppArmor signals and ptrace mediation - (LP: #1298611) - + debian/patches/mediate-signals.patch, - debian/patches/change-signal-syntax.patch: Parse signal rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/change-ptrace-syntax.patch, - debian/patches/mediate-ptrace.patch: Parse ptrace rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/test-signal-rules.patch, - debian/patches/test-ptrace-rules.patch, - debian/patches/update-tests-for-new-semantics.patch: Update existing - tests and add new tests for signal and ptrace mediation - + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing - apparmor_parser preprocessor output to contain garbage after include - statements - + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug - causing apparmor_parser preprocessor output to contain double commas - after some rules - + debian/patches/symtab-tests-and-seenlist-bug.patch, - debian/patches/add-profile-name-variable.patch: Add ${profile_name} - variable for use in profiles when rules need to specify the current - profile's name. This is useful for signal and ptrace rules that specify - + debian/patches/fix-names-treated-as-condlistid.patch: Fix - apparmor_parser bug that caused mount and dbus rules to fail for sets of - values - - [ Jamie Strandboge ] - * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch: - Adjust the base abstraction for signals and ptrace mediation. Profiles - that use the base abstraction can deny any of the granted permissions to - achieve tighter confinement. - * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man - page to document signal rules, ptrace rules, and variables for use in - AppArmor profiles - * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq - profile to allow libvirtd to send signals to and ptrace read the dnsmasq - process - * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser - profile for permissions needed in newer chromium-browser versions and add - the rules needed for AppArmor ptrace mediation - - [ Tyler Hicks ] - * Add new rule type support to aa.py to fix tracebacks when using the Python - utilities in apparmor-utils on systems with AppArmor profiles containing - previously unsupported rule types - - debian/patches/python-utils-file-support.patch: Support path rules - containing the "file" prefix (LP: #1295346) - - debian/patches/python-utils-signal-support.patch: Parse and write signal - rules (LP: #1300316) - - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace - rules (LP: #1300317) - - debian/patches/python-utils-pivot_root-support.patch: Parse and write - pivot_root rules (LP: #1298678) - - -- Tyler Hicks Thu, 03 Apr 2014 15:50:26 -0500 - -apparmor (2.8.95~2430-0ubuntu3) trusty; urgency=medium - - [ Jamie Strandboge ] - * debian/lib/apparmor/functions: properly calculate number of profiles in - /var/lib/apparmor/profiles (LP: #1295816) - * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d - (LP: #1288241) - - remove debian/notify/90apparmor-notify - - add debian/notify/apparmor-notify.desktop - - debian/apparmor-notify.install: adjust for the above - - add debian/apparmor-notify.maintscript to remove 90apparmor-notify - * debian/notify/notify.conf: use_group should be set to "sudo" instead of - "admin" (LP: #1009666) - - [ Tyler Hicks ] - * debian/patches/initialize-mount-flags.patch: Initialize the variables - containing mount rule flags to zero. Otherwise, the parser may set - unexpected bits in the mount flags field for rules that do not specify - mount flags. The uninitialized mount flag variables may have caused - unexpected AppArmor denials during mount mediation. (LP: #1296459) - * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to write out network rules instead of dbus rules - * debian/patches/limited-mount-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a mount rule (LP: #1294825) - * debian/patches/bare-capability-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a bare capability rule - (LP: #1294819) - * debian/patches/check-config-for-sysctl.patch, - debian/patches/increase-swap-size.patch: Fix bugs in the regression test - suite that caused errors when running on ppc64el - * debian/patches/test-v6-policy.patch, - debian/patches/test-mount-mediation.patch: Improve the regression tests - by increasing the mount rule test coverage - - -- Tyler Hicks Thu, 27 Mar 2014 14:12:29 -0500 - -apparmor (2.8.95~2430-0ubuntu2) trusty; urgency=medium - - * debian/control: Depends on python-pkg-resources for python-apparmor and - python3-pkg-resources for python3-apparmor to fix autopkgtests in - click-apparmor and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Thu, 20 Mar 2014 19:33:51 -0500 - -apparmor (2.8.95~2430-0ubuntu1) trusty; urgency=low - - [ Jamie Strandboge ] - - * debian/debhelper/dh_apparmor: exit with error if aa-easyprof does not - exist - * debian/control: drop Depends on apparmor-easyprof to Suggests for - dh-apparmor - - [ Seth Arnold, Jamie Strandboge, Steve Beattie, John Johansen, Tyler Hicks ] - - * New upstream snapshot (LP: #1278702, #1061693, #1285653) dropping very - large Ubuntu delta and fixing the following bugs: - - Adjust fonts abstraction for libthai (LP: #1278702) - - Support translated XDG user directories (LP: #1061693) - - Adjust abstractions/web-data to include /var/www/html (LP: #1285653) - Refresh 0002-add-debian-integration-to-lighttpd.patch to include - /etc/lighttpd/conf-available/*.conf - - Adjust debian/libapparmor1.symbols to reflect new upstream versioning - for the aa_query_label() function - - Raise exceptions in Python bindings when something fails - * ship new Python replacements for previous Perl-based tools - - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and - add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof - - debian/control: - + remove various Perl dependencies - + add python-apparmor and python3-apparmor - + python3-apparmor Breaks: apparmor-easyprof to move the file since it - ships dist-packages/apparmor/__init__.py now - - debian/apparmor-utils.manpages: ship new manpages for aa-cleanprof and - aa-mergeprof - - debian/rules: build and install Python tools - * debian/apparmor.install: - - install apparmorfs, dovecot, kernelvars, securityfs, sys, - and xdg-user-dirs tunables and xdg-user-dirs.d directory - * debian/apparmor.dirs: - - install /etc/apparmor.d/tunables/xdg-user-dirs.d - * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local - * debian/apparmor.postinst: create xdg-user-dirs.d/site.local - * debian/apparmor.postrm: remove xdg-user-dirs.d - * Remaining patches: - - add-chromium-browser.patch - - add-debian-integration-to-lighttpd.patch - - ubuntu-manpage-updates.patch - - libapparmor-layout-deb.patch - - libapparmor-mention-dbus-method-in-getcon-man.patch - - etc-writable.patch - - aa-utils_are_bilingual.patch - * New patches: - - convert-to-rules.patch - - list-fns.patch - - parse-mode.patch - - add-decimal-interp.patch - - policy_mediates.patch - - fix-failpath.patch - - feature_file.patch - - fix-network.patch - - aare-to-class.patch - - add-mediation-unix.patch - - parser_version.patch - - caching.patch - - label-class.patch - - fix-lexer-debug.patch - - use-diff-encode.patch - - fix-serialize.patch - - fix-ppc-endian-ftbfs.patch - - opt_arg.patch - - tests-cond-dbus.patch - * Move manpages from libapparmor1 to libapparmor-dev - - debian/libapparmor-dev.manpages: install aa_change_hat.2, - aa_change_profile.2, aa_find_mountpoint.2, aa_getcon.2 - - debian/control: libapparmor-dev Replaces: and Breaks: libapparmor1 - * Move /usr/lib/python3/dist-packages/apparmor/__init__.py from - apparmor-easyprof to python3-apparmor - - debian/control: python3-apparmor Breaks: apparmor-easyprof - - debian/apparmor-easyprof.install: remove - usr/lib/python*.*/site-packages/apparmor* - * New profiles and abstractions: - - debian/apparmor.install: tunables/dovecot, tunables/kernelvars, - tunables/xdg-user-dirs, tunables/xdg-user-dirs.d - - -- Seth Arnold Wed, 19 Mar 2014 20:29:27 -0700 - -apparmor (2.8.94-0ubuntu1.4) trusty; urgency=low - - * Test merge from upstream new pyutils branch (rev 2385) - - -- Steve Beattie Thu, 13 Feb 2014 14:16:24 -0800 - -apparmor (2.8.0-0ubuntu38) trusty; urgency=low - - [ Tyler Hicks ] - * 0084-parser-add-dbus-eavesdrop-perm.patch: Add an eavesdrop permission to - the dbus rule type, allowing confined applications to eavesdrop. The only - valid conditional for eavesdrop rules is 'bus'. See the apparmor.d(5) man - page for more information. (LP: #1262440) - - [ Steve Beattie ] - * 0085-push-normalize-tree-ops-into-expr-tree-classes.patch: Improve - parser performance in some cases - - [ John Johansen ] - * 0086-add-diff-state-compression-to-dfa.patch: Implement differential - state compression in the parser - * 0087-fix-dfa-minimization.patch: Fix a parser bug that caused some DFAs to - not be fully minimized (LP: #1262938) - * 0088-fix-pol-generation-for-small-dfas.patch: Fixes bugs in the parser - when generating policy for some small DFAs - - -- Tyler Hicks Mon, 13 Jan 2014 11:17:42 -0600 - -apparmor (2.8.0-0ubuntu37) trusty; urgency=low - - [ Jan Rękorajski ] - * 0082-parser-fix-FTBFS-with-bison-3.patch: Fix parser FTBFS with bison 3 - - [ Steve Beattie ] - * 0083-libapparmor-require-libtoolize.patch: Fix FTBFS by switching - the autogen.sh script to use libtoolize instead of libtool - - -- Tyler Hicks Fri, 10 Jan 2014 13:48:43 -0600 - -apparmor (2.8.0-0ubuntu36) trusty; urgency=medium - - * Rebuild for python3.4 as a supported python version. - - -- Matthias Klose Sat, 04 Jan 2014 18:30:59 +0000 - -apparmor (2.8.0-0ubuntu35) trusty; urgency=low - - * abstractions/nameservice: Also allow access to the sssd nss pipe. - - -- Stéphane Graber Fri, 29 Nov 2013 13:44:49 -0500 - -apparmor (2.8.0-0ubuntu34) trusty; urgency=low - - [ Tyler Hicks ] - * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not - include D-Bus rules in the binary policy that it loads into the kernel if - the kernel does not support D-Bus rules (LP: #1231778) - * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore - audit events that it does not yet support instead of treating them as - errors (LP: #1243932) - * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor - detection in regression tests after the multiarch changes - - [ Jamie Strandboge ] - * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3 - - [ Chad Miller ] - * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser - sandbox name. Keep old name for now to allow transition. LP: #1247269 - - -- Tyler Hicks Mon, 04 Nov 2013 15:57:30 -0800 - -apparmor (2.8.0-0ubuntu33) trusty; urgency=low - - * Convert to dh. - * Bump to debhelper compat level 9 for multiarch support. - * Mark libapparmor1, libapparmor-dev Multi-Arch: same. LP: #1246067. - - -- Steve Langasek Thu, 31 Oct 2013 13:23:57 -0700 - -apparmor (2.8.0-0ubuntu32) trusty; urgency=low - - * no change rebuild for perl 5.18 - - -- Jamie Strandboge Mon, 21 Oct 2013 13:28:26 -0500 - -apparmor (2.8.0-0ubuntu31) saucy; urgency=low - - * 0077_aa-status-is-bilingual.patch: aa-status was written to work with - python 2 or 3. Upstream is still using 2, so adjust ours to use - /usr/bin/python3 to avoid pulling python 2 back to the desktop images - - -- Jamie Strandboge Fri, 11 Oct 2013 15:35:03 -0500 - -apparmor (2.8.0-0ubuntu30) saucy; urgency=low - - [ Tyler Hicks ] - * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an - abstraction for the accessibility bus. It is currently very permissive, - like the dbus and dbus-session abstractions, and grants all permissions on - the accessibility bus. (LP: #1226141) - * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount - rules. Both rule classes suffered from unexpected auditing behavior when - using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier - resulting in accesses being audited and the 'audit deny' modifier - resulting in accesses not being audited. (LP: #1226356) - * debian/patches/0072-lp1229393.patch: Fix cache location for .features - file, which was not being written to the proper location if the parameter - --cache-loc= is passed to apparmor_parser. This bug resulted in using the - .features file from /etc/apparmor.d/cache or always recompiling policy. - Patch thanks to John Johansen. (LP: #1229393) - * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX - domain sockets to include read and write permissions. Both permissions are - required when a process connects to a UNIX domain socket. Also include new - tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for - helping with the policy updates and testing. (LP: #1208988) - * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only - grant access to specific pulseaudio files in the pulse runtime directory - to remove access to potentially dangerous files (LP: #1211380) - - [ Jamie Strandboge ] - * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia - (LP: #1228882) - * 0076_sanitized_helper_dbus_access.patch: allow applications run under - sanitized_helper to connect to DBus - - -- Tyler Hicks Fri, 04 Oct 2013 17:29:52 -0700 - -apparmor (2.8.0-0ubuntu29) saucy; urgency=low - - * Add 0070-etc-writable.patch: Allow reading time configuration from - /etc/writable, as we have it on the phone. (LP: #1227520) - - -- Martin Pitt Tue, 01 Oct 2013 09:55:15 +0200 - -apparmor (2.8.0-0ubuntu28) saucy; urgency=low - - [ Tyler Hicks ] - * Move the aa-exec man page out of apparmor-utils into apparmor, since - aa-exec is now in apparmor - - debian/control: adjust Breaks/Replaces to use apparmor-utils - (<< 2.8.0-0ubuntu28) - - debian/apparmor.manpages: install the aa-exec man page - - debian/apparmor-utils.manpages: don't install the aa-exec man page - * debian/patches/0065-lp1220861.patch: Always NUL-terminate confinement - context strings returned from libapparmor (LP: #1220861) - * debian/patches/0066-lp1196880.patch: Don't assign mode pointer in - aa_getprocattr() if caller passed in NULL (LP: #1196880) - * debian/patches/0067-libapparmor-mode-strings-are-not-to-be-freed.patch: - Update man page and code comments to make it clear that freeing the *con - string returned from libapparmor's getcon functions also frees the *mode - string - * debian/patches/0068-libapparmor-mention-dbus-method-in-getcon-man.patch: - Document the D-Bus method, in the aa_getcon man page, that returns the - AppArmor task confinement string of a D-Bus connection - - [ Jamie Strandboge ] - * debian/patches/0069-p11kit-abstraction.patch: p11-kit needs access to - /usr/share/p11-kit/modules - - -- Jamie Strandboge Tue, 10 Sep 2013 12:06:06 -0500 - -apparmor (2.8.0-0ubuntu27) saucy; urgency=low - - * debian/apport/source_apparmor.py: AppArmor logs DBus messages to syslog, - adjust apport hook to also search there for denials - - -- Jamie Strandboge Tue, 03 Sep 2013 10:25:45 -0500 - -apparmor (2.8.0-0ubuntu26) saucy; urgency=low - - * debian/patches/0064-lp1218099.patch: add support for variable expansion in - dbus rules (LP: #1218099) - - -- Jamie Strandboge Thu, 29 Aug 2013 16:28:36 -0500 - -apparmor (2.8.0-0ubuntu25) saucy; urgency=low - - [ Tyler Hicks ] - * Add support for mediation of D-Bus messages and services. AppArmor D-Bus - rules are described in the apparmor.d(5) man page. dbus-daemon will use - libapparmor to perform queries against the AppArmor policies to determine - if a connection should be able to send messages to another connection, if - a connection should be able to receive messages from another connection, - and if a connection should be able to bind to a well-known name. - - 0042-Fix-mount-rule-preprocessor-output.patch, - 0043-libapparmor-Safeguard-aa_getpeercon-buffer-reallocat.patch, - 0044-libapparmor-fix-return-value-of-aa_getpeercon_raw.patch, - 0045-libapparmor-Move-mode-parsing-into-separate-function.patch, - 0046-libapparmor-Parse-mode-from-confinement-string-in-ge.patch, - 0047-libapparmor-Make-aa_getpeercon_raw-similar-to-aa_get.patch, - 0048-libapparmor-Update-aa_getcon-man-page-to-reflect-get.patch: - Backport parser and libapparmor pre-requisites for D-Bus mediation - - 0049-parser-Update-man-page-for-DBus-rules.patch: Update apparmor.d man - page - - 0050-parser-Add-support-for-DBus-rules.patch, - 0051-parser-Regression-tests-for-DBus-rules.patch, - 0052-parser-Binary-profile-equality-tests-for-DBus-rules.patch: Add - apparmor_parser support for D-Bus mediation rules - - 0053-libapparmor-Export-a-label-based-query-interface.patch, - debian/libapparmor1.symbols: Provide the libapparmor interface necessary - for trusted helpers to make security decisions based upon AppArmor - policy - - 0054-libaalogparse-Parse-dbus-daemon-audit-messages.patch, - 0055-libaalogparse-Regression-tests-for-dbus-daemon-audit.patch: Allow - applications to parse denials, generated by dbus-daemon, using - libaalogparse and add a set of regression tests - - 0056-tests-Add-an-optional-final-check-to-checktestfg.patch, - 0057-tests-Add-required-features-check.patch, - 0058-tests-Add-regression-tests-for-dbus.patch: Add regression tests - which start their own dbus-daemon, load profiles containing D-Bus rules, - and confine simple D-Bus service and client applications - - 0059-dbus-rules-for-dbus-abstractions.patch: Add bus-specific, but - otherwise permissive, D-Bus rules to the dbus and dbus-session - abstractions. Confined applications that use D-Bus should already be - including these abstractions in their profiles so this should be a - seamless transition for those profiles. - * 0060-utils-make_clean_fixup.patch: Clean up the Python cache in the - AppArmor tests directory - * 0061-profiles-dnsmasq-needs-dbus-abstraction.patch: Dnsmasq uses the - system D-Bus when it is started with --enable-dbus, so its AppArmor - profile needs to include the system bus abstraction - * 0062-fix-clone-test-on-arm.patch: Fix compiler error when building - regression tests on ARM - * 0063-utils-ignore-unsupported-rules.patch: Utilities that use the - Immunix::AppArmor perl module, such as aa-logprof and aa-genprof, error - out when they encounter rules unsupported by the perl module. This patch - ignores unsupported rules. - - [ Jamie Strandboge ] - * debian/control: don't have easyprof Depends on apparmor-easyprof-ubuntu - - -- Tyler Hicks Mon, 26 Aug 2013 15:32:12 -0700 - -apparmor (2.8.0-0ubuntu24) saucy; urgency=low - - * 0040-libapparmor-support-pkg-config.patch: Make it easier for other - sources to build against libapparmor with pkg-config - - debian/control: Add pkg-config as a Build-Depends - - debian/libapparmor-dev.install: Install libapparmor pkg-config file - * 0041-parser-fix-flags.patch: Minimal fix for cache failures when the - feature file is larger than the feature buffer used for cache version - comparison - - -- Tyler Hicks Thu, 15 Aug 2013 16:34:53 -0700 - -apparmor (2.8.0-0ubuntu23) saucy; urgency=low - - * debian/patches/0038-lp1200392.patch: allow mmap of fglrx dri libraries - (LP: #1200392) - * debian/patches/0039-fix-parser-cache-loc.patch: fix apparmor cache - tempfile location to use passed arg - * debian/lib/apparmor/functions: update to also load from - /var/lib/apparmor/profiles and write cache to /var/cache/apparmor - * debian/apparmor.dirs: create /var/cache/apparmor and - /var/lib/apparmor/profiles - - -- Jamie Strandboge Tue, 23 Jul 2013 21:36:40 -0500 - -apparmor (2.8.0-0ubuntu22) saucy; urgency=low - - * Refresh easyprof - - drop 0034-easyprof-dont-add-vendor-dir.patch - - drop 0035-easyprof-update-manpage-for-sdk-base.patch - * debian/patches/0037-easyprof-sdk-pt2.patch: update easyprof for the - following: - - don't add vendor directory to self.templates and self.policy_groups - - utils/aa-easyprof: adjust error message for manifest read failure - - utils/aa-easyprof: adjust to use EnvironmentError on failed read of the - manifest - - utils/apparmor/easyprof.py: clean up set_template() - - utils/apparmor/easyprof.py: read_paths should use 'rk' - - utils/test/test-aa-easyprof.py: adjust tests for above - - utils/apparmor/easyprof.py - + valid_path should verify os.path.normpath(path) == (path) - + adjust valid_profile_name() to start with alpha-numeric and allow - Debian source package names and version, plus '_' - + adjust tests for above - - update valid_variable() to check for valid_path if '/' is in the value - - adjust valid_path() to have a relative_ok flag (default to False) - - adjust valid_path() to verify path is same as normalized path - - add some valid_path() test cases - - adjust to always quote template vars in policy output - - add a couple tests that have spaces in the binary and template var - - update manifest JSON structure to use - m['security']['profiles']['profile_name'] instead of - m['security']['profile_name'] - - -- Jamie Strandboge Sun, 07 Jul 2013 19:37:56 -0500 - -apparmor (2.8.0-0ubuntu21) saucy; urgency=low - - * Apache 2.4 transition (LP: #1197617, Closes: 666808). Based on patch from - intrigeri - - debian/control: - + Build-Depends on apache2-dev and dh-apache2 instead of - apache2-prefork-dev - + adjust libapache2-mod-apparmor to not Depends on apache2.2-common - + adjust libapache2-mod-apparmor to Pre-Depends: ${misc:Pre-Depends} - - create debian/libapache2-mod-apparmor.apache2 - - debian/rules: adjust to use dh_apache2 --noenable - - debian/libapache2-mod-apparmor.maintscript: remove old prefork profile - - debian/libapache2-mod-apparmor.install: install new usr.sbin.apache2 - profile - - debian/libapache2-mod-apparmor.{preinst,postinst,postrm}: update to use - usr.sbin.apache2 - - debian/libapache2-mod-apparmor.postinst: remove the disable symlink for - old prefork profile - - debian/patches/0036-libapache2-mod-apparmor-profile-2.4.patch: update - mod_apparmor man page to mention loading mpm_prefork, add new - usr.sbin.apache2 profile and remove old prefork profile - * debian/rules: honor DEB_BUILD_OPTIONS=nocheck - - -- Jamie Strandboge Thu, 04 Jul 2013 10:20:20 -0500 - -apparmor (2.8.0-0ubuntu20) saucy; urgency=low - - * remove debian/patches/0033-add-ubuntu-sdk-abstractions.patch. We will - for now ship policy groups instead of abstractions like this - * debian/apparmor.maintscript: rm_conffile on ubuntu-sdk-base - * debian/patches/0035-easyprof-update-manpage-for-sdk-base.patch: add - sdk-base as a typical policy group - - -- Jamie Strandboge Wed, 03 Jul 2013 17:29:57 -0500 - -apparmor (2.8.0-0ubuntu19) saucy; urgency=low - - * debian/patches/0034-easyprof-dont-add-vendor-dir.patch: don't add vendor - directory to self.templates and self.policy_groups - * debian/patches/0030-easyprof-sdk.patch: mentioned patch has been forwarded - upstream - - -- Jamie Strandboge Tue, 02 Jul 2013 09:24:23 -0500 - -apparmor (2.8.0-0ubuntu18) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: refreshed for the following: - - man page updates - - add --output-format=json option - - add --verify-manifest - - add --policy-version and --policy-vendor which to better work with - vendor templates (ie, with apparmor-easyprof-ubuntu) - - restructed JSON format (should be final version now). This converts - abstractions and policy_groups to proper JSON lists and allows for - multiple profiles in the JSON file, keyed off of the profile name - - add --output-directory option as an alternative to stdout (particularly - useful when using multiple profiles in a JSON file) - - also remove ubuntu-sdk-base abstraction. This may move out but for now - put it in a different patch - - add verify_options() and some utility functions for input validation - - unconditionally quote profile name and binary - - remove Ubuntu-specific checks in verify_manifest and check profile_name - with binary harder - * debian/patches/0033-add-ubuntu-sdk-abstractions.patch: add ubuntu-sdk-base - abstraction - - -- Jamie Strandboge Mon, 01 Jul 2013 17:20:33 -0500 - -apparmor (2.8.0-0ubuntu17) saucy; urgency=low - - * debian/patches/0032-lp1195362.patch: don't pull in unused perl modules - (LP: #1195362) - * debian/rules: use dh_perl -d with libapparmor-perl to Depends on perl-base - instead of perl - * debian/patches/0030-easyprof-sdk.patch: update to remove the ubuntu - specific templates and policy groups. These will be shipped in - apparmor-easyprof-ubuntu - * debian/control: have apparmor-easyprof Depends on apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 28 Jun 2013 12:01:06 -0500 - -apparmor (2.8.0-0ubuntu16) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: update to have - - /usr/share/icons/gnome/index.theme should have 'rk' added to qmlscene - policy group - - add ubuntu-sdk-html5 template - - add qmlscene-webview policygroup - * debian/patches/0031-move-poppler-cmap-to-fonts.patch: more than just - gnome applications access /usr/share/poppler/cMap/** - - -- Jamie Strandboge Tue, 25 Jun 2013 15:58:33 -0500 - -apparmor (2.8.0-0ubuntu15) saucy; urgency=low - - * move aa-exec out of apparmor-utils into apparmor, since we want it in the - default install - - debian/control: adjust Breaks/Replaces to use apparmor-utils - <<2.8.0-0ubuntu15) and have apparmor Depends on libapparmor-perl - - debian/apparmor.install: install aa-exec - - debian/apparmor-utils.install: don't install aa-exec - - -- Jamie Strandboge Tue, 25 Jun 2013 11:48:25 -0500 - -apparmor (2.8.0-0ubuntu14) saucy-proposed; urgency=low - - * debian/patches/0029-easyprof-update-for-aa-sandbox.patch: add aa-sandbox - utility to source, but don't install yet. This includes code refactoring - for easyprof, which is required for the next patch - * debian/patches/0030-easyprof-sdk.patch: add SDK support to easyprof (don't - include DBus includes yet) - * create apparmor-easyprof package - - adjust debian/control for new packages and Breaks/Replaces on - apparmor-utils 2.8.0-0ubuntu14 - - create debian/apparmor-easyprof.install - - debian/apparmor-utils.install: don't install easyprof. python libraries - moved to easyprof for now since it is the only consumer - - debian/apparmor-utils.manpages: move easyprof manpage to - debian/apparmor-easyprof.manpages - - debian/rules: dh_python3 should also run on apparmor-easyprof - * debian/control: dh-apparmor should Depends on apparmor-easyprof - * debian/debhelper/dh_apparmor: update to support --manifest argument - - -- Jamie Strandboge Mon, 24 Jun 2013 09:49:44 -0500 - -apparmor (2.8.0-0ubuntu13) saucy-proposed; urgency=low - - * 0021-webapps_abstraction.patch: update to allow 'w' access to - ~/.local/share/unity-webapps/availableapps*.db and 'rk' access to - ~/.config/libaccounts-glib/accounts.db (LP: #1169633) - - -- Jamie Strandboge Mon, 10 Jun 2013 10:49:46 -0500 - -apparmor (2.8.0-0ubuntu12) saucy; urgency=low - - * 0027-add-gnome-keyring-to-strict.patch: add @{HOME}/.gnome2/keyrings/** to - abstractions/private-files-strict - * 0028-add-upstart-to-private.patch: deny writes to upstart user sessions - jobs in abstractions/private-files - - -- Jamie Strandboge Mon, 13 May 2013 13:04:54 -0500 - -apparmor (2.8.0-0ubuntu11) raring; urgency=low - - * 0025-update-pulseaudio-paths.patch: update path for pulseaudio directory - and cookie files - * 0026-add-vm_overcommit_memory.patch: add read access to - @{PROC}/sys/vm/overcommit_memory - * update 0001-add-chromium-browser.patch: - - additional accesses required by newer chromium-browser. Patch based on - work by Simon Deziel (LP: #1154164) - - don't include abstractions already included via gnome abstraction - - allow access to dconf/gsettings, required now - - -- Jamie Strandboge Mon, 08 Apr 2013 14:57:14 -0500 - -apparmor (2.8.0-0ubuntu10) raring; urgency=low - - * debian/patches/0001-add-chromium-browser.patch: add accesses for chromium - 23 (LP: #1091862) - - -- Jamie Strandboge Tue, 18 Dec 2012 15:20:05 -0600 - -apparmor (2.8.0-0ubuntu9) raring; urgency=low - - * debian/control: make libnotify-bin a Suggests rather than a Recommends - since it is assumed to already be installed on the desktop and so server - environments don't have to pull in a lot of X dependencies (LP: #1061879) - - -- Jamie Strandboge Tue, 18 Dec 2012 10:47:50 -0600 - -apparmor (2.8.0-0ubuntu8) raring; urgency=low - - [ Steve Beattie ] - * 0024-lp1091642-parser-reset_matchflags.patch: prevent reuse of - matchflags in parser dfa backend and add testcase demonstrating the - problem (LP: #1091642) - - [ Jamie Strandboge ] - * debian/debhelper/postinst-apparmor: quote all occurences of #PROFILE#. - - -- Steve Beattie Tue, 18 Dec 2012 04:53:28 -0800 - -apparmor (2.8.0-0ubuntu7) raring; urgency=low - - * Rebuild to drop python3.2 extension. - - -- Matthias Klose Thu, 08 Nov 2012 11:15:26 +0000 - -apparmor (2.8.0-0ubuntu6) raring-proposed; urgency=low - - * Build python swig modules for all supported pythons. - * Use dh_python2 instead of obsolete dh_python. - * Remove duplicate chrpath from control. - * Remove unneeded quilt dependency. - * Bump standards version to 3.9.4, no changes needed. - - -- Dmitrijs Ledkovs Tue, 23 Oct 2012 12:37:39 +0100 - -apparmor (2.8.0-0ubuntu5) quantal; urgency=low - - [ Micah Gersten ] - * Allow /etc/vdpau_wrapper.cfg r and /var/lib/xine/gxine.desktop r - in the multimedia browser abstraction (LP: #1057642) - - update profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia - - [ Steve Beattie ] - * debian/control: make libnotify-bin a Recommends rather than a - Depends for use in server environments (LP: #1061879) - * debian/patches/0020-coredump_tests.patch: fix coredump regression - tests (LP: #1050430) - * debian/patches/0021-webapps_abstraction.patch: add a few items - triggered by using and installing webapps in firefox (LP: #1056418) - * debian/patches/0022-aa-decode-stdin.patch: fix aa-decode to process - stdin correctly and decode encoded profiles names - - -- Steve Beattie Tue, 09 Oct 2012 12:44:56 -0700 - -apparmor (2.8.0-0ubuntu4) quantal; urgency=low - - * Allow /var/lib/sss/mc/{group|passwd} for systems using sssd. - (LP: #1056391) - - -- Stéphane Graber Tue, 25 Sep 2012 14:59:57 -0400 - -apparmor (2.8.0-0ubuntu3) quantal; urgency=low - - * remove 0010-lp972367.patch and 0012-lp964510.patch which should have been - dropped in 2.8.0-0ubuntu1 since they are included upstream - * debian/patches/0001-add-chromium-browser.patch: - - add a couple of small accesses - - add a child profile for xdgsettings (LP: #1045986) - - -- Jamie Strandboge Mon, 17 Sep 2012 08:26:46 -0500 - -apparmor (2.8.0-0ubuntu2) quantal; urgency=low - - * 0015-fontconfig.patch: update fonts abstraction for new fontconfig paths - * 0016-cap-block-suspend.patch: add CAP_BLOCK_SUSPEND to severity.db. In - the next version of AppArmor, this will replace 0006-cap-epollwakeup.patch - * 0017-gnome-poppler-data.patch: update gnome abstraction for poppler cMap - tables - - -- Jamie Strandboge Tue, 14 Aug 2012 11:27:15 -0500 - -apparmor (2.8.0-0ubuntu1) quantal; urgency=low - - * New upstream release - - Drop the following patches, now included upstream: - 0003-add-aa-easyprof.patch - 0005-clean-common-from-vim.patch - 0006-use-linux-capability-h.patch - 0008-apparmor-lp963756.patch - 0009-apparmor-lp959560-part1.patch - 0010-apparmor-lp959560-part2.patch - 0011-apparmor-lp872446.patch - 0012-apparmor-lp978584.patch - 0013-apparmor-lp800826.patch - 0014-apparmor-lp979095.patch - 0015-apparmor-lp963756.patch - 0016-apparmor-lp968956.patch - 0017-apparmor-lp979135.patch - 0018-lp990931.patch - * Rename 0007-ubuntu-manpage-updates.patch to 0003 - * debian/patches/0005-lp1019274.patch: add python3 support. Patch based - on work from Dmitrijs Ledkovs. (LP: #1019274) - * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for - CAP_EPOLLWAKEUP - * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to - adjust scripts to use PYTHON if it is defined - * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb - when calling setup.py - * enable python3 in the build: - - debian/rules: - + use python3 as default PYTHON - + build libapparmor with both python2 and python3 - - debian/control: - + Build-Depends on python3-all-dev and python3 - + adjust apparmor to Depends on ${python3:Depends} - + adjust apparmor-utils to Depends on ${python3:Depends} - + add python3-libapparmor package - - add debian/python3-libapparmor.install - - debian/python-libapparmor.install: adjust to use python2 and - dist-packages - * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for - IcedTea 7 (LP: #1003856) - * debian/patches/0010-lp972367.patch: allow software center to work again - from browsers (LP: #972367) - * debian/patches/0011-lp1013887.patch: let sanitized helper work with - /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887) - * debian/patches/0012-lp964510.patch: allow Google Chrome and - chromium-browser to work under sanitized helper (LP: #964510) - * debian/patches/0013-lp987578.patch: ubuntu-integration does not work - properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578) - * debian/patches/0014-lp933440.patch: update skype example profile to work - with latest skype. Based on work by Ivan Frederiks (LP: #933440) - - -- Jamie Strandboge Thu, 05 Jul 2012 10:53:17 -0500 - -apparmor (2.7.102-0ubuntu5) quantal; urgency=low - - * debian/debhelper/postrm.apparmor: do not delete local files if main - conffile still exists since it probably means it is owned by a - new/different package. (LP: #986892) - - -- Clint Byrum Mon, 11 Jun 2012 21:40:33 -0700 - -apparmor (2.7.102-0ubuntu4) quantal; urgency=low - - * Fix FTBFS (LP: #1000055). Patch thanks to Steve Beattie. - - debian/control: Build-Depends on texlive-latex-recommended - - debian/rules: add V=1 for 'make' and 'make check' when building the - parser - * debian/patches/0018-lp990931.patch: adjust path for thunderbird to include - non-versioned path - - LP: #990931 - - -- Jamie Strandboge Fri, 18 May 2012 15:02:02 -0500 - -apparmor (2.7.102-0ubuntu3) precise; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5) - to describe Ubuntu's two-stage policy load and how to add utilize it - when developing policy (LP: #974089) - - [ Serge Hallyn ] - * debian/apparmor.init: do nothing in a container. This can be - removed once stacked profiles are supported and used by lxc. - (LP: #978297) - - [ Steve Beattie ] - * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping - for change_profile onexec (LP: #963756) - * debian/patches/0009-apparmor-lp959560-part1.patch, - debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser - to support the 'in' keyword for value lists, and make mount - operations aware of 'in' keyword so they can affect the flags build - list (LP: #959560) - * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing - exec events in complain mode (LP: #872446) - * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in - dovecot imap-login profile (LP: #978584) - * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor - log parsing library from dropping apparmor network events that - contain ip addresses or ports in them (LP: #800826) - * debian/patches/0014-apparmor-lp979095.patch: document new mount rule - syntax and usage in apparmor.d(5) manpage (LP: #979095) - * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec - for profiles without attachment specification (LP: #963756, - LP: #978038) - * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when - loading policy to kernels without compat patches (LP: #968956) - * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to - grant access to /proc/attr api (LP: #979135) - - -- Steve Beattie Thu, 12 Apr 2012 06:17:42 -0500 - -apparmor (2.7.102-0ubuntu2) precise; urgency=low - - * debian/control: Make dh-apparmor Multi-Arch: foreign, so that it can - satisfy cross-build-dependencies. - - -- Colin Watson Sat, 31 Mar 2012 02:28:05 +0100 - -apparmor (2.7.102-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following issues in support of LXC - AppArmor support for beta-2: - - Fix the return size of aa_getprocattr (LP: #962521) - - Fix mnt_flags passed for remount - - Fix dfa minimization around the nonmatching state - - Factor all the permissions dump code into a single perms method - * debian/apparmor-utils.install: - - AppArmor now installs apparmor.vim. Move it into place - - install aa-exec - * debian/apparmor-utils.manpages: install aa-exec man page - * debian/patches/0003-add-aa-easyprof.patch: refresh for Makefile changes - * debian/patches/0005-clean-common-from-vim.patch: clean up 'common' - symlink - * 0006-use-linux-capability-h.patch: Use linux/capability.h instead of - sys/capability.h - - -- Jamie Strandboge Thu, 22 Mar 2012 15:39:56 -0500 - -apparmor (2.7.101-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes: LP: #948147 - * debian/lib/apparmor/functions: Update to support the feature directory so - that caching will work on kernels that support the feature dir. Patch - based on work from John Johansen. LP: #954469 - - -- Jamie Strandboge Thu, 15 Mar 2012 15:57:02 -0500 - -apparmor (2.7.100-0ubuntu1) precise; urgency=low - - * New upstream bug fix release which fixes (in addition to other bugs): - - LP: #940362 - - LP: #947617 - - LP: #949891 - * Drop the following patches, included upstream: - - 0004-lp918879.patch - - 0007-lp941506.patch - - 0008-lp941503.patch - - 0009-lp943161.patch - * Drop the following patch, no longer required: - - 0005-disable-minimization.patch - * Rename 0006-lp941808.patch 0004-lp941808.patch - * debian/patches/0001-add-chromium-browser.patch: update for additional - denials with newer chromium-browser. (LP: #937723) - * debian/put-all-profiles-in-complain-mode.sh: deal with existing flags - - -- Jamie Strandboge Fri, 09 Mar 2012 06:56:48 -0600 - -apparmor (2.7.99-0ubuntu4) precise; urgency=low - - * Restore dpkg-maintscript-helper changes from 2.7.0-0ubuntu6, lost in - 2.7.99-0ubuntu1. - - -- Colin Watson Mon, 05 Mar 2012 16:11:01 +0000 - -apparmor (2.7.99-0ubuntu3) precise; urgency=low - - * debian/patches/0009-lp943161.patch: update to not fail when - default-jre-headless is installed (LP: #945019) - - -- Jamie Strandboge Fri, 02 Mar 2012 12:47:03 -0600 - -apparmor (2.7.99-0ubuntu2) precise; urgency=low - - * debian/control: dh-apparmor should Breaks/Replaces on debhelper - 9.20120115ubuntu3, not 9.20120115ubuntu2 - * debian/patches/0006-lp941808.patch: allow writes to - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration - (LP: #941808) - * debian/patches/0007-lp941506.patch: allow reads to ~/.drirc in the X - abstraction (LP: #941506) - * debian/patches/0008-lp941503.patch: allow read access to - /usr/share/texmf/fonts in fonts abstraction (LP: #941503) - * debian/patches/0009-lp943161.patch: fix path to java in - ubuntu-browsers.d/java (LP: #943161) - - -- Jamie Strandboge Fri, 02 Mar 2012 07:50:50 -0600 - -apparmor (2.7.99-0ubuntu1) precise; urgency=low - - * New upstream release which also pulls in 2.7.0-1 changes from Debian. - For the sake of simplicity, I have added the 2.7.0-1 changelog entry after - 2.7.0-0ubuntu7 even though chronologically it appeared in Debian between - 2.7.0-0ubuntu4 and 2.7.0-0ubuntu5. - - LP: #940422 (FFe) - * Drop the following patches, included upstream: - - 0003-commits-through-r1882.patch - - 0004-lp887992.patch - - 0005-lp884748.patch - - 0006-lp870992.patch - - 0007-lp860856.patch - - 0008-lp852062.patch - - 0009-lp851977.patch - - 0010-lp890894.patch - - 0011-lp817956.patch - - 0012-lp458922.patch - - 0013-lp769148.patch - - 0014-lp904548.patch - - 0015-lp712584.patch - - 0016-lp562831.patch - - 0017-lp662906.patch - - 0018-deny-home-pki-so.patch - - 0019-lp899963.patch - - 0020-lp912754a.patch - - 0021-lp912754b.patch - - 0022-workaround-lp851986.patch - - 0023-syslog-ng-needs-dac-read-search.patch - - 0024-fix-python-and-ruby-autogeneration.patch - - 0025-lp914184.patch - - 0026-lp914190.patch - - 0027-lp914386.patch - - 0028-testsuite-fixes.patch - - 0029-lp917628.patch - - 0030-lp916285.patch - - 0031-lp917639.patch - - 0032-lp917641.patch - - 0033-add-ubuntu-helpers-to-plugins-common.patch - - 0034-lp917859.patch - - 0035-kde-should-use-kde4.patch - - 0036-lp929531.patch - - 0036-fix-manpage-errors.patch - * Rename 0037-add-aa-easyprof.patch 0003-add-aa-easyprof.patch - * debian/apparmor-profiles.postrm: clean out autogenerated files created by - apparmor-profiles.postinst (Closes: 656451) - * debian/patches/0004-lp918879.patch: allow /etc/drirc in the X abstraction - (LP: #918879) - * debian/patches/0005-disable-minimization.patch: do to LP: 940362, - minimization is not working correctly. Disable it for now. - - -- Jamie Strandboge Fri, 24 Feb 2012 09:04:45 -0600 - -apparmor (2.7.0-1) unstable; urgency=low - - * debian/po/pt.po add new Portuguese translation, thanks to Pedro Ribeiro, - (Closes: 651434). - * debian/control: do not require initramfs-tools on !linux-any - (Closes: 651297). - * debian/{control,rules,debhelper/*}: move dh_apparmor into separate - binary package, out of debhelper (Closes: 649784). - * debian/{control,rules}: fix up lack of real build-indep. - * debian/patches/0036-fix-manpage-errors.patch: minor man page cleanups. - * merge changes from Ubuntu (r1443). - - -- Kees Cook Thu, 09 Feb 2012 15:24:08 -0800 - -apparmor (2.7.0-0ubuntu7) precise; urgency=low - - * debian/patches/0037-add-aa-easyprof.patch: add the aa-easyprof tool - * apparmor-utils.dirs, apparmor-utils.install, apparmor-utils.manpages: - install aa-easyprof and supporting files - * python-libapparmor.install: only install LibAppArmor* - * debian/rules: use dh_python2 with apparmor-utils - * debian/control: apparmor-utils should Depends on ${python:Depends} - - -- Jamie Strandboge Wed, 15 Feb 2012 07:40:38 -0600 - -apparmor (2.7.0-0ubuntu6) precise; urgency=low - - * debian/apparmor.{preinst,postinst,postrm,maintscript}, debian/control: - Use maintscript support in dh_installdeb rather than writing out - dpkg-maintscript-helper commands by hand. We now simply Pre-Depend on a - new enough version of dpkg rather than using 'dpkg-maintscript-helper - supports' guards, leading to more predictable behaviour on upgrades. - - -- Colin Watson Sat, 11 Feb 2012 15:11:01 +0000 - -apparmor (2.7.0-0ubuntu5) precise; urgency=low - - * debian/patches/0036-lp929531.patch: adjust base abstraction to allow read - access to /sys/devices/system/cpu/online (LP: #929531) - - -- Jamie Strandboge Thu, 09 Feb 2012 08:04:13 -0600 - -apparmor (2.7.0-0ubuntu4) precise; urgency=low - - * debian/patches/0034-lp917859.patch: adjust aspell abstraction for user - customizable dictionaries (LP: #917859) - * debian/patches/0035-kde-should-use-kde4.patch: adjust abstractions to - use kde{,4} instead of kde - * debian/control: update Vcs-Bzr - - -- Jamie Strandboge Wed, 18 Jan 2012 16:27:30 -0600 - -apparmor (2.7.0-0ubuntu3) precise; urgency=low - - * debian/patches/0029-lp917628.patch: Adjust dnsmasq profile for - NetworkManager integration (LP: #917628) - * debian/patches/0030-lp916285.patch: update ubuntu-browsers.d/text-editors - to work with emacs2[2-9] (LP: #916285) - * debian/patches/0031-lp917639.patch: update p11-kit to allow mmap of - libraries in pkcs directories (LP: #917639) - * debian/patches/0032-lp917641.patch: ubuntu-integration abstraction for - multiarch with gst-plugin-scanner (LP: #917641) - * debian/patches/0033-add-ubuntu-helpers-to-plugins-common.patch: include - ubuntu-helpers in the plugins-common abstraction - - -- Jamie Strandboge Tue, 17 Jan 2012 07:18:34 -0600 - -apparmor (2.7.0-0ubuntu2) precise; urgency=low - - * debian/patches/0022-workaround-lp851986.patch: update sanitized_helper - to include inet6 - - -- Jamie Strandboge Fri, 13 Jan 2012 11:21:30 +0100 - -apparmor (2.7.0-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following: - - LP: #794974 - - LP: #815883 - - LP: #840973 - * Drop the following patches, included upstream: - - af_names-generation.patch - - 0004-adjust-logprof-log-search-order.patch - - 0005-lp826914.patch - - 0006-lp838275.patch - - 0007-fix-introspection-tests.patch - * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002 - * debian/patches/0003-commits-through-r1882.patch: several bug, - documentation and performance fixes on our road to AppArmor 2.8 - (LP: #840734, LP: #905412) - * debian/patches/0004-lp887992.patch: cups-client abstraction should allow - owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions - (LP: #887992) - * update debian/patches/0001-add-chromium-browser.patch for deeper - directories of /sys/devices/pci (LP: #885833) - * debian/patches/0005-lp884748.patch: allow kate as text editor in the - browsers abstraction (LP: #884748) - * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access - to ~/.fonts.conf.d (LP: #870992) - * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py - in the python abstraction, which is needed for apport hooks to work in - python applications (LP: #860856) - * debian/patches/0008-lp852062.patch: update binaries for transmission - clients (LP: #852062) - * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for - Xubuntu and friends (LP: #851977) - * debian/patches/0010-lp890894.patch: allow access to Thunar as well as - thunar in ubuntu-integration abstraction (LP: #890894) - * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile - (LP: #817956) - * debian/patches/0012-lp458922.patch: update dovecot deliver profile to - access various .conf files for dovecot (LP: #458922) - * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection - (LP: #769148) - * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv - (LP: #904548) - * debian/patches/0015-lp712584.patch: Nvidia users need access to - /dev/nvidia* files for various plugins to work right. Since these are all - focused around multimedia, add the acceses to the multimedia abstraction. - (LP: #712584) - * debian/patches/0016-lp562831.patch: allow fireclam plugin to work - (LP: #562831) - * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu - integration browser abstraction (LP: #662906) - * debian/patches/0018-deny-home-pki-so.patch: update private-files - abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847) - * debian/patches/0019-lp899963.patch: add audacity to the - ubuntu-media-players abstraction (LP: #899963) - * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit - abstraction and add it to the authentication abstraction (LP: #912754) - * debian/patches/0022-workaround-lp851986.patch: instead of using Ux - in the ubuntu and launchpad abstractions, use a helper child profile. - This will help work around the lack of environment filtering - (LP: #851986) - * debian/patches/0023-syslog-ng-needs-dac-read-search.patch: adjust syslog-ng - profile for dac_read_search - * debian/patches/0024-fix-python-and-ruby-autogeneration.patch: fix python - and ruby autogeneration when using aa-autodep and aa-genprof - * debian/patches/0025-lp914184.patch: allow the creation of enchant .config - directory in the enchant abstraction (LP: #914184) - * debian/patches/0026-lp914190.patch: block write access to ~/.kde/env - because KDE automatically sources scripts in that folder on startup - (LP: #914190) - * debian/pathes/0027-lp914386.patch: add xdg-desktop abstraction and - adjust gnome and kde abstractions to use it (LP: #914386) - * debian/patches/0028-testsuite-fixes.patch: testsuite fixes in the kernel - regression tests - - -- Jamie Strandboge Thu, 12 Jan 2012 12:55:17 +0100 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu3) precise; urgency=low - - * Rebuild for Perl 5.14. - - -- Colin Watson Tue, 15 Nov 2011 22:10:05 +0000 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu2) oneiric; urgency=low - - * 0007-fix-introspection-tests.patch: Add missing introspection regression - test that should have been checked in with the introspection patches. - - -- Jamie Strandboge Tue, 04 Oct 2011 13:13:05 -0500 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu1) oneiric; urgency=low - - * 0004-adjust-logprof-log-search-order.patch: Adjust the search order to use - just /var/log/audit/audit.log and /var/log/syslog. (LP: #835838) - * 0005-lp826914.patch: fix missing multiarch in abstraction/X (LP: #826914) - * 0006-lp838275.patch: adjust ubuntu-email abstraction for thunderbird 7 - (LP: #838275) - - -- Jamie Strandboge Fri, 02 Sep 2011 12:30:10 -0500 - -apparmor (2.7.0~beta1+bzr1774-1) unstable; urgency=low - - * New upstream devel snapshot: - - drop 0002-lp750381.patch, taken upstream. - - drop 0004-lp754889.patch, taken upstream. - - drop 0005-lp761217.patch, taken upstream. - - drop 0100-manpage-typo.patch, taken upstream. - - drop 0101-declarations.patch, solved differently upstream. - - drop 0102-manpage-release-name.patch, taken upstream. - - drop 0103-kfreebsd-compile.patch, taken upstream. - - drop define-path-max.patch, taken upstream. - - drop indep-build.patch, taken upstream. - - debian/libapparmor1.manpages: add new function man pages. - * Merge with Ubuntu: - - drop 0104-python-aa-status.patch, taken upstream. - - drop 0105-lightdm.patch, taken upstream. - - drop 0106-lp810270.patch, taken upstream. - - drop 0107-lp767308.patch, taken upstream. - - drop 0108-gnome-mimeinfo.patch, taken upstream. - - drop 0109-add-profile-repo-info.patch, taken upstream. - * Add af_names-generation.patch to allow arbitrary socket.h file location. - - -- Kees Cook Wed, 10 Aug 2011 18:12:34 -0700 - -apparmor (2.6.1-4ubuntu5) oneiric; urgency=low - - * debian/patches/0109-add-profile-repo-info.patch: add a blurb about the - new profiles repository to aa-genprof, along with a link to the wiki - page. - - -- Marc Deslauriers Mon, 18 Jul 2011 10:49:13 -0400 - -apparmor (2.6.1-4ubuntu4) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: updated to use upstream commits - - -- Jamie Strandboge Fri, 15 Jul 2011 14:08:38 -0500 - -apparmor (2.6.1-4ubuntu3) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: adjustments for /var/run -> /run, - /var/lock -> /run/lock and /dev/shm -> /run/shm transition (LP: #810270) - * debian/patches/0107-lp767308.patch: allow read access to - /usr/local/share/ca-certificates (LP: #767308) - * debian/patches/0001-add-chromium-browser.patch: updates for newer chromium - (LP: #776648) - * debian/patches/0108-gnome-mimeinfo.patch: allow read access to - /usr/share/gnome/applications/mimeinfo.cache in the gnome abstraction - - -- Jamie Strandboge Thu, 14 Jul 2011 09:39:49 -0500 - -apparmor (2.6.1-4ubuntu2) oneiric; urgency=low - - * debian/patches/0105-lightdm.patch: allow owner read access to - /var/run/lightdm/authority/[0-9]* - - -- Jamie Strandboge Wed, 22 Jun 2011 16:29:11 -0500 - -apparmor (2.6.1-4ubuntu1) oneiric; urgency=low - - * Get rid of Perl in main AppArmor package so we can remove perl-modules - from the installation cd: - - debian/patches/0104-python-aa-status.patch: switch aa-status to - Python - - debian/apparmor.*, debian/apparmor-utils.*: move aa-status, symlink - and manpages to main apparmor package. - - debian/control: add appropriate Breaks/Replaces/Depends because of - the file move, add ${python:Depends} to apparmor Depends, add - apparmor-utils to apparmor Suggests. - - debian/rules: add apparmor package to dh_python2. - * debian/lib/apparmor/functions: fix hat separator (LP: #788616) - - Based on upstream revision 1733 - - -- Marc Deslauriers Wed, 01 Jun 2011 11:03:20 -0400 - -apparmor (2.6.1-4) unstable; urgency=low - - * debian/po: add new translations: - - zh_CN.po: Simplified Chinese, thanks to Aron Xu (Closes: 624853). - - da.po: Danish, thanks to Joe Dalton (Closes: 625252). - - sv.po: Swedish, thanks to Martin Bagge (Closes: 625264). - - cs.po: Czech, thanks to Michal Šimůnek (Closes: 625465). - - de.po: German, thanks to Chris Leick (Closes: 625931). - - nl.po: Dutch, thanks to Jeroen Schot (Closes: 626269). - - ja.po: Japanese, thanks to Hideki Yamane (Closes: 626803). - - it.po: Italian, thanks to Dario Santamaria (Closes: 626836). - - fr.po: French, thanks to Julien Patriarca (Closes: 626903). - - es.po: Spanish, thanks to Francisco Javier Cuadrado (Closes: 627031). - * debian/patches/define-path-max.patch: fix Hurd FTBFS. - * debian/patches/indep-build.patch: allow split indep/arch builds. - * debian/{control,rules,non-linux}: add fake parser for non-Linux - builds so that apparmor-utils is installable (Closes: 625977). - - -- Kees Cook Fri, 27 May 2011 13:51:18 -0700 - -apparmor (2.6.1-3) unstable; urgency=low - - * debian/control: add sneaky missing Build-Dep on liblocale-gettext-perl - (fixes FTBFS on some extremely minimal chroots, Closes: 624566). - * debian/patches/0101-declarations.patch: add missing declarations needed - for sensitive compilers (fixes FTBFS on mips/mipsel). - * debian/patches/0102-manpage-release-name.patch: update manpage release - names to match others. - * debian/patches/0103-kfreebsd-compile.patch, debian/{control,rules}: - attempt to build as much as possible (no parser) on non-Linux systems. - * debian/po/ru.po: add translation, thanks to Yuri Kozlov (Closes: 624741). - - -- Kees Cook Sun, 01 May 2011 19:29:07 -0700 - -apparmor (2.6.1-2) unstable; urgency=low - - * debian/copyright: clarify for some full organization names. - - -- Kees Cook Wed, 27 Apr 2011 10:38:07 -0700 - -apparmor (2.6.1-1) unstable; urgency=low - - * Initial Debian upload (Closes: 622922). - * debian/patches/0100-manpage-typo.patch: fix lintian error in manpage. - * debian/clean: update for Debian build. - * debian/copyright: rearrange and add a few missing files. - * debian/source/format, debian/rules: convert to 3.0 quilt format. - * debian/{rules,apparmor-profiles.postinst}: deal with lack of dh_apparmor. - - -- Kees Cook Sat, 23 Apr 2011 12:14:55 -0700 - -apparmor (2.6.1-0ubuntu3) natty; urgency=low - - * debian/patches/0003-add-debian-integration-to-lighttpd.patch: updates for - lighttpd example profile to work in Debian/Ubuntu (LP: #582814) - * debian/patches/0004-lp754889.patch: add several image viewers to - ubuntu-browsers.d/multimedia abstraction (LP: #754889) - * debian/patches/0005-lp761217.patch: abstractions/private-files updates for - zsh and several other shells (LP: #761217) - * debian/patches/0001-add-chromium-browser.patch: fixes for multiarch and - crash reporter (LP: #764786) - - -- Jamie Strandboge Mon, 18 Apr 2011 09:23:50 -0500 - -apparmor (2.6.1-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp750381.path: adjust ubuntu-media-players abstraction - to allow reading of configs required by gnash and owner writing of - @{HOME}/.gnash (LP: #750381) - - -- Jamie Strandboge Thu, 07 Apr 2011 10:09:24 -0500 - -apparmor (2.6.1-0ubuntu1) natty; urgency=low - - * New upstream release. - - Fixes breakage of mod_apparmor apache2 module (LP: #737074) - - Fixes profile matching when an attachement doesn't contain a - regex (LP: #731155) - - Fixes parser acceptance of missing network protocols (LP: #732837) - - Patches taken upstream and dropped: - + debian/patches/0002-lp727478.patch - + debian/patches/0003-test-lp727478.patch - + debian/patches/0004-lp736870.patch - * debian/apparmor.install, debian/apparmor.dirs: add new multiarch - tunable file and directory - * debian/python-libapparmor.install: loosen directory specification - for resiliancy against different python versions - - -- Steve Beattie Thu, 24 Mar 2011 01:55:12 -0700 - -apparmor (2.6.0-0ubuntu4) natty; urgency=low - - * Update debian/patches/0004-lp736870.patch (LP: #736870): - - armel triplet doesn't match '*-linux-gnu' - - /lib/tls for libc6-xen needs handling - - gnome, kde, kerberosclient, and authentication abstractions also need - updating for multiarch. - - -- Steve Langasek Tue, 22 Mar 2011 15:18:54 -0700 - -apparmor (2.6.0-0ubuntu3) natty; urgency=low - - * debian/patches/0004-lp736870.patch: add multiarch support to abstractions - (LP: #736870) - - -- Jamie Strandboge Thu, 17 Mar 2011 09:17:01 -0500 - -apparmor (2.6.0-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp727478.patch: Override AF_MAX for kernels that don't - support proper masking. Patch thanks to John Johansen (LP: #727478) - * debian/patches/0003-test-lp727478.patch: add tcp.sh test as partial - networking test - - -- Jamie Strandboge Thu, 03 Mar 2011 16:40:08 -0600 - -apparmor (2.6.0-0ubuntu1) natty; urgency=low - - [ Steve Beattie ] - * New upstream 2.6.0 release (LP: #724193) - - Patches taken upstream and dropped: - + 0001-ubuntu-buildd.patch - + 0003-add-libvirt-support-to-dnsmasq.patch - + 0004-lp698194.patch - + 0005-aa-disable.patch - - debian/rules: remove library path settings for mod_apparmor and - pam_apprmor builds; upstream handles this properly now. - - debian/apparmor-utils.install: handle upstream SubDomain.pm => - AppArmor.pm renaming - * debian/lib/apparmor/functions: handle profile names with embedded - spaces (LP: #655523) - * debian/rules, debian/control, debian/python-libapparmor: build - a python-libapparmor package. - - [ Jamie Strandboge ] - * debian/copyright: update and reformat according to DEP-5 - * debian/lib/apparmor/functions: don't unload dynamically generated libvirt - profiles on reload, restart, and force-reload (LP: #702774) - * debian/control: use Section: python for python-libapparmor - - -- Steve Beattie Thu, 24 Feb 2011 01:41:58 -0800 - -apparmor (2.6~devel+bzr1617-0ubuntu2) natty; urgency=low - - * debian/patches/0005-aa-disable.patch: add aa-disable - * debian/apparmor-utils.install: install aa-disable - * debian/apparmor-utils.manpages: install aa-disable man page - - -- Jamie Strandboge Mon, 07 Feb 2011 11:23:50 -0600 - -apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1617. Closes the following bugs: - - LP: #692406: temporarily disable the defunct repository until an - alternative can be used - - LP: #649497: add ibus abstraction - - LP: #652562: allow 'rw' to /var/log/samba/cores/ - - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules - * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.* - (LP: #692866) - * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch - and adjust debian/patches/series - * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239): - - allow read and write access to libvirt pid files for dnsmasq - - allow net_admin capability for DHCP server - - allow net_raw and network inet raw for ICMP pings when used as a DHCP - server - * debian/patches/0004-lp698194 (LP: #698194): - - abstractions/private-files: don't allow wl to autostart directories - - abstractions/private-files-strict: don't allow access to chromium, - kwallet and popular mail clients - - -- Jamie Strandboge Fri, 07 Jan 2011 12:44:26 -0600 - -apparmor (2.6~devel+bzr1601-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1601 to gain parser speed - improvements and man page fixes. Closes the following bugs: - - LP: #349049: document audit, deny and owner rule qualifiers - - LP: #466228: ubuntu-browsers.d/multimedia: allow flash printing - - LP: #644983: add ubuntu-browsers.d/ubuntu-integration-xul - - LP: #692216: use aa_change_hat() instead of change_hat() - - LP: #692217: add aa_change_profile.pod manpage - * debian/control: explicitly depend on gettext module. - * ship apparmor vim syntax file (LP: #646800): - - debian/vim-apparmor.yaml: vim addon definition file. - - debian/apparmor-utils.install: add apparmor.vim and vim-apparmor.yaml. - * debian/libapparmor1.manpages: ship aa_change_profile manpage. - - -- Kees Cook Mon, 20 Dec 2010 14:37:38 -0800 - -apparmor (2.6~devel+bzr1527-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1527, drop patches taken upstream: - - debian/patches/0001-fix-release.patch - - debian/patches/0003-local-includes.patch - - debian/patches/0004-ubuntu-abstractions-updates.patch - - debian/patches/0005-lp648900.patch - - debian/patches/0006-testsuite-fixes.patch - - debian/patches/0007-honor-cflags.patch - - debian/patches/0008-lp652674.patch - - debian/patches/0009-sensible-browser-pix.patch - * Rework packaging for more sanity. - - debian/control: - - bump debhelper build depend to Ubuntu-specific v8. - - switch apparmor-profiles to arch all as it ships only text. - - update Homepage to new domain. - - expand long descriptions to keep lintian happy. - - debian/compat: bump to 8. - - README.Debian: removed, hopelessly out of date. - - debian/copyright: - - updated for changes to upstream source layout. - - fixed lintian warnings. - - debian/rules: - - ditch mv/install in favor of *.install,*.dir files. - - replace "dh_clean -k" with "dh_prep" - - use dh_clean's debian/clean file instead of manual rm. - - scan for all profiles to run through dh_apparmor. - - debian/*.