-
apparmor (2.10.95-0ubuntu2.12) xenial-security; urgency=medium
* debian/lib/apparmor/functions: remove support for loading snapd
generated profiles in /var/lib/snapd/apparmor/profiles as these are
handled by snapd.apparmor.service (LP: #2024637)
-- Alex Murray <email address hidden> Thu, 22 Jun 2023 16:58:05 +0930
-
apparmor (2.10.95-0ubuntu2.11) xenial-security; urgency=medium
* Make dnsmasq profile and Python utility changes necessary to continue
working correctly after the Linux kernel change to address CVE-2019-11190.
Without these changes, some profile transitions may be unintentionally
denied. (LP: #1830802)
- 0001-dnsmasq-allow-libvirt_leaseshelper-m-permission-on-i.patch
- 0001-handle_children-automatically-add-m-permissions-on-i.patch
-- Tyler Hicks <email address hidden> Tue, 28 May 2019 21:33:21 +0000
-
apparmor (2.10.95-0ubuntu2.10) xenial-security; urgency=medium
* lp1788929+1794848.patch:
- disallow writes to thumbnailer dir (LP: #1788929)
- disallow access to the dirs of private files (LP: #1794848)
-- Jamie Strandboge <email address hidden> Thu, 27 Sep 2018 18:23:46 +0000
-
apparmor (2.10.95-0ubuntu2.9) xenial; urgency=medium
* debian/patches/base-journald-updates.patch: update base abstraction
for additional journald sockets (LP: #1670408)
Backport from 2.11.0-2ubuntu5 by Jamie Strandboge <email address hidden>
-- Christian Ehrhardt <email address hidden> Tue, 20 Feb 2018 16:04:02 +0100
-
apparmor (2.10.95-0ubuntu2.8) xenial; urgency=medium
* d/p/0001-Allow-seven-digit-pid.patch:
On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT,
(2^22), which results in seven digit pids. Adjust the @{PID} variable in
tunables/global to accept this. (LP: #1717714)
-- Seyeong Kim <email address hidden> Mon, 08 Jan 2018 07:43:46 -0800
-
apparmor (2.10.95-0ubuntu2.7) xenial; urgency=medium
* Remove initramfs-tools from the dependencies; this isn't used and the
dependency has been dropped in later releases. LP: #1713169.
-- Steve Langasek <email address hidden> Fri, 25 Aug 2017 16:54:53 -0700
-
apparmor (2.10.95-0ubuntu2.6) xenial-security; urgency=medium
* SECURITY UPDATE: Don't unload unknown profiles during package
configuration or when restarting the apparmor init script or upstart job
as this could leave processes unconfined (LP: #1668892)
- debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart:
Remove calls to unload_obsolete_profiles()
- debian/patches/utils-add-aa-remove-unknown.patch,
debian/apparmor.install debian/apparmor.manpages: Include a new utility,
aa-remove-unknown, which can be used to unload unknown profiles
- CVE-2017-6507
-- Tyler Hicks <email address hidden> Wed, 15 Mar 2017 22:07:02 +0000
-
apparmor (2.10.95-0ubuntu2.5) xenial; urgency=medium
* debian/lib/apparmor/functions, debian/apparmor.init,
debian/apparmor.service, debian/apparmor.upstart,
debian/lib/apparmor/profile-load: Adjust the checks that previously kept
AppArmor policy from being loaded while booting a container. Now we
attempt to load policy if we're in a LXD or LXC managed container that is
using profile stacking inside of a policy namespace. (LP: #1628285)
* Fix regression tests for stacking so that the kernel SRU process is not
interrupted by failing tests whenever the AppArmor stacking features are
backported from the 16.10 kernel or when the 16.04 LTS Enablement Stack
receives a 4.8 or newer kernel
- debian/patches/r3509-tests-fix-exec_stack-errors-1.patch: Fix the
exec_stack.sh test when running on 4.8 or newer kernels (LP: #1628745)
- debian/patches/r3558-tests-fix-exec_stack-errors-2.patch: Adjust the
exec_stack.sh fix mentioned above to more accurately test kernels older
than 4.8 (LP: #1630069)
- debian/patches/allow-stacking-tests-to-use-system.patch: Apply this
patch earlier in the series, as to match when it was committed upstream,
so that the above two patches can be cherry-picked from lp:apparmor
-- Tyler Hicks <email address hidden> Fri, 07 Oct 2016 05:21:44 +0000
-
apparmor (2.10.95-0ubuntu2.4) xenial; urgency=medium
* debian/patches/r3505-tests-fix-stacking-mode-checks.patch: Fix failing
regression tests so that the kernel SRU process is not interrupted by
failing stackonexec.sh and stackprofile.sh tests (LP: #1628295)
-- Tyler Hicks <email address hidden> Wed, 28 Sep 2016 15:33:53 -0500
-
apparmor (2.10.95-0ubuntu2.3) xenial; urgency=medium
* debian/patches/allow-access-to-ibus-socket.patch: Adjust the ibus
abstraction to allow access to the abstract UNIX domain socket location
used in Ubuntu. (LP: #1580463)
* debian/lib/apparmor/functions: Quiet the "Files ... and ... differ"
output, during the update process, which was printed by diff. This message
left users concerned since it mentioned md5sums files without being clear
about what was happening. (LP: #1614215)
-- Tyler Hicks <email address hidden> Fri, 26 Aug 2016 18:30:32 -0500
-
apparmor (2.10.95-0ubuntu2.2) xenial; urgency=medium
* r3498-r3499-ignore-net-events-that-look-like-file-events.patch: Prevent an
aa-logprof crash by ignoring file events that contain send *and* receive
in the request mask. This is an improvement to the previous fix that only
addressed events that contained send *or* receive.
