Format: 1.8
Date: Mon, 05 Mar 2018 12:50:46 +0000
Source: apparmor
Binary: apparmor apparmor-utils apparmor-profiles libapparmor-dev libapparmor1 libapparmor-perl libapache2-mod-apparmor libpam-apparmor apparmor-notify python-libapparmor python3-libapparmor python-apparmor python3-apparmor dh-apparmor apparmor-easyprof
Architecture: source
Version: 2.12-3ubuntu1~test.3
Distribution: bionic
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Tyler Hicks
Description:
 apparmor - user-space parser utility for AppArmor
 apparmor-easyprof - AppArmor easyprof profiling tool
 apparmor-notify - AppArmor notification system
 apparmor-profiles - experimental profiles for AppArmor security policies
 apparmor-utils - utilities for controlling AppArmor
 dh-apparmor - AppArmor debhelper routines
 libapache2-mod-apparmor - changehat AppArmor library as an Apache module
 libapparmor-dev - AppArmor development libraries and header files
 libapparmor-perl - AppArmor library Perl bindings
 libapparmor1 - changehat AppArmor library
 libpam-apparmor - changehat AppArmor library as a PAM module
 python-apparmor - AppArmor Python utility library
 python-libapparmor - AppArmor library Python bindings
 python3-apparmor - AppArmor Python3 utility library
 python3-libapparmor - AppArmor library Python3 bindings
Closes: 795431 832984 845232 858768 858911 865206 866636 870695 870696 870807 871953 872167 874665 875892 877581 879584 880078 880859 880923 881936 882043 882070 882135 883682 883703 884014 884280 885522 886732 887591 889806
Launchpad-Bugs-Fixed: 1598759 1661766 1707614
Changes:
 apparmor (2.12-3ubuntu1~test.3) bionic; urgency=medium
 .
   * Merge with Debian. Remaining Ubuntu changes:
     - debian/control: Update maintainer to be Ubuntu Developers
     - debian/gbp.conf: Use ubuntu/master as the debian-branch
     - debian/apparmor.init: Call handle_system_policy_package_updates as we need it for Click, snappy, and system-images. Note that this prevents using a remote /var.
     - debian/patches/series: Apply the following Ubuntu-specific patches:
       + parser-include-usr-share-apparmor.patch
       + profiles-grant-access-to-systemd-resolved.patch
       + add-chromium-browser.patch
     - debian/apparmor-profiles.install, debian/apparmor-profiles.postinst: Install chromium-browser profile and abstraction
   * debian/apparmor-profiles.install, debian/apparmor-profiles.postinst: Install chromium-browser profile and abstraction into the /usr/share/apparmor/extra-profiles/ directory to match upstream and Debian
   * debian/patches/series, debian/apparmor.install, debian/apparmor.maintscript: Feature pinning is not used in Ubuntu
   * upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch: Properly identify empty ouid/fsuid fields in logs to fix log parsing bug on 32 bit platforms
   * upstream-commit-130958a-allow-shell-helper-read-locale.patch: Allow the shell helper regression test program to read the locale
   * Dropped patches that weren't merged upstream:
     - ubuntu-manpage-updates.patch: The changes were out of date because they only addressed upstart based systems
     - utils-keep-shebang.patch: A different solution was merged upstream so that the shebang lines aren't rewritten
   * Dropped patches that were merged upstream:
     - utils-add-aa-remove-unknown.patch
     - pass-compiler-flags.patch
     - raise-test-timeout.patch
     - r3615-profiles-sshd-drop-local-include.patch
     - r3631-apparmor-utils-python3.6-LOCALE.patch
     - r3645-profiles-update-nvidia-abstraction.patch
     - wayland-cursor.patch
     - utils-fix-failing-tests-in-aa-py.patch
     - utils-allow-unordered-dbus-attribs.patch
     - aa-notify-urgency-normal.patch
     - base-journald-updates.patch
     - utils-logprof-python3.6.patch
     - adjust-python-for-3.6.patch
     - fix-aa-status-pod.patch
     - nameservice-add-stub-resolv.patch
     - 0001-Allow-seven-digit-pid.patch
 .
 apparmor (2.12-3) unstable; urgency=medium
 .