{install,dirs,manpages,docs}: - - explicitly list all files needed for packaging - - debian/apparmor.{preinst,postinst,postrm}: - - add dpkg-maintscript-helper calls to clean up old script locations. - - drop old conffile cleanups, since they predate Lucid. - - debian/apparmor.init: - - move functions to /lib/apparmor. - - start on $remote_fs due to using /usr tools during init. - - use LC_COLLATE=C for proper sorting. - - debian/libapparmor1.symbols: created initial symbols file. - - debian/apparmor-docs.doc-base: include doc-base details for techdoc. - - debian/notify/90apparmor-notify: use new command name. - - lib/apparmor/functions: use LC_COLLATE=C for proper sorting. - - -- Kees Cook Thu, 04 Nov 2010 18:06:34 -0700 - -apparmor (2.5.1-0ubuntu4) natty; urgency=low - - * debian/patches/0004-ubuntu-abstractions-updates.patch: updated to add - /usr/bin/emacs-snapshot-gtk PUxr - * debian/patches/0009-sensible-browser-pix.patch: use Pix for - sensible-browser - * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if - the AppArmor securityfs introspection directory is not mounted, as - is the case on Ubuntu buildds. - - -- Jamie Strandboge Tue, 02 Nov 2010 12:17:21 -0500 - -apparmor (2.5.1-0ubuntu3) natty; urgency=low - - * debian/control: use the correct version for Conflicts/Replaces - - -- Jamie Strandboge Tue, 19 Oct 2010 19:53:26 -0500 - -apparmor (2.5.1-0ubuntu2) natty; urgency=low - - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. Patch by Marc Deslauriers. - (LP: #539441) - - -- Jamie Strandboge Tue, 19 Oct 2010 15:44:43 -0500 - -apparmor (2.5.1-0ubuntu1) natty; urgency=low - - * New upstream release (LP: #660077) - - The following patches were refreshed: - + 0001-fix-release.patch - + 0003-local-includes.patch - + 0008-lp648900.patch: renamed as 0005-lp648900.patch - - The following patches were dropped (included upstream): - + 0005-lp601583.patch - + 0006-network-interface-enumeration.patch - + 0007-gnome-updates.patch - * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head - of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211) - * debian/patches/0007-honor-cflags.patch: have the parser makefile honor - CFLAGS environment variable. Brings back missing symbols for the retracer - * debian/patches/0008-lp652674.patch: fix warnings for messages without - denied or requested masks (LP: #652674) - * debian/apparmor.init: fix path to aa-status (LP: #654841) - * debian/apport/source_apparmor.py: apport hook should use - root_command_hook() for running apparmor_status (LP: #655529) - * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber - cmdline details (LP: #657091) - - -- Jamie Strandboge Fri, 15 Oct 2010 12:23:00 -0500 - -apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low - - * abstractions/ubuntu-email: adjustment for ever-changing thunderbird path - (LP: #648900) - - -- Jamie Strandboge Mon, 27 Sep 2010 09:00:06 -0500 - -apparmor (2.5.1~rc1-0ubuntu1) maverick; urgency=low - - [ Jamie Strandboge ] - * New upstream RC release (revision 1413). In addition to getting the tools - to work with the maverick kernel, this update fixes: - - LP: #619521 - - LP: #633369 - - LP: #626451 - - LP: #581525 - - LP: #623467 (link and unlink still need to be addressed) - * Dropped the following patches, included upstream: - - 0002-lp615177.patch - - 0004-ubuntu-pux.patch - - 0006-kde4-config-pux.patch - - 0007-lp605835.patch - - 0012-lp625041.patch - - 0013-lp623586.patch - * Update the following patches: - - rename 0010-fix-release.patch as 0001-fix-release.patch since this will - likely always need to be here - - rename 0005-add-chromium-browser.patch as - 0002-add-chromium-browser.patch - - rename 0001-local-includes.patch as 0003-local-includes.patch and update - to use r1493 (from trunk) of local/README file. This can be dropped in - 2.6. - - collect the ubuntu abstractions updates pulled from trunk into - 0004-ubuntu-abstractions-updates.patch. This can be dropped in 2.6. - - rename 0008-lp601583.patch as 0005-lp601583.patch. This can be dropped - in 2.5.1 final. - * fix up some lintian warnings: - - debian/control: - + don't use 'Section' in apparmor-notify, since it is the same as the - source - + updates Standards-Version to 3.9.1 - + add ${misc:Depends} to libapparmor-dev and apparmor-notify - - add debian/source/format - - debian/libapache2-mod-apparmor.postrm: use #DEBHELPER# - - debian/libapache2-mod-apparmor.preinst: use #DEBHELPER# - - add debian/watch - * debian/notify/notify.conf: set show_notifications="yes" by default - * debian/patches/0006-network-interface-enumeration.patch: allow network - interface enumeration. This can be dropped in 2.5.1 final. - * debian/patches/0007-gnome-updates.patch: update for font/icon/mime - locations in current gnome. This can be dropped in 2.5.1 final. - - [ Kees Cook ] - * debian/apparmor.init: rename "stop" to "teardown", drop caches on - "stop" and warn about the dangers of "teardown". - - -- Jamie Strandboge Fri, 10 Sep 2010 11:07:19 -0500 - -apparmor (2.5.1~pre1393-0ubuntu6) maverick; urgency=low - - * debian/profiles/chromium-browser: updated to have the proper path to - local/ - * debian/patches/0011-lp514356+573344+593413.patch: browser abstraction - updates for /net, kmozillahelper and gnome-appearance-properties - (LP: #593413, LP: #514356, LP: #573344) - * debian/patches/0012-lp625041.patch: add sensible-browser (LP: #625041) - * debian/patches/0013-lp623586.patch: allow access to ghostscript fonts when - not using defoma (LP: #623586) - - -- Jamie Strandboge Fri, 03 Sep 2010 07:39:31 -0500 - -apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low - - * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs - abstraction (LP: #605835) - * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm - (LP: #601583) - * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction - and have ubuntu-browsers.d/multimedia use it (LP: #565753) - * debian/apparmor.config: don't try to read in the existing value from - /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is - in debconf. (LP: #561694) - * add aa-update-browser for giving a programmatic way to update browser - profiles to use browser abstractions - - add debian/aa-update-browser - - add debian/aa-update-browser.8 - - debian/rules: install aa-update-browser* - * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java - child profile names - * debian/patches/0010-fix-release.patch: update common/Make.rules to use - lsb_release - - -- Jamie Strandboge Wed, 11 Aug 2010 09:24:23 -0500 - -apparmor (2.5.1~pre1393-0ubuntu4) maverick; urgency=low - - * debian/patches/0001-local-includes.patch: updated to adjust local/README - to have upstream clarifications - * debian/patches/0003-ubuntu-browsers-d.patch: add ubuntu-browsers.d/* - abstractions - * debian/patches/0004-ubuntu-pux.patch: use 'PUx' instead of 'Ux' in - abstractions/ubuntu-* - * add chromium-browser profile. All this can be removed once - chromium-browser ships its own profile: - - debian/patches/0005-add-chromium-browser.patch: add preliminary - profiles/apparmor.d/usr.bin.chromium-browser - - debian/profiles/chromium-browser: added for use with ubuntu-browsers.d - - debian/rules: ship debian/profiles/chromium-browser in apparmor-profiles - * don't make /etc/apparmor.d/local/* from apparmor-profiles conffiles - - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 - - debian/rules: use dh_apparmor instead of shipping the files as conffiles - - debian/apparmor-profiles.postinst: move DEBHELPER before initscript - reload - - debian/apparmor-profiles.postrm: added to remove chromium-browser config - file - * debian/patches/0006-kde4-config-pux.patch: remove kde4-config from kde - abstraction and add it to kde ubuntu-browsers abstraction - - -- Jamie Strandboge Tue, 10 Aug 2010 14:31:32 -0500 - -apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low - - * debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too - strict for /tmp/ and /var/tmp/ (LP: #615177) - - -- Jamie Strandboge Mon, 09 Aug 2010 10:17:05 -0500 - -apparmor (2.5.1~pre1393-0ubuntu2) maverick; urgency=low - - * debian/rules: move local/usr.lib.apache2.mpm-prefork.apache2 to - libapache2-mod-apparmor - - -- Jamie Strandboge Fri, 06 Aug 2010 13:38:59 -0500 - -apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low - - * Update to upstream bzr revision 1393 from lp:apparmor/2.5. - * add dbus-session abstraction (LP: #566207) - * require owner in user-tmp abstraction (LP: #578922) - * don't use uninitialized $opt_s (LP: #582075) - * allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462) - * allow gmplayer in abstractions/ubuntu-media-players (LP: #591421) - * debian/control: updated branches. - * debian/patches/0001-local-includes.patch: backported patch from trunk to - allow local administrators to customize their profiles without modifying - a shipped profile - * debian/rules: - - don't pass RELEASE to libapparmor's 'make install' as it breaks the - build and isn't used by the Makfile anyway - - install apparmor.d/local/README in apparmor, not apparmor-profiles - - don't install apparmor.d/local/usr.sbin.ntpd - * Drop the following patches already included upstream: - - 0001-lp538561.patch - - 0002-aalogprof-warnings.patch - - 0003-fix-memleaks.patch - - 0004-lp549557.patch - - 0005-lp538661.patch - - 0006-lp611248.patch - - -- Jamie Strandboge Thu, 05 Aug 2010 16:10:46 -0500 - -apparmor (2.5-0ubuntu4) maverick; urgency=low - - * debian/patches/0006-lp611248.patch: allow access to gdk-pixbuf loaders - LP: #611248 - - -- Jamie Strandboge Tue, 03 Aug 2010 09:32:10 -0500 - -apparmor (2.5-0ubuntu3) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/lp-549557.patch: have apparmor_notify deal with log file - rotation. (LP: #549557) - * debian/notify/notify.conf: set show_notifications="yes" - * debian/patches/0005-lp538661.patch: adjust php5 abstraction for cgi config - file path and extensions (LP: #538661) - - [ Kees Cook ] - * debian/apparmor.functions: do not load in parallel, this is causing - weird side-effects. - - -- Jamie Strandboge Tue, 30 Mar 2010 11:31:49 -0500 - -apparmor (2.5-0ubuntu2) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0001-lp538561.patch: add 'k' to /var/lib/samba/**.tdb in - the samba abstraction (LP: #538561) - - [ Marc Deslauriers ] - * debian/patches/0002-aalogprof-warnings.patch: get rid of warnings when - aa-logprof is run. - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. (LP: #539441) - * debian/patches/0003-fix-memleaks.patch: include a couple of leak - patches from upstream. - - -- Marc Deslauriers Fri, 26 Mar 2010 11:39:18 -0400 - -apparmor (2.5-0ubuntu1) lucid; urgency=low - - * New upstream release. - * debian/control: updated branches. - * debian/copyright: updated download locations. - * debian/rules: drop unneeded build variables. - * common/Make.rules: set distributor. - - -- Kees Cook Thu, 11 Mar 2010 00:08:08 -0800 - -apparmor (2.5~pre+bzr1367-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1367 - * debian/notify/90apparmor-notify: sleep for 60 seconds for boot speed and - to make sure that X is all the way up so the notifications look pretty - - -- Jamie Strandboge Mon, 08 Mar 2010 13:53:50 -0600 - -apparmor (2.5~pre+bzr1364-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1364. - * debian/apparmor.functions: ignore .dpkg-bak files when loading too. - - -- Kees Cook Wed, 17 Feb 2010 13:36:21 -0800 - -apparmor (2.5~pre+bzr1362-0ubuntu2) lucid; urgency=low - - * debian/apparmor.postinst: on upgrades, prepopulate apparmor/homedirs - if it is not preseeded. Will check /etc/passwd for UIDs >= 1000 and - < 30000 for unique dirnames of home directories that are not /home. Fully - resolves (LP: #447292) - - -- Jamie Strandboge Wed, 17 Feb 2010 09:42:55 -0600 - -apparmor (2.5~pre+bzr1362-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1362. - - This release includes DFA minimization, transition table compression, - and improved partitioning performance (LP: #503869). - - drop 0001-tunable-alias.patch, now upstream. - * debian/apparmor.postinst: update home.d template to note the trailing - slash, even if the debconf template mentions it too. - * debian/apparmor.functions: go fully parallel with parsing to use all - CPUs in the case of needing to regenerate caches. - * debian/rules: enable library testsuite during build. - * debian/control: add dejagnu for library testsuite. - * debian/{rules,control}: use chrpath to drop rpath in libapparmor-perl. - - [ Jamie Strandboge ] - * debian/control: add apparmor-notify - * add debian/notify/notify.conf - * add debian/notify/90apparmor-notify - * add debian/apparmor-notify.install: install notify.conf to /etc/apparmor - and 90apparmor-notify to /etc/X11/Xsession.d - * debian/rules: - - remove upstream notify.conf since we will install our own via debhelper - - move apparmor_notify script and man pages to apparmor-notify - - -- Kees Cook Sat, 13 Feb 2010 12:19:30 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu4) lucid; urgency=low - - * 0001-tunable-alias.patch: backport r1330 to make it easier for people - to use AppArmor's alias rules (LP: #160002) - - -- Jamie Strandboge Mon, 11 Jan 2010 14:31:06 -0600 - -apparmor (2.3.1+bzr1312-0ubuntu3) lucid; urgency=low - - * debian/apparmor.{init,functions}: - - add "recache" argument to init script for liveCD cache generation. - - skip start/stop/reload when running on liveCD. - - -- Kees Cook Fri, 08 Jan 2010 08:39:14 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu2) lucid; urgency=low - - * debian/rules: disable profiling support for released version. - - -- Kees Cook Wed, 06 Jan 2010 16:57:58 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1312. - * debian/apparmor.postrm: fix comment typo. - * debain/rules: switch to bzr for upstream versioning. - * debian/rules: install apache2-* abstractions into apache2-mod package. - * drop debian/patches/0001-likewise-home-tunables.patch: this is causing - too much time in the parser (see LP 503869). The default install is - suffering, so move this configuration to likewise-open (see LP 274350). - - [ Jamie Strandboge ] - * debian/rules: - - don't ship tunables/home.d/site.local - - correct path for moving apache2 abstraction - * add debconf question for adjusting HOMEDIRS (LP: #447292) - - add debian/apparmor.config - - debian/apparmor.postinst: query debconf and adjust - tunables/home.d/ubuntu - - debian/apparmor.postrm: on purge, remove tunables/home.d/ubuntu and run - db_purge - - debian/control: Build-Depends on po-debconf and have apparmor Depends on - debconf - - add debian/po/* - - debian/rules: use dh_installdebconf -papparmor - - added debian/templates - - -- Kees Cook Wed, 06 Jan 2010 15:51:33 -0800 - -apparmor (2.3.1+1403-0ubuntu31) lucid; urgency=low - - * Remove initramfs hooks, as early profile loading is handled - on a service-by-service basis with Upstart jobs now. - - -- Kees Cook Fri, 04 Dec 2009 13:22:04 -0800 - -apparmor (2.3.1+1403-0ubuntu30) lucid; urgency=low - - [ Jamie Strandboge ] - * convert to using quilt - - debian/control: Build-Depends on quilt - - add debian/README.source - - debian/rules: include /usr/share/quilt/quilt.make and adjust - targets for patching - * debian/patches/0001-likewise-home-tunables.patch: tunables/home: add - /home/likewise-open/*/ to HOMEDIRS (LP: #274350) - * Merge to upstream bzr rev 1308. - - really add chromium-browser (LP: #488559) - - add official google-chrome (LP: #481661) - - [ Kees Cook ] - * parser/parser_main.c: use nanosec ctime resolution when checking - cache file times. - * parser/tst/caching.sh: add tests for cache use based on timestamps. - - -- Jamie Strandboge Fri, 04 Dec 2009 11:11:01 -0600 - -apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low - - * parser/Makefile: generate af_names.h based on bits/socket.h since - linux/socket.h no longer has what we need (LP: #474751) - * usr.sbin.dnsmasq: fully address LP: #445818 - - more pidfile refinements - - allow access to /var/run/dnsmasq - - allow access to /etc/dnsmasq.d - - allow dac_override so it can write its pidfile - * abstractions/ubuntu-browsers: add chromium-browser - - -- Jamie Strandboge Wed, 04 Nov 2009 17:07:23 -0600 - -apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low - - [ Jamie Strandboge ] - * update skype profile in extras. Based on work by Андрей Калинин. - (LP: #226624) - * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778) - * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and - epiphany-webkit were already present, but the recent changes in - epiphany packaging require /usr/bin/epiphany) (LP: #472952) - * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818) - * abstractions/gnome: allow access to ~/.themes (LP: #460125) - * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config - (LP: #447006) - - [ Marc Deslauriers ] - * utils/Subdomain.pm: don't skip reading profiles that are also in the - cache directory (LP: #446449) - * utils/Subdomain.pm: correctly parse PUxr modes - * utils/Subdomain.pm: support include directories - - -- Jamie Strandboge Wed, 04 Nov 2009 11:02:27 -0600 - -apparmor (2.3.1+1403-0ubuntu27) karmic; urgency=low - - * utils/SubDomain.pm: handle new format "null" log entries (LP: #446524) - - -- Marc Deslauriers Fri, 16 Oct 2009 14:40:04 -0400 - -apparmor (2.3.1+1403-0ubuntu26) karmic; urgency=low - - * abstractions/ubuntu-browsers: add Dooble - * abstractions/ubuntu-browsers: add chromium (LP: #448812) - * abstractions/gnome: add read for /etc/orbitrc - * abstractions/audio: add read for /etc/pulse/* for when ~/.pulse/* doesn't - exist and these files are used for fallback - - -- Jamie Strandboge Wed, 14 Oct 2009 07:59:03 -0500 - -apparmor (2.3.1+1403-0ubuntu25) karmic; urgency=low - - * Do not use tools in /usr during initial start-up (LP: #439726). - - -- Kees Cook Fri, 02 Oct 2009 16:52:04 -0700 - -apparmor (2.3.1+1403-0ubuntu24) karmic; urgency=low - - * abstractions/X: allow mouse themes (LP: #438051) - - -- Jamie Strandboge Thu, 01 Oct 2009 16:07:25 -0500 - -apparmor (2.3.1+1403-0ubuntu23) karmic; urgency=low - - [ Kees Cook ] - * Really fix quiet mode in initramfs (LP: #435285). - * Handle older kernel versions when loading profiles (LP: #429872): - - parser/parser_{interface,main}.c: detect kernel version and downgrade. - - debian/apparmor.functions, parser/parser_main.c: keep kernel features - recorded in cache directory. - - parser/parser_{interface,main}.c: add --skip-kernel-load for testing. - - parser/tst/caching.*: add caching tests. - [ Jamie Strandboge ] - * abstractions/audio: add a few more files for pulseaudio - - -- Kees Cook Fri, 25 Sep 2009 09:54:01 -0700 - -apparmor (2.3.1+1403-0ubuntu22) karmic; urgency=low - - * Do not run AppArmor on the LiveCD, again (LP: #131976). - * More aggressively stay quiet when booting in quiet mode (LP: #435285). - - -- Kees Cook Wed, 23 Sep 2009 15:40:22 -0700 - -apparmor (2.3.1+1403-0ubuntu21) karmic; urgency=low - - * debian/apparmor.{init-bottom,functions,initramfs}: perform initial - apparmor rule loading in initramfs. - - -- Kees Cook Mon, 21 Sep 2009 14:16:26 -0700 - -apparmor (2.3.1+1403-0ubuntu20) karmic; urgency=low - - * added disabled apache2 profile (FFE LP: #430812): - - add profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2: new - apache2 profile - - add profiles/apparmor.d/apache2.d/phpsysinfo: example profile for the - phpsysinfo application - - profiles/Makefile: handle the apache2.d directory - - add debian/libapache2-mod-apparmor.postinst: reload apparmor after - installation since we now ship a profile in this package - - add debian/libapache2-mod-apparmor.preinst: disable apache2 profile - if the user does not already have a profile defined - - add debian/libapache2-mod-apparmor.postrm: remove disabled symlink - on purge - - debian/rules: move apache2 profile to the libapache2-mod-apparmor - package and create apache2.d directory - * utils/SubDomain.pm: handle "open" log entries (LP: #427966) - * added ouid parsing support (LP: #431929): - - libraries/libapparmor/testsuite/test_multi.c - - libraries/libapparmor/src/{scanner.l,grammar.y,aalogparse.h, - libaalogparse.c} - - -- Marc Deslauriers Sat, 19 Sep 2009 09:32:02 -0400 - -apparmor (2.3.1+1403-0ubuntu19) karmic; urgency=low - - [ Jamie Strandboge ] - * abstractions/fonts: allow links in @{HOME}/.fontconfig/** - - [ Kees Cook ] - * debian/apparmor.init: expect that the securityfs is mounted, and only - test for the mounted filesystem against the type column when it is not - found. - - -- Kees Cook Wed, 09 Sep 2009 11:42:07 -0700 - -apparmor (2.3.1+1403-0ubuntu18) karmic; urgency=low - - * added the following abstractions: - - ubuntu-browsers: Ux transitions to graphical browsers - - ubuntu-console-browsers: Ux transitions to text-mode browsers - - ubuntu-console-email: Ux transitions to text-mode email clients - - ubuntu-email: Ux transitions to graphical email clients - - ubuntu-gnome-terminal: ix transition for gnome-terminal - - ubuntu-konsole: ix transition for konsole - - ubuntu-xterm: ix transition for xterm - - -- Jamie Strandboge Thu, 03 Sep 2009 11:57:39 -0500 - -apparmor (2.3.1+1403-0ubuntu17) karmic; urgency=low - - * abstractions/base: workaround for ecryptfs and apparmor by allowing - 'owner' match for files in .Private. (LP: #359338) - - -- Jamie Strandboge Mon, 31 Aug 2009 15:38:54 -0500 - -apparmor (2.3.1+1403-0ubuntu16) karmic; urgency=low - - * profiles/apparmor.d/*dovecot*: add first-pass at complain-only - profiles for basic dovecot operation. - - -- Kees Cook Wed, 26 Aug 2009 15:19:46 -0700 - -apparmor (2.3.1+1403-0ubuntu15) karmic; urgency=low - - * utils/SubDomain.pm: don't abort when an include file only contains - hats (LP: #400367) - - -- Marc Deslauriers Wed, 26 Aug 2009 11:35:58 -0400 - -apparmor (2.3.1+1403-0ubuntu14) karmic; urgency=low - - * Pull upstream changes for 64bit capabilities (svn 1427, 1437, 1438). - * Pull upstream changes for pux exec mode (svn 1439). - * debian/apparmor.init: "find" -name is not brace-aware (LP: #418364). - - -- Kees Cook Mon, 24 Aug 2009 18:01:05 -0700 - -apparmor (2.3.1+1403-0ubuntu13) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_main.c: add --skip-read-cache to force reading of - uncached profiles while still allowing for --write-cache to work. - * parser/apparmor_parser.pod: add all missing option documentation. - - [ Jamie Strandboge ] - * abstractions/kde: update for kde4 - - -- Jamie Strandboge Wed, 19 Aug 2009 12:07:06 -0500 - -apparmor (2.3.1+1403-0ubuntu12) karmic; urgency=low - - * abstractions/base: add more locale paths (LP: #413454) - - -- Jamie Strandboge Fri, 14 Aug 2009 07:31:03 -0500 - -apparmor (2.3.1+1403-0ubuntu11) karmic; urgency=low - - * utils/enforce: remove /etc/apparmor.d/disable/ symlink - LP: #413153 - * debian/rules: don't install usr.sbin.ntpd or tunables/ntpd. Can remove - this when we create a new orig.tar.gz - - -- Jamie Strandboge Wed, 12 Aug 2009 10:04:34 -0500 - -apparmor (2.3.1+1403-0ubuntu10) karmic; urgency=low - - * remove apparmor.d/usr.sbin.ntpd and apparmor.d/tunables/ntpd since ntpd - will begin shipping its own profile - - -- Jamie Strandboge Wed, 12 Aug 2009 10:02:53 -0500 - -apparmor (2.3.1+1403-0ubuntu9) karmic; urgency=low - - * Revert 64-bit capabilities (LP: #408773). - - -- Kees Cook Tue, 04 Aug 2009 11:51:27 +0100 - -apparmor (2.3.1+1403-0ubuntu8) karmic; urgency=low - - * Update to upstream subversion r1431. - - change_profile can use regex (LP: #390810, #401931) - * debian/apparmor.init: always clear cache on reload. - - -- Kees Cook Mon, 03 Aug 2009 07:46:33 -0700 - -apparmor (2.3.1+1403-0ubuntu7) karmic; urgency=low - - * profiles/apparmor.d/abstractions/base: add /proc/sys/crypto (LP: #392337). - - -- Kees Cook Sat, 25 Jul 2009 09:04:46 -0700 - -apparmor (2.3.1+1403-0ubuntu6) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_policy.c: return errors instead of exiting. - * debian/apparmor.init: skip more suffixes. - * parser/parser_lex.l: define file suffixes to ignore. - * parser/parser_main.c: disable cache for parsing reports. - * debian/apparmor.init: also remove unparsed profiles. - - [ Jamie Strandboge ] - * update gnome abstraction for /var/run/gdm/auth*/database - * utils/SubDomain.pm: parse profiles in subdirectories, not just include - files (LP: #401935) - - -- Jamie Strandboge Mon, 20 Jul 2009 11:45:24 -0500 - -apparmor (2.3.1+1403-0ubuntu5) karmic; urgency=low - - * Always use --replace when loading profiles so that if profiles - are loaded outside of the init script (e.g. dhcp3), the init - script does not abort (LP: #401109). - * parser/parser_main.c: more carefully create cache files. - - -- Kees Cook Sun, 19 Jul 2009 07:48:11 -0700 - -apparmor (2.3.1+1403-0ubuntu4) karmic; urgency=low - - * utils/SubDomain.pm: exclude new cache directory. - * parser/parser_main.c: - - allow OPTION_REMOVE to work again (LP: #400781). - - warn about using stdin. - - do not cache disabled profiles. - - report cached loading if not quiet. - * debian/apparmor.init: - - do not depend on aa-status. - - only write cache from init script. - - -- Kees Cook Fri, 17 Jul 2009 10:10:05 -0700 - -apparmor (2.3.1+1403-0ubuntu3) karmic; urgency=low - - * debian/apparmor.init: more cleanly handle disabled AppArmor. - - -- Kees Cook Fri, 17 Jul 2009 00:12:19 -0700 - -apparmor (2.3.1+1403-0ubuntu2) karmic; urgency=low - - * improve profile loading speed (LP: #382944): - - parser/parser_lex.l: move include handling into flex parser. - - parser/parser_main.c: - - move disable/complain logic into loader. - - add binary caching. - - debian/apparmor.init: reduce to bare minimum. - - -- Kees Cook Wed, 15 Jul 2009 17:05:49 -0700 - -apparmor (2.3.1+1403-0ubuntu1) karmic; urgency=low - - [ Kees Cook ] - * New upstream bundle (svn1403). - * debian/apparmor.init: add specific Start/Stop dependencies - (LP: #372441). - * debian/control: correctly use lsb-base not sysv for Depends. - - [ Jamie Strandboge ] - * add abstractions/launchpad-integration - * abstractions/audio: add pulseaudio - * add abstractions/private-files* for explicitly denying access to sensitive - files. - - -- Kees Cook Fri, 10 Jul 2009 08:37:54 -0700 - -apparmor (2.3+1289-0ubuntu15) karmic; urgency=low - - * Depend on upstart 0.6.0 which contains upstart-compat-sysv now - - -- Scott James Remnant Fri, 10 Jul 2009 10:28:45 +0100 - -apparmor (2.3+1289-0ubuntu14) jaunty; urgency=low - - * abstractions/smbpass: Add *.ldb used in Samba 3.2 and above (LP: #357581) - - -- Thierry Carrez Wed, 08 Apr 2009 13:42:21 +0200 - -apparmor (2.3+1289-0ubuntu13) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/gnome: allow /proc/$pid/mounts for gvfs. - * abstractions/python: clean up allowed paths (LP: #350820), thanks to - Jonathan Davies. - - [ Jamie Strandboge ] - * abstractions/user-tmp: allow 'k' for files in tmp dirs (LP: #351275) - - -- Jamie Strandboge Tue, 31 Mar 2009 09:57:57 -0500 - -apparmor (2.3+1289-0ubuntu12) jaunty; urgency=low - - * expand allowed library paths to handle unexpected architectures - (LP: #349819). - - -- Kees Cook Fri, 27 Mar 2009 13:48:11 -0700 - -apparmor (2.3+1289-0ubuntu11) jaunty; urgency=low - - * fix path to winbindd_privileged/pipe in winbind abstraction (LP: #348541) - - -- Jamie Strandboge Fri, 27 Mar 2009 08:29:13 -0500 - -apparmor (2.3+1289-0ubuntu10) jaunty; urgency=low - - * utils/SubDomain.pm: - - teach utils about rearranged syslog audit messages (LP: #340183) - from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1393 - - fix corruption of profiles, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1354 - - don't ask about networking events over and over again, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1296 - - use apparmor logdir instead of /tmp to write debugging log - - -- Steve Beattie Thu, 19 Mar 2009 03:05:07 -0700 - -apparmor (2.3+1289-0ubuntu9) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/base: allow /proc/$pid/maps (LP: #343287). - * abstractions/*: clean up lib, lib32, lib64 semantics (LP: #342200). - * abstractions/nameservice: fix up paths for nscd (LP: #342198). - * parser/rc.apparmor.functions, debian/apparmor.init: LSB-ify startup - messages (LP: #295200). - - [ Steve Beattie ] - * libapparmor/src/scanner.l: adjust lexer to fix matching updated audit - messages (LP: #340183) from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1389 - * debian/source_apparmor.py: add a per-package apport hook (LP: #342554). - - -- Kees Cook Wed, 18 Mar 2009 21:18:01 -0700 - -apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low - - * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109) - * utils/SubDomain.pm: re-add dropped patch to not process disable/ as - include files, and also don't process force-complain/ (LP: #331534) - - -- Jamie Strandboge Thu, 12 Mar 2009 12:53:08 -0500 - -apparmor (2.3+1289-0ubuntu7) jaunty; urgency=low - - * abstractions/dbus: add machine-id - * abstractions/audio: add libcanberra paths - * abstractions/freedesktop.org: add user-dirs.dirs - - -- Jamie Strandboge Thu, 12 Feb 2009 11:28:15 -0600 - -apparmor (2.3+1289-0ubuntu6) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/X: add DRI paths. - * parser/Makefile: blacklist AF_PHONET. - - [ Jamie Strandboge ] - * update usr.sbin.smbd profile to write to /var/lib/samba/** and - read/write to /var/run/dbus/system_bus_socket (LP: #294802) - * abstractions/freedesktop.org: use /usr/share/mime/**, @{HOME}/.icons/, - and @{HOME}/.recently-used.xbel* - * abstractions/gnome: add gvfs remote-volume-monitors paths and printing - files - - -- Kees Cook Mon, 22 Dec 2008 17:20:10 -0800 - -apparmor (2.3+1289-0ubuntu5) jaunty; urgency=low - - * abstractions/nameservice: allow read access to - /etc/resolvconf/run/resolv.conf (LP: #286080) - * adjust src/grammar.y and src/scanner.l to account for the moved type=NNNN - field in 2.6.27 kernels and capture non-matching logfile input instead of - printing it to stdout (LP: #271252). Patch thanks to Jesse Michael and - Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1310 - * add syslog test cases to testsuite. Patch thanks to Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1307 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1308 