(LP: #1577051, LP: #1582374)
- debian/rules: Create a new empty file, needed for the test added by this
patch, since quilt is unable to do so.
-- Tyler Hicks <email address hidden> Mon, 01 Aug 2016 18:03:36 -0500
-
apparmor (2.10.95-0ubuntu2.1) xenial; urgency=medium
* debian/patches/r3460-ignore-file-events-with-send-or-receive-request.patch:
Prevent an aa-logprof crash by ignoring file events that contain
send or receive in the request mask. (LP: #1577051, LP: #1582374)
* debian/patches/r3463-r3475-change-profile-exec-modes.patch: Allow policy
authors to specify if the environment should be scrubbed during exec
transitions allowed by a change_profile rule. (LP: #1584069)
* debian/patches/r3478-make-overlapping-safe-and-unsafe-rules-conflict.patch:
Make sure that multiple change_profile rules with overlapping safe and
unsafe exec modes conflict when they share the same exec conditional
(LP: #1588069)
* debian/patches/r3488-r3489-fix-racy-onexec-test.patch: Fix racy regression
test so that the kernel SRU process is not interrupted by the onexec.sh
periodically failing. (LP: #1528230)
* debian/patches/r3490-utils-handle-change-profile-exec-modes.patch: Update
the Python utilities to handle the new exec mode keywords in
change_profile rules. (LP: #1584069)
* debian/patches/r3492-allow-dbus-user-session-path.patch: Allow read/write
access to the dbus-user-session socket file in profiles that include the
dbus-session-strict abstraction. (LP: #1604872)
-- Tyler Hicks <email address hidden> Thu, 28 Jul 2016 11:02:11 -0500
-
apparmor (2.10.95-0ubuntu2) xenial; urgency=medium
* debian/patches/r3435-allow-dnsmasq-access-to-lxd-bridge.patch: Grant
access to the new default bridge configuration in LXD 2.0.0 (LP: #1566944)
* debian/patches/r3437-add-attach-disconnected-to-dnsmasq.patch: Add the
attach_disconnected flag to the dnsmasq profile in order to prevent a
disconnected path denial triggered by the latest network-manager upload
(LP: #1569316)
* debian/lib/apparmor/functions: Reference the new path used for snapd
AppArmor profiles to fix a bug which left those profiles unloaded after
booting (LP: #1569573)
-- Tyler Hicks <email address hidden> Tue, 12 Apr 2016 16:59:46 -0500
-
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium
* Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
- Allow Apache prefork profile to chown(2) files (LP: #1210514)
- Allow deluge-gtk and deluge-console to handle torrents opened in
browsers (LP: #1501913)
- Allow file accesses needed by some programs using libnl-3-200
(Closes: #810888)
- Allow file accesses needed on systems that use NetworkManager without
resolvconf (Closes: #813835)
- Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
- Fix aa-logprof(8) crash when operating on files containing multiple
profiles with certain rules (LP: #1528139)
- Fix log parsing crashes, in the Python utilities, caused by certain file
related events (LP: #1525119, LP: #1540562)
- Fix log parsing crasher, in the Python utilities, caused by certain
change_hat events (LP: #1523297)
- Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
when Python 3 is not available (LP: #1513880)
- Send aa-easyprof(8) error messages to stderr instead of stdout
(LP: #1521400)
- Fix aa-autodep(8) failure when the shebang line of a script contained
parameters (LP: #1505775)
- Don't depend on the system logprof.conf when running utils/ build tests
(LP: #1393979)
- Fix apparmor_parser(8) bugs when parsing profiles that use policy
namespaces in the profile declaration or profile transition targets
(LP: #1540666, LP: #1544387)
- Regression fix for apparmor_parser(8) bug that resulted in the
--namespace-string commandline option being ignored causing profiles to
be loaded into the root policy namespace (LP: #1526085)
- Fix crasher regression in apparmor_parser(8) when the parser was asked
to process a directory (LP: #1534405)
- Fix bug in apparmor_parser(8) to honor the specified bind flags remount
