Processed: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-03-02 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u2
Added tag(s) pending.

-- 
882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-03-02 Thread Adam D. Barratt
Control: tags -1 + pending

On Tue, 2018-02-27 at 12:22 +0100, intrigeri wrote:
> Adam D. Barratt:
> > Please feel free to upload.
> 
> Uploaded, thanks.
> 
> 
Flagged for acceptance.

Regards,

Adam



Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-02-27 Thread intrigeri
Adam D. Barratt:
> Please feel free to upload.

Uploaded, thanks.



Processed: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-02-27 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u2
Added tag(s) confirmed.




Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-02-27 Thread Adam D. Barratt

Control: tags -1 + confirmed

On 2018-02-27 7:47, intrigeri wrote:
> Hi,
>
> Adam D. Barratt:
> > What's the difference between this and +deb9u1? Is it simply this
> > change:
> >
> > -++features-file=/etc/apparmor/features
> > +++features-file=/usr/share/apparmor-features/features
> >
> > and the equivalent in debian/install?
>
> Yes (modulo the timing matter regarding the Linux 4.14.x bug, which
> was the only reason why +deb9u1 could not make it into a stable
> release last time).
>
> > The changelog going from -3 to -3+deb9u2 is confusing, particularly
> > given that +deb9u1 has been available to users of proposed-updates for
> > some time. If the above is correct, please keep the previous changelog
> > stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing the
> > path change.
>
> Done and accordingly adjusted the maintainer scripts to remove
> the old (now obsolete) /etc/apparmor/features conffile from systems
> that had +deb9u1 installed.

Thanks.

Please feel free to upload.

Regards,

Adam



Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-02-26 Thread intrigeri
Hi,

Adam D. Barratt:
> What's the difference between this and +deb9u1? Is it simply this
> change:

> -++features-file=/etc/apparmor/features
> +++features-file=/usr/share/apparmor-features/features

> and the equivalent in debian/install?

Yes (modulo the timing matter regarding the Linux 4.14.x bug, which
was the only reason why +deb9u1 could not make it into a stable
release last time).

> The changelog going from -3 to -3+deb9u2 is confusing, particularly
> given that +deb9u1 has been available to users of proposed-updates for
> some time. If the above is correct, please keep the previous changelog
> stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing the
> path change.

Done and accordingly adjusted the maintainer scripts to remove
the old (now obsolete) /etc/apparmor/features conffile from systems
that had +deb9u1 installed.

I'm attaching 2 updated debdiffs: one from the version in Stretch and
the other one from the version that's already in stable p-u.

Cheers,
-- 
intrigeri

diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install	2017-03-28 12:23:08.0 +0200
+++ apparmor-2.11.0/debian/apparmor.install	2018-02-27 07:46:39.0 +0100
@@ -1,4 +1,5 @@
 debian/apport/source_apparmor.py /usr/share/apport/package-hooks/
+debian/features /usr/share/apparmor-features/
 debian/lib/apparmor/functions /lib/apparmor/
 debian/lib/apparmor/profile-load /lib/apparmor/
 etc/apparmor/parser.conf
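Review bot: the `debian/features /usr/share/apparmor-features/` entry ships the pinned set as plain package data rather than a conffile, which is what makes dropping the old /etc/apparmor/features clean; the destination has to match the `features-file=/usr/share/apparmor-features/features` line in parser.conf character for character, and since the two paths live in different files of this debdiff nothing at build time ties them together, so a typo in either would only surface when the parser is run.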
diff -Nru apparmor-2.11.0/debian/apparmor.maintscript apparmor-2.11.0/debian/apparmor.maintscript
--- apparmor-2.11.0/debian/apparmor.maintscript	2015-08-13 21:25:45.0 +0200
+++ apparmor-2.11.0/debian/apparmor.maintscript	2018-02-27 07:46:39.0 +0100
@@ -1,3 +1,4 @@
 rm_conffile /etc/apparmor/functions 2.5.1-0ubuntu4
 rm_conffile /etc/apparmor/rc.apparmor.functions 2.5.1-0ubuntu4
 rm_conffile /etc/apparmor.d/abstractions/ubuntu-sdk-base 2.8.0-0ubuntu20~
+rm_conffile /etc/apparmor/features 2.11.0-3+deb9u2~
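Review bot: `rm_conffile /etc/apparmor/features 2.11.0-3+deb9u2~` uses the right prior-version form (the trailing tilde covers +deb9u1 from proposed-updates as well as any local rebuild of it), but dpkg-maintscript-helper only deletes a conffile that is unmodified and renames a locally edited one to /etc/apparmor/features.dpkg-bak. Because parser.conf now points at /usr/share/apparmor-features/features, a +deb9u1 user who tuned that file silently loses the customisation; a NEWS.Debian entry telling them to point `features-file=` at their own copy would cover that case.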
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog	2017-03-28 12:29:15.0 +0200
+++ apparmor-2.11.0/debian/changelog	2018-02-27 07:46:39.0 +0100
@@ -1,3 +1,24 @@
+apparmor (2.11.0-3+deb9u2) UNRELEASED; urgency=medium
+
+  * Move the features file to /usr/share/apparmor-features;
+accordingly remove the old (now obsolete) '/etc/apparmor/features'
+conffile (Closes: #883682).
+  * Configure gbp for DEP-14 and avoid gbp-pq prefixing patches
+with numbers.
+
+ -- intrigeri   Tue, 27 Feb 2018 06:46:39 +
+
+apparmor (2.11.0-3+deb9u1) stretch; urgency=medium
+
+  * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585).
+This ensures Stretch systems, even when running a newer kernel (e.g.
+from backports), have their AppArmor feature set pinned to the one
+supported by the AppArmor policy shipped in Stretch. Otherwise they
+would experience breakage due to new AppArmor mediation features
+introduced in recent kernels.
+
+ -- intrigeri   Sat, 25 Nov 2017 18:04:05 +
+
 apparmor (2.11.0-3) unstable; urgency=medium
 
   * Fix CVE-2017-6507: don't unload unknown profiles during package
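Review bot: the +deb9u1 stanza is now kept verbatim as requested, but the +deb9u2 entry records only the path move and says nothing about the kernel-side caveat discussed in this bug (the pin misbehaves on Linux 4.14 through 4.14.12); a one-line pointer for stretch-backports users to a fixed kernel belongs here or in NEWS.Debian. Also confirm that #883682 in `Closes:` is the bug tracking the move out of /etc, since the pinning work is filed as #879585 and this request as #882697, and UNRELEASED still needs to become stretch before upload.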
diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features
--- apparmor-2.11.0/debian/features	1970-01-01 01:00:00.0 +0100
+++ apparmor-2.11.0/debian/features	2018-02-27 07:46:39.0 +0100
@@ -0,0 +1,23 @@
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xff
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+}
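Review bot: nothing in the package records which kernel this tree was captured from or how to regenerate it, and the file itself, being a verbatim dump of /sys/kernel/security/apparmor/features, is not the place for a comment; put the source kernel version and the capture method in debian/README.source or the changelog so the next maintainer can refresh the pin when Stretch's policy is updated.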
diff -Nru apparmor-2.11.0/debian/gbp.conf apparmor-2.11.0/debian/gbp.conf
--- apparmor-2.11.0/debian/gbp.conf	1970-01-01 01:00:00.0 +0100
+++ apparmor-2.11.0/debian/gbp.conf	2018-02-27 07:46:39.0 +0100
@@ -0,0 +1,6 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/stretch
+upstream-branch = upstream/latest
+upstream-vcs-tag = v%(version)s
+patch-numbers = False
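Review bot: debian/gbp.conf is packaging metadata that never reaches a binary package, so this addition is harmless to Stretch users, but it is unrelated to the fix going through proposed-updates; if the release team wants the stable diff minimal it could stay on the debian/stretch branch without being part of the upload.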
diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch
--- apparmor-2.11.0/debian/patches/pin-feature-set.patch	1970-01-01 01:00:00.0 +0100
+++ apparmor-2.11.0/debian/patches/pin-feature-set.patch	2018-02-27 07:46:39.0 +0100
@@ -0,0 +1,18 

Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-02-26 Thread Adam D. Barratt
On Sun, 2018-02-25 at 13:01 +0100, intrigeri wrote:
> here's the updated debdiff; I've bumped the version in order to
> avoid confusion.

Well you can't upload another +deb9u1 as that version is already in the
archive, so it's required in any case.

> This will now work fine except for Linux 4.14 to 4.14.12 that have
> the
> bug which prevented us from including apparmor 2.11.0-3+deb9u1 in the
> previous point release. The kernel fix has been in sid since
> 2018-01-15, in stretch-backports since 2018-01-16, and in testing
> since 2018-01-20. So IMO the benefit (repairing stuff for Stretch
> users running an up-to-date backported kernel) is worth the risk
> (breaking stuff for Stretch users running an outdated Linux 4.14.x).
> 
> May I upload (with s/UNRELEASED/stretch/ of course)?

What's the difference between this and +deb9u1? Is it simply this
change:

-++features-file=/etc/apparmor/features
+++features-file=/usr/share/apparmor-features/features

and the equivalent in debian/install?

The changelog going from -3 to -3+deb9u2 is confusing, particularly
given that +deb9u1 has been available to users of proposed-updates for
some time. If the above is correct, please keep the previous changelog
stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing the
path change.

Regards,

Adam



Processed: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-02-25 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 - moreinfo
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u1
Removed tag(s) moreinfo.
> retitle -1 stretch-pu: package apparmor/2.11.0-3+deb9u2
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u1
Changed Bug title to 'stretch-pu: package apparmor/2.11.0-3+deb9u2' from 
'stretch-pu: package apparmor/2.11.0-3+deb9u1'.




Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2

2018-02-25 Thread intrigeri
Control: tag -1 - moreinfo
Control: retitle -1 stretch-pu: package apparmor/2.11.0-3+deb9u2

Hi,

here's the updated debdiff; I've bumped the version in order to
avoid confusion.

This will now work fine except for Linux 4.14 to 4.14.12 that have the
bug which prevented us from including apparmor 2.11.0-3+deb9u1 in the
previous point release. The kernel fix has been in sid since
2018-01-15, in stretch-backports since 2018-01-16, and in testing
since 2018-01-20. So IMO the benefit (repairing stuff for Stretch
users running an up-to-date backported kernel) is worth the risk
(breaking stuff for Stretch users running an outdated Linux 4.14.x).

May I upload (with s/UNRELEASED/stretch/ of course)?

Cheers,
-- 
intrigeri

diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install
--- apparmor-2.11.0/debian/apparmor.install	2017-03-28 12:23:08.0 +0200
+++ apparmor-2.11.0/debian/apparmor.install	2018-02-25 11:21:24.0 +0100
@@ -1,4 +1,5 @@
 debian/apport/source_apparmor.py /usr/share/apport/package-hooks/
+debian/features /usr/share/apparmor-features/
 debian/lib/apparmor/functions /lib/apparmor/
 debian/lib/apparmor/profile-load /lib/apparmor/
 etc/apparmor/parser.conf
diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog
--- apparmor-2.11.0/debian/changelog	2017-03-28 12:29:15.0 +0200
+++ apparmor-2.11.0/debian/changelog	2018-02-25 11:21:24.0 +0100
@@ -1,3 +1,16 @@
+apparmor (2.11.0-3+deb9u2) UNRELEASED; urgency=medium
+
+  * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585).
+This ensures Stretch systems, even when running a newer kernel (e.g.
+from backports), have their AppArmor feature set pinned to the one
+supported by the AppArmor policy shipped in Stretch. Otherwise they
+would experience breakage due to new AppArmor mediation features
+introduced in recent kernels.
+  * Configure gbp for DEP-14 and avoid gbp-pq prefixing patches
+with numbers.
+
+ -- intrigeri   Sun, 25 Feb 2018 10:21:24 +
+
 apparmor (2.11.0-3) unstable; urgency=medium
 
   * Fix CVE-2017-6507: don't unload unknown profiles during package
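Review bot: this stanza reuses the +deb9u1 text under the +deb9u2 version number, which hides that +deb9u1 was already uploaded to proposed-updates with exactly this entry; keep the +deb9u1 stanza as it was uploaded and add a separate +deb9u2 entry naming the actual delta, the move of the features file from /etc/apparmor to /usr/share/apparmor-features. The distribution field also still reads UNRELEASED.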
diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features
--- apparmor-2.11.0/debian/features	1970-01-01 01:00:00.0 +0100
+++ apparmor-2.11.0/debian/features	2018-02-25 11:21:24.0 +0100
@@ -0,0 +1,23 @@
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xff
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+}
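Review bot: every token in this tree (the caps and rlimit masks, `capability {0xff}`, the domain and policy flags) must be a feature the Stretch kernel actually reports, otherwise the parser will compile policy that kernel rejects; before upload, diff the file against a dump of /sys/kernel/security/apparmor/features taken on a stock Stretch kernel rather than on the development host. The absence of anything beyond caps, rlimit, capability, file, domain and policy is what keeps newer kernels' extra mediation out of Stretch's policy, which per the changelog is the intent.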
diff -Nru apparmor-2.11.0/debian/gbp.conf apparmor-2.11.0/debian/gbp.conf
--- apparmor-2.11.0/debian/gbp.conf	1970-01-01 01:00:00.0 +0100
+++ apparmor-2.11.0/debian/gbp.conf	2018-02-25 11:21:24.0 +0100
@@ -0,0 +1,6 @@
+[DEFAULT]
+pristine-tar = True
+debian-branch = debian/stretch
+upstream-branch = upstream/latest
+upstream-vcs-tag = v%(version)s
+patch-numbers = False
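Review bot: `patch-numbers = False` is consistent with the unnumbered `pin-feature-set.patch` entry added to debian/patches/series in this same debdiff; `upstream-vcs-tag = v%(version)s` and `debian-branch = debian/stretch` only matter for the packaging repository and do not affect the built package.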
diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch
--- apparmor-2.11.0/debian/patches/pin-feature-set.patch	1970-01-01 01:00:00.0 +0100
+++ apparmor-2.11.0/debian/patches/pin-feature-set.patch	2018-02-25 11:21:24.0 +0100
@@ -0,0 +1,18 @@
+Description: pin the AppArmor feature set to the one shipped by the apparmor package
+ .
+ Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
+ policy in a relaxed manner.
+Bug-Debian: https://bugs.debian.org/879585
+Forwarded: not-needed
+Author: intrigeri 
+
+--- a/parser/parser.conf
 b/parser/parser.conf
+@@ -59,3 +59,7 @@
+ ## Adjust compression
+ #Optimize=compress-small
+ #Optimize=compress-fast
++
++## Pin feature set (avoid regressions when policy is lagging behind
++## the kernel)
++features-file=/usr/share/apparmor-features/features
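Review bot: etc/apparmor/parser.conf is installed as a conffile (it is listed in debian/apparmor.install), so appending `features-file=/usr/share/apparmor-features/features` to it triggers a conffile prompt for any administrator who has edited parser.conf, and if they keep their local version the pin is never applied; that failure mode deserves a NEWS.Debian line. The `+++ b/parser/parser.conf` header also shows up here as a bare ` b/parser/parser.conf`, presumably damage in transit, so check that `quilt push -a` still applies the patch from the uploaded source.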
diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series
--- apparmor-2.11.0/debian/patches/series	2017-03-28 12:24:44.0 +0200
+++ apparmor-2.11.0/debian/patches/series	2018-02-25 11:21:24.0 +0100
@@ -2,6 +2,7 @@
 # Debian-specific patches
 #
 
+pin-feature-set.patch
 notify-group.patch
 
 #
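The pinning mechanism requested above, as an added example that is not part of this thread or of the apparmor package: a small Python script that parses the `debian/features` format shown in the debdiff (the brace-nested dump of /sys/kernel/security/apparmor/features that `features-file=` in parser.conf points at) and diffs a pinned set against a kernel's, so a Stretch admin on a backports kernel can see which mediation features the pin hides and, more importantly, whether the pin names anything the running kernel lacks. `PINNED` is a shortened excerpt of the file from the debdiff; `NEWER_KERNEL` is a constructed sample, not the tree of any real kernel version, and its `signal` block is hypothetical.

```python
"""Check a pinned AppArmor features file against a kernel's feature tree.
Format as read by apparmor_parser's `features-file=`: each directory under
/sys/kernel/security/apparmor/features is `name { ... }`, each file `name {contents}`."""
import os

# Excerpt of debian/features from the debdiff, shortened to a few entries.
PINNED = """\
caps {mask {chown dac_override setuid
}
}
capability {0xff
}
policy {set_load {yes
}
}
"""

# CONSTRUCTED stand-in for a newer kernel: the pinned set plus one more
# capability and a hypothetical `signal` class; not any real kernel's tree.
NEWER_KERNEL = """\
caps {mask {chown dac_override setuid audit_read
}
}
capability {0xff
}
policy {set_load {yes
}
}
signal {mask {hup int kill
}
}
"""

def parse_features(text):
    """Parse the brace-nested format: dicts for directories, strings for files."""
    def block(pos):
        entries = {}
        while True:
            while pos < len(text) and text[pos].isspace():
                pos += 1
            if pos >= len(text) or text[pos] == "}":
                return entries, pos
            open_idx = text.find("{", pos)
            next_close = text.find("}", open_idx + 1)
            if open_idx == -1 or next_close == -1:
                raise ValueError("malformed entry at offset %d" % pos)
            name, pos = text[pos:open_idx].strip(), open_idx + 1
            next_open = text.find("{", pos)
            if next_open != -1 and next_open < next_close:
                value, pos = block(pos)  # a nested '{' comes first: directory
            else:
                value, pos = text[pos:next_close].strip(), next_close  # file
            if pos >= len(text) or text[pos] != "}":
                raise ValueError("missing '}' closing %r" % name)
            entries[name] = value
            pos += 1
    tree, end = block(0)
    if end != len(text):
        raise ValueError("stray '}' at offset %d" % end)
    return tree

def format_features(tree):
    """Serialise a tree back into the file format (round-trips parse_features)."""
    return "\n".join("%s {%s\n}" % (k, format_features(v) if isinstance(v, dict)
                                    else v) for k, v in tree.items())

def load_sysfs_features(root="/sys/kernel/security/apparmor/features"):
    """Snapshot the running kernel's tree; needs an AppArmor-enabled kernel."""
    tree = {}
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if os.path.isdir(path):
            tree[entry] = load_sysfs_features(path)
        else:
            with open(path) as fh:
                tree[entry] = fh.read().strip()
    return tree

def flatten(tree, prefix=""):
    """Map each leaf path such as "caps/mask" to the set of tokens it holds."""
    leaves = {}
    for name, value in tree.items():
        if isinstance(value, dict):
            leaves.update(flatten(value, prefix + name + "/"))
        else:
            leaves[prefix + name] = set(value.split())
    return leaves

def compare_features(pinned_text, kernel_text):
    """Return (unsupported, masked): tokens the pin names that the kernel lacks
    (such policy will not load there) and kernel features the pin hides."""
    pinned = flatten(parse_features(pinned_text))
    kernel = flatten(parse_features(kernel_text))
    unsupported = {p: sorted(t - kernel.get(p, set()))
                   for p, t in pinned.items() if t - kernel.get(p, set())}
    masked = {p: sorted(t - pinned.get(p, set()))
              for p, t in kernel.items() if t - pinned.get(p, set())}
    return unsupported, masked

if __name__ == "__main__":
    print(compare_features(PINNED, NEWER_KERNEL))
```

On a live system, `compare_features(open("/usr/share/apparmor-features/features").read(), format_features(load_sysfs_features()))` runs the same comparison against the running kernel: an empty `unsupported` dict is the check to demand before shipping a pin, and a non-empty `masked` dict is the expected picture on a newer kernel. `format_features(load_sysfs_features())` on a stock Stretch kernel is also how such a pin file can be regenerated.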