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1309 - - -- Jamie Strandboge Tue, 21 Oct 2008 09:09:58 -0500 - -apparmor (2.3+1289-0ubuntu4) intrepid; urgency=low - - * parser/rc.apparmor.functions: fix typo seen when admin changes - the default location of the apparmor.d directory (LP: #280467). - * abstractions/{samba,base}: clean up unneeded "m" permissions. - * abstractions/perl: add missing default perl paths. - - -- Kees Cook Wed, 08 Oct 2008 16:42:10 -0700 - -apparmor (2.3+1289-0ubuntu3) intrepid; urgency=low - - * add locking permission to /var/log/wtmp abstraction, thanks to - Martin Pitt (LP: #253328). - * utils/logprof.conf: repository updated for Intrepid (LP: #258818). - * profiles/apparmor.d/usr.sbin.nscd: added cache directory (LP: #144383). - * parser/rc.apparmor.functions: redirect stderr (LP: #244013). - * parser/Makefile: blacklist "AF_ISDN". - - -- Kees Cook Wed, 30 Jul 2008 09:29:03 -0700 - -apparmor (2.3+1289-0ubuntu2) intrepid; urgency=low - - [ Mathias Gug ] - * debian/control: - - move apparmor-profiles to a suggested package by apparmor. - - [ Kees Cook ] - * debian/control - - move libterm-readline-gnu-perl to "suggests". - - drop apparmor-modules-source since it no longer exists. - - -- Kees Cook Wed, 02 Jul 2008 12:35:12 -0700 - -apparmor (2.3+1289-0ubuntu1) intrepid; urgency=low - - * Updated to upstream subversion v1289. - - new parser requires new AppArmor kernel LSM. - * debian/control: - - add libapparmor-perl, and associated Depends - - bump standards version to 3.7.3.0 (no changes needed) - * debian/rules: - - adjust "clean" rule to be more effective. - - -- Kees Cook Sat, 28 Jun 2008 15:38:12 -0700 - -apparmor (2.1+1075-0ubuntu10) intrepid; urgency=low - - [ Jamie Strandboge ] - * added abstractions/smbpass and #include it in abstractions/authentication - to allow access to /var/lib/samba/*.tdb. LP: #217787 - - [ Mathias Gug ] - * update likewise-open authentication abstraction: allow access to - privileged pipe (LP: #235646). - * Update smbd profile to include access to /var/spool/samba/ (printer - sharing) and utmp update (LP: #237066). - * Update esound location in audio profile (LP: #229127). - Thanks to Adam Mondl. - * Add dnsmasq profile (LP: #148590). Thanks to John Dong. - - -- Mathias Gug Mon, 09 Jun 2008 18:24:09 -0400 - -apparmor (2.1+1075-0ubuntu9) hardy; urgency=low - - * parser/rc.apparmor.functions: do not abort if parser is missing, in - the case of an unpurged "apparmor" init script running under SELinux. - - -- Kees Cook Mon, 07 Apr 2008 13:25:06 -0700 - -apparmor (2.1+1075-0ubuntu8) hardy; urgency=low - - * Sync bugfixes from upstream 8.04 branch, svn 1161. - - documentation updated to reflect AppArmor 2.1 features. - - minor profile updates (nscd, ntpd, opera) - - util/SubDomain.pm: corrected mask merging and type detection. - - -- Kees Cook Wed, 02 Apr 2008 15:48:58 -0700 - -apparmor (2.1+1075-0ubuntu7) hardy; urgency=low - - * profiles/apparmor.d/abstractions/nameservice: (LP: #207912) - - fix ldap path - - add nsswitch "db" backend paths - - -- Kees Cook Thu, 27 Mar 2008 14:19:06 -0700 - -apparmor (2.1+1075-0ubuntu6) hardy; urgency=low - - [ Kees Cook ] - * utils/SubDomain.pm: - - fix up mask parsing to match kernel version (LP: #202920). - - fix up syslog parsing regexp to match broken kernels (LP: #202888). - * profiles/apparmor.d/abstractions/base: add licenses path for reading. - * profiles/apparmor.d/abstractions/freedesktop.org: include /usr/local. - * profiles/apparmor.d/usr.sbin.smbd: include print client abstraction. - * profiles/apparmor.d/abstractions/nameservice: include missing gai.conf - (LP: #202991). - - [ Jamie Strandboge ] - * add Debian Policy compliant way to toggle complain mode (LP: #203137) - - parser/rc.apparmor.functions: add '-C' to PARSER_ARGS if - force-complain/ exists - - utils/enforce: remove symlink in force-complain/ - - debian/rules: create /etc/apparmor.d/force-complain - - -- Kees Cook Mon, 17 Mar 2008 10:28:23 -0700 - -apparmor (2.1+1075-0ubuntu5) hardy; urgency=low - - * profiles/apparmor.d/abstractions/python: update shared python locations. - * debian/control: adjust Depends to allow sysvinit (LP: #199871). - - -- Kees Cook Tue, 11 Mar 2008 15:25:11 -0700 - -apparmor (2.1+1075-0ubuntu4) hardy; urgency=low - - [ Jamie Strandboge ] - * removed usr.sbin.named and usr.sbin.mysqld, as these will be provided - be bind9 and mysql-server-5.0, respectively. - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/ssl_keys: add ssl_keys abstraction, to - be used by profiles accessing ssl privates keys. - - [ Rick Clark ] - * added abstraction for likewise-open. - - -- Mathias Gug Wed, 13 Feb 2008 19:16:12 -0500 - -apparmor (2.1+1075-0ubuntu3) hardy; urgency=low - - * profiles/apparmor.d/abstractions/fonts: add missing ~/.fonts.conf - * profiles/apparmor.d/sbin.klogd: add newly needed @{PROC}/kallsyms - - -- Kees Cook Wed, 16 Jan 2008 14:16:18 -0800 - -apparmor (2.1+1075-0ubuntu2) hardy; urgency=low - - * utils/apparmor_status: fix module loaded test to handle built-in. - - -- Kees Cook Thu, 03 Jan 2008 17:24:40 -0800 - -apparmor (2.1+1075-0ubuntu1) hardy; urgency=low - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/nameservice: update nameservice - abstraction to support nscd setup. - - [ Kees Cook ] - * merge with upstream trunk revision 1075. - * debian/{control,apparmor.postrm,apparmor.postinst,apparmor.initramfs}: - dropped module hook since module is loaded in kernel automatically now. - * debian/rules: tweaked get-orig-source to use defined variables. - * debian/copyright: mention "get-orig-source" build rule. - * debian/{rules,control,libpam-apparmor.docs}: add libpam-apparmor now - that PAM is 0.99. - - -- Kees Cook Thu, 03 Jan 2008 13:29:31 -0800 - -apparmor (2.1+993-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Add mdns4 resolution to nameservice abstraction. (LP: #148579). - * Update syslog-ng profile. (LP: #148708). - * Add xen tls libraries to base abstraction. (LP: #150282). - * Update cups-client abstraction: add /var/run/cups/cups.sock. (LP: #151269) - - [ Kees Cook ] - * Adjust KDE abstractions for Ubuntu paths (LP: #148309). - - -- Kees Cook Fri, 12 Oct 2007 12:54:36 -0700 - -apparmor (2.1+993-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * debian/control: Set maintainer to Ubuntu Core Developers. - * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not - fail on non-existing profile directory. Fixes LP: #141128. - * debian/rules: don't compress profiles in doc/extras/. - * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages - in syslog files. Fixes LP: #140508. - * Update usr.sbin.nscd profile. Fixes LP: #144383. - - [ Kees Cook ] - * abstractions/gnupg: drop bad attempt at general-purpose client rule. - * abstractions/fonts: adjust for new syntax, add more local fonts paths. - * abstractions/nameservice: add mmap permission to some /etc files. - - -- Kees Cook Tue, 25 Sep 2007 10:23:29 -0700 - -apparmor (2.1+993-0ubuntu1) gutsy; urgency=low - - * new merge from upstream: - * fixes to support new audit messages sent by the kernel module. - * bump in minor library version for libapparmor. - * debian/control: Add perl libterm-readkey-perl and librpc-xml-perl - dependencies for apparmor-utils. Fixes LP: #139757, LP: #139091. - * utils/SubDomain.pm: Re-enable RPC client for remote repositories. - * profiles/apparmor.d/sbin.syslogd: update profile. - Fixes LP: #140672, LP: #140274. - - -- Mathias Gug Tue, 18 Sep 2007 11:12:50 -0400 - -apparmor (2.1+961-0ubuntu5) gutsy; urgency=low - - * utils/SubDomain.pm, parser/rc.apparmor.functions: skip .dpkg-dist profiles. - * debian/rules, debian/apparmor.postinst: fix postinst script failure on - upgrades. Fix LP: #139683. - - -- Mathias Gug Fri, 14 Sep 2007 17:20:01 -0400 - -apparmor (2.1+961-0ubuntu4) gutsy; urgency=low - - [ Mathias Gug ] - * debian/rules: Fix libapparmor-dev build. - * apparmor-profiles: remove gnupg.moved. - - [ Kees Cook ] - * abstractions: adjust gnome for new syntax. - * abstractions: adjust aspell to add locking. - - -- Kees Cook Fri, 14 Sep 2007 09:34:15 -0700 - -apparmor (2.1+961-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Update avahi-daemon profile: add m permission to /etc/password and - /etc/group. - - [ Kees Cook ] - * Rename libapparmor1-dev back to libapparmor-dev. - - -- Kees Cook Thu, 13 Sep 2007 15:44:30 -0700 - -apparmor (2.1+961-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * Disable html documentation: Fixes LP: #139091. - * parser/Makefile, debian/rules: disable html documentation building. - * debian/control: remove latex2html dependency. - * profiles/apparmor.d/usr.sbin.avahi-daemon: add sys_chroot capability. - Fixes LP: #139092. - - [ Kees Cook ] - * profiles/apparmor.d/abstractions/user-tmp: adjust directory permissions - for newly unmasked /tmp handling (LP: #138978). - * utils/SubDomain.pm: disable remote repositories until RPC::XML MIR - clears (LP: 139091). - * utils/*.pod: adjust for Ubuntu paths and "aa-" prefixes (LP: #116647). - * Fix upgrades to not unload profiles, which would cause programs to - become unconfined: - - debian/rules: don't stop apparmor on upgrades. - - debian/apparmor.postinst: reload profiles after a configure. - - -- Kees Cook Wed, 12 Sep 2007 13:14:02 -0700 - -apparmor (2.1+961-0ubuntu1) gutsy; urgency=low - - * New upstream version. - * Support resolvconf. Fix LP: #132468. - * Move package maintainance to bzr: - * Apply all patches directly into the tree with dpatch apply-all. - * debian/patches/: remove all patches as they are applied inline now. - * debian/control, debian/control.modules.in: remove dpatch from - Build Depends. - * debian/rules: - * remove dpatch include. - * remove patch and unpatch dependencies - * debian/control: - * Rename libapparmor-dev to libapparmor1-dev. - Add Provides: and Conflict: tags. - * Remove universe component in Section tag. - * Remove apparmor-utils depends on bsdutils. - * Update apparmor-modules Recommends to apparmor-modules-2.1. - * utils/: - * Add audit man page. - * Fix mod_appamor library: remove rpath info. - * debian/rules: remove rpath info. - * debian/control: add chrpath as a build dependency. - * Remove apparmor-modules-source package: - * debian/conrol: remove apparmor-modules-source package. - * debian/apparmor.postinst, debian/apparmor.preinst, - debian/apparmor.prerm: remove error_handler function. - * debian/rules: remove error_handler option from dh_installinit. - * debian/apparmor-modules-_KVERS_.postinst.modules.in, - debian/control.modules.in: remove control and postinst files. - - -- Mathias Gug Tue, 11 Sep 2007 10:44:56 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu25) gutsy; urgency=low - - * debian/rules: move tunables/ and abstractions/ in apparmor package. - Fixes LP: #130114. - - -- Mathias Gug Mon, 06 Aug 2007 14:40:37 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu24) gutsy; urgency=low - - * Cannot Depend on apparmor-modules-* in apparmor due to germinate - issues. Moved to Recommends. - - -- Kees Cook Mon, 23 Jul 2007 11:08:38 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu23) gutsy; urgency=low - - * debian/control: add explicit Depends on l-u-m apparmor kernel modules. - - -- Kees Cook Wed, 18 Jul 2007 21:07:03 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu22) gutsy; urgency=low - - * 13-subdomain.pm-skip-files.dpatch: update isSkippable function in - SubDomain.pm to skip the same files as rc.apparmor.functions (used by the - init script) : .dpkg-old, .dpkg-new and symlinks in disable/ - sub-directory. - - -- Mathias Gug Thu, 12 Jul 2007 06:56:45 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu21) gutsy; urgency=low - - * 07-apparmor-init-script.dpatch, debian/rules: skip profiles that have a - link in /etc/apparmor.d/disable. Update rules file : create - /etc/apparmor.d/disable. - - -- Mathias Gug Mon, 09 Jul 2007 11:07:29 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu20) gutsy; urgency=low - - * debian/control - - fix typo in XS-Vcs. - - adjust apparmor-modules-source to no longer be required and document - the fact that the modules come from the linux-ubuntu-modules package - now. - - add initramfs-tools for loading apparmor modules early. - * debian/apparmor.{initramfs,postinst,prerm}, debian/rules: install - initramfs hook and update-initramfs for adding armor modules for boot. - - -- Kees Cook Fri, 06 Jul 2007 03:41:06 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu19) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: pass back the correct string pointer - so as to not corrupt kernel memory (LP: #123081). - * debian/control: add XS-Vcs for bzr branch. - - -- Kees Cook Tue, 03 Jul 2007 09:07:52 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu18) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add m permission for all libraries - under /usr/lib/**, so that ssl libraries optimized for i686 can be - accessed. - * 09-profile-usr-sbin-mysqld.dpatch: add m permission to /etc/passwd, - /etc/group. - * 12-profile-samba.dpatch: add profile for smbd and nmbd daemons from - samba. - * 99-complain-all-profiles.dpatch: turn complain mode for smbd and nmbd - profiles. - - -- Mathias Gug Fri, 29 Jun 2007 15:19:15 +0200 - -apparmor (2.0.1+510.dfsg-0ubuntu17) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: match upstream more closely, check - for errors. - - -- Kees Cook Tue, 26 Jun 2007 16:00:08 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu16) gutsy; urgency=low - - * Added 11-getprocattr-api.dpatch: update kernel module for getprocattr - API change (LP: #122444). - - -- Kees Cook Tue, 26 Jun 2007 15:21:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu15) gutsy; urgency=low - - * debian/apparmor.init: do not unload apparmor module on stop, since it - already defaults to capabilities-compatible fall back and we don't want - to lose the started process knowledge of the module for the next load of - the parser. - * Added 10-namespace-header.dpatch: include namespace_sem extern, since - mnt_namespace.h is missing it currently. - * Updated 07-apparmor-init-script.dpatch: ignore .dpkg-old profiles. - - -- Kees Cook Tue, 26 Jun 2007 10:04:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu14) gutsy; urgency=low - - * Correct missing libapparmor1 file contents. - - -- Kees Cook Thu, 21 Jun 2007 08:04:42 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu13) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add /lib/tls/i686/cmov/lib* to base - abstraction to support i686 optimized libraries from libc6-i686 package. - * 09-profile-usr-sbin-mysqld.dpatch: - * add profile usr.sbin.mysqld - * update abstractions/mysql - * debian/rules: remove extras/usr.sbin.mysqld. - * 99-complain-all-profiles.dpatch: - * put mysqld profile in complain mode. - * put named profile in complain mode. - - -- Mathias Gug Wed, 20 Jun 2007 12:12:28 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu12) gutsy; urgency=low - - * Add missing dh_makeshlibs call to rules, fix up libapparmor naming. - - -- Kees Cook Wed, 20 Jun 2007 09:15:48 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu11) gutsy; urgency=low - - * Packaged libapparmor, libapparmor-dev, and libapache2-mod-apparmor. - - -- Kees Cook Mon, 18 Jun 2007 18:27:46 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu10) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch, 06-profile-usr-sbin-named.dpatch: - move /dev/random into abstractions/base. - * 06-profile-usr-sbin-named.dpatch: Add sys_chroot capability. - * debian/rules: don't package aa-eventd and Reports.pm as they use perl - modules not maintained in main. - Reports.pm is only used by Yast for now. aa-eventd maintains an - sqlite database of audit messages which is used by Reports.pm. - If configured (not by default), aa-eventd can also send emails when - AppArmor audit messages are emited. - * debian/control: Add universe component to Section: header. Needed to make - it work with PPA. - - -- Mathias Gug Fri, 15 Jun 2007 12:47:05 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu9) gutsy; urgency=low - - * 06-profile-usr-sbin-named.dpatch : Generate a new profile for - /usr/sbin/named to make it work with bind9. - * debian/apparmor.init, 07-apparmor-init-script.dpatch: merge ubuntu - changes with the latest version from upstream. - * 99-complain-all-profiles.dpatch : put all profiles into complain mode by - default. - Add a small script (put-all-profiles-in-complain-mode.sh) in - debian/ that takes care of automatically setting all profiles into - complain mode. This script should be used by the maintainer to set all - profiles in complain mode before packaging them. - - -- Mathias Gug Wed, 6 Jun 2007 13:41:57 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu8) gutsy; urgency=low - - * Start apparmor as early as possible in the boot process : just after - mountall in rcS.d. Add preinst script to remove symlinks previously - installed in rc*.d/. - (LP: #116624). - * Sync 04-apparmor-status.dpatch with upstream apparmor_status. The previous - patch has been merged in upstream. - * Update klogd profile : add /var/run/klogd/klogd.pid and - /var/run/klogd/kmsg to the profile. - - -- Mathias Gug Thu, 31 May 2007 14:26:03 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu7) gutsy; urgency=low - - * 03-profile-usr-sbin-ntpd.dpatch: udpdate profile for ntpd daemon. Add - /var/lib/ntp/ntp.drift and /var/log/ntpstats/peerstats* to the profile. - - * 04-apparmor-status.dpatch: improve apparmor_status script. Report more - detailed information. - - -- Mathias Gug Tue, 29 May 2007 13:05:55 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu6) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: Update abstractions for changes - specific to Gnome, Debian, and 32bit on 64bit environments. - * debian/control: adjust Recommends to apparmor-modules-source - (LP: #113553). - * debian/apparmor.init: moved rmmod/modprobe into init script, and dropped - alias to avoid confusion and move control of the LSM closer to loading - the profiles and work around capability already being loaded in the - initrd (LP: #113887). - - -- Kees Cook Thu, 17 May 2007 20:34:41 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu5) gutsy; urgency=low - - * 01-logger-path.dpatch: Fix path to logger (LP: #112147). - - -- Kees Cook Thu, 03 May 2007 11:59:34 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu4) feisty; urgency=low - - * debian/control: move apparmor-modules to Recommends to Avoid - uninstallable situation when AppArmor modules haven't yet been - compiled/installed. - - -- Kees Cook Wed, 11 Apr 2007 11:39:39 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu3) feisty; urgency=low - - * debian/rules, debian/apparmor.{postinst,prerm}: ignore init script - failures so that they don't block package installs/upgrades/uninstalls. - - -- Kees Cook Wed, 11 Apr 2007 08:52:37 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu2) feisty; urgency=low - - * debian/control: add missing Depend on 'dpatch' for modules-source. - - -- Kees Cook Sat, 7 Apr 2007 09:35:16 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu1) feisty; urgency=low - - * Initial release, thanks to Magnus Runesson and Jesse Michael - (LP: #95334). - - -- Kees Cook Fri, 23 Mar 2007 16:42:01 -0700 diff -Nru apparmor-2.10/debian/changelog.THIS apparmor-2.10/debian/changelog.THIS --- apparmor-2.10/debian/changelog.THIS 2015-09-01 21:16:56.000000000 +0000 +++ apparmor-2.10/debian/changelog.THIS 1970-01-01 00:00:00.000000000 +0000 @@ -1,3250 +0,0 @@ -apparmor (2.10-0ubuntu4) wily; urgency=medium - - * Rebuild against python3.5. - - -- Dimitri John Ledkov Sat, 15 Aug 2015 22:12:50 +0100 - -apparmor (2.10-0ubuntu3) wily; urgency=medium - - * debian/patches/parser-fix-cache-file-mtime-regression.patch: Fix a bug - that resulted in the mtime of generate policy cache files to be set - incorrectly. The mtime of cache files should be the newest mtime detected - on the profile and abstraction files used to generate the policy cache - file. However, the bug caused the mtime of the policy cache file to either - not be updated or to be updated to an incorrect time. (LP: #1484178) - * debian/patches/parser-verify-cache-file-mtime.patch: Add tests to verify - that the policy cache file's mtime is being set correctly and that cache - handling is correct when the profile or abstraction files are newer than - the policy cache file. - * debian/patches/parser-run-caching-tests-without-apparmorfs.patch, - debian/patches/parser-do-cleanup-when-test-was-skipped.patch: Enable the - caching tests to run on the buildds even though apparmorfs isn't mounted. - - -- Tyler Hicks Wed, 12 Aug 2015 13:01:56 -0500 - -apparmor (2.10-0ubuntu2) wily; urgency=medium - - * debian/patches/aa-status-dont_require_python3-apparmor.patch: - make aa-status(8) work even when python3-apparmor is not installed, - otherwise dh_apparmor postinst snippets can fail (LP: #1480492) - * debian/control: make apparmor-utils depend on the same package - version of python3-apparmor - - -- Steve Beattie Fri, 31 Jul 2015 16:35:03 -0700 - -apparmor (2.10-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.10 - - libapparmor added functions to ease loading profile cache files to - help support systemd on-demand load of policy (LP: #1385414) - - apparmor parser: fixed policy generation to allow matching - embedded NULs in abstract unix socket names (LP: #1413410) - - aa-status: don't traceback when not permitted to read current - set of apparmor policy (LP: #1466768) - - aa-logprof: don't crash on policies that have an #include of a - directory (LP: #1471425) - - aa-logprof: fix crash when network rejections occur when file - operations are performed on network sockets (LP: #1466812) - * dropped reproducible-pdf.patch, incorporated upstream - * debian/patches/tests-fix_sysctl_test.patch: fix sysctl test failure - with 4.1 kernel and newer. - * debian/control: add alternate dependency on linux-initramfs-tool - (LP: #1109029) - * debian/libapparmor1.symbols: update symbols file for added symbols - in libapparmor - - -- Steve Beattie Thu, 23 Jul 2015 01:57:43 -0700 - -apparmor (2.9.2-0ubuntu2) wily; urgency=medium - - * No-change rebuild for python3.5 transition - - -- Steve Langasek Wed, 22 Jul 2015 04:07:28 +0000 - -apparmor (2.9.2-0ubuntu1) wily; urgency=medium - - * Update to apparmor 2.9.2 - - Fix minitools to work with multiple profiles at once (LP: #1378095) - - Parse mounts that have non-ascii UTF-8 chars (LP: #1310598) - - Update dovecot profiles (LP: #1296667) - - Allow ubuntu-helpers to build texlive fonts (LP: #1010909) - * dropped patches incorporated upstream: - add-mir-abstraction-lp1422521.patch, systemd-dev-log-lp1413232.patch - parser-fix_modifier_compilation_+_tests.patch, - tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch, - GDM_X_authority-lp1432126.patch, and - debian/patches/easyprof-framework-policy.patch - * Partial merge with debian apparmor package: - - debian/rules: enable the bindnow hardening flag during build. - - debian/upstream/signing-key.asc: add new upstream public - signing key - - debian/watch: fix watch file, add gpg signature checking - - install libapparmor.so dev symlink under /usr not /lib - - debian/patches/reproducible-pdf.patch: make techdoc.pdf - reproducible even in face of timezone variations. - - debian/control: sync fields - - debian/debhelper/postrm-apparmor: remove - /etc/apparmor.d/{disable,} on package purge - - debian/libapache2-mod-apparmor.postrm: on package purge, delete - /etc/apparmor.d/{,disable} if empty - - debian/libapparmor1.symbols: Use Build-Depends-Package in the - symbols file. - - debian/copyright: sync - - -- Steve Beattie Mon, 11 May 2015 22:03:04 -0700 - -apparmor (2.9.1-0ubuntu9) vivid; urgency=medium - - * Make debian/lib/apparmor/profile-load executable. - - -- Serge Hallyn Thu, 02 Apr 2015 13:00:35 -0500 - -apparmor (2.9.1-0ubuntu8) vivid; urgency=medium - - [ Steve Beattie ] - * debian/rules: run make check on the libapparmor library - * add-chromium-browser.patch: add support for chromium policies - (LP: #1419294) - * debian/apparmor.{init,upstart}: add support for triggering - aa-profile-hook runs when packages are updated via snappy system - image updates (LP: #1434143) - * parser-fix_modifier_compilation_+_tests.patch: fix compilation - of audit modifiers for exec and pivot_root and deny modifiers on - link rules as well as significantly expand related tests - (LP: #1431717, LP: #1432045, LP: #1433829) - * tests-fix_systemd_breakage_in_pivot_root-lp1436109.patch: work - around pivot_root test failures due to init=systemd (LP: #1436109) - * GDM_X_authority-lp1432126.patch: add location GDM creates Xauthority - file to X abstraction (LP: #1432126) - - [ Jamie Strandboge ] - * easyprof-framework-policy.patch: add --include-templates-dir and - --include-policy-groups-dir options to easyprof to support framework - policy on snappy - - [ Robie Basak ] - * Add /lib/apparmor/profile-load; moved from - /lib/init/apparmor-profile-load from the upstart package. A wrapper at - the original path is now provided by init-system-helpers. (LP: #1432683) - - -- Jamie Strandboge Sat, 28 Mar 2015 07:22:30 -0500 - -apparmor (2.9.1-0ubuntu7) vivid; urgency=medium - - * systemd-dev-log-lp1413232.patch: Allow writes to the systemd journal - socket /{,var}/run/systemd/journal/dev-log. This can be dropped with - with AppArmor 2.9.2. (LP: #1413232) - - -- Jamie Strandboge Fri, 06 Mar 2015 06:22:34 -0600 - -apparmor (2.9.1-0ubuntu6) vivid; urgency=medium - - * add-mir-abstractions-lp1422521.patch: add correct location of - mir specific libraries and mir unprivileged client socket - to mir abstraction (LP: #1422521) - - -- Steve Beattie Tue, 03 Mar 2015 10:42:24 -0800 - -apparmor (2.9.1-0ubuntu5) vivid; urgency=medium - - * debian/apparmor.init: Replace unnecessary $remote_fs dependency with - $local_fs. This is sufficient as during boot we don't use anything from - /usr. It's also necessary to avoid dependency cycles when using NFS (as - its dependencies should be covered by AppArmor). (LP: #1312976) - - -- Martin Pitt Tue, 03 Mar 2015 08:54:33 +0100 - -apparmor (2.9.1-0ubuntu4) vivid; urgency=medium - - * Update to apparmor 2.9.1 - - make parser mount rule options consistent with documentation - (LP: #1401619) - - make parser fail if unknown mount options are encountered - (LP: #1401621) - - stop aa-logprof from asking about already allowed network rules - (LP: #1380367) - - make utils offer abstractions for network rules (LP: #1380367) - - make libapparmor understand logs generated by syslog-ng - (LP: #1399027) - - stop python utilities from adding duplicate quotes (LP: #1328707) - - work around aa-cleanprof crashes (LP: #1382236) - - other bug fixes, performance improvements, and testcases added to - the python utils. - - policy updates for dnsmasq, nscd, and others - - translation updates - * Partial sync with debian apparmor package: - - debian/apparmor-profiles.install: add additional dovecot and - smbldap-useradd profiles - - debian/control: fix typo in apparmor-docs description, fix file - overwrite issues with python-apparmor, apparmor-docs - - debian/rules: improved repeat-build cleanup logic. - - Add Turkish translation of debconf messages. Thanks to - Mert Dirik for the patch! - - debian/apparmor.postrm: Remove - /var/lib/apparmor/profiles/.apparmor.md5sums and parent - directories on package purge. - * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover - mir specific libraries (LP: #1422521) - * debian/rules: remove no longer needed references to PERLDIR when - installing from utils/ - - -- Steve Beattie Tue, 17 Feb 2015 16:31:25 -0800 - -apparmor (2.8.98-0ubuntu4) vivid; urgency=medium - - * Ship libapparmor in /lib instead of /usr as we want to use it in systemd - now. (LP: #1397960) - - -- Martin Pitt Mon, 01 Dec 2014 15:37:32 +0100 - -apparmor (2.8.98-0ubuntu3) vivid; urgency=medium - - * debian/lib/apparmor/functions: disable expr tree simplification for - /var/lib/apparmor/profiles (LP: #1383858) - * parser-dont-skip-read-cache-with-optimizations.patch: don't skip read - cache when specifying '-O' (LP: #1385947) - - -- Jamie Strandboge Tue, 28 Oct 2014 17:41:08 -0500 - -apparmor (2.8.98-0ubuntu2) utopic; urgency=medium - - * Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98) - - fix logparsing memory leak (LP: #1340927) - - incorporate fixes to regression testsuite to compensate for - af_unix mediation, as well as extend test coverage - (LP: #1375403, LP: #1375516) - - fix libapparmor's log parsing code to accept additional rejection - types (LP: #1375413) - - fix X abstraction for changed lightdm xauthority file locations - (LP: #1339727) - - parser: disable downgrade and not enforced rule messages - by default (LP: #1302735) - - fix error when using regex profile names in IPC rules - (LP: #1373085) - - update base abstraction for /proc/sys/kernel/cap_last_cap for dnsmasq - (LP: #1378977) - - update freedesktop.org for @{HOME}/.config/mimeapps.list (LP: #1377140) - - update gnome abstraction for access to @/dbus-vfs-daemon/socket-* - (LP: #1375067) - - update ubuntu-browsers.d/java abstraction for icedtea plugin access - in /{,var/}run/user/*/icedteaplugin-* (LP: #1293439) - - update user-mail abstraction for /var/mail (LP: #1192965) - - updates and fixes to the python utilities - - translation updates - - [ Steve Beattie ] - * Removed upstreamed patches: - drop-peer_addr-with-local-addr-in-base.patch, - update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch, sanitized-helpers-updates.patch, - 01-tests-unix_socket_lists.patch, - 02-tests-accept_unix_rules_in_mkprofile.patch, - 03-tests-unix_sockets_v7_pathnames.patch, - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - 05-tests-add_abstract_socket_tests.patch, - 06-tests-use_socketpair_and_none.patch, - 07-parser-fix_local_perms.patch, - 08-phpsysinfo-policy-updates.patch, - 09-apache2-policy-instructions.patch, - 10-lp1371771.patch, 11-lp1371765.patch, - lp1169881.patch - * refreshed etc-writable.patch and libapparmor-layout-deb.patch - * debian/control: add breaks on python3-apparmor against older - apparmor-utils that used to be where python bits lived - (LP: #1373259) - * debian/apport/source_apparmor.py: - - fixes the apparmor apport hook so it does not raise an exception if - a non-unicode character is found in /var/log/kern.log or in - /var/log/syslog. This should work under python3 or python2.7 - (LP: #1304447) - - adjusts the add_info() function to take the expected additional ui - argument, though it has no need for it. - - converts the log parsing code to use with statements so as not to - leak open file descriptors - - updates the set of packages to query to see if installed and if so, - report the version of. - - adjust import to make pyflakes job easier - - minor pep8 cleanups - - [ Jamie Strandboge ] - * add-chromium-browser.patch: - - don't allow writing to the oom score and adjust files since this allows - chromium to change the values for any process matching our UID - - allow writing to /run/shm/shmfd-* - - add a few signal rules from base abstraction for the sandbox - * debian/apparmor.upstart: check if click-apparmor md5sums changed so we - regenerate the policy if it changes too (LP: #1371574) - * debian/apparmor.init: make corresponding upstart change to initscript - * debian/lib/apparmor/functions: fall back to using -n1 if the parser failed - to load a profile set. This should be removed when the parser properly - handles profile sets with corrupted profiles (LP: 1377338) - * debian/control: fix typo (LP: #1187447) - - -- Steve Beattie Thu, 09 Oct 2014 22:39:32 -0700 - -apparmor (2.8.96~2652-0ubuntu7) utopic; urgency=medium - - * add-chromium-browser.patch: user addr=none instead of peer=(addr=none) - (LP: #1374363) - - -- Jamie Strandboge Sat, 27 Sep 2014 07:41:07 -0500 - -apparmor (2.8.96~2652-0ubuntu6) utopic; urgency=medium - - * lp1169881.patch: add /usr/bin/gnome-gmail to ubuntu-email (LP: #1169881) - * debian/control: update Breaks on lxc 1.1.0~alpha1-0ubuntu5~ (LP: #1373555) - - -- Jamie Strandboge Thu, 25 Sep 2014 09:03:06 -0500 - -apparmor (2.8.96~2652-0ubuntu5) utopic; urgency=medium - - [ Jamie Strandboge ] - * sanitized-helpers-updates.patch: update ubuntu-helpers for unix mediation - * 10-lp1371771.patch: don't exit prematurely and fail to load remaining - policy if encounter a corrupt cache file (LP: #1371771) - * 11-lp1371765.patch: if a cache load fails, attempt to rebuild and load it - (LP: #1371765) - * debian/lib/apparmor/functions: - - don't return 0 on parsing failure. Patch thanks to Felix Geyer - (LP: #1370228) - - use xargs -n1 when we don't have cache files, but omit it when we do. - This allows taking full advantage of xargs -P when we need it most, - without the cost when we don't. - - [ Steve Beattie ] - * update_socketpair_tests_for_af_unix.patch, - fix_socketpair_tests.patch: update socketpair regression tests for - af_unix socket mediation - - -- Jamie Strandboge Mon, 22 Sep 2014 09:39:10 -0500 - -apparmor (2.8.96~2652-0ubuntu4) utopic; urgency=medium - - * debian/apparmor.