-
apparmor (2.5.1-0ubuntu0.10.04.4) lucid-security; urgency=low
* fix LP: #989184 - Firefox 12's launcher script is not allowed in
abstractions/ubuntu-browsers; This was a regression from the firefox
path changing to a non-versioned path in the Firefox 12 packaging
- add debian/patches/0016-lp989184.patch
- update debian/patches/series
* fix LP: #990931 - Thunderbird is being blocked by apparmor from Firefox;
This was a regression from the Thunderbird path changing to a non-versioned
path in the Thunderbird 12 packaging
- add debian/patches/0015-lp990931.patch
- update debian/patches/series
-- Micah Gersten <email address hidden> Wed, 30 May 2012 14:02:17 -0500
-
apparmor (2.5.1-0ubuntu0.10.04.3) lucid-proposed; urgency=low
* debian/patches/0014-lp698194.patch: explicitly deny access to autostart
directories, chromium, some popular email clients and kwallet
- LP: #698194
-- Jamie Strandboge <email address hidden> Sun, 16 Jan 2011 10:09:03 -0600
-
apparmor (2.5.1-0ubuntu0.10.04.2) lucid-security; urgency=low
* Fix for apparmor_parser not generating correct policy when mixing exec
transitions with and without unconfined fallback transitions.
- debian/patches/0013-lp693082.patch: adjust dfa match flag table size
and fix index calculation for pux and cux.
- LP: #693082
-- Jamie Strandboge <email address hidden> Wed, 05 Jan 2011 12:15:29 -0600
-
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low
* Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
with newer kernels (LP: #660077)
NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
to be adjusted when 2 separately confined applications that both use the
user-tmp abstraction depend on being able to cooperatively share files
with each other in /tmp or /var/tmp.
* remove the following patches (features not appropriate for SRU):
- 0002-add-chromium-browser.patch
- 0003-local-includes.patch
- 0004-ubuntu-abstractions-updates.patch
* debian/rules (this makes it the same as what was shipped in 10.04 LTS
release):
- don't ship aa-update-browser and its man page (requires
0004-ubuntu-abstractions-updates.patch)
- don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
- don't use dh_apparmor (not in Ubuntu 10.04 LTS)
- don't ship chromium profile
* remove debian/profiles/chromium-browser
* remove debian/aa-update-browser*
* debian/apparmor-profiles.postinst: revert to that in lucid release
(requires dh_apparmor and 0002-add-chromium-browser.patch)
* remove debian/apparmor-profiles.postrm: doesn't make sense without
0002-add-chromium-browser.patch
* debian/control:
- revert Build-Depends on debhelper (>= 5)
- revert Standards-Version to 3.8.4
- revert Vcs-Bzr
- use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
* debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
back into dbus, since profiles on 10.04 LTS expect it there
* debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
be there
apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low
* New upstream release (LP: #660077)
- The following patches were refreshed:
+ 0001-fix-release.patch
+ 0003-local-includes.patch
+ 0004-ubuntu-abstractions-updates.patch
+ 0008-lp648900.patch: renamed as 0005-lp648900.patch
- The following patches were dropped (included upstream):
+ 0005-lp601583.patch
+ 0006-network-interface-enumeration.patch
+ 0007-gnome-updates.patch
* debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
* debian/patches/0007-honor-cflags.patch: have the parser makefile honor
CFLAGS environment variable. Brings back missing symbols for the retracer
* debian/patches/0008-lp652674.patch: fix warnings for messages without
denied or requested masks (LP: #652674)
* debian/apparmor.init: fix path to aa-status (LP: #654841)
* debian/apport/source_apparmor.py: apport hook should use
root_command_hook() for running apparmor_status (LP: #655529)
* debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
cmdline details (LP: #657091)
* debian/{rules,control}: move apache2 abstractions into the base package
so we can put apache2 profiles into the -profiles package without
aa-logprof bailing out. Patch by Marc Deslauriers.
