Your message dated Sat, 10 Mar 2018 10:57:46 +0000
with message-id <[email protected]>
and subject line Closing bugs for updates included in 9.4
has caused the Debian Bug report #882697,
regarding stretch-pu: package apparmor/2.11.0-3+deb9u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Hi!
This update avoids breakage for Stretch users who have enabled AppArmor and run
Linux 4.14+ (e.g. from backports once it's there), by pinning the AppArmor
feature set in the kernel to the Stretch kernel's feature set, i.e. the feature
set the AppArmor policy shipped in Stretch supports (it's not ready to deal with
new AppArmor mediation features brought in recent kernels).
We already have exactly the same thing in current testing/sid, albeit with Linux
4.13's feature set for now.
Cheers!
diff -Nru apparmor-2.11.0/debian/apparmor.install
apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:08.000000000
+0200
+++ apparmor-2.11.0/debian/apparmor.install 2017-11-25 19:01:04.000000000
+0100
@@ -1,4 +1,5 @@
debian/apport/source_apparmor.py /usr/share/apport/package-hooks/
+debian/features /etc/apparmor/
debian/lib/apparmor/functions /lib/apparmor/
debian/lib/apparmor/profile-load /lib/apparmor/
etc/apparmor/parser.conf
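Review bot: installing debian/features into /etc/apparmor/ makes the pinned feature set a dpkg conffile, so a later upload that refreshes the pin will raise a conffile prompt on any system where the admin has edited the file. That is acceptable for a pu, but a line in the changelog (or the package's README.Debian) saying that the file tracks the shipped policy and is not meant to be hand-tuned would spare admins the confusion.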
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog 2017-03-28 12:29:15.000000000 +0200
+++ apparmor-2.11.0/debian/changelog 2017-11-25 19:04:05.000000000 +0100
@@ -1,3 +1,14 @@
+apparmor (2.11.0-3+deb9u1) stretch; urgency=medium
+
+ * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585).
+ This ensures Stretch systems, even when running a newer kernel (e.g.
+ from backports), have their AppArmor feature set pinned to the one
+ supported by the AppArmor policy shipped in Stretch. Otherwise they
+ would experience breakage due to new AppArmor mediation features
+ introduced in recent kernels.
+
+ -- intrigeri <[email protected]> Sat, 25 Nov 2017 18:04:05 +0000
+
apparmor (2.11.0-3) unstable; urgency=medium
* Fix CVE-2017-6507: don't unload unknown profiles during package
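Review bot: this entry is versioned 2.11.0-3+deb9u1 while the bug title names apparmor/2.11.0-3+deb9u2; if the debdiff is for the later upload, please add a deb9u2 entry above the deb9u1 one so the changelog matches what is uploaded, otherwise please confirm that deb9u1 is the intended version.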
diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features
--- apparmor-2.11.0/debian/features 1970-01-01 01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/features 2017-11-25 18:55:55.000000000 +0100
@@ -0,0 +1,23 @@
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks
sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+}
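Review bot: the pinned set is a raw capture with nothing recording which kernel it was taken from, and the braced format as shown leaves no room for a comment, so please name the source kernel in the patch header or the changelog entry. A build-time or autopkgtest check that runs apparmor_parser --features-file against this file over the shipped profiles would also make a future refresh of the pin that the policy cannot handle fail before release rather than on users' systems.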
diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch
apparmor-2.11.0/debian/patches/pin-feature-set.patch
--- apparmor-2.11.0/debian/patches/pin-feature-set.patch 1970-01-01
01:00:00.000000000 +0100
+++ apparmor-2.11.0/debian/patches/pin-feature-set.patch 2017-11-25
18:59:40.000000000 +0100
@@ -0,0 +1,18 @@
+Description: pin the AppArmor feature set to the one shipped by the apparmor
package
+ .
+ Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
+ policy in a relaxed manner.
+Bug-Debian: https://bugs.debian.org/879585
+Forwarded: not-needed
+Author: intrigeri <[email protected]>
+
+--- a/parser/parser.conf
++++ b/parser/parser.conf
+@@ -59,3 +59,7 @@
+ ## Adjust compression
+ #Optimize=compress-small
+ #Optimize=compress-fast
++
++## Pin feature set (avoid regressions when policy is lagging behind
++## the kernel)
++features-file=/etc/apparmor/features
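Review bot: the comment only covers the "policy lagging behind the kernel" case; the pin also applies to every profile the parser compiles, local ones included, so an admin running a backports kernel who wants its newer mediation classes has to remove or update this line. Since parser.conf is installed to /etc/apparmor/ (see apparmor.install), a second comment line stating that would save a confused bug report later.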
diff -Nru apparmor-2.11.0/debian/patches/series
apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series 2017-03-28 12:24:44.000000000
+0200
+++ apparmor-2.11.0/debian/patches/series 2017-11-25 18:59:40.000000000
+0100
@@ -2,6 +2,7 @@
# Debian-specific patches
#
+pin-feature-set.patch
notify-group.patch
#
--- End Message ---
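The braced file added by the debdiff above is the format the pinned feature set uses. As an added example (not code from the apparmor package or this upload), the following parser reads that format and reports drift between two sets: mediation a kernel offers that the pin hides from policy, and entries the pin expects that a kernel lacks. Both feature sets are constructed and abbreviated, and the function names are mine.

```python
# Added example, not from the apparmor package: parse the braced feature-set
# format used by /etc/apparmor/features and report drift between two sets.
import re
# Constructed, abbreviated feature sets laid out like the pinned file.
PINNED = ("caps {mask {chown dac_override setuid setgid\n}\n}\n"
          "file {mask {create read write exec\n}\n}\n"
          "domain {change_profile {yes\n}\nchange_hat {yes\n}\n}\n")
NEWER_KERNEL = (PINNED.replace("setgid", "setgid audit_read")  # one more cap
                + "network {af_mask {unix inet\n}\n}\nsignal {mask {hup kill\n}\n}\n")

def _parse_body(tokens, i):
    """Parse what follows an opening brace; return (node, index past its '}')."""
    if tokens[i] != "}" and tokens[i + 1] == "{":  # nested 'name {' blocks
        node = {}
        while tokens[i] != "}":
            name = tokens[i]
            node[name], i = _parse_body(tokens, i + 2)  # skip name and '{'
        return node, i + 1
    values = []  # leaf: every value up to the closing brace
    while tokens[i] != "}":
        values.append(tokens[i])
        i += 1
    return values, i + 1

def parse_features(text):
    """Return nested dicts with lists of strings at the leaves."""
    tokens = re.sub(r"([{}])", r" \1 ", text).split()  # braces as own tokens
    tree, i = {}, 0
    while i < len(tokens):
        if i + 1 >= len(tokens) or tokens[i + 1] != "{":
            raise ValueError("expected 'name {' at token %d" % i)
        name = tokens[i]
        tree[name], i = _parse_body(tokens, i + 2)
    return tree

def flatten(node, path=()):
    """Yield (path, value) leaves, e.g. (('caps', 'mask'), 'chown')."""
    if isinstance(node, list):
        yield from ((path, v) for v in node)
    else:
        for name, child in node.items():
            yield from flatten(child, path + (name,))

def feature_drift(pinned_text, kernel_text):
    """(only_in_kernel, only_in_pinned): what the pin hides, what a kernel lacks."""
    pinned = set(flatten(parse_features(pinned_text)))
    kernel = set(flatten(parse_features(kernel_text)))
    show = lambda p, v: "/".join(p) + ": " + v
    return (sorted(show(*f) for f in kernel - pinned),
            sorted(show(*f) for f in pinned - kernel))
```

Feeding it the pinned /etc/apparmor/features together with a feature-set file captured from the running kernel shows exactly which mediation the pin is suppressing on that machine.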
--- Begin Message ---
Version: 9.4
Hi,
The update referenced by each of these bugs was included in this
morning's stretch point release.
Regards,
Adam
--- End Message ---