{upstart,init}: make sure we always update the .md5sums - for apparmor-easyprof-ubuntu even when apparmor is updated (before if both - were updated, aa-clickhook -f would be run on the 1st and 2nd boot rather - than just the 1st) - * debian/apparmor.postinst: update the cached .md5sums file on upgrade to - avoid running on install and then again on first boot after upgrade. This - change only affects apt upgrades and not system-image upgrades since - system-image upgrades always use the existing .md5sums if they exist (see - /etc/system-image/writable-paths). - * ubuntu-manpage-updates.patch: adjust for move to upstart job and click - policy - * debian/lib/apparmor/functions: don't pass costly '-n1' to xargs in - foreach_configured_profile() when loading valid cache files. This used to - be needed when apparmor_parser would generate different binary caches when - compiling policy one profile at a time and all at once. That bug is long - fixed and removing -n1 gives a significant performance improvement for - boots with valid cache files (~65% on armhf) - - -- Jamie Strandboge Fri, 12 Sep 2014 13:45:35 -0500 - -apparmor (2.8.96~2652-0ubuntu3) utopic; urgency=medium - - * 08-phpsysinfo-policy-updates.patch: update for new phpsysinfo on Ubuntu - 14.10 - * 09-apache2-policy-instructions.patch: update for recent Debian/Ubuntu - packaging - * debian/control: update Breaks for apparmor-easyprof-ubuntu, libvirt-bin, - and lightdm. Add Breaks on rsyslog. - - -- Jamie Strandboge Mon, 08 Sep 2014 16:13:10 -0500 - -apparmor (2.8.96~2652-0ubuntu2) utopic; urgency=medium - - * 07-parser-fix_local_perms.patch: do not output local permissions for rules - that have peer_conditionals. Patch from John Johansen - - -- Jamie Strandboge Fri, 05 Sep 2014 23:34:53 -0500 - -apparmor (2.8.96~2652-0ubuntu1) utopic; urgency=medium - - * Updated to r2652 snapshot of 2.8.96 (LP: #1362199, LP: #1341152) - - [ Steve Beattie ] - * removed upstreamed patches: - - dnsmasq-libvirtd-signal-ptrace.patch - - update-base-abstraction-for-signals-and-ptrace.patch - - update-nameservice-abstraction-for-extrausers.patch - - debian/apparmor-profiles.install: dropped program-chunks/postfix-common, - moved to abstractions/ and covered by apparmor.install - - refreshed libapparmor-layout-deb.patch patch - * Add in Tyler Hicks' regression test improvements: - - 01-tests-unix_socket_lists.patch, - - 02-tests-accept_unix_rules_in_mkprofile.patch, - - 03-tests-unix_sockets_v7_pathnames.patch, - - 04-tests-migrate_from_poll_to_sockio_timeout.patch, - - 05-tests-add_abstract_socket_tests.patch, - * 07-parser-fix_local_perms.patch: do not output local permissions - for rules that have peer_conditionals - - [ Jamie Strandboge ] - * add-chromium-browser.patch: update for unix socket mediation - * drop-peer_addr-with-local-addr-in-base.patch: don't use peer=(addr=none) - with getattr, getopt, setopt and shutdown - - [ Tyler Hicks ] - * debian/lib/apparmor/functions, debian/apparmor.init, - debian/apparmor.upstart: Ensure system policy cache cannot become stale - after image based upgrades that update the system profiles (LP: #1350673) - * parser-include-usr-share-apparmor.patch, debian/apparmor.install: Adjust - the default parser.conf file, to add /usr/share/apparmor as an additional - search path when resolving include directives in profiles, and install the - file in /etc/apparmor. Ubuntu places hardware specific access rules in - /usr/share/apparmor/hardware. This change allows these files to be - included without using an absolute path (e.g., - '#include '). - - -- Jamie Strandboge Fri, 05 Sep 2014 16:27:48 -0500 - -apparmor (2.8.96~2541-0ubuntu3.1) utopic; urgency=medium - - * Updates for perl 5.20 multiarch transition - - debian/libapparmor-perl.install: don't hardcode usr/lib/perl5 but - instead use $Config{vendorarch} in an executable install file. Make it - executable - - debian/control: Build-Depends on debhelper (>= 9) (9 is needed to use - an executable install file) - - debian/patches/perl-multiarch.patch: - + add @{multiarch} paths to perl abstraction - + update logprof.conf, severity.db and corresponding tests for updated - perl path - - -- Jamie Strandboge Tue, 19 Aug 2014 14:33:02 -0500 - -apparmor (2.8.96~2541-0ubuntu2) utopic; urgency=medium - - * update-nameservice-abstraction-for-extrausers.patch: update nameservice - abstraction to allow passwd and group when using libnss-extrausers - - -- Jamie Strandboge Mon, 28 Jul 2014 08:16:39 -0500 - -apparmor (2.8.96~2541-0ubuntu1) utopic; urgency=medium - - * Updated to r2541 snapshot of 2.8.96: - - removed upstreamed patches: convert-to-rules.patch, list-fns.patch, - parse-mode.patch, add-decimal-interp.patch, policy_mediates.patch, - fix-failpath.patch, feature_file.patch, fix-network.patch, - aare-to-class.patch, add-mediation-unix.patch, parser_version.patch, - caching.patch, label-class.patch, fix-lexer-debug.patch, - use-diff-encode.patch, fix-serialize.patch, - fix-ppc-endian-ftbfs.patch, opt_arg.patch, tests-cond-dbus.patch, - initialize-mount-flags.patch, fix-typo-in-dbus_write.patch, - limited-mount-rule-support.patch, bare-capability-rule-support.patch, - check-config-for-sysctl.patch, increase-swap-size.patch, - test-v6-policy.patch, test-mount-mediation.patch, - mediate-signals.patch, change-signal-syntax.patch, - mediate-ptrace.patch, change-ptrace-syntax.patch, - test-signal-rules.patch, test-ptrace-rules.patch, - update-tests-for-new-semantics.patch, - fix-garbage-in-preprocessor-output.patch, - fix-double-comma-in-preprocessor-output.patch, - symtab-tests-and-seenlist-bug.patch, add-profile-name-variable.patch, - fix-names-treated-as-condlistid.patch, manpage-signal-ptrace.patch, - python-utils-file-support.patch, python-utils-signal-support.patch, - python-utils-ptrace-support.patch, - python-utils-pivot_root-support.patch. - * Added upstart job (LP: #1305108) - - debian/apparmor.upstart: new upstart job. - - debian/apparmor.init: added click handling, move some code to - unload_obsolete_profiles(). - - debian/lib/apparmor/functions: add unload_obsolete_profiles(). - - debian/apparmor.postinst, debian/apparmor-profiles.postinst: reload - profiles directly since invoke-rc.d won't allow to do this easily - with upstart and systemd jobs. - - debian/rules: pass --no-start to dh_installinit since we're handling - reloading profiles manually in the postinst scripts. - - debian/control: add a versioned apparmor Depends to the - apparmor-profiles package to make sure the required tools are - installed for the postinst script. - - -- Marc Deslauriers Fri, 20 Jun 2014 07:20:34 -0400 - -apparmor (2.8.95~2430-0ubuntu5) trusty; urgency=medium - - * debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin, - lightdm and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 04 Apr 2014 01:07:24 -0500 - -apparmor (2.8.95~2430-0ubuntu4) trusty; urgency=medium - - [ John Johansen, Steve Beattie ] - * Add userspace support for AppArmor signals and ptrace mediation - (LP: #1298611) - + debian/patches/mediate-signals.patch, - debian/patches/change-signal-syntax.patch: Parse signal rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/change-ptrace-syntax.patch, - debian/patches/mediate-ptrace.patch: Parse ptrace rules with - apparmor_parser. See the apparmor.d(5) man page for syntax details. - + debian/patches/test-signal-rules.patch, - debian/patches/test-ptrace-rules.patch, - debian/patches/update-tests-for-new-semantics.patch: Update existing - tests and add new tests for signal and ptrace mediation - + debian/patches/fix-garbage-in-preprocessor-output.patch: Fix bug causing - apparmor_parser preprocessor output to contain garbage after include - statements - + debian/patches/fix-double-comma-in-preprocessor-output.patch: Fix bug - causing apparmor_parser preprocessor output to contain double commas - after some rules - + debian/patches/symtab-tests-and-seenlist-bug.patch, - debian/patches/add-profile-name-variable.patch: Add ${profile_name} - variable for use in profiles when rules need to specify the current - profile's name. This is useful for signal and ptrace rules that specify - + debian/patches/fix-names-treated-as-condlistid.patch: Fix - apparmor_parser bug that caused mount and dbus rules to fail for sets of - values - - [ Jamie Strandboge ] - * debian/patches/update-base-abstraction-for-signals-and-ptrace.patch: - Adjust the base abstraction for signals and ptrace mediation. Profiles - that use the base abstraction can deny any of the granted permissions to - achieve tighter confinement. - * debian/patches/manpage-signal-ptrace.patch: Update the apparmor.d man - page to document signal rules, ptrace rules, and variables for use in - AppArmor profiles - * debian/patches/dnsmasq-libvirtd-signal-ptrace.patch: Update the dnsmasq - profile to allow libvirtd to send signals to and ptrace read the dnsmasq - process - * debian/patches/update-chromium-browser.patch: Adjust the chromium-browser - profile for permissions needed in newer chromium-browser versions and add - the rules needed for AppArmor ptrace mediation - - [ Tyler Hicks ] - * Add new rule type support to aa.py to fix tracebacks when using the Python - utilities in apparmor-utils on systems with AppArmor profiles containing - previously unsupported rule types - - debian/patches/python-utils-file-support.patch: Support path rules - containing the "file" prefix (LP: #1295346) - - debian/patches/python-utils-signal-support.patch: Parse and write signal - rules (LP: #1300316) - - debian/patches/python-utils-ptrace-support.patch: Parse and write ptrace - rules (LP: #1300317) - - debian/patches/python-utils-pivot_root-support.patch: Parse and write - pivot_root rules (LP: #1298678) - - -- Tyler Hicks Thu, 03 Apr 2014 15:50:26 -0500 - -apparmor (2.8.95~2430-0ubuntu3) trusty; urgency=medium - - [ Jamie Strandboge ] - * debian/lib/apparmor/functions: properly calculate number of profiles in - /var/lib/apparmor/profiles (LP: #1295816) - * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d - (LP: #1288241) - - remove debian/notify/90apparmor-notify - - add debian/notify/apparmor-notify.desktop - - debian/apparmor-notify.install: adjust for the above - - add debian/apparmor-notify.maintscript to remove 90apparmor-notify - * debian/notify/notify.conf: use_group should be set to "sudo" instead of - "admin" (LP: #1009666) - - [ Tyler Hicks ] - * debian/patches/initialize-mount-flags.patch: Initialize the variables - containing mount rule flags to zero. Otherwise, the parser may set - unexpected bits in the mount flags field for rules that do not specify - mount flags. The uninitialized mount flag variables may have caused - unexpected AppArmor denials during mount mediation. (LP: #1296459) - * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to write out network rules instead of dbus rules - * debian/patches/limited-mount-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a mount rule (LP: #1294825) - * debian/patches/bare-capability-rule-support.patch: Fix a bug in the - apparmor/aa.py module that caused the utilities in the apparmor-utils - package to traceback when encountering a bare capability rule - (LP: #1294819) - * debian/patches/check-config-for-sysctl.patch, - debian/patches/increase-swap-size.patch: Fix bugs in the regression test - suite that caused errors when running on ppc64el - * debian/patches/test-v6-policy.patch, - debian/patches/test-mount-mediation.patch: Improve the regression tests - by increasing the mount rule test coverage - - -- Tyler Hicks Thu, 27 Mar 2014 14:12:29 -0500 - -apparmor (2.8.95~2430-0ubuntu2) trusty; urgency=medium - - * debian/control: Depends on python-pkg-resources for python-apparmor and - python3-pkg-resources for python3-apparmor to fix autopkgtests in - click-apparmor and apparmor-easyprof-ubuntu - - -- Jamie Strandboge Thu, 20 Mar 2014 19:33:51 -0500 - -apparmor (2.8.95~2430-0ubuntu1) trusty; urgency=low - - [ Jamie Strandboge ] - - * debian/debhelper/dh_apparmor: exit with error if aa-easyprof does not - exist - * debian/control: drop Depends on apparmor-easyprof to Suggests for - dh-apparmor - - [ Seth Arnold, Jamie Strandboge, Steve Beattie, John Johansen, Tyler Hicks ] - - * New upstream snapshot (LP: #1278702, #1061693, #1285653) dropping very - large Ubuntu delta and fixing the following bugs: - - Adjust fonts abstraction for libthai (LP: #1278702) - - Support translated XDG user directories (LP: #1061693) - - Adjust abstractions/web-data to include /var/www/html (LP: #1285653) - Refresh 0002-add-debian-integration-to-lighttpd.patch to include - /etc/lighttpd/conf-available/*.conf - - Adjust debian/libapparmor1.symbols to reflect new upstream versioning - for the aa_query_label() function - - Raise exceptions in Python bindings when something fails - * ship new Python replacements for previous Perl-based tools - - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and - add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof - - debian/control: - + remove various Perl dependencies - + add python-apparmor and python3-apparmor - + python3-apparmor Breaks: apparmor-easyprof to move the file since it - ships dist-packages/apparmor/__init__.py now - - debian/apparmor-utils.manpages: ship new manpages for aa-cleanprof and - aa-mergeprof - - debian/rules: build and install Python tools - * debian/apparmor.install: - - install apparmorfs, dovecot, kernelvars, securityfs, sys, - and xdg-user-dirs tunables and xdg-user-dirs.d directory - * debian/apparmor.dirs: - - install /etc/apparmor.d/tunables/xdg-user-dirs.d - * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local - * debian/apparmor.postinst: create xdg-user-dirs.d/site.local - * debian/apparmor.postrm: remove xdg-user-dirs.d - * Remaining patches: - - add-chromium-browser.patch - - add-debian-integration-to-lighttpd.patch - - ubuntu-manpage-updates.patch - - libapparmor-layout-deb.patch - - libapparmor-mention-dbus-method-in-getcon-man.patch - - etc-writable.patch - - aa-utils_are_bilingual.patch - * New patches: - - convert-to-rules.patch - - list-fns.patch - - parse-mode.patch - - add-decimal-interp.patch - - policy_mediates.patch - - fix-failpath.patch - - feature_file.patch - - fix-network.patch - - aare-to-class.patch - - add-mediation-unix.patch - - parser_version.patch - - caching.patch - - label-class.patch - - fix-lexer-debug.patch - - use-diff-encode.patch - - fix-serialize.patch - - fix-ppc-endian-ftbfs.patch - - opt_arg.patch - - tests-cond-dbus.patch - * Move manpages from libapparmor1 to libapparmor-dev - - debian/libapparmor-dev.manpages: install aa_change_hat.2, - aa_change_profile.2, aa_find_mountpoint.2, aa_getcon.2 - - debian/control: libapparmor-dev Replaces: and Breaks: libapparmor1 - * Move /usr/lib/python3/dist-packages/apparmor/__init__.py from - apparmor-easyprof to python3-apparmor - - debian/control: python3-apparmor Breaks: apparmor-easyprof - - debian/apparmor-easyprof.install: remove - usr/lib/python*.*/site-packages/apparmor* - * New profiles and abstractions: - - debian/apparmor.install: tunables/dovecot, tunables/kernelvars, - tunables/xdg-user-dirs, tunables/xdg-user-dirs.d - - -- Seth Arnold Wed, 19 Mar 2014 20:29:27 -0700 - -apparmor (2.8.94-0ubuntu1.4) trusty; urgency=low - - * Test merge from upstream new pyutils branch (rev 2385) - - -- Steve Beattie Thu, 13 Feb 2014 14:16:24 -0800 - -apparmor (2.8.0-0ubuntu38) trusty; urgency=low - - [ Tyler Hicks ] - * 0084-parser-add-dbus-eavesdrop-perm.patch: Add an eavesdrop permission to - the dbus rule type, allowing confined applications to eavesdrop. The only - valid conditional for eavesdrop rules is 'bus'. See the apparmor.d(5) man - page for more information. (LP: #1262440) - - [ Steve Beattie ] - * 0085-push-normalize-tree-ops-into-expr-tree-classes.patch: Improve - parser performance in some cases - - [ John Johansen ] - * 0086-add-diff-state-compression-to-dfa.patch: Implement differential - state compression in the parser - * 0087-fix-dfa-minimization.patch: Fix a parser bug that caused some DFAs to - not be fully minimized (LP: #1262938) - * 0088-fix-pol-generation-for-small-dfas.patch: Fixes bugs in the parser - when generating policy for some small DFAs - - -- Tyler Hicks Mon, 13 Jan 2014 11:17:42 -0600 - -apparmor (2.8.0-0ubuntu37) trusty; urgency=low - - [ Jan Rękorajski ] - * 0082-parser-fix-FTBFS-with-bison-3.patch: Fix parser FTBFS with bison 3 - - [ Steve Beattie ] - * 0083-libapparmor-require-libtoolize.patch: Fix FTBFS by switching - the autogen.sh script to use libtoolize instead of libtool - - -- Tyler Hicks Fri, 10 Jan 2014 13:48:43 -0600 - -apparmor (2.8.0-0ubuntu36) trusty; urgency=medium - - * Rebuild for python3.4 as a supported python version. - - -- Matthias Klose Sat, 04 Jan 2014 18:30:59 +0000 - -apparmor (2.8.0-0ubuntu35) trusty; urgency=low - - * abstractions/nameservice: Also allow access to the sssd nss pipe. - - -- Stéphane Graber Fri, 29 Nov 2013 13:44:49 -0500 - -apparmor (2.8.0-0ubuntu34) trusty; urgency=low - - [ Tyler Hicks ] - * 0078-parser-check-for-dbus-kernel-support.patch: The parser should not - include D-Bus rules in the binary policy that it loads into the kernel if - the kernel does not support D-Bus rules (LP: #1231778) - * 0079-utils-ignore-unsupported-log-events.patch: aa-logprof should ignore - audit events that it does not yet support instead of treating them as - errors (LP: #1243932) - * 0080-tests-use-ldconfig-for-library-detection.patch: Fix libapparmor - detection in regression tests after the multiarch changes - - [ Jamie Strandboge ] - * 0081-python-abstraction-updates.patch: Add rules in support of Python 3.3 - - [ Chad Miller ] - * debian/patches/0001-add-chromium-browser.patch: Follow new chromium-browser - sandbox name. Keep old name for now to allow transition. LP: #1247269 - - -- Tyler Hicks Mon, 04 Nov 2013 15:57:30 -0800 - -apparmor (2.8.0-0ubuntu33) trusty; urgency=low - - * Convert to dh. - * Bump to debhelper compat level 9 for multiarch support. - * Mark libapparmor1, libapparmor-dev Multi-Arch: same. LP: #1246067. - - -- Steve Langasek Thu, 31 Oct 2013 13:23:57 -0700 - -apparmor (2.8.0-0ubuntu32) trusty; urgency=low - - * no change rebuild for perl 5.18 - - -- Jamie Strandboge Mon, 21 Oct 2013 13:28:26 -0500 - -apparmor (2.8.0-0ubuntu31) saucy; urgency=low - - * 0077_aa-status-is-bilingual.patch: aa-status was written to work with - python 2 or 3. Upstream is still using 2, so adjust ours to use - /usr/bin/python3 to avoid pulling python 2 back to the desktop images - - -- Jamie Strandboge Fri, 11 Oct 2013 15:35:03 -0500 - -apparmor (2.8.0-0ubuntu30) saucy; urgency=low - - [ Tyler Hicks ] - * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an - abstraction for the accessibility bus. It is currently very permissive, - like the dbus and dbus-session abstractions, and grants all permissions on - the accessibility bus. (LP: #1226141) - * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount - rules. Both rule classes suffered from unexpected auditing behavior when - using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier - resulting in accesses being audited and the 'audit deny' modifier - resulting in accesses not being audited. (LP: #1226356) - * debian/patches/0072-lp1229393.patch: Fix cache location for .features - file, which was not being written to the proper location if the parameter - --cache-loc= is passed to apparmor_parser. This bug resulted in using the - .features file from /etc/apparmor.d/cache or always recompiling policy. - Patch thanks to John Johansen. (LP: #1229393) - * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX - domain sockets to include read and write permissions. Both permissions are - required when a process connects to a UNIX domain socket. Also include new - tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for - helping with the policy updates and testing. (LP: #1208988) - * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only - grant access to specific pulseaudio files in the pulse runtime directory - to remove access to potentially dangerous files (LP: #1211380) - - [ Jamie Strandboge ] - * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia - (LP: #1228882) - * 0076_sanitized_helper_dbus_access.patch: allow applications run under - sanitized_helper to connect to DBus - - -- Tyler Hicks Fri, 04 Oct 2013 17:29:52 -0700 - -apparmor (2.8.0-0ubuntu29) saucy; urgency=low - - * Add 0070-etc-writable.patch: Allow reading time configuration from - /etc/writable, as we have it on the phone. (LP: #1227520) - - -- Martin Pitt Tue, 01 Oct 2013 09:55:15 +0200 - -apparmor (2.8.0-0ubuntu28) saucy; urgency=low - - [ Tyler Hicks ] - * Move the aa-exec man page out of apparmor-utils into apparmor, since - aa-exec is now in apparmor - - debian/control: adjust Breaks/Replaces to use apparmor-utils - (<< 2.8.0-0ubuntu28) - - debian/apparmor.manpages: install the aa-exec man page - - debian/apparmor-utils.manpages: don't install the aa-exec man page - * debian/patches/0065-lp1220861.patch: Always NUL-terminate confinement - context strings returned from libapparmor (LP: #1220861) - * debian/patches/0066-lp1196880.patch: Don't assign mode pointer in - aa_getprocattr() if caller passed in NULL (LP: #1196880) - * debian/patches/0067-libapparmor-mode-strings-are-not-to-be-freed.patch: - Update man page and code comments to make it clear that freeing the *con - string returned from libapparmor's getcon functions also frees the *mode - string - * debian/patches/0068-libapparmor-mention-dbus-method-in-getcon-man.patch: - Document the D-Bus method, in the aa_getcon man page, that returns the - AppArmor task confinement string of a D-Bus connection - - [ Jamie Strandboge ] - * debian/patches/0069-p11kit-abstraction.patch: p11-kit needs access to - /usr/share/p11-kit/modules - - -- Jamie Strandboge Tue, 10 Sep 2013 12:06:06 -0500 - -apparmor (2.8.0-0ubuntu27) saucy; urgency=low - - * debian/apport/source_apparmor.py: AppArmor logs DBus messages to syslog, - adjust apport hook to also search there for denials - - -- Jamie Strandboge Tue, 03 Sep 2013 10:25:45 -0500 - -apparmor (2.8.0-0ubuntu26) saucy; urgency=low - - * debian/patches/0064-lp1218099.patch: add support for variable expansion in - dbus rules (LP: #1218099) - - -- Jamie Strandboge Thu, 29 Aug 2013 16:28:36 -0500 - -apparmor (2.8.0-0ubuntu25) saucy; urgency=low - - [ Tyler Hicks ] - * Add support for mediation of D-Bus messages and services. AppArmor D-Bus - rules are described in the apparmor.d(5) man page. dbus-daemon will use - libapparmor to perform queries against the AppArmor policies to determine - if a connection should be able to send messages to another connection, if - a connection should be able to receive messages from another connection, - and if a connection should be able to bind to a well-known name. - - 0042-Fix-mount-rule-preprocessor-output.patch, - 0043-libapparmor-Safeguard-aa_getpeercon-buffer-reallocat.patch, - 0044-libapparmor-fix-return-value-of-aa_getpeercon_raw.patch, - 0045-libapparmor-Move-mode-parsing-into-separate-function.patch, - 0046-libapparmor-Parse-mode-from-confinement-string-in-ge.patch, - 0047-libapparmor-Make-aa_getpeercon_raw-similar-to-aa_get.patch, - 0048-libapparmor-Update-aa_getcon-man-page-to-reflect-get.patch: - Backport parser and libapparmor pre-requisites for D-Bus mediation - - 0049-parser-Update-man-page-for-DBus-rules.patch: Update apparmor.d man - page - - 0050-parser-Add-support-for-DBus-rules.patch, - 0051-parser-Regression-tests-for-DBus-rules.patch, - 0052-parser-Binary-profile-equality-tests-for-DBus-rules.patch: Add - apparmor_parser support for D-Bus mediation rules - - 0053-libapparmor-Export-a-label-based-query-interface.patch, - debian/libapparmor1.symbols: Provide the libapparmor interface necessary - for trusted helpers to make security decisions based upon AppArmor - policy - - 0054-libaalogparse-Parse-dbus-daemon-audit-messages.patch, - 0055-libaalogparse-Regression-tests-for-dbus-daemon-audit.patch: Allow - applications to parse denials, generated by dbus-daemon, using - libaalogparse and add a set of regression tests - - 0056-tests-Add-an-optional-final-check-to-checktestfg.patch, - 0057-tests-Add-required-features-check.patch, - 0058-tests-Add-regression-tests-for-dbus.patch: Add regression tests - which start their own dbus-daemon, load profiles containing D-Bus rules, - and confine simple D-Bus service and client applications - - 0059-dbus-rules-for-dbus-abstractions.patch: Add bus-specific, but - otherwise permissive, D-Bus rules to the dbus and dbus-session - abstractions. Confined applications that use D-Bus should already be - including these abstractions in their profiles so this should be a - seamless transition for those profiles. - * 0060-utils-make_clean_fixup.patch: Clean up the Python cache in the - AppArmor tests directory - * 0061-profiles-dnsmasq-needs-dbus-abstraction.patch: Dnsmasq uses the - system D-Bus when it is started with --enable-dbus, so its AppArmor - profile needs to include the system bus abstraction - * 0062-fix-clone-test-on-arm.patch: Fix compiler error when building - regression tests on ARM - * 0063-utils-ignore-unsupported-rules.patch: Utilities that use the - Immunix::AppArmor perl module, such as aa-logprof and aa-genprof, error - out when they encounter rules unsupported by the perl module. This patch - ignores unsupported rules. - - [ Jamie Strandboge ] - * debian/control: don't have easyprof Depends on apparmor-easyprof-ubuntu - - -- Tyler Hicks Mon, 26 Aug 2013 15:32:12 -0700 - -apparmor (2.8.0-0ubuntu24) saucy; urgency=low - - * 0040-libapparmor-support-pkg-config.patch: Make it easier for other - sources to build against libapparmor with pkg-config - - debian/control: Add pkg-config as a Build-Depends - - debian/libapparmor-dev.install: Install libapparmor pkg-config file - * 0041-parser-fix-flags.patch: Minimal fix for cache failures when the - feature file is larger than the feature buffer used for cache version - comparison - - -- Tyler Hicks Thu, 15 Aug 2013 16:34:53 -0700 - -apparmor (2.8.0-0ubuntu23) saucy; urgency=low - - * debian/patches/0038-lp1200392.patch: allow mmap of fglrx dri libraries - (LP: #1200392) - * debian/patches/0039-fix-parser-cache-loc.patch: fix apparmor cache - tempfile location to use passed arg - * debian/lib/apparmor/functions: update to also load from - /var/lib/apparmor/profiles and write cache to /var/cache/apparmor - * debian/apparmor.dirs: create /var/cache/apparmor and - /var/lib/apparmor/profiles - - -- Jamie Strandboge Tue, 23 Jul 2013 21:36:40 -0500 - -apparmor (2.8.0-0ubuntu22) saucy; urgency=low - - * Refresh easyprof - - drop 0034-easyprof-dont-add-vendor-dir.patch - - drop 0035-easyprof-update-manpage-for-sdk-base.patch - * debian/patches/0037-easyprof-sdk-pt2.patch: update easyprof for the - following: - - don't add vendor directory to self.templates and self.policy_groups - - utils/aa-easyprof: adjust error message for manifest read failure - - utils/aa-easyprof: adjust to use EnvironmentError on failed read of the - manifest - - utils/apparmor/easyprof.py: clean up set_template() - - utils/apparmor/easyprof.py: read_paths should use 'rk' - - utils/test/test-aa-easyprof.py: adjust tests for above - - utils/apparmor/easyprof.py - + valid_path should verify os.path.normpath(path) == (path) - + adjust valid_profile_name() to start with alpha-numeric and allow - Debian source package names and version, plus '_' - + adjust tests for above - - update valid_variable() to check for valid_path if '/' is in the value - - adjust valid_path() to have a relative_ok flag (default to False) - - adjust valid_path() to verify path is same as normalized path - - add some valid_path() test cases - - adjust to always quote template vars in policy output - - add a couple tests that have spaces in the binary and template var - - update manifest JSON structure to use - m['security']['profiles']['profile_name'] instead of - m['security']['profile_name'] - - -- Jamie Strandboge Sun, 07 Jul 2013 19:37:56 -0500 - -apparmor (2.8.0-0ubuntu21) saucy; urgency=low - - * Apache 2.4 transition (LP: #1197617, Closes: 666808). Based on patch from - intrigeri - - debian/control: - + Build-Depends on apache2-dev and dh-apache2 instead of - apache2-prefork-dev - + adjust libapache2-mod-apparmor to not Depends on apache2.2-common - + adjust libapache2-mod-apparmor to Pre-Depends: ${misc:Pre-Depends} - - create debian/libapache2-mod-apparmor.apache2 - - debian/rules: adjust to use dh_apache2 --noenable - - debian/libapache2-mod-apparmor.maintscript: remove old prefork profile - - debian/libapache2-mod-apparmor.install: install new usr.sbin.apache2 - profile - - debian/libapache2-mod-apparmor.