Change logs for apparmor source package in Disco

  • apparmor (2.13.2-9ubuntu6.1) disco-proposed; urgency=medium
    
      * lp1820068.patch: don't skip read cache when options are set (LP: #1820068)
      * reenable ubuntu/parser-conf-no-expr-simplify.patch
    
     -- Jamie Strandboge <email address hidden>  Thu, 06 Jun 2019 21:04:34 +0000
  • apparmor (2.13.2-9ubuntu6) disco; urgency=medium
    
      * lp1824812.patch: set SFS_MOUNTPOINT in is_container_with_internal_policy()
        since it is sometimes called independently of is_apparmor_loaded()
        - LP: #1824812
    
     -- Jamie Strandboge <email address hidden>  Mon, 15 Apr 2019 15:59:54 +0000
  • apparmor (2.13.2-9ubuntu5) disco; urgency=medium
    
      * ubuntu/dont-include-site-local-with-dovecot.patch: don't include local/
        files in the dovecot extras profiles since the included path may not
        exist
    
     -- Jamie Strandboge <email address hidden>  Tue, 02 Apr 2019 19:58:11 +0000
  • apparmor (2.13.2-9ubuntu4) disco; urgency=medium
    
      * debian/tests/control and debian/tests/compile-policy: don't test
        thunderbird since the Ubuntu packaging doesn't ship a profile
    
     -- Jamie Strandboge <email address hidden>  Wed, 27 Mar 2019 18:01:33 +0000
  • apparmor (2.13.2-9ubuntu3) disco; urgency=medium
    
      * debian/tests/control: try Ubuntu kernel but mark skip-not-installable
      * debian/apparmor-profiles.postinst: add back copying
        ubuntu-browsers.d/chromium-browser (LP: #1821920)
      * debian/apparmor.postrm: remove parser-created subdirs
    
     -- Jamie Strandboge <email address hidden>  Wed, 27 Mar 2019 13:48:24 +0000
  • apparmor (2.13.2-9ubuntu2) disco; urgency=medium
    
      * debian/debhelper/postrm-apparmor: don't quote the glob
      * debian/apparmor.preinst: remove cache files on upgrade to 2.13
    
    apparmor (2.13.2-9ubuntu1) disco; urgency=medium
    
      * New 2.13.2 release for Ubuntu (LP: #1817799). Notable changes:
        - Upstream AppArmor introduces the new cache forest rather than a single
          toplevel global cache directory which improves boot speed when booting
          between kernels with different feature sets. This cache forest is located
          in /var/cache/apparmor instead of /etc/apparmor.d/cache
        - This release uses a proper systemd unit rather than calling out to the
          SysV initscript
      * Merge from Debian (LP: #1817799). Remaining changes:
        - Ubuntu-specific patches:
          + ubuntu/add-chromium-browser.patch
          + ubuntu/communitheme-snap-support.patch
          + ubuntu/mimeinfo-snap-support.patch
          + ubuntu/profiles-grant-access-to-systemd-resolved.patch
        - debian/apparmor-profiles.install: install Ubuntu chromium-browser
          profile and abstraction
        - debian/apparmor.{install,maintscript}: feature pinning is not used in
          Ubuntu
        - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
          the branch where the Ubuntu packaging is maintained.
        - debian/gbp.conf: use ubuntu/master as the debian-branch
      * Drop the following patches, no longer needed:
        - ubuntu/parser-include-usr-share-apparmor.patch
        - e99fa6c6054fa10a2b49d30967e993bd5764e77f.patch: cherry-pick upstream
          patch for usr-merge for useradd profile
        - ubuntu/lp1788929+1794848.patch
      * Do not apply the following Debian-specific patches:
        - d-only/pin-feature-set.patch
        - d-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch
      * debian/put-all-profiles-in-complain-mode.sh: nvidia_modprobe should be in
        enforce mode
      * add but don't apply ubuntu/parser-conf-no-expr-simplify.patch: disable
        expr tree simplification to greatly speed up armhf. We might consider
        making this change armhf specific and/or limiting it to only the snapd
        policy in the future. (LP: 1383858). Once LP: 1820068 is fixed, we can
        reenable this patch
      * debian/control: Breaks on snapd < 2.38~ (the cache forest breaks snap
        remove)
      * debian/debhelper/postrm-apparmor: also remove cache files
      * add upstream-commit-fix-segfault-in-overlaydirat_for_each.patch
      * regression testsuite fixes:
        - upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch
        - upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch
        - upstream-commit-fix-segfault-when-loading-policy-cache-files.patch
        - upstream-commit-fix-variable-name-overlap-in-merge-macro.patch
      * debian/apparmor-profiles.lintian-overrides: update for chromium-browser
        profile having read access to dpkg database for lsb-release
    
