- update to AppArmor 3.0.0
- introduce feature abi declaration in profiles to enable use of
new rule types (for openSUSE: dbus and unix rules)
- support xattr attachment conditionals
- experimental support for kill and unconfined profile modes
- rewritten aa-status (in C), including support for new profile modes
- rewritten aa-notify (in python), finally dropping the perl
requirement at runtime
- new tool aa-features-abi for extracting feature abis from the kernel
- update profiles to have profile names and to use 3.0 feature abi
- introduce @{etc_ro} and @{etc_rw} profile variables
- new profile for php-fpm
- several updates to profiles and abstractions (including boo#1166007)
- fully support 'include if exists' in the aa-* tools
- rewrite handling of alias, include, link and variable rules in
the aa-* tools
- rewrite and simplify log handling in the aa-logprof and aa-genprof
- see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
for the detailed upstream changelog
- patches:
- add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
release up to 3e18c0785abc03ee42a022a67a27a085516a7921
- drop upstreamed usr-etc-abstractions-base-nameservice.diff
- drop 2.13-only libapparmor-so-number.diff
- refresh apparmor-enable-profile-cache.diff - partially upstreamed
- update apparmor-samba-include-permissions-for-shares.diff and
apparmor-lessopen-profile.patch - switch to "include if exists"
- apparmor-lessopen-profile.patch: add abi rule to lessopen profile
- refresh apparmor-lessopen-nfs-workaround.diff
- move away very loose apache profile that doesn't even match the
apache2 binary path in openSUSE to avoid confusion (boo#872984)
- move rewritten aa-status from utils to parser subpackage
- add aa-features-abi to parser subpackage
- replace perl and libnotify-tools requires with requiring
python3-notify2 and python3-psutil (needed by the rewritten
aa-notify)
- drop ancient cleanup for /etc/init.d/subdomain from parser %pre
- drop (never enabled) conditionals to build with python2 and to
build the python-apparmor subpackage (upstream dropped python2
support)
- drop setting PYTHON and PYTHON_VERSIONS env variable, no longer needed
- set PYFLAKES path for utils check
- add precompiled_cache build conditional to allow faster local
builds without using kvm
- remove duplicated BuildRequires: swig
libapparmor:
- update to AppArmor 3.0.0
- see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
for the detailed upstream changelog
- add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
release up to 3e18c0785abc03ee42a022a67a27a085516a7921
- drop 2.13-only patch libapparmor-so-number.diff
OBS-URL: https://build.opensuse.org/request/show/844157
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=281
- add changes-since-2.13.4.diff with upstream changes and fixes
since 2.13.4 up to 5f61bd4c:
- add several abstractions related to xdg-open:
dbus-network-manager-strict, exo-open, gio-open, gvfs-open,
kde-open5, xdg-open
- introduce @{run} variable
- update dnsmasq and winbindd profile
- update mdns, mesa and nameservice abstraction
- some bugfixes in the aa-* tools, including a remote bugfix in the
YaST AppArmor module (boo#1171315)
- drop upstream(ed) patches (now part of changes-since-2.13.4.diff):
- make-4.3-capabilities.diff
- make-4.3-capabilities-vim.diff
- make-4.3-fix-utils-network-test.diff
- make-4.3-network.diff
- abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
- apply usr-etc-abstractions-base-nameservice.diff only for
Tumbleweed, but not for Leap 15.x where it's not needed
- refresh usr-etc-abstractions-base-nameservice.diff
OBS-URL: https://build.opensuse.org/request/show/807998
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=266
- fix build with make 4.3 by backporting some commits from upstream
master (boo#1167953):
- make-4.3-capabilities.diff
- make-4.3-capabilities-vim.diff
- make-4.3-network.diff
- make-4.3-fix-utils-network-test.diff
Also fix a wrong patch filename in the previous .changes entry.