(LP: #539441)
* debian/patches/0009-sensible-browser-pix.patch: use Pix with
sensible-browser
* debian/patches/0010-ubuntu-buildd.patch: skip parser caching test if
the AppArmor securityfs introspection directory is not mounted, as
is the case on Ubuntu buildds.
apparmor (2.5.1~rc1-0ubuntu2) maverick; urgency=low
* abstractions/ubuntu-email: adjustment for ever-changing thunderbird path
(LP: #648900)
apparmor (2.5.1~rc1-0ubuntu1) maverick; urgency=low
[ Jamie Strandboge ]
* New upstream RC release (revision 1413). In addition to getting the tools
to work with the maverick kernel, this update fixes:
- LP: #619521
- LP: #633369
- LP: #626451
- LP: #581525
- LP: #623467 (link and unlink still need to be addressed)
* Dropped the following patches, included upstream:
- 0002-lp615177.patch
- 0004-ubuntu-pux.patch
- 0006-kde4-config-pux.patch
- 0007-lp605835.patch
- 0012-lp625041.patch
- 0013-lp623586.patch
* Update the following patches:
- rename 0010-fix-release.patch as 0001-fix-release.patch since this will
likely always need to be here
- rename 0005-add-chromium-browser.patch as
0002-add-chromium-browser.patch
- rename 0001-local-includes.patch as 0003-local-includes.patch and update
to use r1493 (from trunk) of local/README file. This can be dropped in
2.6.
- collect the ubuntu abstractions updates pulled from trunk into
0004-ubuntu-abstractions-updates.patch. This can be dropped in 2.6.
- rename 0008-lp601583.patch as 0005-lp601583.patch. This can be dropped
in 2.5.1 final.
* fix up some lintian warnings:
- debian/control:
+ don't use 'Section' in apparmor-notify, since it is the same as the
source
+ updates Standards-Version to 3.9.1
+ add ${misc:Depends} to libapparmor-dev and apparmor-notify
- add debian/source/format
- debian/libapache2-mod-apparmor.postrm: use #DEBHELPER#
- debian/libapache2-mod-apparmor.preinst: use #DEBHELPER#
- add debian/watch
* debian/notify/notify.conf: set show_notifications="yes" by default
* debian/patches/0006-network-interface-enumeration.patch: allow network
interface enumeration. This can be dropped in 2.5.1 final.
* debian/patches/0007-gnome-updates.patch: update for font/icon/mime
locations in current gnome. This can be dropped in 2.5.1 final.
[ Kees Cook ]
* debian/apparmor.init: rename "stop" to "teardown", drop caches on
"stop" and warn about the dangers of "teardown".
apparmor (2.5.1~pre1393-0ubuntu6) maverick; urgency=low
* debian/profiles/chromium-browser: updated to have the proper path to
local/
* debian/patches/0011-lp514356+573344+593413.patch: browser abstraction
updates for /net, kmozillahelper and gnome-appearance-properties
(LP: #593413, LP: #514356, LP: #573344)
* debian/patches/0012-lp625041.patch: add sensible-browser (LP: #625041)
* debian/patches/0013-lp623586.patch: allow access to ghostscript fonts when
not using defoma (LP: #623586)
apparmor (2.5.1~pre1393-0ubuntu5) maverick; urgency=low
* debian/patches/0007-lp605835.patch: allow ca-certificates in ssl_certs
abstraction (LP: #605835)
* debian/patches/0008-lp601583.patch: adjust X abstraction for newer gdm
(LP: #601583)
* debian/patches/0009-lp565753.patch: add ubuntu-feed-readers abstraction
and have ubuntu-browsers.d/multimedia use it (LP: #565753)
* debian/apparmor.config: don't try to read in the existing value from
/etc/apparmor.d/tunables/home.d/ubuntu, but instead always use what is
in debconf. (LP: #561694)
* add aa-update-browser for giving a programmatic way to update browser
profiles to use browser abstractions
- add debian/aa-update-browser
- add debian/aa-update-browser.8
- debian/rules: install aa-update-browser*
* debian/patches/0003-ubuntu-browsers-d.patch: updated to generalize java