    apparmor (2.13.2-9) unstable; urgency=medium
    
      * Revert "Add autopkgtest that checks if apparmor.service starts
        on package installation". It passes with the schroot and qemu
        backends locally but fails on ci.debian.net.
    
    apparmor (2.13.2-8) unstable; urgency=medium
    
      * Cherry-pick 5 more commits from upstream apparmor-2.13 branch
        (Closes: #921866).
      * Cherry-pick upstream MR!344 (Closes: #920833, #921888).
      * Install the nvidia_modprobe named profile (Closes: #921875)
        and add it to the list of profiles whose syntax is checked
        via autopkgtests.
      * Patch usr.sbin.smdb to include snippet generated at runtime
        (part of the fix for #896080).
      * New autopkgtest: ensure apparmor.service starts on
        package installation.
      * Update salsa CI pipeline.
    
    apparmor (2.13.2-7) unstable; urgency=medium
    
      * Stop shipping /var/cache/apparmor/CACHEDIR.TAG (Closes: #920682)
      * New patches, cherry-picked from upstream !320, so the "audio"
        abstraction grants read access to Alsa and libao config files
        (Closes: #920669, #920670).
    
    apparmor (2.13.2-6) unstable; urgency=medium
    
      * initscript: implement missing aa_log_action_begin and
        aa_log_action_end functions (Closes: #917962).
    
    apparmor (2.13.2-5) unstable; urgency=medium
    
      * Really move libapparmor.so unversioned symlink to /lib/<triplet>
        (Closes: #919705).
      * Add Lintian override for dev-pkg-without-shlib-symlink: arguably
        a false positive (see #843932).
      * Add Lintian override for uses-dpkg-database-directly: false positive.
      * Declare compliance with Standards-Version 4.3.0.
      * autopkgtests:
        - Test compiling many more profiles:
          - all profiles that apparmor-profiles-extra ships in enforce mode
          - the profiles shipped by bind9, cups-browsed, haveged,
            libreoffice-common, man-db, ntp, onioncircuits, tcpdump, thunderbird,
            and tor
          - another profile shipped by libvirt-daemon-system
        - Declare that the compile-policy test is not superficial anymore.
        - Make the parser verbose in the compile-policy test.
    
    apparmor (2.13.2-4) unstable; urgency=medium
    
      * Move libapparmor.so unversioned symlink to /lib/<triplet> (Closes: #919705).
      * New patches, cherry-picked from upstream:
        - Make tunables/share play well with aliases.
        - Fix access to /usr/share/drirc.d.conf (Closes: #919775).
        - Fix access to the default paths used by dehydrated in Debian.
        - Support new font configuration paths.
        - Support libvirt named profile.
        - Fix access to /etc/alsa/conf.d/.
      * autopkgtests: test compiling more profiles shipped by other packages.
      * Patch the dnsmasq profile to fix ptrace and signal communication
        with libvirtd.
    
    apparmor (2.13.2-3) unstable; urgency=medium
    
      * Update upstream MR!252 backport to fix initscript (Closes: #917874)
    
    apparmor (2.13.2-2) unstable; urgency=medium
    
      * Patch rc.apparmor.functions to suit Debian/Ubuntu's needs.
      * Port initscript, systemd service, postinst and profile-load
        to use the upstream rc.apparmor.functions shell library.
        This way, the systemd service does not require the SysV initscript
        anymore (Closes: #870697).
      * Drop obsolete /etc/apparmor/subdomain.conf conffile.
    
    apparmor (2.13.2-1) unstable; urgency=medium
    
      * Import new upstream release, drop backported patches that are now obsolete,
        refresh remaining patches.
      * autopkgtest: add dummy test so that changes to linux-image-amd64
        trigger our other tests on ci.debian.net
      * Replace home-made GitLab CI with the standard Salsa pipeline
        (Closes: #912722).
      * Drop extra signatures from public upstream signing key.
    