{preinst,postinst,postrm}: update to use - usr.sbin.apache2 - - debian/libapache2-mod-apparmor.postinst: remove the disable symlink for - old prefork profile - - debian/patches/0036-libapache2-mod-apparmor-profile-2.4.patch: update - mod_apparmor man page to mention loading mpm_prefork, add new - usr.sbin.apache2 profile and remove old prefork profile - * debian/rules: honor DEB_BUILD_OPTIONS=nocheck - - -- Jamie Strandboge Thu, 04 Jul 2013 10:20:20 -0500 - -apparmor (2.8.0-0ubuntu20) saucy; urgency=low - - * remove debian/patches/0033-add-ubuntu-sdk-abstractions.patch. We will - for now ship policy groups instead of abstractions like this - * debian/apparmor.maintscript: rm_conffile on ubuntu-sdk-base - * debian/patches/0035-easyprof-update-manpage-for-sdk-base.patch: add - sdk-base as a typical policy group - - -- Jamie Strandboge Wed, 03 Jul 2013 17:29:57 -0500 - -apparmor (2.8.0-0ubuntu19) saucy; urgency=low - - * debian/patches/0034-easyprof-dont-add-vendor-dir.patch: don't add vendor - directory to self.templates and self.policy_groups - * debian/patches/0030-easyprof-sdk.patch: mentioned patch has been forwarded - upstream - - -- Jamie Strandboge Tue, 02 Jul 2013 09:24:23 -0500 - -apparmor (2.8.0-0ubuntu18) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: refreshed for the following: - - man page updates - - add --output-format=json option - - add --verify-manifest - - add --policy-version and --policy-vendor which to better work with - vendor templates (ie, with apparmor-easyprof-ubuntu) - - restructed JSON format (should be final version now). This converts - abstractions and policy_groups to proper JSON lists and allows for - multiple profiles in the JSON file, keyed off of the profile name - - add --output-directory option as an alternative to stdout (particularly - useful when using multiple profiles in a JSON file) - - also remove ubuntu-sdk-base abstraction. This may move out but for now - put it in a different patch - - add verify_options() and some utility functions for input validation - - unconditionally quote profile name and binary - - remove Ubuntu-specific checks in verify_manifest and check profile_name - with binary harder - * debian/patches/0033-add-ubuntu-sdk-abstractions.patch: add ubuntu-sdk-base - abstraction - - -- Jamie Strandboge Mon, 01 Jul 2013 17:20:33 -0500 - -apparmor (2.8.0-0ubuntu17) saucy; urgency=low - - * debian/patches/0032-lp1195362.patch: don't pull in unused perl modules - (LP: #1195362) - * debian/rules: use dh_perl -d with libapparmor-perl to Depends on perl-base - instead of perl - * debian/patches/0030-easyprof-sdk.patch: update to remove the ubuntu - specific templates and policy groups. These will be shipped in - apparmor-easyprof-ubuntu - * debian/control: have apparmor-easyprof Depends on apparmor-easyprof-ubuntu - - -- Jamie Strandboge Fri, 28 Jun 2013 12:01:06 -0500 - -apparmor (2.8.0-0ubuntu16) saucy; urgency=low - - * debian/patches/0030-easyprof-sdk.patch: update to have - - /usr/share/icons/gnome/index.theme should have 'rk' added to qmlscene - policy group - - add ubuntu-sdk-html5 template - - add qmlscene-webview policygroup - * debian/patches/0031-move-poppler-cmap-to-fonts.patch: more than just - gnome applications access /usr/share/poppler/cMap/** - - -- Jamie Strandboge Tue, 25 Jun 2013 15:58:33 -0500 - -apparmor (2.8.0-0ubuntu15) saucy; urgency=low - - * move aa-exec out of apparmor-utils into apparmor, since we want it in the - default install - - debian/control: adjust Breaks/Replaces to use apparmor-utils - <<2.8.0-0ubuntu15) and have apparmor Depends on libapparmor-perl - - debian/apparmor.install: install aa-exec - - debian/apparmor-utils.install: don't install aa-exec - - -- Jamie Strandboge Tue, 25 Jun 2013 11:48:25 -0500 - -apparmor (2.8.0-0ubuntu14) saucy-proposed; urgency=low - - * debian/patches/0029-easyprof-update-for-aa-sandbox.patch: add aa-sandbox - utility to source, but don't install yet. This includes code refactoring - for easyprof, which is required for the next patch - * debian/patches/0030-easyprof-sdk.patch: add SDK support to easyprof (don't - include DBus includes yet) - * create apparmor-easyprof package - - adjust debian/control for new packages and Breaks/Replaces on - apparmor-utils 2.8.0-0ubuntu14 - - create debian/apparmor-easyprof.install - - debian/apparmor-utils.install: don't install easyprof. python libraries - moved to easyprof for now since it is the only consumer - - debian/apparmor-utils.manpages: move easyprof manpage to - debian/apparmor-easyprof.manpages - - debian/rules: dh_python3 should also run on apparmor-easyprof - * debian/control: dh-apparmor should Depends on apparmor-easyprof - * debian/debhelper/dh_apparmor: update to support --manifest argument - - -- Jamie Strandboge Mon, 24 Jun 2013 09:49:44 -0500 - -apparmor (2.8.0-0ubuntu13) saucy-proposed; urgency=low - - * 0021-webapps_abstraction.patch: update to allow 'w' access to - ~/.local/share/unity-webapps/availableapps*.db and 'rk' access to - ~/.config/libaccounts-glib/accounts.db (LP: #1169633) - - -- Jamie Strandboge Mon, 10 Jun 2013 10:49:46 -0500 - -apparmor (2.8.0-0ubuntu12) saucy; urgency=low - - * 0027-add-gnome-keyring-to-strict.patch: add @{HOME}/.gnome2/keyrings/** to - abstractions/private-files-strict - * 0028-add-upstart-to-private.patch: deny writes to upstart user sessions - jobs in abstractions/private-files - - -- Jamie Strandboge Mon, 13 May 2013 13:04:54 -0500 - -apparmor (2.8.0-0ubuntu11) raring; urgency=low - - * 0025-update-pulseaudio-paths.patch: update path for pulseaudio directory - and cookie files - * 0026-add-vm_overcommit_memory.patch: add read access to - @{PROC}/sys/vm/overcommit_memory - * update 0001-add-chromium-browser.patch: - - additional accesses required by newer chromium-browser. Patch based on - work by Simon Deziel (LP: #1154164) - - don't include abstractions already included via gnome abstraction - - allow access to dconf/gsettings, required now - - -- Jamie Strandboge Mon, 08 Apr 2013 14:57:14 -0500 - -apparmor (2.8.0-0ubuntu10) raring; urgency=low - - * debian/patches/0001-add-chromium-browser.patch: add accesses for chromium - 23 (LP: #1091862) - - -- Jamie Strandboge Tue, 18 Dec 2012 15:20:05 -0600 - -apparmor (2.8.0-0ubuntu9) raring; urgency=low - - * debian/control: make libnotify-bin a Suggests rather than a Recommends - since it is assumed to already be installed on the desktop and so server - environments don't have to pull in a lot of X dependencies (LP: #1061879) - - -- Jamie Strandboge Tue, 18 Dec 2012 10:47:50 -0600 - -apparmor (2.8.0-0ubuntu8) raring; urgency=low - - [ Steve Beattie ] - * 0024-lp1091642-parser-reset_matchflags.patch: prevent reuse of - matchflags in parser dfa backend and add testcase demonstrating the - problem (LP: #1091642) - - [ Jamie Strandboge ] - * debian/debhelper/postinst-apparmor: quote all occurences of #PROFILE#. - - -- Steve Beattie Tue, 18 Dec 2012 04:53:28 -0800 - -apparmor (2.8.0-0ubuntu7) raring; urgency=low - - * Rebuild to drop python3.2 extension. - - -- Matthias Klose Thu, 08 Nov 2012 11:15:26 +0000 - -apparmor (2.8.0-0ubuntu6) raring-proposed; urgency=low - - * Build python swig modules for all supported pythons. - * Use dh_python2 instead of obsolete dh_python. - * Remove duplicate chrpath from control. - * Remove unneeded quilt dependency. - * Bump standards version to 3.9.4, no changes needed. - - -- Dmitrijs Ledkovs Tue, 23 Oct 2012 12:37:39 +0100 - -apparmor (2.8.0-0ubuntu5) quantal; urgency=low - - [ Micah Gersten ] - * Allow /etc/vdpau_wrapper.cfg r and /var/lib/xine/gxine.desktop r - in the multimedia browser abstraction (LP: #1057642) - - update profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia - - [ Steve Beattie ] - * debian/control: make libnotify-bin a Recommends rather than a - Depends for use in server environments (LP: #1061879) - * debian/patches/0020-coredump_tests.patch: fix coredump regression - tests (LP: #1050430) - * debian/patches/0021-webapps_abstraction.patch: add a few items - triggered by using and installing webapps in firefox (LP: #1056418) - * debian/patches/0022-aa-decode-stdin.patch: fix aa-decode to process - stdin correctly and decode encoded profiles names - - -- Steve Beattie Tue, 09 Oct 2012 12:44:56 -0700 - -apparmor (2.8.0-0ubuntu4) quantal; urgency=low - - * Allow /var/lib/sss/mc/{group|passwd} for systems using sssd. - (LP: #1056391) - - -- Stéphane Graber Tue, 25 Sep 2012 14:59:57 -0400 - -apparmor (2.8.0-0ubuntu3) quantal; urgency=low - - * remove 0010-lp972367.patch and 0012-lp964510.patch which should have been - dropped in 2.8.0-0ubuntu1 since they are included upstream - * debian/patches/0001-add-chromium-browser.patch: - - add a couple of small accesses - - add a child profile for xdgsettings (LP: #1045986) - - -- Jamie Strandboge Mon, 17 Sep 2012 08:26:46 -0500 - -apparmor (2.8.0-0ubuntu2) quantal; urgency=low - - * 0015-fontconfig.patch: update fonts abstraction for new fontconfig paths - * 0016-cap-block-suspend.patch: add CAP_BLOCK_SUSPEND to severity.db. In - the next version of AppArmor, this will replace 0006-cap-epollwakeup.patch - * 0017-gnome-poppler-data.patch: update gnome abstraction for poppler cMap - tables - - -- Jamie Strandboge Tue, 14 Aug 2012 11:27:15 -0500 - -apparmor (2.8.0-0ubuntu1) quantal; urgency=low - - * New upstream release - - Drop the following patches, now included upstream: - 0003-add-aa-easyprof.patch - 0005-clean-common-from-vim.patch - 0006-use-linux-capability-h.patch - 0008-apparmor-lp963756.patch - 0009-apparmor-lp959560-part1.patch - 0010-apparmor-lp959560-part2.patch - 0011-apparmor-lp872446.patch - 0012-apparmor-lp978584.patch - 0013-apparmor-lp800826.patch - 0014-apparmor-lp979095.patch - 0015-apparmor-lp963756.patch - 0016-apparmor-lp968956.patch - 0017-apparmor-lp979135.patch - 0018-lp990931.patch - * Rename 0007-ubuntu-manpage-updates.patch to 0003 - * debian/patches/0005-lp1019274.patch: add python3 support. Patch based - on work from Dmitrijs Ledkovs. (LP: #1019274) - * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for - CAP_EPOLLWAKEUP - * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to - adjust scripts to use PYTHON if it is defined - * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb - when calling setup.py - * enable python3 in the build: - - debian/rules: - + use python3 as default PYTHON - + build libapparmor with both python2 and python3 - - debian/control: - + Build-Depends on python3-all-dev and python3 - + adjust apparmor to Depends on ${python3:Depends} - + adjust apparmor-utils to Depends on ${python3:Depends} - + add python3-libapparmor package - - add debian/python3-libapparmor.install - - debian/python-libapparmor.install: adjust to use python2 and - dist-packages - * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for - IcedTea 7 (LP: #1003856) - * debian/patches/0010-lp972367.patch: allow software center to work again - from browsers (LP: #972367) - * debian/patches/0011-lp1013887.patch: let sanitized helper work with - /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887) - * debian/patches/0012-lp964510.patch: allow Google Chrome and - chromium-browser to work under sanitized helper (LP: #964510) - * debian/patches/0013-lp987578.patch: ubuntu-integration does not work - properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578) - * debian/patches/0014-lp933440.patch: update skype example profile to work - with latest skype. Based on work by Ivan Frederiks (LP: #933440) - - -- Jamie Strandboge Thu, 05 Jul 2012 10:53:17 -0500 - -apparmor (2.7.102-0ubuntu5) quantal; urgency=low - - * debian/debhelper/postrm.apparmor: do not delete local files if main - conffile still exists since it probably means it is owned by a - new/different package. (LP: #986892) - - -- Clint Byrum Mon, 11 Jun 2012 21:40:33 -0700 - -apparmor (2.7.102-0ubuntu4) quantal; urgency=low - - * Fix FTBFS (LP: #1000055). Patch thanks to Steve Beattie. - - debian/control: Build-Depends on texlive-latex-recommended - - debian/rules: add V=1 for 'make' and 'make check' when building the - parser - * debian/patches/0018-lp990931.patch: adjust path for thunderbird to include - non-versioned path - - LP: #990931 - - -- Jamie Strandboge Fri, 18 May 2012 15:02:02 -0500 - -apparmor (2.7.102-0ubuntu3) precise; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0007-ubuntu-manpage-updates.patch: update apparmor(5) - to describe Ubuntu's two-stage policy load and how to add utilize it - when developing policy (LP: #974089) - - [ Serge Hallyn ] - * debian/apparmor.init: do nothing in a container. This can be - removed once stacked profiles are supported and used by lxc. - (LP: #978297) - - [ Steve Beattie ] - * debian/patches/0008-apparmor-lp963756.patch: Fix permission mapping - for change_profile onexec (LP: #963756) - * debian/patches/0009-apparmor-lp959560-part1.patch, - debian/patches/0010-apparmor-lp959560-part2.patch: Update the parser - to support the 'in' keyword for value lists, and make mount - operations aware of 'in' keyword so they can affect the flags build - list (LP: #959560) - * debian/patches/0011-apparmor-lp872446.patch: fix logprof missing - exec events in complain mode (LP: #872446) - * debian/patches/0012-apparmor-lp978584.patch: allow inet6 access in - dovecot imap-login profile (LP: #978584) - * debian/patches/0013-apparmor-lp800826.patch: fix libapparmor - log parsing library from dropping apparmor network events that - contain ip addresses or ports in them (LP: #800826) - * debian/patches/0014-apparmor-lp979095.patch: document new mount rule - syntax and usage in apparmor.d(5) manpage (LP: #979095) - * debian/patches/0015-apparmor-lp963756.patch: Fix change_onexec - for profiles without attachment specification (LP: #963756, - LP: #978038) - * debian/patches/0016-apparmor-lp968956.patch: Fix protocol error when - loading policy to kernels without compat patches (LP: #968956) - * debian/patches/0017-apparmor-lp979135.patch: Fix change_profile to - grant access to /proc/attr api (LP: #979135) - - -- Steve Beattie Thu, 12 Apr 2012 06:17:42 -0500 - -apparmor (2.7.102-0ubuntu2) precise; urgency=low - - * debian/control: Make dh-apparmor Multi-Arch: foreign, so that it can - satisfy cross-build-dependencies. - - -- Colin Watson Sat, 31 Mar 2012 02:28:05 +0100 - -apparmor (2.7.102-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following issues in support of LXC - AppArmor support for beta-2: - - Fix the return size of aa_getprocattr (LP: #962521) - - Fix mnt_flags passed for remount - - Fix dfa minimization around the nonmatching state - - Factor all the permissions dump code into a single perms method - * debian/apparmor-utils.install: - - AppArmor now installs apparmor.vim. Move it into place - - install aa-exec - * debian/apparmor-utils.manpages: install aa-exec man page - * debian/patches/0003-add-aa-easyprof.patch: refresh for Makefile changes - * debian/patches/0005-clean-common-from-vim.patch: clean up 'common' - symlink - * 0006-use-linux-capability-h.patch: Use linux/capability.h instead of - sys/capability.h - - -- Jamie Strandboge Thu, 22 Mar 2012 15:39:56 -0500 - -apparmor (2.7.101-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes: LP: #948147 - * debian/lib/apparmor/functions: Update to support the feature directory so - that caching will work on kernels that support the feature dir. Patch - based on work from John Johansen. LP: #954469 - - -- Jamie Strandboge Thu, 15 Mar 2012 15:57:02 -0500 - -apparmor (2.7.100-0ubuntu1) precise; urgency=low - - * New upstream bug fix release which fixes (in addition to other bugs): - - LP: #940362 - - LP: #947617 - - LP: #949891 - * Drop the following patches, included upstream: - - 0004-lp918879.patch - - 0007-lp941506.patch - - 0008-lp941503.patch - - 0009-lp943161.patch - * Drop the following patch, no longer required: - - 0005-disable-minimization.patch - * Rename 0006-lp941808.patch 0004-lp941808.patch - * debian/patches/0001-add-chromium-browser.patch: update for additional - denials with newer chromium-browser. (LP: #937723) - * debian/put-all-profiles-in-complain-mode.sh: deal with existing flags - - -- Jamie Strandboge Fri, 09 Mar 2012 06:56:48 -0600 - -apparmor (2.7.99-0ubuntu4) precise; urgency=low - - * Restore dpkg-maintscript-helper changes from 2.7.0-0ubuntu6, lost in - 2.7.99-0ubuntu1. - - -- Colin Watson Mon, 05 Mar 2012 16:11:01 +0000 - -apparmor (2.7.99-0ubuntu3) precise; urgency=low - - * debian/patches/0009-lp943161.patch: update to not fail when - default-jre-headless is installed (LP: #945019) - - -- Jamie Strandboge Fri, 02 Mar 2012 12:47:03 -0600 - -apparmor (2.7.99-0ubuntu2) precise; urgency=low - - * debian/control: dh-apparmor should Breaks/Replaces on debhelper - 9.20120115ubuntu3, not 9.20120115ubuntu2 - * debian/patches/0006-lp941808.patch: allow writes to - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for network manager integration - (LP: #941808) - * debian/patches/0007-lp941506.patch: allow reads to ~/.drirc in the X - abstraction (LP: #941506) - * debian/patches/0008-lp941503.patch: allow read access to - /usr/share/texmf/fonts in fonts abstraction (LP: #941503) - * debian/patches/0009-lp943161.patch: fix path to java in - ubuntu-browsers.d/java (LP: #943161) - - -- Jamie Strandboge Fri, 02 Mar 2012 07:50:50 -0600 - -apparmor (2.7.99-0ubuntu1) precise; urgency=low - - * New upstream release which also pulls in 2.7.0-1 changes from Debian. - For the sake of simplicity, I have added the 2.7.0-1 changelog entry after - 2.7.0-0ubuntu7 even though chronologically it appeared in Debian between - 2.7.0-0ubuntu4 and 2.7.0-0ubuntu5. - - LP: #940422 (FFe) - * Drop the following patches, included upstream: - - 0003-commits-through-r1882.patch - - 0004-lp887992.patch - - 0005-lp884748.patch - - 0006-lp870992.patch - - 0007-lp860856.patch - - 0008-lp852062.patch - - 0009-lp851977.patch - - 0010-lp890894.patch - - 0011-lp817956.patch - - 0012-lp458922.patch - - 0013-lp769148.patch - - 0014-lp904548.patch - - 0015-lp712584.patch - - 0016-lp562831.patch - - 0017-lp662906.patch - - 0018-deny-home-pki-so.patch - - 0019-lp899963.patch - - 0020-lp912754a.patch - - 0021-lp912754b.patch - - 0022-workaround-lp851986.patch - - 0023-syslog-ng-needs-dac-read-search.patch - - 0024-fix-python-and-ruby-autogeneration.patch - - 0025-lp914184.patch - - 0026-lp914190.patch - - 0027-lp914386.patch - - 0028-testsuite-fixes.patch - - 0029-lp917628.patch - - 0030-lp916285.patch - - 0031-lp917639.patch - - 0032-lp917641.patch - - 0033-add-ubuntu-helpers-to-plugins-common.patch - - 0034-lp917859.patch - - 0035-kde-should-use-kde4.patch - - 0036-lp929531.patch - - 0036-fix-manpage-errors.patch - * Rename 0037-add-aa-easyprof.patch 0003-add-aa-easyprof.patch - * debian/apparmor-profiles.postrm: clean out autogenerated files created by - apparmor-profiles.postinst (Closes: 656451) - * debian/patches/0004-lp918879.patch: allow /etc/drirc in the X abstraction - (LP: #918879) - * debian/patches/0005-disable-minimization.patch: do to LP: 940362, - minimization is not working correctly. Disable it for now. - - -- Jamie Strandboge Fri, 24 Feb 2012 09:04:45 -0600 - -apparmor (2.7.0-1) unstable; urgency=low - - * debian/po/pt.po add new Portuguese translation, thanks to Pedro Ribeiro, - (Closes: 651434). - * debian/control: do not require initramfs-tools on !linux-any - (Closes: 651297). - * debian/{control,rules,debhelper/*}: move dh_apparmor into separate - binary package, out of debhelper (Closes: 649784). - * debian/{control,rules}: fix up lack of real build-indep. - * debian/patches/0036-fix-manpage-errors.patch: minor man page cleanups. - * merge changes from Ubuntu (r1443). - - -- Kees Cook Thu, 09 Feb 2012 15:24:08 -0800 - -apparmor (2.7.0-0ubuntu7) precise; urgency=low - - * debian/patches/0037-add-aa-easyprof.patch: add the aa-easyprof tool - * apparmor-utils.dirs, apparmor-utils.install, apparmor-utils.manpages: - install aa-easyprof and supporting files - * python-libapparmor.install: only install LibAppArmor* - * debian/rules: use dh_python2 with apparmor-utils - * debian/control: apparmor-utils should Depends on ${python:Depends} - - -- Jamie Strandboge Wed, 15 Feb 2012 07:40:38 -0600 - -apparmor (2.7.0-0ubuntu6) precise; urgency=low - - * debian/apparmor.{preinst,postinst,postrm,maintscript}, debian/control: - Use maintscript support in dh_installdeb rather than writing out - dpkg-maintscript-helper commands by hand. We now simply Pre-Depend on a - new enough version of dpkg rather than using 'dpkg-maintscript-helper - supports' guards, leading to more predictable behaviour on upgrades. - - -- Colin Watson Sat, 11 Feb 2012 15:11:01 +0000 - -apparmor (2.7.0-0ubuntu5) precise; urgency=low - - * debian/patches/0036-lp929531.patch: adjust base abstraction to allow read - access to /sys/devices/system/cpu/online (LP: #929531) - - -- Jamie Strandboge Thu, 09 Feb 2012 08:04:13 -0600 - -apparmor (2.7.0-0ubuntu4) precise; urgency=low - - * debian/patches/0034-lp917859.patch: adjust aspell abstraction for user - customizable dictionaries (LP: #917859) - * debian/patches/0035-kde-should-use-kde4.patch: adjust abstractions to - use kde{,4} instead of kde - * debian/control: update Vcs-Bzr - - -- Jamie Strandboge Wed, 18 Jan 2012 16:27:30 -0600 - -apparmor (2.7.0-0ubuntu3) precise; urgency=low - - * debian/patches/0029-lp917628.patch: Adjust dnsmasq profile for - NetworkManager integration (LP: #917628) - * debian/patches/0030-lp916285.patch: update ubuntu-browsers.d/text-editors - to work with emacs2[2-9] (LP: #916285) - * debian/patches/0031-lp917639.patch: update p11-kit to allow mmap of - libraries in pkcs directories (LP: #917639) - * debian/patches/0032-lp917641.patch: ubuntu-integration abstraction for - multiarch with gst-plugin-scanner (LP: #917641) - * debian/patches/0033-add-ubuntu-helpers-to-plugins-common.patch: include - ubuntu-helpers in the plugins-common abstraction - - -- Jamie Strandboge Tue, 17 Jan 2012 07:18:34 -0600 - -apparmor (2.7.0-0ubuntu2) precise; urgency=low - - * debian/patches/0022-workaround-lp851986.patch: update sanitized_helper - to include inet6 - - -- Jamie Strandboge Fri, 13 Jan 2012 11:21:30 +0100 - -apparmor (2.7.0-0ubuntu1) precise; urgency=low - - * New upstream release. Fixes the following: - - LP: #794974 - - LP: #815883 - - LP: #840973 - * Drop the following patches, included upstream: - - af_names-generation.patch - - 0004-adjust-logprof-log-search-order.patch - - 0005-lp826914.patch - - 0006-lp838275.patch - - 0007-fix-introspection-tests.patch - * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002 - * debian/patches/0003-commits-through-r1882.patch: several bug, - documentation and performance fixes on our road to AppArmor 2.8 - (LP: #840734, LP: #905412) - * debian/patches/0004-lp887992.patch: cups-client abstraction should allow - owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions - (LP: #887992) - * update debian/patches/0001-add-chromium-browser.patch for deeper - directories of /sys/devices/pci (LP: #885833) - * debian/patches/0005-lp884748.patch: allow kate as text editor in the - browsers abstraction (LP: #884748) - * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access - to ~/.fonts.conf.d (LP: #870992) - * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py - in the python abstraction, which is needed for apport hooks to work in - python applications (LP: #860856) - * debian/patches/0008-lp852062.patch: update binaries for transmission - clients (LP: #852062) - * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for - Xubuntu and friends (LP: #851977) - * debian/patches/0010-lp890894.patch: allow access to Thunar as well as - thunar in ubuntu-integration abstraction (LP: #890894) - * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile - (LP: #817956) - * debian/patches/0012-lp458922.patch: update dovecot deliver profile to - access various .conf files for dovecot (LP: #458922) - * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection - (LP: #769148) - * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv - (LP: #904548) - * debian/patches/0015-lp712584.patch: Nvidia users need access to - /dev/nvidia* files for various plugins to work right. Since these are all - focused around multimedia, add the acceses to the multimedia abstraction. - (LP: #712584) - * debian/patches/0016-lp562831.patch: allow fireclam plugin to work - (LP: #562831) - * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu - integration browser abstraction (LP: #662906) - * debian/patches/0018-deny-home-pki-so.patch: update private-files - abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847) - * debian/patches/0019-lp899963.patch: add audacity to the - ubuntu-media-players abstraction (LP: #899963) - * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit - abstraction and add it to the authentication abstraction (LP: #912754) - * debian/patches/0022-workaround-lp851986.patch: instead of using Ux - in the ubuntu and launchpad abstractions, use a helper child profile. - This will help work around the lack of environment filtering - (LP: #851986) - * debian/patches/0023-syslog-ng-needs-dac-read-search.patch: adjust syslog-ng - profile for dac_read_search - * debian/patches/0024-fix-python-and-ruby-autogeneration.patch: fix python - and ruby autogeneration when using aa-autodep and aa-genprof - * debian/patches/0025-lp914184.patch: allow the creation of enchant .config - directory in the enchant abstraction (LP: #914184) - * debian/patches/0026-lp914190.patch: block write access to ~/.kde/env - because KDE automatically sources scripts in that folder on startup - (LP: #914190) - * debian/pathes/0027-lp914386.patch: add xdg-desktop abstraction and - adjust gnome and kde abstractions to use it (LP: #914386) - * debian/patches/0028-testsuite-fixes.patch: testsuite fixes in the kernel - regression tests - - -- Jamie Strandboge Thu, 12 Jan 2012 12:55:17 +0100 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu3) precise; urgency=low - - * Rebuild for Perl 5.14. - - -- Colin Watson Tue, 15 Nov 2011 22:10:05 +0000 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu2) oneiric; urgency=low - - * 0007-fix-introspection-tests.patch: Add missing introspection regression - test that should have been checked in with the introspection patches. - - -- Jamie Strandboge Tue, 04 Oct 2011 13:13:05 -0500 - -apparmor (2.7.0~beta1+bzr1774-1ubuntu1) oneiric; urgency=low - - * 0004-adjust-logprof-log-search-order.patch: Adjust the search order to use - just /var/log/audit/audit.log and /var/log/syslog. (LP: #835838) - * 0005-lp826914.patch: fix missing multiarch in abstraction/X (LP: #826914) - * 0006-lp838275.patch: adjust ubuntu-email abstraction for thunderbird 7 - (LP: #838275) - - -- Jamie Strandboge Fri, 02 Sep 2011 12:30:10 -0500 - -apparmor (2.7.0~beta1+bzr1774-1) unstable; urgency=low - - * New upstream devel snapshot: - - drop 0002-lp750381.patch, taken upstream. - - drop 0004-lp754889.patch, taken upstream. - - drop 0005-lp761217.patch, taken upstream. - - drop 0100-manpage-typo.patch, taken upstream. - - drop 0101-declarations.patch, solved differently upstream. - - drop 0102-manpage-release-name.patch, taken upstream. - - drop 0103-kfreebsd-compile.patch, taken upstream. - - drop define-path-max.patch, taken upstream. - - drop indep-build.patch, taken upstream. - - debian/libapparmor1.manpages: add new function man pages. - * Merge with Ubuntu: - - drop 0104-python-aa-status.patch, taken upstream. - - drop 0105-lightdm.patch, taken upstream. - - drop 0106-lp810270.patch, taken upstream. - - drop 0107-lp767308.patch, taken upstream. - - drop 0108-gnome-mimeinfo.patch, taken upstream. - - drop 0109-add-profile-repo-info.patch, taken upstream. - * Add af_names-generation.patch to allow arbitrary socket.h file location. - - -- Kees Cook Wed, 10 Aug 2011 18:12:34 -0700 - -apparmor (2.6.1-4ubuntu5) oneiric; urgency=low - - * debian/patches/0109-add-profile-repo-info.patch: add a blurb about the - new profiles repository to aa-genprof, along with a link to the wiki - page. - - -- Marc Deslauriers Mon, 18 Jul 2011 10:49:13 -0400 - -apparmor (2.6.1-4ubuntu4) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: updated to use upstream commits - - -- Jamie Strandboge Fri, 15 Jul 2011 14:08:38 -0500 - -apparmor (2.6.1-4ubuntu3) oneiric; urgency=low - - * debian/patches/0106-lp810270.patch: adjustments for /var/run -> /run, - /var/lock -> /run/lock and /dev/shm -> /run/shm transition (LP: #810270) - * debian/patches/0107-lp767308.patch: allow read access to - /usr/local/share/ca-certificates (LP: #767308) - * debian/patches/0001-add-chromium-browser.patch: updates for newer chromium - (LP: #776648) - * debian/patches/0108-gnome-mimeinfo.patch: allow read access to - /usr/share/gnome/applications/mimeinfo.cache in the gnome abstraction - - -- Jamie Strandboge Thu, 14 Jul 2011 09:39:49 -0500 - -apparmor (2.6.1-4ubuntu2) oneiric; urgency=low - - * debian/patches/0105-lightdm.patch: allow owner read access to - /var/run/lightdm/authority/[0-9]* - - -- Jamie Strandboge Wed, 22 Jun 2011 16:29:11 -0500 - -apparmor (2.6.1-4ubuntu1) oneiric; urgency=low - - * Get rid of Perl in main AppArmor package so we can remove perl-modules - from the installation cd: - - debian/patches/0104-python-aa-status.patch: switch aa-status to - Python - - debian/apparmor.