- update to AppArmor 2.8.96 (aka 2.9 beta2 aka r2652)
  - add unix abstract sockets, ptrace, and signal policy generation
  - several bugfixes in the python tools and elsewhere
  - move program-chunks/postfix-common to abstractions/
- drop upstreamed patches:
  - apparmor-profiles-clustered-samba.diff
  - perl-apparmor-fix-bare-network-keyword-handling.diff
  - perl-apparmor-handle-bare-capability-keyword.diff
  - perl-apparmor-properly-handle-bare-file-keyword.diff
- re-enable installation of perl modules
- move python modules to python3-apparmor package
- create symlinks without aa- prefix only for tools existing in 2.8.x,
  but not for new tools added in 2.9
- make utils filelist explicit to ensure we have the right set of files
  without aa- prefix in sbindir
- switch easyprof python module location to python3
- drop unused defines APPARMOR_DOC_DIR and JNI_SO
- refresh patches:
  - apparmor-utils-string-split (file moved)
  - apparmor-profiles-dnsmasq-iface-mtu.patch
  - apparmor-2.5.1-edirectory-profile
(prepared Thu Mar 20 23:35:03 UTC 2014 in home project)
- update to AppArmor 2.8.95 (aka 2.9 beta1)
  - complete rewrite of the aa-* tools in python
  - new tools: aa-cleanprof, aa-mergeprof
  - extra profiles moved to /usr/share/apparmor/extra-profiles/ (bnc#713647)
  - and much more, but there's no upstream changelog yet
- drop upstreamed patches and files:
  - usr.sbin.winbindd
  - usr.lib.dovecot.*, tunables-dovecot, apparmor-profiles-dovecot-bnc851984.diff
  - apparmor-init.py-gsoc.diff
  - apparmor-2.8.2-nm-dnsmasq-config.patch
- add %bcond_with perl and disable the perl subpackage temporarily (the perl
  modules will be back in beta2)
- drop the apparmorapplet-gnome, apparmor-dbus and profile-editor subpackages
  (they have been disabled for a long time, and upstream no longer ships their code)
  and the apparmor-profile-editor.desktop and apparmor-profile-editor.png files
- drop apparmor-utils-subdomain-compat patch (was only included for <= 12.1)
- remove libimmunix Provides/Obsoletes (libimmunix was a compat wrapper
  and finally got dropped)
- refresh apparmor-samba-include-permissions-for-shares.diff and
  apparmor-2.5.1-edirectory-profile
(forwarded request 247917 from cboltz)
OBS-URL: https://build.opensuse.org/request/show/247918
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=72
- update to AppArmor 2.8.96 (aka 2.9 beta2 aka r2652)
  - add unix abstract sockets, ptrace, and signal policy generation
  - several bugfixes in the python tools and elsewhere
  - move program-chunks/postfix-common to abstractions/
- drop upstreamed patches:
  - apparmor-profiles-clustered-samba.diff
  - perl-apparmor-fix-bare-network-keyword-handling.diff
  - perl-apparmor-handle-bare-capability-keyword.diff
  - perl-apparmor-properly-handle-bare-file-keyword.diff
- re-enable installation of perl modules
- move python modules to python3-apparmor package
- create symlinks without aa- prefix only for tools existing in 2.8.x,
  but not for new tools added in 2.9
- make utils filelist explicit to ensure we have the right set of files
  without aa- prefix in sbindir
- switch easyprof python module location to python3
- drop unused defines APPARMOR_DOC_DIR and JNI_SO
- refresh patches:
  - apparmor-utils-string-split (file moved)
  - apparmor-profiles-dnsmasq-iface-mtu.patch
  - apparmor-2.5.1-edirectory-profile
(prepared Thu Mar 20 23:35:03 UTC 2014 in home project)
- update to AppArmor 2.8.95 (aka 2.9 beta1)
  - complete rewrite of the aa-* tools in python
  - new tools: aa-cleanprof, aa-mergeprof
  - extra profiles moved to /usr/share/apparmor/extra-profiles/ (bnc#713647)
  - and much more, but there's no upstream changelog yet
- drop upstreamed patches and files:
  - usr.sbin.winbindd
  - usr.lib.dovecot.*, tunables-dovecot, apparmor-profiles-dovecot-bnc851984.diff
  - apparmor-init.py-gsoc.diff
  - apparmor-2.8.2-nm-dnsmasq-config.patch
- add %bcond_with perl and disable the perl subpackage temporarily (the perl
  modules will be back in beta2)
- drop the apparmorapplet-gnome, apparmor-dbus and profile-editor subpackages
  (they have been disabled for a long time, and upstream no longer ships their code)
  and the apparmor-profile-editor.desktop and apparmor-profile-editor.png files
- drop apparmor-utils-subdomain-compat patch (was only included for <= 12.1)
- remove libimmunix Provides/Obsoletes (libimmunix was a compat wrapper
  and finally got dropped)
- refresh apparmor-samba-include-permissions-for-shares.diff and
  apparmor-2.5.1-edirectory-profile
OBS-URL: https://build.opensuse.org/request/show/247917
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=97
V2 (supersedes 247613)
This patch fixes bnc#892374, which I'd like to fix for SLE12, but
needs to be submitted here first.
The patch adds a (IMO) necessary rule to the dnsmasq profile,
question is whether I got the syntax right. If so, please accept
this request and forward the patch upstream. Thanks!
- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq
  read access to interface mtu in
  /proc/sys/net/ipv6/conf/<ifacename>/mtu
  (bnc#892374)
OBS-URL: https://build.opensuse.org/request/show/247625
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=95
- update to AppArmor 2.8.3 (r2122) bugfix release
  - fix some cache clearing bugs in apparmor_parser
  - various fixes in mod_apparmor
  - several profile updates, most of them were already included as patches
    (except abstractions/winbind (bnc#863226), abstractions/fonts and
    abstractions/p11-kit)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_3 for all details
- update partially upstreamed apparmor-2.8.2-nm-dnsmasq-config.patch
- remove upstream(ed) patches
  - apparmor-2.8.2-fix-ntpd-profile.diff
  - apparmor-abstractions-r2089-r2090.diff
  - apparmor-abstractions-ssl_certs.diff
  - apparmor-fix-url-in-manpages-r2093.diff
  - apparmor-no-perl-smartmatch-r2088.diff
  - apparmor-profiles-dnsmasq.diff
  - apparmor-profiles-ntpd-r2103.diff
  - apparmor-profiles-samba-create-dirs.diff
  - apparmor-profiles-samba4.diff
  - apparmor-unconfined-lang-r2094.diff
  - apparmor-utils-po-de-r2091.diff
OBS-URL: https://build.opensuse.org/request/show/222647
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=65
- update to AppArmor 2.8.3 (r2122) bugfix release
  - fix some cache clearing bugs in apparmor_parser
  - various fixes in mod_apparmor
  - several profile updates, most of them were already included as patches
    (except abstractions/winbind (bnc#863226), abstractions/fonts and
    abstractions/p11-kit)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_3 for all details
- update partially upstreamed apparmor-2.8.2-nm-dnsmasq-config.patch
- remove upstream(ed) patches
  - apparmor-2.8.2-fix-ntpd-profile.diff
  - apparmor-abstractions-r2089-r2090.diff
  - apparmor-abstractions-ssl_certs.diff
  - apparmor-fix-url-in-manpages-r2093.diff
  - apparmor-no-perl-smartmatch-r2088.diff
  - apparmor-profiles-dnsmasq.diff
  - apparmor-profiles-ntpd-r2103.diff
  - apparmor-profiles-samba-create-dirs.diff
  - apparmor-profiles-samba4.diff
  - apparmor-unconfined-lang-r2094.diff
  - apparmor-utils-po-de-r2091.diff
OBS-URL: https://build.opensuse.org/request/show/222637
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=80
- update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file
  and supplemental config directory (by develop7)
- update apparmor-profiles-dovecot-bnc851984.diff:
  - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary
  - add abstractions/mysql
  - allow execution of some more /usr/lib/dovecot/* binaries
  - better restrict access to /var/spool/postfix/private/
- update usr.lib.dovecot.auth to allow reading mysql config files
- update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp:
  add abstractions/nameservice instead of allowing more and more files
OBS-URL: https://build.opensuse.org/request/show/215196
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=63
and supplemental config directory (by develop7)
- update apparmor-profiles-dovecot-bnc851984.diff:
  - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary
  - add abstractions/mysql
  - allow execution of some more /usr/lib/dovecot/* binaries
  - better restrict access to /var/spool/postfix/private/
- update usr.lib.dovecot.auth to allow reading mysql config files
- update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp:
  add abstractions/nameservice instead of allowing more and more files
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=75
- add apparmor-profiles-samba-create-dirs.diff to allow samba to
  mkdir /var/run/samba and /var/cache/samba (bnc#856651)
- add abstractions/samba to usr.sbin.winbindd profile
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131)
- update dovecot profiles to support dovecot 2.x, and add profiles for
  the parts of dovecot that were not covered yet (bnc#851984)
  NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
  (apparmor-profiles-dovecot-bnc851984.diff, usr.lib.dovecot.*)
- %restart_on_update (in parser %postun) is "translated" to stop/start by
  the systemd wrapper, which removes AppArmor protection from running
  processes. Fixed by using a custom script instead (bnc#853019)
  NOTE: The %postun from the previously installed apparmor-parser package
  will remove AppArmor protection from running processes one last time.
  Run aa-status to get a list of processes you need to restart, or reboot
  your computer.
- reload profiles in %post of the apparmor-profiles package
OBS-URL: https://build.opensuse.org/request/show/212803
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=61
- add apparmor-profiles-samba-create-dirs.diff to allow samba to
  mkdir /var/run/samba and /var/cache/samba (bnc#856651)
- add abstractions/samba to usr.sbin.winbindd profile
- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131)
- update dovecot profiles to support dovecot 2.x, and add profiles for
  the parts of dovecot that were not covered yet (bnc#851984)
  NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs.
- %restart_on_update (in parser %postun) is "translated" to stop/start by
  the systemd wrapper, which removes AppArmor protection from running
  processes. Fixed by using a custom script instead (bnc#853019)
  NOTE: The %postun from the previously installed apparmor-parser package
  will remove AppArmor protection from running processes one last time.
  Run aa-status to get a list of processes you need to restart, or reboot
  your computer.
- reload profiles in %post of the apparmor-profiles package
OBS-URL: https://build.opensuse.org/request/show/212635
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=69