The correct message about the refreshed patch is:
- refresh usr-etc-abstractions-base-nameservice.diff
OBS-URL: https://build.opensuse.org/request/show/789397
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=262
- update to AppArmor 2.13.2
- add profile names to most profiles
- update dnsmasq profile (pid file and logfile path) (boo#1111342)
- add vulkan abstraction
- add letsencrypt certificate path to abstractions/ssl_*
- ignore *.orig and *.rej files when loading profiles
- fix aa-complain etc. to handle named profiles
- several bugfixes and small profile improvements
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.2
for the detailed upstream changelog
- remove upstreamed fix-syntax-error-in-rc.apparmor.functions.patch
- update to 2.13.1
- add qt5 and qt5-compose-cache-write abstractions
- add @{uid} and @{uids} kernel var placeholders
- several profile and abstraction updates
- ignore "abi" rules in parser and tools (instead of erroring out)
- utils: fix overwriting of child profile flags if they differ from
the main profile
- several bugfixes (including boo#1100779)
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.1
for the detailed upstream changelog
- remove upstream(ed) patches:
- aa-teardown-path.diff
- fix-apparmor-systemd-perms.diff
- logprof-skip-cache-d.diff
- fix-samba-profiles.patch
- make-pyflakes-happy.diff
- dnsmasq-Add-permission-to-open-log-files.patch
- refresh apparmor-samba-include-permissions-for-shares.diff
- add fix-syntax-error-in-rc.apparmor.functions.patch
- update to AppArmor 2.13.2
- no changes in libapparmor
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.2
for the detailed upstream changelog
- update to AppArmor 2.13.1
- several bug fixes
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.1
for the detailed upstream changelog
OBS-URL: https://build.opensuse.org/request/show/660558
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=224
- create and package precompiled cache (/usr/share/apparmor/cache,
read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
new btrfs layout, the only reason for using /var/lib/apparmor/cache/
(which was "it's part of the / subvolume") is gone, and /var/cache
makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
cache locations
- clear cache also in %post of abstractions package
OBS-URL: https://build.opensuse.org/request/show/598826
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=208
--------------------------------------------------------------------
- update to AppArmor 2.13
- add support for multiple cache directories and cache overlays
(boo#1069906, boo#1074429)
- add support for conditional includes in policy
- remove group restrictions from aa-notify (boo#1058787)
- aa-complain etc.: set flags for profiles represented by a glob
- aa-status: split profile from exec name
- several profile and abstraction updates
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
for the detailed upstream changelog
- drop upstreamed patches and files:
- aa-teardown
- apparmor.service
- apparmor.systemd
- 32-bit-no-uid.diff
- disable-cache-on-ro-fs.diff
- dovecot-stats.diff
- parser-write-cache-warn-only.diff
- set-flags-for-profiles-represented-by-glob.patch
- fix-regression-in-set-flags.patch
- drop spec code that handled installing aa-teardown, apparmor.service
and apparmor.systemd (now part of upstream Makefile)
- simplify "make -C profiles parser-check" call (upstream Makefile bug
that required to call "cd" was fixed)
- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
- move 'exec' symlink to parser package (belongs to aa-exec)
libapparmor:
- update to AppArmor 2.13
- add support for multiple cache directories and cache overlays
(boo#1069906, boo#1074429)
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
for the detailed upstream changelog
OBS-URL: https://build.opensuse.org/request/show/598823
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=207
- update to AppArmor 2.12
- add support for 'owner' rules in aa-logprof and aa-genprof
- add support for includes with absolute path in aa-logprof etc. (lp#1733700)
- update aa-decode to also decode PROCTITLE (lp#1736841)
- several profile and abstraction updates, including boo#1069470
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
for the detailed upstream changelog
- drop upstreamed patches:
- read_inactive_profile-exactly-once.patch
- utils-fix-sorted-save_profiles-regression.diff
- lessopen profile: change all 'rix' rules to 'mrix'
- update to AppArmor 2.11.95 aka 2.12 beta1
- add JSON interface to aa-logprof and aa-genprof (used by YaST)
- drop old YaST interface code
- update audio, base and nameservice abstractions
- allow @{pid} to match 7-digit pids
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
for the detailed upstream changelog
- drop upstreamed patches
- apparmor-yast-cleanup.patch
- apparmor-json-support.patch
- nameservice-libtirpc.diff