*, debian/apparmor-utils.*: move aa-status, symlink - and manpages to main apparmor package. - - debian/control: add appropriate Breaks/Replaces/Depends because of - the file move, add ${python:Depends} to apparmor Depends, add - apparmor-utils to apparmor Suggests. - - debian/rules: add apparmor package to dh_python2. - * debian/lib/apparmor/functions: fix hat separator (LP: #788616) - - Based on upstream revision 1733 - - -- Marc Deslauriers Wed, 01 Jun 2011 11:03:20 -0400 - -apparmor (2.6.1-4) unstable; urgency=low - - * debian/po: add new translations: - - zh_CN.po: Simplified Chinese, thanks to Aron Xu (Closes: 624853). - - da.po: Danish, thanks to Joe Dalton (Closes: 625252). - - sv.po: Swedish, thanks to Martin Bagge (Closes: 625264). - - cs.po: Czech, thanks to Michal Šimůnek (Closes: 625465). - - de.po: German, thanks to Chris Leick (Closes: 625931). - - nl.po: Dutch, thanks to Jeroen Schot (Closes: 626269). - - ja.po: Japanese, thanks to Hideki Yamane (Closes: 626803). - - it.po: Italian, thanks to Dario Santamaria (Closes: 626836). - - fr.po: French, thanks to Julien Patriarca (Closes: 626903). - - es.po: Spanish, thanks to Francisco Javier Cuadrado (Closes: 627031). - * debian/patches/define-path-max.patch: fix Hurd FTBFS. - * debian/patches/indep-build.patch: allow split indep/arch builds. - * debian/{control,rules,non-linux}: add fake parser for non-Linux - builds so that apparmor-utils is installable (Closes: 625977). - - -- Kees Cook Fri, 27 May 2011 13:51:18 -0700 - -apparmor (2.6.1-3) unstable; urgency=low - - * debian/control: add sneaky missing Build-Dep on liblocale-gettext-perl - (fixes FTBFS on some extremely minimal chroots, Closes: 624566). - * debian/patches/0101-declarations.patch: add missing declarations needed - for sensitive compilers (fixes FTBFS on mips/mipsel). - * debian/patches/0102-manpage-release-name.patch: update manpage release - names to match others. - * debian/patches/0103-kfreebsd-compile.patch, debian/{control,rules}: - attempt to build as much as possible (no parser) on non-Linux systems. - * debian/po/ru.po: add translation, thanks to Yuri Kozlov (Closes: 624741). - - -- Kees Cook Sun, 01 May 2011 19:29:07 -0700 - -apparmor (2.6.1-2) unstable; urgency=low - - * debian/copyright: clarify for some full organization names. - - -- Kees Cook Wed, 27 Apr 2011 10:38:07 -0700 - -apparmor (2.6.1-1) unstable; urgency=low - - * Initial Debian upload (Closes: 622922). - * debian/patches/0100-manpage-typo.patch: fix lintian error in manpage. - * debian/clean: update for Debian build. - * debian/copyright: rearrange and add a few missing files. - * debian/source/format, debian/rules: convert to 3.0 quilt format. - * debian/{rules,apparmor-profiles.postinst}: deal with lack of dh_apparmor. - - -- Kees Cook Sat, 23 Apr 2011 12:14:55 -0700 - -apparmor (2.6.1-0ubuntu3) natty; urgency=low - - * debian/patches/0003-add-debian-integration-to-lighttpd.patch: updates for - lighttpd example profile to work in Debian/Ubuntu (LP: #582814) - * debian/patches/0004-lp754889.patch: add several image viewers to - ubuntu-browsers.d/multimedia abstraction (LP: #754889) - * debian/patches/0005-lp761217.patch: abstractions/private-files updates for - zsh and several other shells (LP: #761217) - * debian/patches/0001-add-chromium-browser.patch: fixes for multiarch and - crash reporter (LP: #764786) - - -- Jamie Strandboge Mon, 18 Apr 2011 09:23:50 -0500 - -apparmor (2.6.1-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp750381.path: adjust ubuntu-media-players abstraction - to allow reading of configs required by gnash and owner writing of - @{HOME}/.gnash (LP: #750381) - - -- Jamie Strandboge Thu, 07 Apr 2011 10:09:24 -0500 - -apparmor (2.6.1-0ubuntu1) natty; urgency=low - - * New upstream release. - - Fixes breakage of mod_apparmor apache2 module (LP: #737074) - - Fixes profile matching when an attachement doesn't contain a - regex (LP: #731155) - - Fixes parser acceptance of missing network protocols (LP: #732837) - - Patches taken upstream and dropped: - + debian/patches/0002-lp727478.patch - + debian/patches/0003-test-lp727478.patch - + debian/patches/0004-lp736870.patch - * debian/apparmor.install, debian/apparmor.dirs: add new multiarch - tunable file and directory - * debian/python-libapparmor.install: loosen directory specification - for resiliancy against different python versions - - -- Steve Beattie Thu, 24 Mar 2011 01:55:12 -0700 - -apparmor (2.6.0-0ubuntu4) natty; urgency=low - - * Update debian/patches/0004-lp736870.patch (LP: #736870): - - armel triplet doesn't match '*-linux-gnu' - - /lib/tls for libc6-xen needs handling - - gnome, kde, kerberosclient, and authentication abstractions also need - updating for multiarch. - - -- Steve Langasek Tue, 22 Mar 2011 15:18:54 -0700 - -apparmor (2.6.0-0ubuntu3) natty; urgency=low - - * debian/patches/0004-lp736870.patch: add multiarch support to abstractions - (LP: #736870) - - -- Jamie Strandboge Thu, 17 Mar 2011 09:17:01 -0500 - -apparmor (2.6.0-0ubuntu2) natty; urgency=low - - * debian/patches/0002-lp727478.patch: Override AF_MAX for kernels that don't - support proper masking. Patch thanks to John Johansen (LP: #727478) - * debian/patches/0003-test-lp727478.patch: add tcp.sh test as partial - networking test - - -- Jamie Strandboge Thu, 03 Mar 2011 16:40:08 -0600 - -apparmor (2.6.0-0ubuntu1) natty; urgency=low - - [ Steve Beattie ] - * New upstream 2.6.0 release (LP: #724193) - - Patches taken upstream and dropped: - + 0001-ubuntu-buildd.patch - + 0003-add-libvirt-support-to-dnsmasq.patch - + 0004-lp698194.patch - + 0005-aa-disable.patch - - debian/rules: remove library path settings for mod_apparmor and - pam_apprmor builds; upstream handles this properly now. - - debian/apparmor-utils.install: handle upstream SubDomain.pm => - AppArmor.pm renaming - * debian/lib/apparmor/functions: handle profile names with embedded - spaces (LP: #655523) - * debian/rules, debian/control, debian/python-libapparmor: build - a python-libapparmor package. - - [ Jamie Strandboge ] - * debian/copyright: update and reformat according to DEP-5 - * debian/lib/apparmor/functions: don't unload dynamically generated libvirt - profiles on reload, restart, and force-reload (LP: #702774) - * debian/control: use Section: python for python-libapparmor - - -- Steve Beattie Thu, 24 Feb 2011 01:41:58 -0800 - -apparmor (2.6~devel+bzr1617-0ubuntu2) natty; urgency=low - - * debian/patches/0005-aa-disable.patch: add aa-disable - * debian/apparmor-utils.install: install aa-disable - * debian/apparmor-utils.manpages: install aa-disable man page - - -- Jamie Strandboge Mon, 07 Feb 2011 11:23:50 -0600 - -apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1617. Closes the following bugs: - - LP: #692406: temporarily disable the defunct repository until an - alternative can be used - - LP: #649497: add ibus abstraction - - LP: #652562: allow 'rw' to /var/log/samba/cores/ - - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules - * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.* - (LP: #692866) - * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch - and adjust debian/patches/series - * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239): - - allow read and write access to libvirt pid files for dnsmasq - - allow net_admin capability for DHCP server - - allow net_raw and network inet raw for ICMP pings when used as a DHCP - server - * debian/patches/0004-lp698194 (LP: #698194): - - abstractions/private-files: don't allow wl to autostart directories - - abstractions/private-files-strict: don't allow access to chromium, - kwallet and popular mail clients - - -- Jamie Strandboge Fri, 07 Jan 2011 12:44:26 -0600 - -apparmor (2.6~devel+bzr1601-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1601 to gain parser speed - improvements and man page fixes. Closes the following bugs: - - LP: #349049: document audit, deny and owner rule qualifiers - - LP: #466228: ubuntu-browsers.d/multimedia: allow flash printing - - LP: #644983: add ubuntu-browsers.d/ubuntu-integration-xul - - LP: #692216: use aa_change_hat() instead of change_hat() - - LP: #692217: add aa_change_profile.pod manpage - * debian/control: explicitly depend on gettext module. - * ship apparmor vim syntax file (LP: #646800): - - debian/vim-apparmor.yaml: vim addon definition file. - - debian/apparmor-utils.install: add apparmor.vim and vim-apparmor.yaml. - * debian/libapparmor1.manpages: ship aa_change_profile manpage. - - -- Kees Cook Mon, 20 Dec 2010 14:37:38 -0800 - -apparmor (2.6~devel+bzr1527-0ubuntu1) natty; urgency=low - - * Merge with upstream bzr revision 1527, drop patches taken upstream: - - debian/patches/0001-fix-release.patch - - debian/patches/0003-local-includes.patch - - debian/patches/0004-ubuntu-abstractions-updates.patch - - debian/patches/0005-lp648900.patch - - debian/patches/0006-testsuite-fixes.patch - - debian/patches/0007-honor-cflags.patch - - debian/patches/0008-lp652674.patch - - debian/patches/0009-sensible-browser-pix.patch - * Rework packaging for more sanity. - - debian/control: - - bump debhelper build depend to Ubuntu-specific v8. - - switch apparmor-profiles to arch all as it ships only text. - - update Homepage to new domain. - - expand long descriptions to keep lintian happy. - - debian/compat: bump to 8. - - README.Debian: removed, hopelessly out of date. - - debian/copyright: - - updated for changes to upstream source layout. - - fixed lintian warnings. - - debian/rules: - - ditch mv/install in favor of *.install,*.dir files. - - replace "dh_clean -k" with "dh_prep" - - use dh_clean's debian/clean file instead of manual rm. - - scan for all profiles to run through dh_apparmor. - - debian/*.{install,dirs,manpages,docs}: - - explicitly list all files needed for packaging - - debian/apparmor.{preinst,postinst,postrm}: - - add dpkg-maintscript-helper calls to clean up old script locations. - - drop old conffile cleanups, since they predate Lucid. - - debian/apparmor.init: - - move functions to /lib/apparmor. - - start on $remote_fs due to using /usr tools during init. - - use LC_COLLATE=C for proper sorting. - - debian/libapparmor1.symbols: created initial symbols file. - - debian/apparmor-docs.doc-base: include doc-base details for techdoc. - - debian/notify/90apparmor-notify: use new command name. - - lib/apparmor/functions: use LC_COLLATE=C for proper sorting. - - -- Kees Cook Thu, 04 Nov 2010 18:06:34 -0700 - -apparmor (2.5.1-0ubuntu4) natty; urgency=low - - * debian/patches/0004-ubuntu-abstractions-updates.patch: updated to add - /usr/bin/emacs-snapshot-gtk PUxr - * debian/patches/0009-sensible-browser-pix.patch: use Pix for - sensible-browser - * debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if - the AppArmor securityfs introspection directory is not mounted, as - is the case on Ubuntu buildds. - - -- Jamie Strandboge Tue, 02 Nov 2010 12:17:21 -0500 - -apparmor (2.5.1-0ubuntu3) natty; urgency=low - - * debian/control: use the correct version for Conflicts/Replaces - - -- Jamie Strandboge Tue, 19 Oct 2010 19:53:26 -0500 - -apparmor (2.5.1-0ubuntu2) natty; urgency=low - - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. Patch by Marc Deslauriers. - (LP: #539441) - - -- Jamie Strandboge Tue, 19 Oct 2010 15:44:43 -0500 - -apparmor (2.5.1-0ubuntu1) natty; urgency=low - - * New upstream release (LP: #660077) - - The following patches were refreshed: - + 0001-fix-release.patch - + 0003-local-includes.patch - + 0008-lp648900.patch: renamed as 0005-lp648900.patch - - The following patches were dropped (included upstream): - + 0005-lp601583.patch - + 0006-network-interface-enumeration.patch - + 0007-gnome-updates.patch - * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head - of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211) - * debian/patches/0007-honor-cflags.patch: have the parser makefile honor - CFLAGS environment variable. Brings back missing symbols for the retracer - * debian/patches/0008-lp652674.patch: fix warnings for messages without - denied or requested masks (LP: #652674) - * debian/apparmor.init: fix path to aa-status (LP: #654841) - * debian/apport/source_apparmor.py: apport hook should use - root_command_hook() for running apparmor_status (LP: #655529) - * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber - cmdline details (LP: #657091) - - -- Jamie Strandboge Fri, 15 Oct 2010 12:23:00 -0500 - -apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low - - * abstractions/ubuntu-email: adjustment for ever-changing thunderbird path - (LP: #648900) - - -- Jamie Strandboge Mon, 27 Sep 2010 09:00:06 -0500 - -apparmor (2.5.1~rc1-0ubuntu1) maverick; urgency=low - - [ Jamie Strandboge ] - * New upstream RC release (revision 1413). In addition to getting the tools - to work with the maverick kernel, this update fixes: - - LP: #619521 - - LP: #633369 - - LP: #626451 - - LP: #581525 - - LP: #623467 (link and unlink still need to be addressed) - * Dropped the following patches, included upstream: - - 0002-lp615177.patch - - 0004-ubuntu-pux.patch - - 0006-kde4-config-pux.patch - - 0007-lp605835.patch - - 0012-lp625041.patch - - 0013-lp623586.patch - * Update the following patches: - - rename 0010-fix-release.patch as 0001-fix-release.patch since this will - likely always need to be here - - rename 0005-add-chromium-browser.patch as - 0002-add-chromium-browser.patch - - rename 0001-local-includes.patch as 0003-local-includes.patch and update - to use r1493 (from trunk) of local/README file. This can be dropped in - 2.6. - - collect the ubuntu abstractions updates pulled from trunk into - 0004-ubuntu-abstractions-updates.patch. This can be dropped in 2.6. - - rename 0008-lp601583.patch as 0005-lp601583.patch. This can be dropped - in 2.5.1 final. - * fix up some lintian warnings: - - debian/control: - + don't use 'Section' in apparmor-notify, since it is the same as the - source - + updates Standards-Version to 3.9.1 - + add ${misc:Depends} to libapparmor-dev and apparmor-notify - - add debian/source/format - - debian/libapache2-mod-apparmor.postrm: use #DEBHELPER# - - debian/libapache2-mod-apparmor.preinst: use #DEBHELPER# - - add debian/watch - * debian/notify/notify.conf: set show_notifications="yes" by default - * debian/patches/0006-network-interface-enumeration.patch: allow network - interface enumeration. This can be dropped in 2.5.1 final. - * debian/patches/0007-gnome-updates.patch: update for font/icon/mime - locations in current gnome. This can be dropped in 2.5.1 final. - - [ Kees Cook ] - * debian/apparmor.init: rename "stop" to "teardown", drop caches on - "stop" and warn about the dangers of "teardown". - - -- Jamie Strandboge Fri, 10 Sep 2010 11:07:19 -0500 - -apparmor (2.5.1~pre1393-0ubuntu6) maverick; urgency=low - - * debian/profiles/chromium-browser: updated to have the proper path to - local/ - * debian/patches/0011-lp514356+573344+593413.patch: browser abstraction - updates for /net, kmozillahelper and gnome-appearance-properties - (LP: #593413, LP: #514356, LP: #573344) - * debian/patches/0012-lp625041.patch: add sensible-browser (LP: #625041) - * debian/patches/0013-lp623586.patch: allow access to ghostscript fonts when - not using defoma (LP: #623586) - - -- Jamie Strandboge Fri, 03 Sep 2010 07:39:31 -0500 - -apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low - - * debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs - abstraction (LP: #605835) - * debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm - (LP: #601583) - * debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction - and have ubuntu-browsers.d/multimedia use it (LP: #565753) - * debian/apparmor.config: don't try to read in the existing value from - /etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is - in debconf. (LP: #561694) - * add aa-update-browser for giving a programmatic way to update browser - profiles to use browser abstractions - - add debian/aa-update-browser - - add debian/aa-update-browser.8 - - debian/rules: install aa-update-browser* - * debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java - child profile names - * debian/patches/0010-fix-release.patch: update common/Make.rules to use - lsb_release - - -- Jamie Strandboge Wed, 11 Aug 2010 09:24:23 -0500 - -apparmor (2.5.1~pre1393-0ubuntu4) maverick; urgency=low - - * debian/patches/0001-local-includes.patch: updated to adjust local/README - to have upstream clarifications - * debian/patches/0003-ubuntu-browsers-d.patch: add ubuntu-browsers.d/* - abstractions - * debian/patches/0004-ubuntu-pux.patch: use 'PUx' instead of 'Ux' in - abstractions/ubuntu-* - * add chromium-browser profile. All this can be removed once - chromium-browser ships its own profile: - - debian/patches/0005-add-chromium-browser.patch: add preliminary - profiles/apparmor.d/usr.bin.chromium-browser - - debian/profiles/chromium-browser: added for use with ubuntu-browsers.d - - debian/rules: ship debian/profiles/chromium-browser in apparmor-profiles - * don't make /etc/apparmor.d/local/* from apparmor-profiles conffiles - - debian/control: Build-Depends on debhelper 7.4.20ubuntu5 - - debian/rules: use dh_apparmor instead of shipping the files as conffiles - - debian/apparmor-profiles.postinst: move DEBHELPER before initscript - reload - - debian/apparmor-profiles.postrm: added to remove chromium-browser config - file - * debian/patches/0006-kde4-config-pux.patch: remove kde4-config from kde - abstraction and add it to kde ubuntu-browsers abstraction - - -- Jamie Strandboge Tue, 10 Aug 2010 14:31:32 -0500 - -apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low - - * debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too - strict for /tmp/ and /var/tmp/ (LP: #615177) - - -- Jamie Strandboge Mon, 09 Aug 2010 10:17:05 -0500 - -apparmor (2.5.1~pre1393-0ubuntu2) maverick; urgency=low - - * debian/rules: move local/usr.lib.apache2.mpm-prefork.apache2 to - libapache2-mod-apparmor - - -- Jamie Strandboge Fri, 06 Aug 2010 13:38:59 -0500 - -apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low - - * Update to upstream bzr revision 1393 from lp:apparmor/2.5. - * add dbus-session abstraction (LP: #566207) - * require owner in user-tmp abstraction (LP: #578922) - * don't use uninitialized $opt_s (LP: #582075) - * allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462) - * allow gmplayer in abstractions/ubuntu-media-players (LP: #591421) - * debian/control: updated branches. - * debian/patches/0001-local-includes.patch: backported patch from trunk to - allow local administrators to customize their profiles without modifying - a shipped profile - * debian/rules: - - don't pass RELEASE to libapparmor's 'make install' as it breaks the - build and isn't used by the Makfile anyway - - install apparmor.d/local/README in apparmor, not apparmor-profiles - - don't install apparmor.d/local/usr.sbin.ntpd - * Drop the following patches already included upstream: - - 0001-lp538561.patch - - 0002-aalogprof-warnings.patch - - 0003-fix-memleaks.patch - - 0004-lp549557.patch - - 0005-lp538661.patch - - 0006-lp611248.patch - - -- Jamie Strandboge Thu, 05 Aug 2010 16:10:46 -0500 - -apparmor (2.5-0ubuntu4) maverick; urgency=low - - * debian/patches/0006-lp611248.patch: allow access to gdk-pixbuf loaders - LP: #611248 - - -- Jamie Strandboge Tue, 03 Aug 2010 09:32:10 -0500 - -apparmor (2.5-0ubuntu3) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/lp-549557.patch: have apparmor_notify deal with log file - rotation. (LP: #549557) - * debian/notify/notify.conf: set show_notifications="yes" - * debian/patches/0005-lp538661.patch: adjust php5 abstraction for cgi config - file path and extensions (LP: #538661) - - [ Kees Cook ] - * debian/apparmor.functions: do not load in parallel, this is causing - weird side-effects. - - -- Jamie Strandboge Tue, 30 Mar 2010 11:31:49 -0500 - -apparmor (2.5-0ubuntu2) lucid; urgency=low - - [ Jamie Strandboge ] - * debian/patches/0001-lp538561.patch: add 'k' to /var/lib/samba/**.tdb in - the samba abstraction (LP: #538561) - - [ Marc Deslauriers ] - * debian/patches/0002-aalogprof-warnings.patch: get rid of warnings when - aa-logprof is run. - * debian/{rules,control}: move apache2 abstractions into the base package - so we can put apache2 profiles into the -profiles package without - aa-logprof bailing out. (LP: #539441) - * debian/patches/0003-fix-memleaks.patch: include a couple of leak - patches from upstream. - - -- Marc Deslauriers Fri, 26 Mar 2010 11:39:18 -0400 - -apparmor (2.5-0ubuntu1) lucid; urgency=low - - * New upstream release. - * debian/control: updated branches. - * debian/copyright: updated download locations. - * debian/rules: drop unneeded build variables. - * common/Make.rules: set distributor. - - -- Kees Cook Thu, 11 Mar 2010 00:08:08 -0800 - -apparmor (2.5~pre+bzr1367-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1367 - * debian/notify/90apparmor-notify: sleep for 60 seconds for boot speed and - to make sure that X is all the way up so the notifications look pretty - - -- Jamie Strandboge Mon, 08 Mar 2010 13:53:50 -0600 - -apparmor (2.5~pre+bzr1364-0ubuntu1) lucid; urgency=low - - * Update to upstream bzr revision 1364. - * debian/apparmor.functions: ignore .dpkg-bak files when loading too. - - -- Kees Cook Wed, 17 Feb 2010 13:36:21 -0800 - -apparmor (2.5~pre+bzr1362-0ubuntu2) lucid; urgency=low - - * debian/apparmor.postinst: on upgrades, prepopulate apparmor/homedirs - if it is not preseeded. Will check /etc/passwd for UIDs >= 1000 and - < 30000 for unique dirnames of home directories that are not /home. Fully - resolves (LP: #447292) - - -- Jamie Strandboge Wed, 17 Feb 2010 09:42:55 -0600 - -apparmor (2.5~pre+bzr1362-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1362. - - This release includes DFA minimization, transition table compression, - and improved partitioning performance (LP: #503869). - - drop 0001-tunable-alias.patch, now upstream. - * debian/apparmor.postinst: update home.d template to note the trailing - slash, even if the debconf template mentions it too. - * debian/apparmor.functions: go fully parallel with parsing to use all - CPUs in the case of needing to regenerate caches. - * debian/rules: enable library testsuite during build. - * debian/control: add dejagnu for library testsuite. - * debian/{rules,control}: use chrpath to drop rpath in libapparmor-perl. - - [ Jamie Strandboge ] - * debian/control: add apparmor-notify - * add debian/notify/notify.conf - * add debian/notify/90apparmor-notify - * add debian/apparmor-notify.install: install notify.conf to /etc/apparmor - and 90apparmor-notify to /etc/X11/Xsession.d - * debian/rules: - - remove upstream notify.conf since we will install our own via debhelper - - move apparmor_notify script and man pages to apparmor-notify - - -- Kees Cook Sat, 13 Feb 2010 12:19:30 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu4) lucid; urgency=low - - * 0001-tunable-alias.patch: backport r1330 to make it easier for people - to use AppArmor's alias rules (LP: #160002) - - -- Jamie Strandboge Mon, 11 Jan 2010 14:31:06 -0600 - -apparmor (2.3.1+bzr1312-0ubuntu3) lucid; urgency=low - - * debian/apparmor.{init,functions}: - - add "recache" argument to init script for liveCD cache generation. - - skip start/stop/reload when running on liveCD. - - -- Kees Cook Fri, 08 Jan 2010 08:39:14 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu2) lucid; urgency=low - - * debian/rules: disable profiling support for released version. - - -- Kees Cook Wed, 06 Jan 2010 16:57:58 -0800 - -apparmor (2.3.1+bzr1312-0ubuntu1) lucid; urgency=low - - [ Kees Cook ] - * Update to upstream bzr revision 1312. - * debian/apparmor.postrm: fix comment typo. - * debain/rules: switch to bzr for upstream versioning. - * debian/rules: install apache2-* abstractions into apache2-mod package. - * drop debian/patches/0001-likewise-home-tunables.patch: this is causing - too much time in the parser (see LP 503869). The default install is - suffering, so move this configuration to likewise-open (see LP 274350). - - [ Jamie Strandboge ] - * debian/rules: - - don't ship tunables/home.d/site.local - - correct path for moving apache2 abstraction - * add debconf question for adjusting HOMEDIRS (LP: #447292) - - add debian/apparmor.config - - debian/apparmor.postinst: query debconf and adjust - tunables/home.d/ubuntu - - debian/apparmor.postrm: on purge, remove tunables/home.d/ubuntu and run - db_purge - - debian/control: Build-Depends on po-debconf and have apparmor Depends on - debconf - - add debian/po/* - - debian/rules: use dh_installdebconf -papparmor - - added debian/templates - - -- Kees Cook Wed, 06 Jan 2010 15:51:33 -0800 - -apparmor (2.3.1+1403-0ubuntu31) lucid; urgency=low - - * Remove initramfs hooks, as early profile loading is handled - on a service-by-service basis with Upstart jobs now. - - -- Kees Cook Fri, 04 Dec 2009 13:22:04 -0800 - -apparmor (2.3.1+1403-0ubuntu30) lucid; urgency=low - - [ Jamie Strandboge ] - * convert to using quilt - - debian/control: Build-Depends on quilt - - add debian/README.source - - debian/rules: include /usr/share/quilt/quilt.make and adjust - targets for patching - * debian/patches/0001-likewise-home-tunables.patch: tunables/home: add - /home/likewise-open/*/ to HOMEDIRS (LP: #274350) - * Merge to upstream bzr rev 1308. - - really add chromium-browser (LP: #488559) - - add official google-chrome (LP: #481661) - - [ Kees Cook ] - * parser/parser_main.c: use nanosec ctime resolution when checking - cache file times. - * parser/tst/caching.sh: add tests for cache use based on timestamps. - - -- Jamie Strandboge Fri, 04 Dec 2009 11:11:01 -0600 - -apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low - - * parser/Makefile: generate af_names.h based on bits/socket.h since - linux/socket.h no longer has what we need (LP: #474751) - * usr.sbin.dnsmasq: fully address LP: #445818 - - more pidfile refinements - - allow access to /var/run/dnsmasq - - allow access to /etc/dnsmasq.d - - allow dac_override so it can write its pidfile - * abstractions/ubuntu-browsers: add chromium-browser - - -- Jamie Strandboge Wed, 04 Nov 2009 17:07:23 -0600 - -apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low - - [ Jamie Strandboge ] - * update skype profile in extras. Based on work by Андрей Калинин. - (LP: #226624) - * abstractions/ubuntu-browsers: add opera and icecat (LP: #432778) - * abstractions/ubuntu-browsers: add epiphany (epiphany-browser and - epiphany-webkit were already present, but the recent changes in - epiphany packaging require /usr/bin/epiphany) (LP: #472952) - * usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818) - * abstractions/gnome: allow access to ~/.themes (LP: #460125) - * abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config - (LP: #447006) - - [ Marc Deslauriers ] - * utils/Subdomain.pm: don't skip reading profiles that are also in the - cache directory (LP: #446449) - * utils/Subdomain.pm: correctly parse PUxr modes - * utils/Subdomain.pm: support include directories - - -- Jamie Strandboge Wed, 04 Nov 2009 11:02:27 -0600 - -apparmor (2.3.1+1403-0ubuntu27) karmic; urgency=low - - * utils/SubDomain.pm: handle new format "null" log entries (LP: #446524) - - -- Marc Deslauriers Fri, 16 Oct 2009 14:40:04 -0400 - -apparmor (2.3.1+1403-0ubuntu26) karmic; urgency=low - - * abstractions/ubuntu-browsers: add Dooble - * abstractions/ubuntu-browsers: add chromium (LP: #448812) - * abstractions/gnome: add read for /etc/orbitrc - * abstractions/audio: add read for /etc/pulse/* for when ~/.pulse/* doesn't - exist and these files are used for fallback - - -- Jamie Strandboge Wed, 14 Oct 2009 07:59:03 -0500 - -apparmor (2.3.1+1403-0ubuntu25) karmic; urgency=low - - * Do not use tools in /usr during initial start-up (LP: #439726). - - -- Kees Cook Fri, 02 Oct 2009 16:52:04 -0700 - -apparmor (2.3.1+1403-0ubuntu24) karmic; urgency=low - - * abstractions/X: allow mouse themes (LP: #438051) - - -- Jamie Strandboge Thu, 01 Oct 2009 16:07:25 -0500 - -apparmor (2.3.1+1403-0ubuntu23) karmic; urgency=low - - [ Kees Cook ] - * Really fix quiet mode in initramfs (LP: #435285). - * Handle older kernel versions when loading profiles (LP: #429872): - - parser/parser_{interface,main}.c: detect kernel version and downgrade. - - debian/apparmor.functions, parser/parser_main.c: keep kernel features - recorded in cache directory. - - parser/parser_{interface,main}.c: add --skip-kernel-load for testing. - - parser/tst/caching.*: add caching tests. - [ Jamie Strandboge ] - * abstractions/audio: add a few more files for pulseaudio - - -- Kees Cook Fri, 25 Sep 2009 09:54:01 -0700 - -apparmor (2.3.1+1403-0ubuntu22) karmic; urgency=low - - * Do not run AppArmor on the LiveCD, again (LP: #131976). - * More aggressively stay quiet when booting in quiet mode (LP: #435285). - - -- Kees Cook Wed, 23 Sep 2009 15:40:22 -0700 - -apparmor (2.3.1+1403-0ubuntu21) karmic; urgency=low - - * debian/apparmor.