    apparmor (2.13.1-3) unstable; urgency=medium
    
      * GitLab CI/Lintian: install dpkg-dev, that ships dpkg-architecture,
        needed to run some Lintian checks.
      * Re-enable expression tree simplification and cherry-pick upstream patch
        that improves its performance.
      * Bump debhelper compatibility level to 11.
      * Patch apparmor.d(5) to document which features are not supported on Debian
        (Closes: #807369).
      * Patch apparmor(7) to document debugging options (Closes: #826218).
    
    apparmor (2.13.1-2) unstable; urgency=medium
    
      * Deal with obsolete /etc/apparmor.d/abstractions/launchpad-integration
        conffile (Closes: #911745).
      * Declare autopkgtests as superficial (Closes: #911827).
        Adjust GitLab CI configuration to cope with exit code 8 accordingly.
    
    apparmor (2.13.1-1) unstable; urgency=medium
    
      [ intrigeri ]
      * New upstream release (Closes: #901470, #871441).
      * Bump pinned feature set to linux-image-4.18.0-2-amd64, version 4.18.10-2.
      * Add Breaks: apparmor-profiles-extra (<< 1.21): the Pidgin profile up
        to 1.20 used the launchpad-integration abstraction, that was removed
        in AppArmor 2.13.1.
      * Drop backported patches that are now obsolete.
      * Refresh patches.
      * Add debian/.gitlab-ci.yml: build the package then run Lintian
        and autopkgtests on it.
      * upstream-commit-3bf11ce-Fix-syntax-error-in-rc.apparmor.functions.patch,
        upstream-commit-b77116e-Add-profile-names.patch: new patches to fix
        regressions introduced in 2.13.1.
      * Drop unused Lintian override.
      * Declare compliance with policy 4.2.1.
      * Update symbols list.
      * Honor nocheck in DEB_BUILD_OPTIONS.
      * Make /lib/apparmor/apparmor.systemd executable.
    
      [ Sven Joachim ]
      * Do not remove /var/cache/apparmor/CACHEDIR.TAG on upgrades
        (Closes: #910217).
    
      [ Helmut Grohne ]
      * Don't hard code the location of netinet/in.h (Closes: #909966).
    
    apparmor (2.13-8) unstable; urgency=medium
    
      * Only fix permissions on /lib/apparmor/apparmor.systemd when building
        arch-dependent packages. Fixes FTBFS when building only
        arch:all packages.
    
    apparmor (2.13-7) unstable; urgency=medium
    
      * Move the binary cache to /var/cache/apparmor (Closes: #904637).
        And then:
        - Delete obsolete cache files in /var/cache/apparmor on upgrade.
        - initscript: document the potential drawback of loading the policy
          before remote filesystems are mounted.
      * Turn off expression tree simplification, that makes performance
        much worse in some cases, and rarely much better.
      * Fix aa-teardown by installing /lib/apparmor/apparmor.systemd
        and making it executable.
      * Override a few Lintian false positives.
    
    apparmor (2.13-6) unstable; urgency=low
    
      * Install new tunables/share, needed by tunables/global.
        Fixes regression introduced in 2.13-5 (Closes: #904970).
      * New autopkgtest: test that we can compile the Evince profile.
        Having this in place earlier would have avoided introducing #904970.
    
    apparmor (2.13-5) unstable; urgency=low
    
      * freedesktop.org abstraction: support directories exported by Flatpak apps,
        replacing former flatpak-exports.patch with the patchset that was merged
        upstream (Closes: #865206).
    
    apparmor (2.13-4) unstable; urgency=medium
    
      * Stop building the Python 2 bindings packages: python-apparmor,
        python-libapparmor (Closes: #904599).
      * Mark libapparmor-perl Multi-Arch: same.
      * dh-apparmor's postinst snippet template: drop now useless backwards
        compatibility code; simplify.
    