- drop obsolete perl modules (YaST no longer needs them)
- drop patches that were only needed by the obsolete perl modules:
- apparmor-utils-string-split
- apparmor-abstractions-no-multiline.diff
- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in
apparmor_parser
- refresh utils-fix-sorted-save_profiles-regression.diff
OBS-URL: https://build.opensuse.org/request/show/560016
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194
apparmor:
- update to AppArmor 2.11.1
- add permissions to several profiles and abstractions (including
lp#1650827 and boo#1057900)
- several fixes in the aa-* tools (including lp#1689667, lp#1628286,
lp#1661766 and boo#1062667)
- fix downgrading/converting of 'unix' rules (will be supported in
kernel 4.15) to 'network unix' rules in apparmor_parser (boo#1061195)
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
upstream changelog
- remove upstream(ed) patches
- upstream-changes-r3616..3628.diff
- upstream-changes-r3629..3648.diff
- parser-tests-dbus-duplicated-conditionals.diff
- apparmor-fix-podsyntax.patch
- sshd-profile-drop-local-include-r3615.diff
- refresh apparmor-yast-cleanup.patch
- add utils-fix-sorted-save_profiles-regression.diff to fix a regression
in displaying the "changed profiles" list in aa-logprof
Also add bugzilla reference to the previous change:
- add nameservice-libtirpc.diff to fix NIS/YP logins (boo#1062244)
libapparmor:
- update to AppArmor 2.11.1
- mostly test-related changes in libapparmor
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
upstream changelog
OBS-URL: https://build.opensuse.org/request/show/536620
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=190
- add upstream-changes-r-3629..3648.diff:
- preserve unknown profiles when reloading apparmor.service
(CVE-2017-6507, lp#1668892, boo#1029696)
- add aa-remove-unknown utility to unload unknown profiles (lp#1668892)
- update nvidia abstraction for newer nvidia drivers
- don't enforce ordering of dbus rule attributes in utils (lp#1628286)
- add --parser, --base and --Include option to aa-easyprof to allow
non-standard paths (useful for tests) (lp#1521031)
- move initialization code in apparmor.aa to init_aa(). This allows to
run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser
don't exist.
- several improvements in the utils tests
- drop upstreamed python3-drop-re-locale.patch
- no longer delete/skip some of the utils tests (to allow this, add
parser-tests-dbus-duplicated-conditionals.diff)
- add var.mount dependeny to apparmor.service (boo#1016259#c34)
OBS-URL: https://build.opensuse.org/request/show/482764
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=174
- add upstream-changes-r3616..3628.diff:
- update abstractions/base, abstractions/apache2-common and dovecot profiles
- merge ask_the_questions() of aa-logprof and aa-mergeprof
- pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor
- adjust deleting the cache in profiles %post to the new cache location
- silence errors when deleting the cache (boo#976914)
- split libapparmor into separate spec to get rid of build loop
involving mariadb, systemd, apparmor, libapr and mariadb again
(see the discussion in SR 448871 for details)
- libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but
with minimum BuildRequires
OBS-URL: https://build.opensuse.org/request/show/453533
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=166
- update to AppArmor 2.11.0
- apparmor_parser now supports parallel compiles and loads
- add full support for dbus, ptrace and signal rules and events to the
utils
- full rewrite of the file rule handling in the utils
- lots of improvements and fixes
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the
detailed changelog
- patches:
- add sshd-profile-drop-local-include-r3615.diff to fix 'make check'
- drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed
- refresh apparmor-abstractions-no-multiline.diff
- refresh apparmor-samba-include-permissions-for-shares.diff
- spec changes:
- aa-unconfined switched to using ss (from iproute2), adjust Recommends:
- move libapparmor to /usr/lib*/
- drop %if %suse_version checks for 12.x
- change several Obsoletes from %version to < 2.9. Those package names
weren't used since years, and 2.9 is still a careful choice
- include apparmor.service independent of %suse_version
- techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires
- drop latex2html, texlive-* and w3m BuildRequires
- techdoc.txt and techdoc.html not included, drop them from the package
- run most of utils/ make check (some tests expect /etc/apparmor.d/ and
/sbin/apparmor_parser to exist, skip them)
- BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests)
- drop sed'ing python3 into aa-* shebang (upstreamed)
- build binutils
- aa-exec is now written in C and lives in /usr/bin/, move it to the
apparmor_parser package and create a compability symlink in /usr/sbin/
- aa-exec manpage moved to section 1