   * dnsmasq-profile-allow-chown-capability.patch: new patch (Closes: #889806)
   * Update-base-abstraction-for-ld.so.conf-and-friends.patch: new patch, cherry-picked from upstream (solves a minor part of #887973).
   * libapparmor-perl: install example program.
 .
 apparmor (2.12-2) unstable; urgency=medium
 .
   * This release is dedicated to the memory of Ursula K. Le Guin.
 .
   * Install the "extra" profiles to the default upstream directory (Closes: #832984).
   * Cherry-pick policy improvements from upstream Git (Closes: #887591).
   * Stop recommending the apparmor-profile package to the general public:
     - apparmor: drop "Suggests: apparmor-profile".
     - apparmor-profile: make it clear in the package description that these profiles cannot be expected to work out-of-the-box.
   * Bump debhelper compatibility level to 10.
     - This reintroduces --parallel building, which was fixed upstream since we disabled it.
     - Don't manually enable the systemd debhelper sequence: now done by default.
     - Drop now useless build-dependency on autotools-dev.
   * Declare compliance with Standards-Version 4.1.3 (no change required).
   * debian/control: add Rules-Requires-Root: no.
     - Cherry-pick upstream fix to pam_apparmor's Makefile.
   * Packaging cleanup:
     - Remove Kees Cook from the Uploaders control field. Thanks a lot for the inspiring work you've done on this package in the past!
     - Remove obsolete calls to rm_conffile.
     - debian/copyright: use canonical URL to copyright-format/1.0.
     - debian/copyright: sort licenses in lexical order.
     - Use canonical URL to Debian bug in patch header.
     - debian/*.install: remove duplicates.
     - Stop versioning dependencies that are satisfied on Debian Wheezy and Ubuntu Trusty.
     - Reformat debian/* with 'cme fix dpkg' + wrap-and-sort.
 .
 apparmor (2.12-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #885522, #882043, #884014, #886732, #875892, #882070, #874665, #884280, #881936, #882135).
     - Drop obsolete patches.
   * dh-apparmor postinst snippet: create empty files in /etc/apparmor.d/local/ instead of repeating boilerplate.
   * dh-apparmor postinst snippet: simplify local overrides directory creation code.
   * Migrate to Git:
     - Configure gbp for DEP-14
     - Configure gbp-pq to avoid prefixing patches with numbers
     - README.source: adjust to Git
     - Update Vcs-* control fields: migrate to Git
   * Move libpam to Section: admin
 .
 apparmor (2.11.1-4) unstable; urgency=medium
 .
   * Bump pinned feature set to linux-image-4.14.0-1's, version 4.14.2-1
     - Pinning a feature set without "mount", as we did before this change, breaks mount operations due to a bug in the kernel (Closes: #883703). Thanks to Fabian Grünbichler and Felix Geyer for reporting this.
     - AppArmor maintainers in Debian have been testing 4.14 without pinning for a while and all the known issues were fixed; it's time to enable 4.14's features so we can learn what parts of our policy still need updates (Closes: #880078, #877581).
   * Move features file to /usr/share/apparmor-features (Closes: #883682). Thanks to Fabian Grünbichler for the patch.
   * Document in apparmor/README.Debian where online documentation wrt. AppArmor on Debian lives (Closes: #845232). Thanks to Wouter Verhelst and Jean-Michel Vourgère for the suggestion.
   * Improve usability of apparmor-notify:
     - notify.conf: unset use_group. aa-notify checks that it can read the selected log file — and aborts if it can't — before it checks group membership vs. use_group, so in practice setting use_group is only useful for users who are allowed to read logs but don't want to see notifications. This seems to be a corner case, easily addressed per-user (~/.apparmor/notify.conf) or system-wide (by deinstalling apparmor-notify). So let's instead optimize for a more common use case, i.e. users who can read logs and want to see the notifications. This change does not impact the most common use case, i.e. desktop users who are not allowed to read logs (Closes: #880859).