child profile names
* debian/patches/0010-fix-release.patch: update common/Make.rules to use
lsb_release
apparmor (2.5.1~pre1393-0ubuntu4) maverick; urgency=low
* debian/patches/0001-local-includes.patch: updated to adjust local/README
to have upstream clarifications
* debian/patches/0003-ubuntu-browsers-d.patch: add ubuntu-browsers.d/*
abstractions
* debian/patches/0004-ubuntu-pux.patch: use 'PUx' instead of 'Ux' in
abstractions/ubuntu-*
* add chromium-browser profile. All this can be removed once
chromium-browser ships its own profile:
- debian/patches/0005-add-chromium-browser.patch: add preliminary
profiles/apparmor.d/usr.bin.chromium-browser
- debian/profiles/chromium-browser: added for use with ubuntu-browsers.d
- debian/rules: ship debian/profiles/chromium-browser in apparmor-profiles
* don't make /etc/apparmor.d/local/* from apparmor-profiles conffiles
- debian/control: Build-Depends on debhelper 7.4.20ubuntu5
- debian/rules: use dh_apparmor instead of shipping the files as conffiles
- debian/apparmor-profiles.postinst: move DEBHELPER before initscript
reload
- debian/apparmor-profiles.postrm: added to remove chromium-browser config
file
* debian/patches/0006-kde4-config-pux.patch: remove kde4-config from kde
abstraction and add it to kde ubuntu-browsers abstraction
apparmor (2.5.1~pre1393-0ubuntu3) maverick; urgency=low
* debian/patches/0002-lp615177.patch: 'owner' match in commit 1406 too
strict for /tmp/ and /var/tmp/ (LP: #615177)
apparmor (2.5.1~pre1393-0ubuntu2) maverick; urgency=low
* debian/rules: move local/usr.lib.apache2.mpm-prefork.apache2 to
libapache2-mod-apparmor
apparmor (2.5.1~pre1393-0ubuntu1) maverick; urgency=low
* Update to upstream bzr revision 1393 from lp:apparmor/2.5.
* add dbus-session abstraction (LP: #566207)
* require owner in user-tmp abstraction (LP: #578922)
* don't use uninitialized $opt_s (LP: #582075)
* allow thunderbird 3 in abstractions/ubuntu-email (LP: #590462)
* allow gmplayer in abstractions/ubuntu-media-players (LP: #591421)
* debian/control: updated branches.
* debian/patches/0001-local-includes.patch: backported patch from trunk to
allow local administrators to customize their profiles without modifying
a shipped profile
* debian/rules:
- don't pass RELEASE to libapparmor's 'make install' as it breaks the
build and isn't used by the Makfile anyway
- install apparmor.d/local/README in apparmor, not apparmor-profiles
- don't install apparmor.d/local/usr.sbin.ntpd
* Drop the following patches already included upstream:
- 0001-lp538561.patch
- 0002-aalogprof-warnings.patch
- 0003-fix-memleaks.patch
- 0004-lp549557.patch
- 0005-lp538661.patch
- 0006-lp611248.patch
apparmor (2.5-0ubuntu4) maverick; urgency=low
* debian/patches/0006-lp611248.patch: allow access to gdk-pixbuf loaders
LP: #611248
-- Jamie Strandboge <email address hidden> Tue, 02 Nov 2010 13:33:15 -0500
-
apparmor (2.5-0ubuntu3) lucid; urgency=low
[ Jamie Strandboge ]
* debian/patches/lp-549557.patch: have apparmor_notify deal with log file
rotation. (LP: #549557)
* debian/notify/notify.conf: set show_notifications="yes"
* debian/patches/0005-lp538661.patch: adjust php5 abstraction for cgi config
file path and extensions (LP: #538661)
[ Kees Cook ]
* debian/apparmor.functions: do not load in parallel, this is causing
weird side-effects.
-- Jamie Strandboge <email address hidden> Tue, 30 Mar 2010 11:31:49 -0500
-
apparmor (2.5-0ubuntu2) lucid; urgency=low
[ Jamie Strandboge ]
* debian/patches/0001-lp538561.patch: add 'k' to /var/lib/samba/**.tdb in
the samba abstraction (LP: #538561)
[ Marc Deslauriers ]
* debian/patches/0002-aalogprof-warnings.patch: get rid of warnings when
aa-logprof is run.