- aa-enabled is a small new tool to find out if AppArmor is enabled
- package new aa_stack_profile(2) manpage
OBS-URL: https://build.opensuse.org/request/show/453151
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=165
- add changes-since-2.10.1--r3326..3346.diff with upstream changes and
fixes since the 2.10.1 release, including
- allow dac_override in winbindd profile (boo#990006#c5)
- allow mr for /usr/lib*/ldb/*.so in samba abstractions (needed since
Samba 4.4.x, boo#990006)
- abstractions/nameservice: also support ConnMan-managed resolv.conf
- let aa-genprof ask about profiles in extra dir (again)
- fix aa-logprof "add hat" endless loop (lp#1538306)
- honor 'chown' file events in logparser.py
- ignore log file events with a request mask of 'send' or 'receive'
because they are actually network events (lp#1577051, lp#1582374)
- accept hostname with dots when parsing logs (lp#1453300 comments #1 and #2)
- fix python LibAppArmor import failures with swig > 3.0.8 (boo#987607)
(libapparmor-fix-import-path.diff)
- refresh apparmor-abstractions-no-multiline.diff
- drop upstreamed profiles-ping-inet6-r3449.diff
- add %check section - runs libapparmor (including swig bindings),
parser and profiles tests
- add BuildRequires: perl(Locale::gettext) - needed for parser tests
OBS-URL: https://build.opensuse.org/request/show/423291
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=152
- fix incorrect output of child profile names (apparmor_parser -N) which
caused 'rcapparmor reload' to remove child profiles and hats (lp#1551950)
- fix a crash in aa-logprof / logparser.py for change_hat log events
(lp#1523297) and log events that look like file events, but aren't
(lp#1540562, lp#1525119, lp#1466812)
- write unix rules when saving a profile (lp#1522938, boo#954104#c3)
- several fixes for variable handling in aa-logprof
- map c (create) log events to w instead of a
- add python to the "no Px rule" list in logprof.conf
- let aa-logprof check for duplicate profiles
- let aa-status work without the apparmor.fail python module (boo#971917,
lp#1480492)
- add permissions in several profiles (including boo#948584, boo#948753,
boo#954959, boo#954958, boo#971790, boo#964971, boo#921098, boo#923201 and
boo#921098#c15).
- and many more fixes, see the full changelog at
http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_1
- drop upstream(ed) patches:
- fix-initscript-aa_log_end_msg.diff
- syslog-ng-profile-boo948584.diff
- upstream-profile-updates-r3205-3241.diff
- refresh patches:
- apparmor-abstractions-no-multiline.diff
- apparmor-samba-include-permissions-for-shares.diff
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=147
- add syslog-ng-profile-boo948584.diff - add several permissions needed
by latest syslog-ng (boo#948584, boo#948753)
- add upstream-profile-updates-r3205-3241.diff with several profile updates:
- add /usr/share/locale-bundle/** to abstractions/base
- allow dnsmask to use /bin/sh (boo#940749) and /bin/dash
- allow dovecot imap to read /run/dovecot/mounts
- allow avahi-daemon to write to /run/systemd/notify
- allow ntpd to read $PATH directory listings (boo#945592, boo#948752)
- update dhclient profile
- allow skype to read @{PROC}/@{pid}/net/dev (boo#939568)
- and some other small updates
- drop upstreamed apparmor-winbindd-r3213.diff (included in the
upstream-profile-updates patch)
OBS-URL: https://build.opensuse.org/request/show/337046
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=145
- update to AppArmor 2.10 (trunk r3205)
- profile names can now contain variables
- improved profile compile time in apparmor_parser
- lots of improvements, refactoring and bugfixes in the aa-* tools
- new apis for managing and loading profile caches into the kernel in
libapparmor
- lots of profile updates
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10 for the
complete changelog with more details
- add new apparmor_private.h and the aa_query_label(2), aa_features(3),
aa_kernel_interface(3), aa_policy_cache(3), aa_splitcon(3) manpages
to libapparmor-devel
- drop apparmor-2.5.1-edirectory-profile patch - it's most probably
no longer needed (see boo#621394 for details)
- drop upstreamed samba-4.2-profiles.diff
- refresh apparmor-samba-include-permissions-for-shares.diff
OBS-URL: https://build.opensuse.org/request/show/317971
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=135
- pull in upstream fixes since the 2.9.1 release
- update logparser.py to support changed syslog format (lp#1399027)
- update usr.sbin.dovecot and usr.lib.dovecot.imap{, -login} profiles (lp#1296667)
- update the mysqld profile
- fix network rule description in apparmor.d(5) manpage
- drop upstreamed dnsmasq-profile-fixes.patch
- update expired GPG key
Also add a missing bnc number in the Jan 1 2015 changelog entry.
OBS-URL: https://build.opensuse.org/request/show/282158
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=118