rules (LP: #1272028)
- Support tarball generation for Coverity scans and fix a number of issues
discovered by Coverity
- Fix regression test failures on s390x systems (LP: #1531325)
- Adjust expected errno values in changeprofile regression test
(LP: #1559705)
- The Python utils gained support for ptrace and signal rules
- aa-exec(8) received a rewrite in C
- apparmor_parser(8) gained support for stacking multiple profiles, as
supported by the Xenial kernel (LP: #1379535)
- libapparmor gained new public interfaces, aa_stack_profile(2) and
aa_stack_onexec(2), allowing applications to utilize the new kernel
stacking support (LP: #1379535)
* Drop the following patches since they've been incorporated upstream:
- aa-status-dont_require_python3-apparmor.patch
- r3209-dnsmasq-allow-dash
- r3227-locale-indep-capabilities-sorting.patch
- r3277-update-python-abstraction.patch
- r3366-networkd.patch
- tests-fix_sysctl_test.patch
- parser-fix-cache-file-mtime-regression.patch
- parser-verify-cache-file-mtime.patch
- parser-run-caching-tests-without-apparmorfs.patch
- parser-do-cleanup-when-test-was-skipped.patch
- parser-allow-unspec-in-network-rules.patch
* debian/rules, debian/apparmor.install, debian/apparmor.manpages: Update
for new upstream binutils directory and aa-enabled binary
- Continue installing aa-exec into /usr/sbin/ for now since
click-apparmor's aa-exec-click autopkgtest expects it to be there
* debian/libapparmor-dev.manpages: Include the new aa_stack_profile.2 man
page
* debian/patches/r3424-nscd-profile-allow-paranoia-mode.patch: Allow file
access needed for nscd's paranoia mode
* debian/patches/r3425-adjust-stacking-tests-version-check.patch: Adjust the
regression test build time checks, for libapparmor stacking support, to
look for the 2.10.95 versioning rather than 2.11
* debian/patches/r3426-allow-debugedit-to-work-on-apparmor-parser.patch:
Remove extra slash in the parser Makefile so that debugedit(8) can work on
apparmor_parser(8) (LP: #1561939)
* debian/patches/allow-stacking-tests-to-use-system.patch: Adjust the file
rules of the new stacking tests so that the generated profiles allow the
system binaries and libraries to be tested
* debian/libapparmor1.symbols: update symbols file for added symbols
in libapparmor
-- Tyler Hicks <email address hidden> Sat, 09 Apr 2016 01:35:25 -0500
-
apparmor (2.10-3ubuntu2) xenial; urgency=medium
* debian/patches/parser-allow-unspec-in-network-rules.patch: Allow
apparmor_parser to support rules that use 'unspec' as the network protocol
family. (LP: #1546455)
-- Tyler Hicks <email address hidden> Thu, 18 Feb 2016 12:48:17 -0600
-
apparmor (2.10-3ubuntu1) xenial; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/apparmor.init,apparmor.upstart,debian/lib/apparmor/functions:
clear only the system cache if apparmor version has changed on snappy
flavors since snappy will handle the app's cache itself
- debian/apparmor.install: install tunables/home.d and
tunables/multiarch.d
- debian/apparmor-utils.dirs: install usr/bin and usr/share/apparmor
- debian/control:
+ make libnotify-bin a Suggests rather than a Recommends since it is
assumed to already be installed on the desktop and so server
environments don't have to pull in a lot of X dependencies
(LP: #1061879)
+ apparmor-easyprof in section 'admin'
+ apparmor Depends on initramfs-tools | linux-initramfs-tool [linux-any]
+ apparmor Breaks on lightdm (<< 1.11.8-0ubuntu2~),
lxc (<< 1.1.0~alpha1-0ubuntu5~)
- drop debian/patches/reproducible-pdf.patch (not applied in series)
* drop debian/patches/fix-abstraction-for-python3.5.patch in favor of
Debian's
* debian/patches/series: comment out notify-group.patch
* debian/patches/non-linux.patch: refresh
* debian/patches/r3366-networkd.patch: use this instead of dropped Ubuntu
lp1529074.patch for NetworkManager and networkd support
apparmor (2.10-3) unstable; urgency=medium
* Team upload.
