[FFe] AppArmor 2.11 Beta 1 for policy namespace stacking and bug fixes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) |
Fix Released
|
Critical
|
Tyler Hicks |
Bug Description
The upstream AppArmor project has cut the 2.11 Beta 1 release. It contains a large number of bug fixes and a key feature. The feature is to allow profiles and applications to take advantage of the policy namespace stacking that has landed in the Xenial kernel. This will allow LXD containers to be confined with an over-arching AppArmor profile while individual processes inside the container can be further confined with an individual profile.
Here's the changelog, containing Debian/Ubuntu bug fixes, that I have accumulated:
apparmor (2.10.95-0ubuntu1) xenial; urgency=medium
* Update to apparmor 2.10.95 (2.11 Beta 1) (LP: #1561762)
- Allow Apache prefork profile to chown(2) files (LP: #1210514)
- Allow deluge-gtk and deluge-console to handle torrents opened in
browsers (LP: #1501913)
- Allow file accesses needed by some programs using libnl-3-200
(Closes: #810888)
- Allow file accesses needed on systems that use NetworkManager without
resolvconf (Closes: #813835)
- Adjust aa-status(8) to work without python3-apparmor (LP: #1480492)
- Fix aa-logprof(8) crash when operating on files containing multiple
profiles with certain rules (LP: #1528139)
- Fix log parsing crashes, in the Python utilities, caused by certain file
related events (LP: #1525119, LP: #1540562)
- Fix log parsing crasher, in the Python utilities, caused by certain
change_hat events (LP: #1523297)
- Improve Python 2 support of the utils by fixing an aa-logprof(8) crasher
when Python 3 is not available (LP: #1513880)
- Send aa-easyprof(8) error messages to stderr instead of stdout
(LP: #1521400)
- Fix aa-autodep(8) failure when the shebang line of a script contained
parameters (LP: #1505775)
- Don't depend on the system logprof.conf when running utils/ build tests
(LP: #1393979)
- Fix apparmor_parser(8) bugs when parsing profiles that use policy
namespaces in the profile declaration or profile transition targets
(LP: #1540666, LP: #1544387)
- Regression fix for apparmor_parser(8) bug that resulted in the
-
be loaded into the root policy namespace (LP: #1526085)
- Fix crasher regression in apparmor_parser(8) when the parser was asked
to process a directory (LP: #1534405)
- Fix bug in apparmor_parser(8) to honor the specified bind flags remount
rules (LP: #1272028)
- Support tarball generation for Coverity scans and fix a number of issues
discovered by Coverity
- Fix regression test failures on s390x systems (LP: #1531325)
- Adjust expected errno values in changeprofile regression test
(LP: #1559705)
- The Python utils gained support for ptrace and signal rules
- aa-exec(8) received a rewrite in C
- apparmor_parser(8) gained support for stacking multiple profiles, as
supported by the Xenial kernel (LP: #1379535)
- libapparmor gained new public interfaces, aa_stack_profile(2) and
aa_
stacking support (LP: #1379535)
* Drop the following patches since they've been incorporated upstream:
- aa-status-
- r3209-dnsmasq-
- r3227-locale-
- r3277-update-
- r3366-networkd.
- tests-fix_
- parser-
- parser-
- parser-
- parser-
- parser-
* debian/rules, debian/
for new upstream binutils directory and aa-enabled binary
- Continue installing aa-exec into /usr/sbin/ for now since
click-
* debian/
page
* debian/
access needed for nscd's paranoia mode
* debian/
regression test build time checks, for libapparmor stacking support, to
look for the 2.10.95 versioning rather than 2.11
* debian/
Remove extra slash in the parser Makefile so that debugedit(8) can work on
apparmor_
* debian/
rules of the new stacking tests so that the generated profiles allow the
system binaries and libraries to be tested
-- Tyler Hicks <email address hidden> Mon, 28 Mar 2016 20:26:48 -0500
Changed in apparmor (Ubuntu): | |
status: | Triaged → In Progress |
assignee: | nobody → Tyler Hicks (tyhicks) |
As part of the upstream AppArmor project requirements, we've already performed considerable testing when cutting the upstream release. However, we're still doing testing to complete the Ubuntu test plan defined here:
https:/ /wiki.ubuntu. com/Process/ Merges/ TestPlans/ AppArmor
When that is complete, I'll post the final details/results and subscribe the release team.