Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
- To: 882697@bugs.debian.org
- Subject: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
- From: intrigeri <intrigeri@debian.org>
- Date: Sun, 25 Feb 2018 13:01:49 +0100
- Message-id: <851sh96zwy.fsf@boum.org>
- Reply-to: intrigeri <intrigeri@debian.org>, 882697@bugs.debian.org
- In-reply-to: <85d110ap21.fsf@boum.org> (intrigeri@debian.org's message of "Mon, 19 Feb 2018 18:04:38 +0100")
- References: <151163895024.25639.11816562461367496713.reportbug@deb.localhost> <1512212798.2278.23.camel@adam-barratt.org.uk> <85po7xqmhv.fsf@boum.org> <1512242519.2278.48.camel@adam-barratt.org.uk> <20171206133125.zntf5srjsia2g6vo@nora.maurer-it.com> <85zi6wj5ho.fsf@boum.org> <20171206145352.scgbb77dll75kjm2@nora.maurer-it.com> <85efo7g2t4.fsf@boum.org> <85wp1zd8so.fsf@boum.org> <1512594224.2484.105.camel@adam-barratt.org.uk> <85373hvrnn.fsf@boum.org> <6dffc7babb794831fe8dca177e2f984f@mail.adam-barratt.org.uk> <85d110ap21.fsf@boum.org>
Control: tag -1 - moreinfo
Control: retitle -1 stretch-pu: package apparmor/2.11.0-3+deb9u2
Hi,
here's the updated debdiff; I've bumped the version in order to
avoid confusion.
This will now work fine except for Linux 4.14 to 4.14.12 that have the
bug which prevented us from including apparmor 2.11.0-3+deb9u1 in the
previous point release. The kernel fix has been in sid since
2018-01-15, in stretch-backports since 2018-01-16, and in testing
since 2018-01-20. So IMO the benefit (repairing stuff for Stretch
users running an up-to-date backported kernel) is worth the risk
(breaking stuff for Stretch users running an outdated Linux 4.14.x).
May I upload (with s/UNRELEASED/stretch/ of course)?
Cheers,
--
intrigeri
diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:08.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.install 2018-02-25 11:21:24.000000000 +0100
@@ -1,4 +1,5 @@
debian/apport/source_apparmor.py /usr/share/apport/package-hooks/
+debian/features /usr/share/apparmor-features/
debian/lib/apparmor/functions /lib/apparmor/
debian/lib/apparmor/profile-load /lib/apparmor/
etc/apparmor/parser.conf
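Review bot: The destination on the new `debian/features /usr/share/apparmor-features/` line has to agree with the `features-file=/usr/share/apparmor-features/features` path that pin-feature-set.patch writes into parser.conf. dh_install does place the file at exactly that path, so the two are consistent today, but they are maintained in separate files and nothing at build time checks that they still agree; a one-line `#` comment in debian/apparmor.install pointing at the parser.conf setting would make the coupling visible to whoever touches either file next.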
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog 2017-03-28 12:29:15.000000000 +0200
+++ apparmor-2.11.0/debian/changelog 2018-02-25 11:21:24.000000000 +0100
@@ -1,3 +1,16 @@
+apparmor (2.11.0-3+deb9u2) UNRELEASED; urgency=medium
+
+ * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585).
+ This ensures Stretch systems, even when running a newer kernel (e.g.
+ from backports), have their AppArmor feature set pinned to the one
+ supported by the AppArmor policy shipped in Stretch. Otherwise they
+ would experience breakage due to new AppArmor mediation features
+ introduced in recent kernels.
+ * Configure gbp for DEP-14 and avoid gbp-pq prefixing patches
+ with numbers.
+
+ -- intrigeri <intrigeri@debian.org> Sun, 25 Feb 2018 10:21:24 +0000
+
apparmor (2.11.0-3) unstable; urgency=medium
* Fix CVE-2017-6507: don't unload unknown profiles during package
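Review bot: The new changelog entry does not mention the known breakage on Linux 4.14 to 4.14.12 that the cover letter describes, nor why 2.11.0-3+deb9u1 never shipped, so a Stretch user on an affected backported kernel who reads the changelog cannot tell that the kernel fix is needed as well. Consider adding a sentence naming the affected kernel range to this entry or to a debian/NEWS item. Also, `UNRELEASED` still needs to become `stretch` before upload, as the cover letter already notes.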
diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features
--- apparmor-2.11.0/debian/features 1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/features 2018-02-25 11:21:24.000000000 +0100
@@ -0,0 +1,23 @@
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+}
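Review bot: debian/features carries no provenance: nothing records which kernel the feature set was captured from (Stretch's, according to the changelog) or how to regenerate it, and the file format leaves no room for a comment header. Consider stating in debian/changelog or a debian/README.source note that it is a copy of the Stretch kernel's /sys/kernel/security/apparmor/features tree, so a later point release can refresh it reproducibly. The `capability {0xffffff}` line and the `caps` mask list are also worth a sanity check against each other and against the policy shipped in Stretch, since with the pin in place the parser compiles policy against this list rather than the running kernel's, which is the whole point of the change.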
diff -Nru apparmor-2.11.0/debian/gbp.conf apparmor-2.11.0/debian/gbp.conf
--- apparmor-2.11.0/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/gbp.conf 2018-02-25 11:21:24.000000000 +0100
@@ -0,0 +1,6 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/stretch
+upstream-branch = upstream/latest
+upstream-vcs-tag = v%(version)s
+patch-numbers = False
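Review bot: This hunk is unrelated to #879585 and affects only maintainer tooling, not the built packages, while stable updates are expected to stay minimal and targeted; either drop it from the stretch upload or call it out explicitly in the request so the release team can accept it knowingly. If it stays, `debian-branch = debian/stretch` with `upstream-branch = upstream/latest` and `upstream-vcs-tag = v%(version)s` is the DEP-14 layout the changelog entry describes, and `patch-numbers = False` matches the unnumbered `pin-feature-set.patch` name added to debian/patches/series.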
diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch
--- apparmor-2.11.0/debian/patches/pin-feature-set.patch 1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/patches/pin-feature-set.patch 2018-02-25 11:21:24.000000000 +0100
@@ -0,0 +1,18 @@
+Description: pin the AppArmor feature set to the one shipped by the apparmor package
+ .
+ Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
+ policy in a relaxed manner.
+Bug-Debian: https://bugs.debian.org/879585
+Forwarded: not-needed
+Author: intrigeri <intrigeri@debian.org>
+
+--- a/parser/parser.conf
++++ b/parser/parser.conf
+@@ -59,3 +59,7 @@
+ ## Adjust compression
+ #Optimize=compress-small
+ #Optimize=compress-fast
++
++## Pin feature set (avoid regressions when policy is lagging behind
++## the kernel)
++features-file=/usr/share/apparmor-features/features
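Review bot: parser/parser.conf ships as the conffile /etc/apparmor/parser.conf (see debian/apparmor.install), so on upgrade any system whose administrator has edited that file will get a dpkg conffile prompt and, if they keep their local copy, will never receive the `features-file=` line and will silently stay on the running kernel's feature set, i.e. exactly the regression this update is meant to prevent. That case deserves a sentence in the changelog or debian/NEWS. The `Description:` header also says the feature set is "the one shipped by the apparmor package" without saying which kernel it corresponds to; stating that here would help whoever refreshes debian/features later.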
diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series 2017-03-28 12:24:44.000000000 +0200
+++ apparmor-2.11.0/debian/patches/series 2018-02-25 11:21:24.000000000 +0100
@@ -2,6 +2,7 @@
# Debian-specific patches
#
+pin-feature-set.patch
notify-group.patch
#