* debian/{rules,control}: move apache2 abstractions into the base package
so we can put apache2 profiles into the -profiles package without
aa-logprof bailing out. (LP: #539441)
* debian/patches/0003-fix-memleaks.patch: include a couple of leak
patches from upstream.
-- Marc Deslauriers <email address hidden> Fri, 26 Mar 2010 11:39:18 -0400
-
apparmor (2.5-0ubuntu1) lucid; urgency=low
* New upstream release.
* debian/control: updated branches.
* debian/copyright: updated download locations.
* debian/rules: drop unneeded build variables.
* common/Make.rules: set distributor.
-- Kees Cook <email address hidden> Thu, 11 Mar 2010 00:08:08 -0800
-
apparmor (2.5~pre+bzr1367-0ubuntu1) lucid; urgency=low
* Update to upstream bzr revision 1367
* debian/notify/90apparmor-notify: sleep for 60 seconds for boot speed and
to make sure that X is all the way up so the notifications look pretty
-- Jamie Strandboge <email address hidden> Mon, 08 Mar 2010 13:53:50 -0600
-
apparmor (2.5~pre+bzr1364-0ubuntu1) lucid; urgency=low
* Update to upstream bzr revision 1364.
* debian/apparmor.functions: ignore .dpkg-bak files when loading too.
-- Kees Cook <email address hidden> Wed, 17 Feb 2010 13:36:21 -0800
-
apparmor (2.5~pre+bzr1362-0ubuntu2) lucid; urgency=low
* debian/apparmor.postinst: on upgrades, prepopulate apparmor/homedirs
if it is not preseeded. Will check /etc/passwd for UIDs >= 1000 and
< 30000 for unique dirnames of home directories that are not /home. Fully
resolves (LP: #447292)
-- Jamie Strandboge <email address hidden> Wed, 17 Feb 2010 09:42:55 -0600
-
apparmor (2.5~pre+bzr1362-0ubuntu1) lucid; urgency=low
[ Kees Cook ]
* Update to upstream bzr revision 1362.
- This release includes DFA minimization, transition table compression,
and improved partitioning performance (LP: #503869).
- drop 0001-tunable-alias.patch, now upstream.
* debian/apparmor.postinst: update home.d template to note the trailing
slash, even if the debconf template mentions it too.
* debian/apparmor.functions: go fully parallel with parsing to use all
CPUs in the case of needing to regenerate caches.
* debian/rules: enable library testsuite during build.
* debian/control: add dejagnu for library testsuite.
* debian/{rules,control}: use chrpath to drop rpath in libapparmor-perl.
[ Jamie Strandboge ]
* debian/control: add apparmor-notify
* add debian/notify/notify.conf
* add debian/notify/90apparmor-notify
* add debian/apparmor-notify.install: install notify.conf to /etc/apparmor
and 90apparmor-notify to /etc/X11/Xsession.d
* debian/rules:
- remove upstream notify.conf since we will install our own via debhelper
- move apparmor_notify script and man pages to apparmor-notify
-- Kees Cook <email address hidden> Sat, 13 Feb 2010 12:19:30 -0800
-
apparmor (2.3.1+bzr1312-0ubuntu4) lucid; urgency=low
* 0001-tunable-alias.patch: backport r1330 to make it easier for people
to use AppArmor's alias rules (LP: #160002)
-- Jamie Strandboge <email address hidden> Mon, 11 Jan 2010 14:31:06 -0600
-
apparmor (2.3.1+bzr1312-0ubuntu3) lucid; urgency=low
* debian/apparmor.{init,functions}:
- add "recache" argument to init script for liveCD cache generation.
- skip start/stop/reload when running on liveCD.
-- Kees Cook <email address hidden> Fri, 08 Jan 2010 08:39:14 -0800
-
apparmor (2.3.1+bzr1312-0ubuntu2) lucid; urgency=low
* debian/rules: disable profiling support for released version.
-- Kees Cook <email address hidden> Wed, 06 Jan 2010 16:57:58 -0800
-
apparmor (2.3.1+bzr1312-0ubuntu1) lucid; urgency=low
[ Kees Cook ]
* Update to upstream bzr revision 1312.