     - Document in apparmor-notify/README.Debian that one must be in the "adm" group to use aa-notify.
     Thanks to Lisandro Damián Nicanor Pérez Meyer and Salvatore Bonaccorso whose combined bug reports led to this solution.
   * /lib/apparmor/functions: don't delete /etc/apparmor.d/cache/CACHEDIR.TAG ourselves (necessary, but not sufficient, to fix #883584).
   * Declare compliance with Standards-Version 4.1.2.
 .
 apparmor (2.11.1-3) unstable; urgency=medium
 .
   * upstream-commit-92752f5-support-Google-Chrome-beta.patch: new patch, backported from upstream (Closes: #880923).
 .
 apparmor (2.11.1-2) unstable; urgency=medium
 .
   * apparmor: drop obsolete dependency on libapparmor-perl. This dependency was added in 2.8.0-0ubuntu15, when aa-exec (that was written in Perl back then) got moved to the apparmor package. Nowadays aa-exec is written in C and AFAICT there's nothing in the apparmor package that uses libapparmor-perl.
   * apparmor-utils: drop obsolete dependency on libapparmor-perl. All the programs shipped in this package were rewritten in Python.
   * Drop obsolete dependencies on python{,3}-pkg-resources. They were added to "fix autopkgtests in click-apparmor and apparmor-easyprof-ubuntu". We don't ship these packages in Debian, and I'm told they're going away in Ubuntu anyway.
 .
 apparmor (2.11.1-1) unstable; urgency=medium
 .
   * Import upstream 2.11.1 release. Drop obsolete patches and refresh remaining ones as needed.
   * pin-feature-set.patch: new patch, that pins the AppArmor feature set to Linux 4.13.4-2's (Closes: #879584). The AppArmor policy we ship is not fully ready for Linux 4.14 yet. Once our policy has been updated (#877581) we can bump the pinned feature set to Linux 4.14's. Note, however, that this is not fully effective in the specific case of 4.14-rcN up to 4.14-rc6 due to a kernel bug with pinned older feature sets, that will likely be fixed in Linux 4.14-rc7. For example, with Linux 4.14-rc5 some network (e.g. unix, inet, inet6) operations are denied despite the fact this pinned feature does not enable network mediation support. For details, see: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278
   * Disable parser-include-usr-share-apparmor.patch: it's not used on Debian and would be made fuzzy by pin-feature-set.patch, thus causing useless maintenance busywork.
   * Improve phrasing of long packages description, based on a patch by Vincas Dargis (Closes: #795431).
   * Replace build-dependency on dh-systemd with a versioned one on debhelper, that now ships dh_systemd_*.
   * Set priority to "optional": "extra" is deprecated.
   * Bump Standards-Version to 4.1.1.
   * Drop "Testsuite: autopkgtest" control field: it is automatically added by dpkg-source(1) since dpkg 1.17.1 when a debian/tests/control file exists, which is the case here.
   * Move libapache2-mod-apparmor to Section "httpd", as suggested by Lintian.
 .
 apparmor (2.11.0-11) unstable; urgency=medium
 .
   * Only use systemd-detect-virt when it's installed (Closes: #871953).
   * dh_apparmor: include the version of the package, so that one can find packages that were built with a particular version of dh_apparmor. (Closes: #872167).
   * Import patch submitted upstream to support Flatpak exports (Closes: #865206).
   * Revert "Build with GCC-6 on mips64el to workaround Debian#871538": that gcc-7 bug was fixed in 7.2.0-3 on 2017-09-02, presumably all buildd's chroot should have it by now.
   * Merge from Ubuntu citrain up to revision 1627, aka. 2.11.0-2ubuntu17. Applied all changes (filtering from that list what had already been done in Debian):
     - Remove apparmor system upstart job on upgrades.
     - r3631-apparmor-utils-python3.6-LOCALE.patch: fix utils to avoid breakage with python 3.6 (LP: #1661766).
