
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

This update avoids breakage for Stretch users who have enabled AppArmor and run
Linux 4.14+ (e.g. from backports once it's there), by pinning the AppArmor
feature set in the kernel to the Stretch kernel's feature set, i.e. the feature
set the AppArmor policy shipped in Stretch supports (it's not ready to deal with
new AppArmor mediation features brought in recent kernels).

We already have exactly the same thing in current testing/sid, albeit with Linux
4.13's feature set for now.

Cheers!

diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install	2017-03-28 12:23:08.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.install	2017-11-25 19:01:04.000000000 +0100
@@ -1,4 +1,5 @@
 debian/apport/source_apparmor.py /usr/share/apport/package-hooks/
+debian/features /etc/apparmor/
 debian/lib/apparmor/functions /lib/apparmor/
 debian/lib/apparmor/profile-load /lib/apparmor/
 etc/apparmor/parser.conf
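Review bot: installing debian/features under /etc/apparmor/ through the .install file turns it into a conffile, so dpkg will preserve local edits and prompt on future changes to it; since the file exists to mirror the Stretch kernel's feature set exactly, it is worth stating (in the changelog or a README note) that local modification is not expected, or confirming that conffile handling is what you want. The destination path does match the `features-file=/etc/apparmor/features` line added to parser.conf further down, so the two halves of the change are consistent.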
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog	2017-03-28 12:29:15.000000000 +0200
+++ apparmor-2.11.0/debian/changelog	2017-11-25 19:04:05.000000000 +0100
@@ -1,3 +1,14 @@
+apparmor (2.11.0-3+deb9u1) stretch; urgency=medium
+
+  * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585).
+    This ensures Stretch systems, even when running a newer kernel (e.g.
+    from backports), have their AppArmor feature set pinned to the one
+    supported by the AppArmor policy shipped in Stretch. Otherwise they
+    would experience breakage due to new AppArmor mediation features
+    introduced in recent kernels.
+
+ -- intrigeri <intrigeri@debian.org>  Sat, 25 Nov 2017 18:04:05 +0000
+
 apparmor (2.11.0-3) unstable; urgency=medium
 
   * Fix CVE-2017-6507: don't unload unknown profiles during package
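Review bot: the changelog entry describes the intent but not the mechanism; it should name the new /etc/apparmor/features file and the `features-file=` setting added to parser.conf, since that is what a Stretch administrator needs to know if they later want to run a newer kernel's full feature set with their own updated policy. Something like "Ship /etc/apparmor/features and point parser.conf's features-file at it" as a sub-item would cover it.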
diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features
--- apparmor-2.11.0/debian/features	1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/features	2017-11-25 18:55:55.000000000 +0100
@@ -0,0 +1,23 @@
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+}
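Review bot: this file has no comment syntax, so its provenance (which kernel it was dumped from and how, presumably the Stretch 4.9 kernel's /sys/kernel/security/apparmor/features) should be recorded in the changelog or debian/README.source so the file can be audited and regenerated when needed. Please also confirm that the layout here (mask values on one line, closing braces on their own lines) is exactly what apparmor_parser expects from `features-file`, since this file replaces the kernel as the parser's reference for what the policy may use.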
diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch
--- apparmor-2.11.0/debian/patches/pin-feature-set.patch	1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/patches/pin-feature-set.patch	2017-11-25 18:59:40.000000000 +0100
@@ -0,0 +1,18 @@
+Description: pin the AppArmor feature set to the one shipped by the apparmor package
+ .
+ Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
+ policy in a relaxed manner.
+Bug-Debian: https://bugs.debian.org/879585 
+Forwarded: not-needed
+Author: intrigeri <intrigeri@debian.org>
+
+--- a/parser/parser.conf
++++ b/parser/parser.conf
+@@ -59,3 +59,7 @@
+ ## Adjust compression
+ #Optimize=compress-small
+ #Optimize=compress-fast
++
++## Pin feature set (avoid regressions when policy is lagging behind
++## the kernel)
++features-file=/etc/apparmor/features
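Review bot: there is trailing whitespace after the URL on the `Bug-Debian:` line; drop it. In the parser.conf comment, consider adding how to opt out (commenting out `features-file=` makes the parser fall back to the running kernel's feature set), since that is the knob a Stretch user who has updated their policy for a newer kernel would reach for.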
diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series	2017-03-28 12:24:44.000000000 +0200
+++ apparmor-2.11.0/debian/patches/series	2017-11-25 18:59:40.000000000 +0100
@@ -2,6 +2,7 @@
 # Debian-specific patches
 #
 
+pin-feature-set.patch
 notify-group.patch
 
 #
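Review bot: pin-feature-set.patch is inserted ahead of notify-group.patch; the two touch different files so the order has no effect on the result, but appending new patches at the end of the series keeps it chronological and avoids needless refresh churn.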