* Bring apparmor 2.10.95-0ubuntu2.5, from Ubuntu 16.04, to Ubuntu 14.04.
- This allows for proper snap confinement on Ubuntu 14.04 when using the
hardware enablement kernel (LP: #1641243)
* Changes made on top of 2.10.95-0ubuntu2.5:
- debian/apparmor.upstart: Remove the upstart job and continue using the
init script in 14.04
- debian/apparmor.postinst, debian/apparmor-profiles.postinst,
debian/apparmor-profiles.postrm, debian/rules: Revert to using
invoke-rc.d to load the profiles, rather than reloading them directly,
since 14.04 will continue using the init script rather than the upstart
job.
- debian/apparmor.init, debian/lib/apparmor/functions,
debian/apparmor.postinst, debian/apparmor.postrm: Remove functionality
dealing with AppArmor policy in system image based environments since
this 14.04 package will not need to handle such environments. This
removes the handle_system_policy_package_updates(),
compare_previous_version(), compare_and_save_debsums() functions and
their callers.
- debian/apparmor.init: Continue using running-in-container since
systemd-detect-virt doesn't exist on 14.04
- debian/lib/apparmor/functions, debian/apparmor.init: Remove the
is_container_with_internal_policy() function and adjust its call sites
in apparmor.init so that AppArmor policy is not loaded inside of 14.04
LXD containers (avoids bug #1641236)
- debian/lib/apparmor/profile-load, debian/apparmor.install: Remove
profile-load as upstart's apparmor-profile-load is used in 14.04
- debian/patches/libapparmor-mention-dbus-method-in-getcon-man.patch:
Continue applying this patch since the dbus version in 14.04 isn't new
enough to support fetching the AppArmor context from
org.freedesktop.DBus.GetConnectionCredentials().
- debian/patches/libapparmor-force-libtoolize-replacement.patch: Force
libtoolize to replace existing files to fix a libapparmor FTBFS issue on
14.04.
- debian/control: Retain the original 14.04 Breaks and ignore the new
Breaks from 2.10.95-0ubuntu2.5 since they were put in place as part of
the enablement of UNIX domain socket mediation. They're not needed in
this upload since UNIX domain socket mediation is disabled by default so
updates to the profiles included in those packages are not needed.
- Preserve the profiles and abstractions from 14.04's
2.8.95~2430-0ubuntu5.3 apparmor package by recreating them in the
top-level profiles-14.04/ directory of the source. They'll be installed
to debian/tmp/etc/apparmor.d/ during the build process and then to
/etc/apparmor.d/ on package install so that there are no changes to the
shipped profiles or abstractions. The abstractions from
2.10.95-0ubuntu2.5 will be installed into
debian/tmp/snap/etc/apparmor.d/ during the build process and then into
/etc/apparmor.d/snap/abstractions/ on package install for use with snap
confinement. Snap confinement profiles, which include AppArmor profiles
loaded by snapd and profiles loaded by snaps that are allowed to manage
AppArmor policy, will use the snap abstractions. All other AppArmor
profiles will continue to use the 14.04 abstractions.
- debian/rules: Adjust for new profiles-14.04/ directory
- debian/apparmor-profiles.install: Adjust to install the profiles that
were installed in the 2.8.95~2430-0ubuntu5.3 package
- debian/apparmor.install: Install the abstractions from the
2.10.95-0ubuntu2.5 package into /etc/apparmor.d/snap/abstractions/
- debian/patches/14.04-profiles.patch: Preserve the 14.04 profiles and
abstractions from the 2.8.95~2430-0ubuntu5.3 apparmor package.
- debian/patches/conditionalize-post-release-features.patch: Disable new
mediation features, implemented after the Ubuntu 14.04 release, unless
the profile is for snap confinement. If the profile is for snap
confinement, the abstractions from /etc/apparmor.d/snap/abstractions
will be used and all of the mediation features will be enabled.
- 14.04-add-chromium-browser.patch,
14.04-add-debian-integration-to-lighttpd.patch,
14.04-etc-writable.patch,
14.04-update-base-abstraction-for-signals-and-ptrace.patch,
14.04-dnsmasq-libvirtd-signal-ptrace.patch,
14.04-update-chromium-browser.patch,
14.04-php5-Zend_semaphore-lp1401084.patch,
14.04-dnsmasq-lxc_networking-lp1403468.patch,
14.04-profiles-texlive_font_generation-lp1010909.patch,
14.04-profiles-dovecot-updates-lp1296667.patch,
14.04-profiles-adjust_X_for_lightdm-lp1339727.patch: Import all of the
patches, from 14.04's 2.8.95~2430-0ubuntu5.3 apparmor package, which
patched profiles/ and adjust them to patch profiles-14.04/ instead.
- debian/patches/revert-r2550-and-r2551.patch: Revert two upstream changes
to mod_apparmor which could potentially regress existing users of
mod_apparmor in 14.04. These upstream changes are not appropriate for an
SRU.
This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.5~14.04.1
---------------
apparmor (2.10.95-0ubuntu2.5~14.04.1) trusty; urgency=medium
-- Tyler Hicks <email address hidden> Wed, 30 Nov 2016 16:36:02 +0000