    apparmor (2.13-3) unstable; urgency=medium
    
      * Upload to unstable.
      * Set proper SELinux labels on files created during installation or upgrade.
        Thanks to Laurent Bigonville <email address hidden> for the bug report
        and the patch! (Closes: #903633)
      * Fix CACHEDIR.TAG installation path and let dpkg replace the CACHEDIR.TAG
        directory (erroneously created by 2.13-1 and 2.13-2) with a regular file.
        (Closes: #883584)
      * New patch: make aa-notify point to Debian documentation (Closes: #904436).
        Thanks to Clément Hermann <email address hidden> for the bug report.
      * Install Dovecot profiles in /usr/share/apparmor/extra-profiles/
        instead of /etc/apparmor.d/: the previous setup created lots of noise
        in the logs and gave no security benefit. Thanks to Jonas Smedegaard
        <email address hidden> for raising the issue.
      * Skip *.dpkg-(new|old|dist|bak|remove) when falling back to calling the
        parser on individual profiles. Fixes a regression introduced in 2.13-1
        and adds .dpkg-remove, that was missing in the exclusion list before.
      * Bump pinned feature set to linux-image-4.17.0-1-amd64, version 4.17.8-1.
    
    apparmor (2.13-2) experimental; urgency=medium
    
      * Merge from sid:
        - upstream-commit-d9d3cae-adjust-python-abstraction-for-python-3.patch:
          new patch, to avoid breaking things with Python 3.7.
      * Regarding the "Don't invalidate the cache anymore […]" change introduced
        in 2.13-1: one can manually do that with apparmor_parser --purge.
    
    apparmor (2.13-1) experimental; urgency=medium
    
      * New upstream release (Closes: #893974).
      * Drop all patches backported from upstream: applied in 2.13.
      * Refresh and export patches with gbp.
      * debian/libapparmor1.symbols: add newly introduced symbols.
      * upstream-commit-e83fa67-fix-test-failures.patch: new patch,
        cherry-picked from upstream, that fixes test suite failures.
      * Declare compatibility with Standards-Version 4.1.4.
      * debian/rules: drop deprecated get-orig-source target.
      * Merge 2.12-4ubuntu5 (dropping the Ubuntu delta):
         - Drop support for snap v1.
      * Add Lintian overrides for a few non-issues.
      * debian/apparmor.dirs, debian/lib/apparmor/functions:
        adjust for new (multi-)cache location.
      * Install /etc/apparmor.d/cache.d/CACHEDIR.TAG (Closes: #883584).
      * Install aa-teardown and its manpage.
      * initscript: drop sysvinit-specific "recache" and "teardown" commands.
      * Simplify foreach_configured_profile() thanks to recent parser features.
      * aa-remove-unknown: use upstream functions instead of custom ones,
        i.e. one step towards deprecating distro-specific /lib/apparmor/functions.
        To make this work:
         - install the upstream shell functions library
         - patch one upstream function to add support for the snap profile directory
           and to not depend on aa_log_*_msg()
      * Don't invalidate the cache anymore when stopping, reloading or restarting
        the service, nor when installing or upgrading the apparmor package:
        the parser now manages its caches itself.
      * debian/lib/apparmor/functions: drop a bunch of functions that are not
        used anymore, thanks to the aforementioned changes.
      * Make apparmor.service more similar to upstream's:
         - reorder directives
         - use the same Description as upstream
         - start After=systemd-journald-audit.socket
      * apparmor.service: point to current homepage.
    
    apparmor (2.12-5) unstable; urgency=medium
    
      * upstream-commit-d9d3cae-adjust-python-abstraction-for-python-3.patch:
        new patch, to avoid breaking things with Python 3.7.
    
     -- Jamie Strandboge <email address hidden>  Tue, 26 Mar 2019 18:06:04 +0000
  • apparmor (2.12-4ubuntu10) disco; urgency=medium
    
      * No-change rebuild to drop python3.6 support.
    
     -- Matthias Klose <email address hidden>  Sat, 03 Nov 2018 13:03:44 +0100
  • apparmor (2.12-4ubuntu9) disco; urgency=medium
    
      * No-change rebuild for the perl 5.28 transition.
    
     -- Adam Conrad <email address hidden>  Fri, 02 Nov 2018 18:07:54 -0600
  • apparmor (2.12-4ubuntu8) cosmic; urgency=medium
    
      * lp1788929+1794848.patch:
        - disallow writes to thumbnailer dir (LP: #1788929)
        - disallow access to the dirs of private files (LP: #1794848)
    
     -- Jamie Strandboge <email address hidden>  Thu, 27 Sep 2018 17:25:04 +0000