* debian/apparmor.postrm: fix comment typo.
* debain/rules: switch to bzr for upstream versioning.
* debian/rules: install apache2-* abstractions into apache2-mod package.
* drop debian/patches/0001-likewise-home-tunables.patch: this is causing
too much time in the parser (see LP 503869). The default install is
suffering, so move this configuration to likewise-open (see LP 274350).
[ Jamie Strandboge ]
* debian/rules:
- don't ship tunables/home.d/site.local
- correct path for moving apache2 abstraction
* add debconf question for adjusting HOMEDIRS (LP: #447292)
- add debian/apparmor.config
- debian/apparmor.postinst: query debconf and adjust
tunables/home.d/ubuntu
- debian/apparmor.postrm: on purge, remove tunables/home.d/ubuntu and run
db_purge
- debian/control: Build-Depends on po-debconf and have apparmor Depends on
debconf
- add debian/po/*
- debian/rules: use dh_installdebconf -papparmor
- added debian/templates
-- Kees Cook <email address hidden> Wed, 06 Jan 2010 15:51:33 -0800
-
apparmor (2.3.1+1403-0ubuntu31) lucid; urgency=low
* Remove initramfs hooks, as early profile loading is handled
on a service-by-service basis with Upstart jobs now.
-- Kees Cook <email address hidden> Fri, 04 Dec 2009 13:22:04 -0800
-
apparmor (2.3.1+1403-0ubuntu30) lucid; urgency=low
[ Jamie Strandboge ]
* convert to using quilt
- debian/control: Build-Depends on quilt
- add debian/README.source
- debian/rules: include /usr/share/quilt/quilt.make and adjust
targets for patching
* debian/patches/0001-likewise-home-tunables.patch: tunables/home: add
/home/likewise-open/*/ to HOMEDIRS (LP: #274350)
* Merge to upstream bzr rev 1308.
- really add chromium-browser (LP: #488559)
- add official google-chrome (LP: #481661)
[ Kees Cook ]
* parser/parser_main.c: use nanosec ctime resolution when checking
cache file times.
* parser/tst/caching.sh: add tests for cache use based on timestamps.
-- Jamie Strandboge <email address hidden> Fri, 04 Dec 2009 11:11:01 -0600
-
apparmor (2.3.1+1403-0ubuntu29) lucid; urgency=low
* parser/Makefile: generate af_names.h based on bits/socket.h since
linux/socket.h no longer has what we need (LP: #474751)
* usr.sbin.dnsmasq: fully address LP: #445818
- more pidfile refinements
- allow access to /var/run/dnsmasq
- allow access to /etc/dnsmasq.d
- allow dac_override so it can write its pidfile
-- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 17:07:23 -0600
-
apparmor (2.3.1+1403-0ubuntu28) lucid; urgency=low
[ Jamie Strandboge ]
* update skype profile in extras. Based on work by Андрей Калинин.
(LP: #226624)
* abstractions/ubuntu-browsers: add opera and icecat (LP: #432778)
* abstractions/ubuntu-browsers: add epiphany (epiphany-browser and
epiphany-webkit were already present, but the recent changes in
epiphany packaging require /usr/bin/epiphany) (LP: #472952)
* usr.sbin.dnsmasq: allow pidfiles for /var/run/dnsmasq*.pid (LP: #445818)
* abstractions/gnome: allow access to ~/.themes (LP: #460125)
* abstractions/kde: allow access to /etc/kde4rc and /usr/bin/kde4-config
(LP: #447006)
[ Marc Deslauriers ]
* utils/Subdomain.pm: don't skip reading profiles that are also in the
cache directory (LP: #446449)
* utils/Subdomain.pm: correctly parse PUxr modes
* utils/Subdomain.pm: support include directories
-- Jamie Strandboge <email address hidden> Wed, 04 Nov 2009 11:02:27 -0600
-
apparmor (2.3.1+1403-0ubuntu27) karmic; urgency=low
* utils/SubDomain.pm: handle new format "null" log entries (LP: #446524)
-- Marc Deslauriers <email address hidden> Fri, 16 Oct 2009 14:40:04 -0400