{init-bottom,functions,initramfs}: perform initial - apparmor rule loading in initramfs. - - -- Kees Cook Mon, 21 Sep 2009 14:16:26 -0700 - -apparmor (2.3.1+1403-0ubuntu20) karmic; urgency=low - - * added disabled apache2 profile (FFE LP: #430812): - - add profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2: new - apache2 profile - - add profiles/apparmor.d/apache2.d/phpsysinfo: example profile for the - phpsysinfo application - - profiles/Makefile: handle the apache2.d directory - - add debian/libapache2-mod-apparmor.postinst: reload apparmor after - installation since we now ship a profile in this package - - add debian/libapache2-mod-apparmor.preinst: disable apache2 profile - if the user does not already have a profile defined - - add debian/libapache2-mod-apparmor.postrm: remove disabled symlink - on purge - - debian/rules: move apache2 profile to the libapache2-mod-apparmor - package and create apache2.d directory - * utils/SubDomain.pm: handle "open" log entries (LP: #427966) - * added ouid parsing support (LP: #431929): - - libraries/libapparmor/testsuite/test_multi.c - - libraries/libapparmor/src/{scanner.l,grammar.y,aalogparse.h, - libaalogparse.c} - - -- Marc Deslauriers Sat, 19 Sep 2009 09:32:02 -0400 - -apparmor (2.3.1+1403-0ubuntu19) karmic; urgency=low - - [ Jamie Strandboge ] - * abstractions/fonts: allow links in @{HOME}/.fontconfig/** - - [ Kees Cook ] - * debian/apparmor.init: expect that the securityfs is mounted, and only - test for the mounted filesystem against the type column when it is not - found. - - -- Kees Cook Wed, 09 Sep 2009 11:42:07 -0700 - -apparmor (2.3.1+1403-0ubuntu18) karmic; urgency=low - - * added the following abstractions: - - ubuntu-browsers: Ux transitions to graphical browsers - - ubuntu-console-browsers: Ux transitions to text-mode browsers - - ubuntu-console-email: Ux transitions to text-mode email clients - - ubuntu-email: Ux transitions to graphical email clients - - ubuntu-gnome-terminal: ix transition for gnome-terminal - - ubuntu-konsole: ix transition for konsole - - ubuntu-xterm: ix transition for xterm - - -- Jamie Strandboge Thu, 03 Sep 2009 11:57:39 -0500 - -apparmor (2.3.1+1403-0ubuntu17) karmic; urgency=low - - * abstractions/base: workaround for ecryptfs and apparmor by allowing - 'owner' match for files in .Private. (LP: #359338) - - -- Jamie Strandboge Mon, 31 Aug 2009 15:38:54 -0500 - -apparmor (2.3.1+1403-0ubuntu16) karmic; urgency=low - - * profiles/apparmor.d/*dovecot*: add first-pass at complain-only - profiles for basic dovecot operation. - - -- Kees Cook Wed, 26 Aug 2009 15:19:46 -0700 - -apparmor (2.3.1+1403-0ubuntu15) karmic; urgency=low - - * utils/SubDomain.pm: don't abort when an include file only contains - hats (LP: #400367) - - -- Marc Deslauriers Wed, 26 Aug 2009 11:35:58 -0400 - -apparmor (2.3.1+1403-0ubuntu14) karmic; urgency=low - - * Pull upstream changes for 64bit capabilities (svn 1427, 1437, 1438). - * Pull upstream changes for pux exec mode (svn 1439). - * debian/apparmor.init: "find" -name is not brace-aware (LP: #418364). - - -- Kees Cook Mon, 24 Aug 2009 18:01:05 -0700 - -apparmor (2.3.1+1403-0ubuntu13) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_main.c: add --skip-read-cache to force reading of - uncached profiles while still allowing for --write-cache to work. - * parser/apparmor_parser.pod: add all missing option documentation. - - [ Jamie Strandboge ] - * abstractions/kde: update for kde4 - - -- Jamie Strandboge Wed, 19 Aug 2009 12:07:06 -0500 - -apparmor (2.3.1+1403-0ubuntu12) karmic; urgency=low - - * abstractions/base: add more locale paths (LP: #413454) - - -- Jamie Strandboge Fri, 14 Aug 2009 07:31:03 -0500 - -apparmor (2.3.1+1403-0ubuntu11) karmic; urgency=low - - * utils/enforce: remove /etc/apparmor.d/disable/ symlink - LP: #413153 - * debian/rules: don't install usr.sbin.ntpd or tunables/ntpd. Can remove - this when we create a new orig.tar.gz - - -- Jamie Strandboge Wed, 12 Aug 2009 10:04:34 -0500 - -apparmor (2.3.1+1403-0ubuntu10) karmic; urgency=low - - * remove apparmor.d/usr.sbin.ntpd and apparmor.d/tunables/ntpd since ntpd - will begin shipping its own profile - - -- Jamie Strandboge Wed, 12 Aug 2009 10:02:53 -0500 - -apparmor (2.3.1+1403-0ubuntu9) karmic; urgency=low - - * Revert 64-bit capabilities (LP: #408773). - - -- Kees Cook Tue, 04 Aug 2009 11:51:27 +0100 - -apparmor (2.3.1+1403-0ubuntu8) karmic; urgency=low - - * Update to upstream subversion r1431. - - change_profile can use regex (LP: #390810, #401931) - * debian/apparmor.init: always clear cache on reload. - - -- Kees Cook Mon, 03 Aug 2009 07:46:33 -0700 - -apparmor (2.3.1+1403-0ubuntu7) karmic; urgency=low - - * profiles/apparmor.d/abstractions/base: add /proc/sys/crypto (LP: #392337). - - -- Kees Cook Sat, 25 Jul 2009 09:04:46 -0700 - -apparmor (2.3.1+1403-0ubuntu6) karmic; urgency=low - - [ Kees Cook ] - * parser/parser_policy.c: return errors instead of exiting. - * debian/apparmor.init: skip more suffixes. - * parser/parser_lex.l: define file suffixes to ignore. - * parser/parser_main.c: disable cache for parsing reports. - * debian/apparmor.init: also remove unparsed profiles. - - [ Jamie Strandboge ] - * update gnome abstraction for /var/run/gdm/auth*/database - * utils/SubDomain.pm: parse profiles in subdirectories, not just include - files (LP: #401935) - - -- Jamie Strandboge Mon, 20 Jul 2009 11:45:24 -0500 - -apparmor (2.3.1+1403-0ubuntu5) karmic; urgency=low - - * Always use --replace when loading profiles so that if profiles - are loaded outside of the init script (e.g. dhcp3), the init - script does not abort (LP: #401109). - * parser/parser_main.c: more carefully create cache files. - - -- Kees Cook Sun, 19 Jul 2009 07:48:11 -0700 - -apparmor (2.3.1+1403-0ubuntu4) karmic; urgency=low - - * utils/SubDomain.pm: exclude new cache directory. - * parser/parser_main.c: - - allow OPTION_REMOVE to work again (LP: #400781). - - warn about using stdin. - - do not cache disabled profiles. - - report cached loading if not quiet. - * debian/apparmor.init: - - do not depend on aa-status. - - only write cache from init script. - - -- Kees Cook Fri, 17 Jul 2009 10:10:05 -0700 - -apparmor (2.3.1+1403-0ubuntu3) karmic; urgency=low - - * debian/apparmor.init: more cleanly handle disabled AppArmor. - - -- Kees Cook Fri, 17 Jul 2009 00:12:19 -0700 - -apparmor (2.3.1+1403-0ubuntu2) karmic; urgency=low - - * improve profile loading speed (LP: #382944): - - parser/parser_lex.l: move include handling into flex parser. - - parser/parser_main.c: - - move disable/complain logic into loader. - - add binary caching. - - debian/apparmor.init: reduce to bare minimum. - - -- Kees Cook Wed, 15 Jul 2009 17:05:49 -0700 - -apparmor (2.3.1+1403-0ubuntu1) karmic; urgency=low - - [ Kees Cook ] - * New upstream bundle (svn1403). - * debian/apparmor.init: add specific Start/Stop dependencies - (LP: #372441). - * debian/control: correctly use lsb-base not sysv for Depends. - - [ Jamie Strandboge ] - * add abstractions/launchpad-integration - * abstractions/audio: add pulseaudio - * add abstractions/private-files* for explicitly denying access to sensitive - files. - - -- Kees Cook Fri, 10 Jul 2009 08:37:54 -0700 - -apparmor (2.3+1289-0ubuntu15) karmic; urgency=low - - * Depend on upstart 0.6.0 which contains upstart-compat-sysv now - - -- Scott James Remnant Fri, 10 Jul 2009 10:28:45 +0100 - -apparmor (2.3+1289-0ubuntu14) jaunty; urgency=low - - * abstractions/smbpass: Add *.ldb used in Samba 3.2 and above (LP: #357581) - - -- Thierry Carrez Wed, 08 Apr 2009 13:42:21 +0200 - -apparmor (2.3+1289-0ubuntu13) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/gnome: allow /proc/$pid/mounts for gvfs. - * abstractions/python: clean up allowed paths (LP: #350820), thanks to - Jonathan Davies. - - [ Jamie Strandboge ] - * abstractions/user-tmp: allow 'k' for files in tmp dirs (LP: #351275) - - -- Jamie Strandboge Tue, 31 Mar 2009 09:57:57 -0500 - -apparmor (2.3+1289-0ubuntu12) jaunty; urgency=low - - * expand allowed library paths to handle unexpected architectures - (LP: #349819). - - -- Kees Cook Fri, 27 Mar 2009 13:48:11 -0700 - -apparmor (2.3+1289-0ubuntu11) jaunty; urgency=low - - * fix path to winbindd_privileged/pipe in winbind abstraction (LP: #348541) - - -- Jamie Strandboge Fri, 27 Mar 2009 08:29:13 -0500 - -apparmor (2.3+1289-0ubuntu10) jaunty; urgency=low - - * utils/SubDomain.pm: - - teach utils about rearranged syslog audit messages (LP: #340183) - from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1393 - - fix corruption of profiles, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1354 - - don't ask about networking events over and over again, from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1296 - - use apparmor logdir instead of /tmp to write debugging log - - -- Steve Beattie Thu, 19 Mar 2009 03:05:07 -0700 - -apparmor (2.3+1289-0ubuntu9) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/base: allow /proc/$pid/maps (LP: #343287). - * abstractions/*: clean up lib, lib32, lib64 semantics (LP: #342200). - * abstractions/nameservice: fix up paths for nscd (LP: #342198). - * parser/rc.apparmor.functions, debian/apparmor.init: LSB-ify startup - messages (LP: #295200). - - [ Steve Beattie ] - * libapparmor/src/scanner.l: adjust lexer to fix matching updated audit - messages (LP: #340183) from upstream commit - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1389 - * debian/source_apparmor.py: add a per-package apport hook (LP: #342554). - - -- Kees Cook Wed, 18 Mar 2009 21:18:01 -0700 - -apparmor (2.3+1289-0ubuntu8) jaunty; urgency=low - - * abstractions/ssl_keys: allow read access to all of /etc/ssl (LP: #317109) - * utils/SubDomain.pm: re-add dropped patch to not process disable/ as - include files, and also don't process force-complain/ (LP: #331534) - - -- Jamie Strandboge Thu, 12 Mar 2009 12:53:08 -0500 - -apparmor (2.3+1289-0ubuntu7) jaunty; urgency=low - - * abstractions/dbus: add machine-id - * abstractions/audio: add libcanberra paths - * abstractions/freedesktop.org: add user-dirs.dirs - - -- Jamie Strandboge Thu, 12 Feb 2009 11:28:15 -0600 - -apparmor (2.3+1289-0ubuntu6) jaunty; urgency=low - - [ Kees Cook ] - * abstractions/X: add DRI paths. - * parser/Makefile: blacklist AF_PHONET. - - [ Jamie Strandboge ] - * update usr.sbin.smbd profile to write to /var/lib/samba/** and - read/write to /var/run/dbus/system_bus_socket (LP: #294802) - * abstractions/freedesktop.org: use /usr/share/mime/**, @{HOME}/.icons/, - and @{HOME}/.recently-used.xbel* - * abstractions/gnome: add gvfs remote-volume-monitors paths and printing - files - - -- Kees Cook Mon, 22 Dec 2008 17:20:10 -0800 - -apparmor (2.3+1289-0ubuntu5) jaunty; urgency=low - - * abstractions/nameservice: allow read access to - /etc/resolvconf/run/resolv.conf (LP: #286080) - * adjust src/grammar.y and src/scanner.l to account for the moved type=NNNN - field in 2.6.27 kernels and capture non-matching logfile input instead of - printing it to stdout (LP: #271252). Patch thanks to Jesse Michael and - Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1310 - * add syslog test cases to testsuite. Patch thanks to Steve Beattie. - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1307 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1308 - - https://forgesvn1.novell.com/viewsvn/apparmor?view=rev&revision=1309 - - -- Jamie Strandboge Tue, 21 Oct 2008 09:09:58 -0500 - -apparmor (2.3+1289-0ubuntu4) intrepid; urgency=low - - * parser/rc.apparmor.functions: fix typo seen when admin changes - the default location of the apparmor.d directory (LP: #280467). - * abstractions/{samba,base}: clean up unneeded "m" permissions. - * abstractions/perl: add missing default perl paths. - - -- Kees Cook Wed, 08 Oct 2008 16:42:10 -0700 - -apparmor (2.3+1289-0ubuntu3) intrepid; urgency=low - - * add locking permission to /var/log/wtmp abstraction, thanks to - Martin Pitt (LP: #253328). - * utils/logprof.conf: repository updated for Intrepid (LP: #258818). - * profiles/apparmor.d/usr.sbin.nscd: added cache directory (LP: #144383). - * parser/rc.apparmor.functions: redirect stderr (LP: #244013). - * parser/Makefile: blacklist "AF_ISDN". - - -- Kees Cook Wed, 30 Jul 2008 09:29:03 -0700 - -apparmor (2.3+1289-0ubuntu2) intrepid; urgency=low - - [ Mathias Gug ] - * debian/control: - - move apparmor-profiles to a suggested package by apparmor. - - [ Kees Cook ] - * debian/control - - move libterm-readline-gnu-perl to "suggests". - - drop apparmor-modules-source since it no longer exists. - - -- Kees Cook Wed, 02 Jul 2008 12:35:12 -0700 - -apparmor (2.3+1289-0ubuntu1) intrepid; urgency=low - - * Updated to upstream subversion v1289. - - new parser requires new AppArmor kernel LSM. - * debian/control: - - add libapparmor-perl, and associated Depends - - bump standards version to 3.7.3.0 (no changes needed) - * debian/rules: - - adjust "clean" rule to be more effective. - - -- Kees Cook Sat, 28 Jun 2008 15:38:12 -0700 - -apparmor (2.1+1075-0ubuntu10) intrepid; urgency=low - - [ Jamie Strandboge ] - * added abstractions/smbpass and #include it in abstractions/authentication - to allow access to /var/lib/samba/*.tdb. LP: #217787 - - [ Mathias Gug ] - * update likewise-open authentication abstraction: allow access to - privileged pipe (LP: #235646). - * Update smbd profile to include access to /var/spool/samba/ (printer - sharing) and utmp update (LP: #237066). - * Update esound location in audio profile (LP: #229127). - Thanks to Adam Mondl. - * Add dnsmasq profile (LP: #148590). Thanks to John Dong. - - -- Mathias Gug Mon, 09 Jun 2008 18:24:09 -0400 - -apparmor (2.1+1075-0ubuntu9) hardy; urgency=low - - * parser/rc.apparmor.functions: do not abort if parser is missing, in - the case of an unpurged "apparmor" init script running under SELinux. - - -- Kees Cook Mon, 07 Apr 2008 13:25:06 -0700 - -apparmor (2.1+1075-0ubuntu8) hardy; urgency=low - - * Sync bugfixes from upstream 8.04 branch, svn 1161. - - documentation updated to reflect AppArmor 2.1 features. - - minor profile updates (nscd, ntpd, opera) - - util/SubDomain.pm: corrected mask merging and type detection. - - -- Kees Cook Wed, 02 Apr 2008 15:48:58 -0700 - -apparmor (2.1+1075-0ubuntu7) hardy; urgency=low - - * profiles/apparmor.d/abstractions/nameservice: (LP: #207912) - - fix ldap path - - add nsswitch "db" backend paths - - -- Kees Cook Thu, 27 Mar 2008 14:19:06 -0700 - -apparmor (2.1+1075-0ubuntu6) hardy; urgency=low - - [ Kees Cook ] - * utils/SubDomain.pm: - - fix up mask parsing to match kernel version (LP: #202920). - - fix up syslog parsing regexp to match broken kernels (LP: #202888). - * profiles/apparmor.d/abstractions/base: add licenses path for reading. - * profiles/apparmor.d/abstractions/freedesktop.org: include /usr/local. - * profiles/apparmor.d/usr.sbin.smbd: include print client abstraction. - * profiles/apparmor.d/abstractions/nameservice: include missing gai.conf - (LP: #202991). - - [ Jamie Strandboge ] - * add Debian Policy compliant way to toggle complain mode (LP: #203137) - - parser/rc.apparmor.functions: add '-C' to PARSER_ARGS if - force-complain/ exists - - utils/enforce: remove symlink in force-complain/ - - debian/rules: create /etc/apparmor.d/force-complain - - -- Kees Cook Mon, 17 Mar 2008 10:28:23 -0700 - -apparmor (2.1+1075-0ubuntu5) hardy; urgency=low - - * profiles/apparmor.d/abstractions/python: update shared python locations. - * debian/control: adjust Depends to allow sysvinit (LP: #199871). - - -- Kees Cook Tue, 11 Mar 2008 15:25:11 -0700 - -apparmor (2.1+1075-0ubuntu4) hardy; urgency=low - - [ Jamie Strandboge ] - * removed usr.sbin.named and usr.sbin.mysqld, as these will be provided - be bind9 and mysql-server-5.0, respectively. - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/ssl_keys: add ssl_keys abstraction, to - be used by profiles accessing ssl privates keys. - - [ Rick Clark ] - * added abstraction for likewise-open. - - -- Mathias Gug Wed, 13 Feb 2008 19:16:12 -0500 - -apparmor (2.1+1075-0ubuntu3) hardy; urgency=low - - * profiles/apparmor.d/abstractions/fonts: add missing ~/.fonts.conf - * profiles/apparmor.d/sbin.klogd: add newly needed @{PROC}/kallsyms - - -- Kees Cook Wed, 16 Jan 2008 14:16:18 -0800 - -apparmor (2.1+1075-0ubuntu2) hardy; urgency=low - - * utils/apparmor_status: fix module loaded test to handle built-in. - - -- Kees Cook Thu, 03 Jan 2008 17:24:40 -0800 - -apparmor (2.1+1075-0ubuntu1) hardy; urgency=low - - [ Mathias Gug ] - * profiles/apparmor.d/abstractions/nameservice: update nameservice - abstraction to support nscd setup. - - [ Kees Cook ] - * merge with upstream trunk revision 1075. - * debian/{control,apparmor.postrm,apparmor.postinst,apparmor.initramfs}: - dropped module hook since module is loaded in kernel automatically now. - * debian/rules: tweaked get-orig-source to use defined variables. - * debian/copyright: mention "get-orig-source" build rule. - * debian/{rules,control,libpam-apparmor.docs}: add libpam-apparmor now - that PAM is 0.99. - - -- Kees Cook Thu, 03 Jan 2008 13:29:31 -0800 - -apparmor (2.1+993-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Add mdns4 resolution to nameservice abstraction. (LP: #148579). - * Update syslog-ng profile. (LP: #148708). - * Add xen tls libraries to base abstraction. (LP: #150282). - * Update cups-client abstraction: add /var/run/cups/cups.sock. (LP: #151269) - - [ Kees Cook ] - * Adjust KDE abstractions for Ubuntu paths (LP: #148309). - - -- Kees Cook Fri, 12 Oct 2007 12:54:36 -0700 - -apparmor (2.1+993-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * debian/control: Set maintainer to Ubuntu Core Developers. - * utils/SubDomain.pm, utils/logprog.conf: refactor readprofiledir() to not - fail on non-existing profile directory. Fixes LP: #141128. - * debian/rules: don't compress profiles in doc/extras/. - * utils/SubDomain.pm: Fix regex so that aa-logprof can find audit messages - in syslog files. Fixes LP: #140508. - * Update usr.sbin.nscd profile. Fixes LP: #144383. - - [ Kees Cook ] - * abstractions/gnupg: drop bad attempt at general-purpose client rule. - * abstractions/fonts: adjust for new syntax, add more local fonts paths. - * abstractions/nameservice: add mmap permission to some /etc files. - - -- Kees Cook Tue, 25 Sep 2007 10:23:29 -0700 - -apparmor (2.1+993-0ubuntu1) gutsy; urgency=low - - * new merge from upstream: - * fixes to support new audit messages sent by the kernel module. - * bump in minor library version for libapparmor. - * debian/control: Add perl libterm-readkey-perl and librpc-xml-perl - dependencies for apparmor-utils. Fixes LP: #139757, LP: #139091. - * utils/SubDomain.pm: Re-enable RPC client for remote repositories. - * profiles/apparmor.d/sbin.syslogd: update profile. - Fixes LP: #140672, LP: #140274. - - -- Mathias Gug Tue, 18 Sep 2007 11:12:50 -0400 - -apparmor (2.1+961-0ubuntu5) gutsy; urgency=low - - * utils/SubDomain.pm, parser/rc.apparmor.functions: skip .dpkg-dist profiles. - * debian/rules, debian/apparmor.postinst: fix postinst script failure on - upgrades. Fix LP: #139683. - - -- Mathias Gug Fri, 14 Sep 2007 17:20:01 -0400 - -apparmor (2.1+961-0ubuntu4) gutsy; urgency=low - - [ Mathias Gug ] - * debian/rules: Fix libapparmor-dev build. - * apparmor-profiles: remove gnupg.moved. - - [ Kees Cook ] - * abstractions: adjust gnome for new syntax. - * abstractions: adjust aspell to add locking. - - -- Kees Cook Fri, 14 Sep 2007 09:34:15 -0700 - -apparmor (2.1+961-0ubuntu3) gutsy; urgency=low - - [ Mathias Gug ] - * Update avahi-daemon profile: add m permission to /etc/password and - /etc/group. - - [ Kees Cook ] - * Rename libapparmor1-dev back to libapparmor-dev. - - -- Kees Cook Thu, 13 Sep 2007 15:44:30 -0700 - -apparmor (2.1+961-0ubuntu2) gutsy; urgency=low - - [ Mathias Gug ] - * Disable html documentation: Fixes LP: #139091. - * parser/Makefile, debian/rules: disable html documentation building. - * debian/control: remove latex2html dependency. - * profiles/apparmor.d/usr.sbin.avahi-daemon: add sys_chroot capability. - Fixes LP: #139092. - - [ Kees Cook ] - * profiles/apparmor.d/abstractions/user-tmp: adjust directory permissions - for newly unmasked /tmp handling (LP: #138978). - * utils/SubDomain.pm: disable remote repositories until RPC::XML MIR - clears (LP: 139091). - * utils/*.pod: adjust for Ubuntu paths and "aa-" prefixes (LP: #116647). - * Fix upgrades to not unload profiles, which would cause programs to - become unconfined: - - debian/rules: don't stop apparmor on upgrades. - - debian/apparmor.postinst: reload profiles after a configure. - - -- Kees Cook Wed, 12 Sep 2007 13:14:02 -0700 - -apparmor (2.1+961-0ubuntu1) gutsy; urgency=low - - * New upstream version. - * Support resolvconf. Fix LP: #132468. - * Move package maintainance to bzr: - * Apply all patches directly into the tree with dpatch apply-all. - * debian/patches/: remove all patches as they are applied inline now. - * debian/control, debian/control.modules.in: remove dpatch from - Build Depends. - * debian/rules: - * remove dpatch include. - * remove patch and unpatch dependencies - * debian/control: - * Rename libapparmor-dev to libapparmor1-dev. - Add Provides: and Conflict: tags. - * Remove universe component in Section tag. - * Remove apparmor-utils depends on bsdutils. - * Update apparmor-modules Recommends to apparmor-modules-2.1. - * utils/: - * Add audit man page. - * Fix mod_appamor library: remove rpath info. - * debian/rules: remove rpath info. - * debian/control: add chrpath as a build dependency. - * Remove apparmor-modules-source package: - * debian/conrol: remove apparmor-modules-source package. - * debian/apparmor.postinst, debian/apparmor.preinst, - debian/apparmor.prerm: remove error_handler function. - * debian/rules: remove error_handler option from dh_installinit. - * debian/apparmor-modules-_KVERS_.postinst.modules.in, - debian/control.modules.in: remove control and postinst files. - - -- Mathias Gug Tue, 11 Sep 2007 10:44:56 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu25) gutsy; urgency=low - - * debian/rules: move tunables/ and abstractions/ in apparmor package. - Fixes LP: #130114. - - -- Mathias Gug Mon, 06 Aug 2007 14:40:37 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu24) gutsy; urgency=low - - * Cannot Depend on apparmor-modules-* in apparmor due to germinate - issues. Moved to Recommends. - - -- Kees Cook Mon, 23 Jul 2007 11:08:38 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu23) gutsy; urgency=low - - * debian/control: add explicit Depends on l-u-m apparmor kernel modules. - - -- Kees Cook Wed, 18 Jul 2007 21:07:03 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu22) gutsy; urgency=low - - * 13-subdomain.pm-skip-files.dpatch: update isSkippable function in - SubDomain.pm to skip the same files as rc.apparmor.functions (used by the - init script) : .dpkg-old, .dpkg-new and symlinks in disable/ - sub-directory. - - -- Mathias Gug Thu, 12 Jul 2007 06:56:45 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu21) gutsy; urgency=low - - * 07-apparmor-init-script.dpatch, debian/rules: skip profiles that have a - link in /etc/apparmor.d/disable. Update rules file : create - /etc/apparmor.d/disable. - - -- Mathias Gug Mon, 09 Jul 2007 11:07:29 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu20) gutsy; urgency=low - - * debian/control - - fix typo in XS-Vcs. - - adjust apparmor-modules-source to no longer be required and document - the fact that the modules come from the linux-ubuntu-modules package - now. - - add initramfs-tools for loading apparmor modules early. - * debian/apparmor.{initramfs,postinst,prerm}, debian/rules: install - initramfs hook and update-initramfs for adding armor modules for boot. - - -- Kees Cook Fri, 06 Jul 2007 03:41:06 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu19) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: pass back the correct string pointer - so as to not corrupt kernel memory (LP: #123081). - * debian/control: add XS-Vcs for bzr branch. - - -- Kees Cook Tue, 03 Jul 2007 09:07:52 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu18) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add m permission for all libraries - under /usr/lib/**, so that ssl libraries optimized for i686 can be - accessed. - * 09-profile-usr-sbin-mysqld.dpatch: add m permission to /etc/passwd, - /etc/group. - * 12-profile-samba.dpatch: add profile for smbd and nmbd daemons from - samba. - * 99-complain-all-profiles.dpatch: turn complain mode for smbd and nmbd - profiles. - - -- Mathias Gug Fri, 29 Jun 2007 15:19:15 +0200 - -apparmor (2.0.1+510.dfsg-0ubuntu17) gutsy; urgency=low - - * Update 11-getprocattr-api.dpatch: match upstream more closely, check - for errors. - - -- Kees Cook Tue, 26 Jun 2007 16:00:08 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu16) gutsy; urgency=low - - * Added 11-getprocattr-api.dpatch: update kernel module for getprocattr - API change (LP: #122444). - - -- Kees Cook Tue, 26 Jun 2007 15:21:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu15) gutsy; urgency=low - - * debian/apparmor.init: do not unload apparmor module on stop, since it - already defaults to capabilities-compatible fall back and we don't want - to lose the started process knowledge of the module for the next load of - the parser. - * Added 10-namespace-header.dpatch: include namespace_sem extern, since - mnt_namespace.h is missing it currently. - * Updated 07-apparmor-init-script.dpatch: ignore .dpkg-old profiles. - - -- Kees Cook Tue, 26 Jun 2007 10:04:54 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu14) gutsy; urgency=low - - * Correct missing libapparmor1 file contents. - - -- Kees Cook Thu, 21 Jun 2007 08:04:42 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu13) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: add /lib/tls/i686/cmov/lib* to base - abstraction to support i686 optimized libraries from libc6-i686 package. - * 09-profile-usr-sbin-mysqld.dpatch: - * add profile usr.sbin.mysqld - * update abstractions/mysql - * debian/rules: remove extras/usr.sbin.mysqld. - * 99-complain-all-profiles.dpatch: - * put mysqld profile in complain mode. - * put named profile in complain mode. - - -- Mathias Gug Wed, 20 Jun 2007 12:12:28 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu12) gutsy; urgency=low - - * Add missing dh_makeshlibs call to rules, fix up libapparmor naming. - - -- Kees Cook Wed, 20 Jun 2007 09:15:48 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu11) gutsy; urgency=low - - * Packaged libapparmor, libapparmor-dev, and libapache2-mod-apparmor. - - -- Kees Cook Mon, 18 Jun 2007 18:27:46 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu10) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch, 06-profile-usr-sbin-named.dpatch: - move /dev/random into abstractions/base. - * 06-profile-usr-sbin-named.dpatch: Add sys_chroot capability. - * debian/rules: don't package aa-eventd and Reports.pm as they use perl - modules not maintained in main. - Reports.pm is only used by Yast for now. aa-eventd maintains an - sqlite database of audit messages which is used by Reports.pm. - If configured (not by default), aa-eventd can also send emails when - AppArmor audit messages are emited. - * debian/control: Add universe component to Section: header. Needed to make - it work with PPA. - - -- Mathias Gug Fri, 15 Jun 2007 12:47:05 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu9) gutsy; urgency=low - - * 06-profile-usr-sbin-named.dpatch : Generate a new profile for - /usr/sbin/named to make it work with bind9. - * debian/apparmor.init, 07-apparmor-init-script.dpatch: merge ubuntu - changes with the latest version from upstream. - * 99-complain-all-profiles.dpatch : put all profiles into complain mode by - default. - Add a small script (put-all-profiles-in-complain-mode.sh) in - debian/ that takes care of automatically setting all profiles into - complain mode. This script should be used by the maintainer to set all - profiles in complain mode before packaging them. - - -- Mathias Gug Wed, 6 Jun 2007 13:41:57 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu8) gutsy; urgency=low - - * Start apparmor as early as possible in the boot process : just after - mountall in rcS.d. Add preinst script to remove symlinks previously - installed in rc*.d/. - (LP: #116624). - * Sync 04-apparmor-status.dpatch with upstream apparmor_status. The previous - patch has been merged in upstream. - * Update klogd profile : add /var/run/klogd/klogd.pid and - /var/run/klogd/kmsg to the profile. - - -- Mathias Gug Thu, 31 May 2007 14:26:03 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu7) gutsy; urgency=low - - * 03-profile-usr-sbin-ntpd.dpatch: udpdate profile for ntpd daemon. Add - /var/lib/ntp/ntp.drift and /var/log/ntpstats/peerstats* to the profile. - - * 04-apparmor-status.dpatch: improve apparmor_status script. Report more - detailed information. - - -- Mathias Gug Tue, 29 May 2007 13:05:55 -0400 - -apparmor (2.0.1+510.dfsg-0ubuntu6) gutsy; urgency=low - - * 02-profile-abstractions-ubuntu.dpatch: Update abstractions for changes - specific to Gnome, Debian, and 32bit on 64bit environments. - * debian/control: adjust Recommends to apparmor-modules-source - (LP: #113553). - * debian/apparmor.init: moved rmmod/modprobe into init script, and dropped - alias to avoid confusion and move control of the LSM closer to loading - the profiles and work around capability already being loaded in the - initrd (LP: #113887). - - -- Kees Cook Thu, 17 May 2007 20:34:41 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu5) gutsy; urgency=low - - * 01-logger-path.dpatch: Fix path to logger (LP: #112147). - - -- Kees Cook Thu, 03 May 2007 11:59:34 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu4) feisty; urgency=low - - * debian/control: move apparmor-modules to Recommends to Avoid - uninstallable situation when AppArmor modules haven't yet been - compiled/installed. - - -- Kees Cook Wed, 11 Apr 2007 11:39:39 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu3) feisty; urgency=low - - * debian/rules, debian/apparmor.{postinst,prerm}: ignore init script - failures so that they don't block package installs/upgrades/uninstalls. - - -- Kees Cook Wed, 11 Apr 2007 08:52:37 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu2) feisty; urgency=low - - * debian/control: add missing Depend on 'dpatch' for modules-source. - - -- Kees Cook Sat, 7 Apr 2007 09:35:16 -0700 - -apparmor (2.0.1+510.dfsg-0ubuntu1) feisty; urgency=low - - * Initial release, thanks to Magnus Runesson and Jesse Michael - (LP: #95334). - - -- Kees Cook Fri, 23 Mar 2007 16:42:01 -0700