
Bug#882697: marked as done (stretch-pu: package apparmor/2.11.0-3+deb9u2)



Your message dated Sat, 10 Mar 2018 10:57:46 +0000
with message-id <1520679466.2744.57.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.4
has caused the Debian Bug report #882697,
regarding stretch-pu: package apparmor/2.11.0-3+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

This update avoids breakage for Stretch users who have enabled AppArmor and run
Linux 4.14+ (e.g. from backports once it's there), by pinning the AppArmor
feature set in the kernel to the Stretch kernel's feature set, i.e. the feature
set the AppArmor policy shipped in Stretch supports (it's not ready to deal with
new AppArmor mediation features brought in recent kernels).

We already have exactly the same thing in current testing/sid, albeit with Linux
4.13's feature set for now.

Cheers!
diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install	2017-03-28 12:23:08.000000000 +0200
+++ apparmor-2.11.0/debian/apparmor.install	2017-11-25 19:01:04.000000000 +0100
@@ -1,4 +1,5 @@
 debian/apport/source_apparmor.py /usr/share/apport/package-hooks/
+debian/features /etc/apparmor/
 debian/lib/apparmor/functions /lib/apparmor/
 debian/lib/apparmor/profile-load /lib/apparmor/
 etc/apparmor/parser.conf
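Review bot: the added `+debian/features /etc/apparmor/` line installs the pinned feature set under /etc, so dh_installdeb will register it as a dpkg conffile; every future upload that refreshes the snapshot will then prompt any admin who has edited the file, and a locally modified copy will silently keep an older pin. If the file is meant to track the Stretch kernel rather than be tuned per host, consider shipping it under /usr/share and pointing the parser.conf `features-file=` setting at that path, or at least note the conffile behaviour in the changelog.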
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog	2017-03-28 12:29:15.000000000 +0200
+++ apparmor-2.11.0/debian/changelog	2017-11-25 19:04:05.000000000 +0100
@@ -1,3 +1,14 @@
+apparmor (2.11.0-3+deb9u1) stretch; urgency=medium
+
+  * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585).
+    This ensures Stretch systems, even when running a newer kernel (e.g.
+    from backports), have their AppArmor feature set pinned to the one
+    supported by the AppArmor policy shipped in Stretch. Otherwise they
+    would experience breakage due to new AppArmor mediation features
+    introduced in recent kernels.
+
+ -- intrigeri <intrigeri@debian.org>  Sat, 25 Nov 2017 18:04:05 +0000
+
 apparmor (2.11.0-3) unstable; urgency=medium
 
   * Fix CVE-2017-6507: don't unload unknown profiles during package
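Review bot: the new changelog stanza is versioned 2.11.0-3+deb9u1, while this bug is titled for 2.11.0-3+deb9u2; please make sure the version in the stanza matches the one that will actually be uploaded, otherwise the Closes: #879585 will not be tied to the right upload. The entry explains the motivation well but does not mention the two user-visible changes it introduces, the new /etc/apparmor/features conffile and the `features-file=` line appended to parser.conf; adding one sentence on each would help admins reading the changelog on upgrade.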
diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features
--- apparmor-2.11.0/debian/features	1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/features	2017-11-25 18:55:55.000000000 +0100
@@ -0,0 +1,23 @@
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+}
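Review bot: the snapshot carries no provenance. The cover text says it is "the Stretch kernel's feature set", but nothing in the hunk or the changelog records which exact kernel version it was taken from or that it was copied from /sys/kernel/security/apparmor/features, so the next person refreshing the pin cannot verify it or reproduce it. Please record the kernel version and the capture method in the changelog or a short README, so that a reviewer can diff this file against a Stretch kernel's feature tree before it is refreshed.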
diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch
--- apparmor-2.11.0/debian/patches/pin-feature-set.patch	1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/patches/pin-feature-set.patch	2017-11-25 18:59:40.000000000 +0100
@@ -0,0 +1,18 @@
+Description: pin the AppArmor feature set to the one shipped by the apparmor package
+ .
+ Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
+ policy in a relaxed manner.
+Bug-Debian: https://bugs.debian.org/879585 
+Forwarded: not-needed
+Author: intrigeri <intrigeri@debian.org>
+
+--- a/parser/parser.conf
++++ b/parser/parser.conf
+@@ -59,3 +59,7 @@
+ ## Adjust compression
+ #Optimize=compress-small
+ #Optimize=compress-fast
++
++## Pin feature set (avoid regressions when policy is lagging behind
++## the kernel)
++features-file=/etc/apparmor/features
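Review bot: the `Bug-Debian: https://bugs.debian.org/879585 ` header line has a trailing space after the URL; drop it. On the substance, the patch hard-codes `features-file=/etc/apparmor/features` with no fallback, so the behaviour when that file is missing or unreadable (purged conffile, interrupted upgrade) is now whatever apparmor_parser does with an unreadable features file; please state in the Description what that outcome is and, if the parser refuses to load any policy in that case, consider whether the setting needs guarding.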
diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series	2017-03-28 12:24:44.000000000 +0200
+++ apparmor-2.11.0/debian/patches/series	2017-11-25 18:59:40.000000000 +0100
@@ -2,6 +2,7 @@
 # Debian-specific patches
 #
 
+pin-feature-set.patch
 notify-group.patch
 
 #

--- End Message ---
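As an added illustration (not part of the bug report or the apparmor package), here is a small Python parser for the nested-brace features-file format shown in the debian/features hunk, together with a check that reports which features a newer kernel advertises that the pinned file omits, i.e. the mediation features the pin keeps the parser from enabling. The PINNED and NEWER strings are constructed, abbreviated samples, not real captures.

```python
import re

TOKEN_RE = re.compile(r"\{|\}|[^\s{}]+")   # '{', '}' or a bare word

def parse_features(text):
    """Parse NAME { sub-blocks | values } nesting into dicts; a leaf block
    becomes a frozenset of its whitespace-separated values."""
    tokens, pos = TOKEN_RE.findall(text), 0

    def block():
        nonlocal pos
        children, values = {}, []
        while pos < len(tokens) and tokens[pos] != "}":
            tok = tokens[pos]
            pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1                   # consume '{'
                children[tok] = block()
                pos += 1                   # consume the matching '}'
            else:
                values.append(tok)
        return children if children else frozenset(values)

    tree = block()
    if pos != len(tokens) or not isinstance(tree, dict):   # unbalanced braces
        raise ValueError("malformed features file")
    return tree

def flatten(node, prefix=""):
    """Map dotted feature paths (e.g. 'file.mask') to their leaf value sets."""
    out = {}
    for name, child in node.items():
        if isinstance(child, dict):
            out.update(flatten(child, prefix + name + "."))
        else:
            out[prefix + name] = child
    return out

def unpinned_kernel_features(pinned_text, kernel_text):
    """Features/values the kernel advertises that the pinned file lacks."""
    pinned, drift = flatten(parse_features(pinned_text)), {}
    for path, values in flatten(parse_features(kernel_text)).items():
        new = values - pinned.get(path, frozenset())
        if new:
            drift[path] = sorted(new)
    return drift

# Constructed, abbreviated stand-ins for the pinned /etc/apparmor/features and a
# newer kernel's /sys/kernel/security/apparmor/features (not real captures).
PINNED = "file {mask {create read write exec\n}\n}\ndomain {change_hat {yes\n}\n}\n"
NEWER = ("file {mask {create read write exec\n}\n}\n"
         "domain {change_hat {yes\n}\nstack {yes\n}\n}\nsignal {mask {hup int\n}\n}\n")
```

Running `unpinned_kernel_features(PINNED, NEWER)` against real captures from the two paths named in the comment shows exactly which kernel features the pin is holding back.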
--- Begin Message ---
Version: 9.4

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---