     - nameservice-add-stub-resolv.patch: allow read access to systemd stub resolver configuration
 .
 apparmor (2.11.0-10) unstable; urgency=medium
 .
   * Build with GCC-6 on mips64el to workaround #871538.
 .
 apparmor (2.11.0-9) unstable; urgency=medium
 .
   * debian-chromium-paths.patch: new patch, fixes e.g. opening links (e.g. from Thunderbird) when Chromium is the default web browser (reported in #858911).
 .
 apparmor (2.11.0-8) unstable; urgency=medium
 .
   * firefox-non-esr.patch: new patch, fixes e.g. opening links from Thunderbird when Firefox non-ESR is the default web browser (Closes: #858911).
   * Adjust metadata for wayland-cursor.patch: applied upstream.
 .
 apparmor (2.11.0-7) unstable; urgency=medium
 .
   * compare_and_save_debsums(): fix quieting of diff on initial installation (Closes: #870696).
   * Don't explicitly pass runlevel nor sequence number to update-rc.d via dh_installinit (Closes: #870695). Thanks to Michael Biebl for the hint!
   * wayland-cursor.patch: new patch, to allow wayland-cursor-shared-* (Closes: #870807).
   * Merge from Ubuntu citrain up to revision 1620, i.e. 2.11.0-2ubuntu11. Applied all changes:
     - fix-aa-status-pod.patch: updates aa-status for newer podchecker (LP: #1707614)
     - adjust-python-for-3.6.patch: update python abstraction for 3.6
     - adjust-nameservice-for-systemd-resolved.patch: grant access to systemd-resolved in the nameservice abstraction (LP: #1598759).
     … and then disabled adjust-nameservice-for-systemd-resolved.patch that's dangerous without fine-grained AppArmor mediation of D-Bus traffic.
   * Remove upstart configuration: Upstart was removed in Debian Stretch so this file is no longer useful.
   * Drop ubuntu-manpage-updates.patch, that was only relevant with Upstart.
 .
 apparmor (2.11.0-6) unstable; urgency=medium
 .
   * libapparmor-dev: stop installing /lib/*/libapparmor.la (Closes: #866636).
 .
 apparmor (2.11.0-5) unstable; urgency=medium
 .
   * pass-compiler-flags-binutils.patch: new patch, fixes missing hardening flags in aa-enabled and aa-exec.
   * Merge from Ubuntu citrain up to revision 1617, i.e. 2.11.0-2ubuntu8.
 .
 apparmor (2.11.0-4) unstable; urgency=medium
 .
   * Run parts of the upstream test suite as autopkgtests.
   * Declare compliance with Standards-Version 4.0.0 (no change required).
   * Add mentions-deprecated-usr-lib-perl5-directory to Lintian overrides, since usr-lib-perl5-mentioned has been renamed.
   * libapparmor1.symbols: require 2.8.94 instead of 2.8.94-0ubuntu1.
   * debian/rules: use variables provided by dpkg/pkg-info.mk instead of parsing the output of dpkg-parsechangelog.
   * Override mistaken apache2-module-depends-on-real-apache2-package Lintian check.
   * Merge from Ubuntu citrain up to revision 1616, i.e. 2.11.0-2ubuntu5 (more recent changes, up to 2.11.0-2ubuntu8, have not been pushed to the citrain repo yet; they don't seem critical though).
 .
 apparmor (2.11.0-3) unstable; urgency=medium
 .
   * Fix CVE-2017-6507: don't unload unknown profiles during package configuration or when restarting the apparmor init script, upstart job, or systemd unit as this could leave processes unconfined (Closes: #858768). Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3:
     - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart: Remove calls to unload_obsolete_profiles()
     - debian/patches/utils-add-aa-remove-unknown.patch, debian/apparmor.install debian/apparmor.manpages: Include a new utility, aa-remove-unknown, which can be used to unload unknown profiles. Based on an upstream patch but adjusted to source the /lib/apparmor/functions shipped in Debian/Ubuntu.
Original-Maintainer: Debian AppArmor Team