[ intrigeri ]
* Drop libapparmor-mention-dbus-method-in-getcon-man.patch (Closes: #800132)
[ Felix Geyer ]
* Update python abstraction for python 3.5.
- Pull r3277-update-python-abstraction.patch from upstream
apparmor (2.10-2) unstable; urgency=medium
[ Felix Geyer ]
* Apply aa-status-dont_require_python3-apparmor.patch, to keep
the hard dependencies of the apparmor binary package minimal.
* python{,3}-apparmor: require at least the same upstream version
of python{,3}-libapparmor.
[ intrigeri ]
* Drop abstractions-ubuntu-browsers.patch: integrated upstream
(in a slightly different way).
* debian/control: don't start short description with capital letter.
(Closes: #795434)
* r3227-locale-indep-capabilities-sorting.patch: cherry-pick from upstream,
to make (more of?) the build reproducible. (Closes: #797415)
* Merge from ubuntu-citrain up to revision 1578, that is changes brought
by 2.10-0ubuntu3 to 2.10-0ubuntu6.
* Upload to unstable.
apparmor (2.10-1) experimental; urgency=medium
[ intrigeri ]
* Merge ubuntu-citrain up to revision 1575, except:
- previously documented changes
- debian/patches/aa-status-dont_require_python3-apparmor.patch:
don't apply, only relevant for Ubuntu Phone
* debian/patches/r3209-dnsmasq-allow-dash: cherry-pick from upstream.
* debian/patches/pass-compiler-flags.patch: refresh.
* Update upstream signing key.
* apparmor-utils: make the Depends on python3-apparmor versioned.
(Closes: #785436)
* Override the "apparmor source: usr-lib-perl5-mentioned rules" error.
We replace usr/lib/perl5 with the corresponding multiarch path
in debian/rules, as a consequence this file contains this string.
* python-apparmor, python3-apparmor: add Lintian overrides for
the extended-description-is-probably-too-short tag.
* debian/control: stuff out a bit apparmor-utils' extended description.
[ Felix Geyer ]
* Add Brazilian Portuguese translation of debconf messages.
Thanks to Adriano Rafael Gomes. (Closes: #788342)
* Use dh_apparmor from this source package for apparmor-profiles.
(Closes: #656451)
* Make debian/rules safer:
- Add set -e to loops.
- Use "&&" when chaining shell commands.
-- Jamie Strandboge <email address hidden> Tue, 16 Feb 2016 08:49:31 -0600
-
apparmor (2.10-0ubuntu12) xenial; urgency=medium
* Call systemd-detect-virt instead of the Ubuntu specific
running-in-container wrapper. (LP: #1539016)
-- Martin Pitt <email address hidden> Thu, 28 Jan 2016 13:33:28 +0100
-
apparmor (2.10-0ubuntu11) xenial; urgency=medium
* No-change rebuild to drop python3.4 support.
-- Matthias Klose <email address hidden> Mon, 18 Jan 2016 19:38:38 +0000
-
apparmor (2.10-0ubuntu10) xenial; urgency=medium
* debian/patches/lp1529074.patch: for systems using networkd, add read on
/run/systemd/resolve/resolv.conf (LP: #1529074)
-- Jamie Strandboge <email address hidden> Tue, 05 Jan 2016 10:00:20 -0600
-
apparmor (2.10-0ubuntu9) xenial; urgency=medium
* No change rebuild for perl 5.22
-- Jamie Strandboge <email address hidden> Thu, 17 Dec 2015 12:14:10 -0600
-
apparmor (2.10-0ubuntu8) xenial; urgency=medium
* debian/patches/fix-abstraction-for-python3.5.patch: adjust python
abstraction for python 3.5
-- Jamie Strandboge <email address hidden> Wed, 18 Nov 2015 16:01:47 -0600
-
apparmor (2.10-0ubuntu7) xenial; urgency=medium
* debian/apparmor.init,apparmor.upstart: clear only the system cache if
apparmor version has changed on snappy flavors since snappy will handle
the app's cache itself
* debian/lib/apparmor/functions:
- compile /var/lib/snappy/apparmor/profiles policy
- add compare_previous_version()
- refactor clear_cache()
- compare_and_save_debsums() checks if $PROFILES_VAR exists
-- Jamie Strandboge <email address hidden> Tue, 10 Nov 2015 15:34:20 -0600
-
apparmor (2.10-0ubuntu6) wily; urgency=medium
* debian/libapparmor-dev.manpages: add 5 missing libapparmor manpages
(LP: #1491147, LP: #1384431)
-- Steve Beattie <email address hidden> Tue, 01 Sep 2015 14:17:16 -0700