Processed: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Processing control commands:

> tags -1 + pending
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u2
Added tag(s) pending.

--
882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Control: tags -1 + pending

On Tue, 2018-02-27 at 12:22 +0100, intrigeri wrote:
> Adam D. Barratt:
> > Please feel free to upload.
>
> Uploaded, thanks.

Flagged for acceptance.

Regards,

Adam
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Adam D. Barratt:
> Please feel free to upload.

Uploaded, thanks.
Processed: Re: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Processing control commands:

> tags -1 + confirmed
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u2
Added tag(s) confirmed.

--
882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Control: tags -1 + confirmed

On 2018-02-27 7:47, intrigeri wrote:
> Hi,
>
> Adam D. Barratt:
> > What's the difference between this and +deb9u1? Is it simply this
> > change:
> > -++features-file=/etc/apparmor/features
> > +++features-file=/usr/share/apparmor-features/features
> > and the equivalent in debian/install?
>
> Yes (modulo the timing matter regarding the Linux 4.14.x bug, which was
> the only reason why +deb9u1 could not make it into a stable release
> last time).
>
> > The changelog going from -3 to -3+deb9u2 is confusing, particularly
> > given that +deb9u1 has been available to users of proposed-updates for
> > some time. If the above is correct, please keep the previous changelog
> > stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing the
> > path change.
>
> Done and accordingly adjusted the maintainer scripts to remove the old
> (now obsolete) /etc/apparmor/features conffile from systems that had
> +deb9u1 installed.

Thanks. Please feel free to upload.

Regards,

Adam
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Hi, Adam D. Barratt: > What's the difference between this and +deb9u1? Is it simply this > change: > -++features-file=/etc/apparmor/features > +++features-file=/usr/share/apparmor-features/features > and the equivalent in debian/install? Yes (modulo the timing matter regarding the Linux 4.14.x bug, which was the only reason why +deb9u1 could not make it into a stable release last time). > The changelog going from -3 to -3+deb9u2 is confusing, particularly > given that +deb9u1 has been available to users of proposed-updates for > some time. If the above is correct, please keep the previous changelog > stanza for +deb9u1 as-is and add a new entry for +deb9u2 describing the > path change. Done and accordingly adjusted the maintainer scripts to remove the old (now obsolete) /etc/apparmor/features conffile from systems that had +deb9u1 installed. I'm attaching 2 updated debdiffs: one from the version in Stretch and the other one from the version that's already in stable p-u. Cheers, -- intrigeri diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install --- apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:08.0 +0200 +++ apparmor-2.11.0/debian/apparmor.install 2018-02-27 07:46:39.0 +0100 @@ -1,4 +1,5 @@ debian/apport/source_apparmor.py /usr/share/apport/package-hooks/ +debian/features /usr/share/apparmor-features/ debian/lib/apparmor/functions /lib/apparmor/ debian/lib/apparmor/profile-load /lib/apparmor/ etc/apparmor/parser.conf diff -Nru apparmor-2.11.0/debian/apparmor.maintscript apparmor-2.11.0/debian/apparmor.maintscript --- apparmor-2.11.0/debian/apparmor.maintscript 2015-08-13 21:25:45.0 +0200 +++ apparmor-2.11.0/debian/apparmor.maintscript 2018-02-27 07:46:39.0 +0100 
@@ -1,3 +1,4 @@ rm_conffile /etc/apparmor/functions 2.5.1-0ubuntu4 rm_conffile /etc/apparmor/rc.apparmor.functions 2.5.1-0ubuntu4 rm_conffile /etc/apparmor.d/abstractions/ubuntu-sdk-base 2.8.0-0ubuntu20~ +rm_conffile /etc/apparmor/features 2.11.0-3+deb9u2~ diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog --- apparmor-2.11.0/debian/changelog 2017-03-28 12:29:15.0 +0200 +++ apparmor-2.11.0/debian/changelog 2018-02-27 07:46:39.0 +0100 @@ -1,3 +1,24 @@ +apparmor (2.11.0-3+deb9u2) UNRELEASED; urgency=medium + + * Move the features file to /usr/share/apparmor-features; +accordingly remove the old (now obsolete) '/etc/apparmor/features' +conffile (Closes: #883682). + * Configure gbp for DEP-14 and avoid gbp-pq prefixing patches +with numbers. + + -- intrigeri Tue, 27 Feb 2018 06:46:39 + + +apparmor (2.11.0-3+deb9u1) stretch; urgency=medium + + * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585). +This ensures Stretch systems, even when running a newer kernel (e.g. +from backports), have their AppArmor feature set pinned to the one +supported by the AppArmor policy shipped in Stretch. Otherwise they +would experience breakage due to new AppArmor mediation features +introduced in recent kernels. + + -- intrigeri Sat, 25 Nov 2017 18:04:05 + + apparmor (2.11.0-3) unstable; urgency=medium * Fix CVE-2017-6507: don't unload unknown profiles during package diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features --- apparmor-2.11.0/debian/features 1970-01-01 01:00:00.0 +0100 +++ apparmor-2.11.0/debian/features 2018-02-27 07:46:39.0 +0100 
@@ -0,0 +1,23 @@ +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xff +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +} diff -Nru apparmor-2.11.0/debian/gbp.conf apparmor-2.11.0/debian/gbp.conf --- apparmor-2.11.0/debian/gbp.conf 1970-01-01 01:00:00.0 +0100 +++ apparmor-2.11.0/debian/gbp.conf 2018-02-27 07:46:39.0 +0100 @@ -0,0 +1,6 @@ +[DEFAULT] +pristine-tar = True +debian-branch = debian/stretch +upstream-branch = upstream/latest +upstream-vcs-tag = v%(version)s +patch-numbers = False diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch --- apparmor-2.11.0/debian/patches/pin-feature-set.patch 1970-01-01 01:00:00.0 +0100 +++ apparmor-2.11.0/debian/patches/pin-feature-set.patch 2018-02-27 07:46:39.0 +0100 @@ -0,0 +1,18 @@ +Description: pin the AppArmor feature set
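Review bot: the new `rm_conffile /etc/apparmor/features 2.11.0-3+deb9u2~` line in the apparmor.maintscript hunk removes the file only when it is unmodified; dpkg-maintscript-helper keeps an administrator-edited copy as /etc/apparmor/features.dpkg-bak. Since parser.conf is being pointed at /usr/share/apparmor-features/features in the same upload, the leftover is harmless, but it deserves a sentence in the changelog so people upgrading from +deb9u1 know why the file lingers. The version argument is right: systems coming from 2.11.0-3 never had the conffile, so the call is a no-op there, and systems coming from +deb9u1 are covered by the trailing `~`.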
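Review bot: the debian/features hunk pins six classes only (caps, rlimit, capability, file, domain, policy). The changelog bullet explains the motivation ("new AppArmor mediation features introduced in recent kernels"), but it should also state the consequence: any class a newer kernel exports that is absent from this file is not mediated for policy compiled against the pin, so the pin is a confinement ceiling as well as a compatibility shim. Recording which kernel the file was captured from (changelog or README.Debian, since the features format has no comment syntax) would make it clear that the file has to be refreshed whenever the Stretch policy gains rules for a new class.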
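The pinned feature set above is also what decides which kernel mediation classes the compiled policy will ignore. As an added example (not code from this bug thread or from the apparmor package), the following Python check reads a `features-file` setting the way the pin-feature-set patch writes it into parser.conf, extracts the top-level classes from a features file in the format of debian/features, and compares them against the directory names a kernel exports under /sys/kernel/security/apparmor/features. The sample parser.conf text, the abbreviated features file and the fake kernel class list are constructed fixtures so the script runs offline; the function names are this example's own.

```python
"""Compare an apparmor_parser features-file pin against a kernel's feature tree.

Added example, not part of the apparmor package. On a real Stretch system the
inputs would be /etc/apparmor/parser.conf, the features file it names, and the
directory /sys/kernel/security/apparmor/features of the running kernel.
"""
import os
import tempfile

# Constructed: the tail of parser.conf as the pin-feature-set patch leaves it.
SAMPLE_PARSER_CONF = """## Adjust compression
#Optimize=compress-small
#Optimize=compress-fast

## Pin feature set (avoid regressions when policy is lagging behind
## the kernel)
features-file=/usr/share/apparmor-features/features
"""

# Constructed: the top-level layout of debian/features, values abbreviated.
SAMPLE_PINNED_FEATURES = """caps {mask {chown dac_override
}
}
rlimit {mask {cpu fsize
}
}
capability {0xff
}
file {mask {create read write exec
}
}
domain {change_profile {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
}
"""


def features_file_from_parser_conf(conf_text):
    """Return the features-file path set in parser.conf, or None.

    Lines beginning with '#' are comments, as in the parser.conf hunk.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "features-file":
            return value.strip()
    return None


def pinned_classes(features_text):
    """Return the top-level class names of a serialized features file.

    A class is the bare word at brace depth 0 immediately before an opening
    brace; nested keys (mask, change_hat, ...) sit at depth >= 1 and are skipped.
    """
    classes, depth, token = [], 0, ""
    for ch in features_text:
        if ch == "{":
            if depth == 0 and token.strip():
                classes.append(token.strip().split()[-1])
            depth += 1
            token = ""
        elif ch == "}":
            depth -= 1
            token = ""
        elif depth == 0:
            token += ch
    return classes


def kernel_classes(features_dir):
    """Class names a kernel exports: one subdirectory per class."""
    return sorted(name for name in os.listdir(features_dir)
                  if os.path.isdir(os.path.join(features_dir, name)))


def unmediated_classes(features_text, features_dir):
    """Classes the kernel offers that the pin omits: policy compiled against
    the pinned file carries no rules for them, so they are not mediated."""
    pinned = set(pinned_classes(features_text))
    return [c for c in kernel_classes(features_dir) if c not in pinned]


def make_fake_kernel_tree(classes):
    """Constructed stand-in for /sys/kernel/security/apparmor/features."""
    root = tempfile.mkdtemp(prefix="aa-features-")
    for c in classes:
        os.makedirs(os.path.join(root, c))
    return root


def demo():
    """Run the comparison on the constructed fixtures; returns the gap list."""
    # Constructed: class list of a kernel newer than the one the pin targets.
    kernel = make_fake_kernel_tree(["caps", "capability", "domain", "file",
                                    "mount", "namespaces", "network", "policy",
                                    "ptrace", "rlimit", "signal"])
    return unmediated_classes(SAMPLE_PINNED_FEATURES, kernel)


if __name__ == "__main__":
    print("pin read from parser.conf:",
          features_file_from_parser_conf(SAMPLE_PARSER_CONF))
    for cls in demo():
        print("not mediated under pin:", cls)
```

Pointing `unmediated_classes` at the real features file and the real sysfs directory on a Stretch box running a backports kernel lists exactly the classes whose rules the pinned policy is silently doing without, which is the trade-off the changelog bullet describes.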
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
On Sun, 2018-02-25 at 13:01 +0100, intrigeri wrote:
> here's the updated debdiff; I've bumped the version in order to
> avoid confusion.

Well you can't upload another +deb9u1 as that version is already in the
archive, so it's required in any case.

> This will now work fine except for Linux 4.14 to 4.14.12 that have the
> bug which prevented us from including apparmor 2.11.0-3+deb9u1 in the
> previous point release. The kernel fix has been in sid since
> 2018-01-15, in stretch-backports since 2018-01-16, and in testing
> since 2018-01-20. So IMO the benefit (repairing stuff for Stretch
> users running an up-to-date backported kernel) is worth the risk
> (breaking stuff for Stretch users running an outdated Linux 4.14.x).
>
> May I upload (with s/UNRELEASED/stretch/ of course)?

What's the difference between this and +deb9u1? Is it simply this change:

-++features-file=/etc/apparmor/features
+++features-file=/usr/share/apparmor-features/features

and the equivalent in debian/install?

The changelog going from -3 to -3+deb9u2 is confusing, particularly given
that +deb9u1 has been available to users of proposed-updates for some
time. If the above is correct, please keep the previous changelog stanza
for +deb9u1 as-is and add a new entry for +deb9u2 describing the path
change.

Regards,

Adam
Processed: Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Processing control commands:

> tag -1 - moreinfo
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u1
Removed tag(s) moreinfo.
> retitle -1 stretch-pu: package apparmor/2.11.0-3+deb9u2
Bug #882697 [release.debian.org] stretch-pu: package apparmor/2.11.0-3+deb9u1
Changed Bug title to 'stretch-pu: package apparmor/2.11.0-3+deb9u2' from 'stretch-pu: package apparmor/2.11.0-3+deb9u1'.

--
882697: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882697
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u2
Control: tag -1 - moreinfo Control: retitle -1 stretch-pu: package apparmor/2.11.0-3+deb9u2 Hi, here's the updated debdiff; I've bumped the version in order to avoid confusion. This will now work fine except for Linux 4.14 to 4.14.12 that have the bug which prevented us from including apparmor 2.11.0-3+deb9u1 in the previous point release. The kernel fix has been in sid since 2018-01-15, in stretch-backports since 2018-01-16, and in testing since 2018-01-20. So IMO the benefit (repairing stuff for Stretch users running an up-to-date backported kernel) is worth the risk (breaking stuff for Stretch users running an outdated Linux 4.14.x). May I upload (with s/UNRELEASED/stretch/ of course)? Cheers, -- intrigeri diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install --- apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:08.0 +0200 +++ apparmor-2.11.0/debian/apparmor.install 2018-02-25 11:21:24.0 +0100 @@ -1,4 +1,5 @@ debian/apport/source_apparmor.py /usr/share/apport/package-hooks/ +debian/features /usr/share/apparmor-features/ debian/lib/apparmor/functions /lib/apparmor/ debian/lib/apparmor/profile-load /lib/apparmor/ etc/apparmor/parser.conf diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog --- apparmor-2.11.0/debian/changelog 2017-03-28 12:29:15.0 +0200 +++ apparmor-2.11.0/debian/changelog 2018-02-25 11:21:24.0 +0100 
@@ -1,3 +1,16 @@ +apparmor (2.11.0-3+deb9u2) UNRELEASED; urgency=medium + + * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585). +This ensures Stretch systems, even when running a newer kernel (e.g. +from backports), have their AppArmor feature set pinned to the one +supported by the AppArmor policy shipped in Stretch. Otherwise they +would experience breakage due to new AppArmor mediation features +introduced in recent kernels. + * Configure gbp for DEP-14 and avoid gbp-pq prefixing patches +with numbers. + + -- intrigeri Sun, 25 Feb 2018 10:21:24 + + apparmor (2.11.0-3) unstable; urgency=medium * Fix CVE-2017-6507: don't unload unknown profiles during package diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features --- apparmor-2.11.0/debian/features 1970-01-01 01:00:00.0 +0100 +++ apparmor-2.11.0/debian/features 2018-02-25 11:21:24.0 +0100 @@ -0,0 +1,23 @@ +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xff +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +} diff -Nru apparmor-2.11.0/debian/gbp.conf apparmor-2.11.0/debian/gbp.conf --- apparmor-2.11.0/debian/gbp.conf 1970-01-01 01:00:00.0 +0100 +++ apparmor-2.11.0/debian/gbp.conf 2018-02-25 11:21:24.0 +0100 
@@ -0,0 +1,6 @@ +[DEFAULT] +pristine-tar = True +debian-branch = debian/stretch +upstream-branch = upstream/latest +upstream-vcs-tag = v%(version)s +patch-numbers = False diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch --- apparmor-2.11.0/debian/patches/pin-feature-set.patch 1970-01-01 01:00:00.0 +0100 +++ apparmor-2.11.0/debian/patches/pin-feature-set.patch 2018-02-25 11:21:24.0 +0100 @@ -0,0 +1,18 @@ +Description: pin the AppArmor feature set to the one shipped by the apparmor package + . + Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor + policy in a relaxed manner. +Bug-Debian: https://bugs.debian.org/879585 +Forwarded: not-needed +Author: intrigeri + +--- a/parser/parser.conf b/parser/parser.conf +@@ -59,3 +59,7 @@ + ## Adjust compression + #Optimize=compress-small + #Optimize=compress-fast ++ ++## Pin feature set (avoid regressions when policy is lagging behind ++## the kernel) ++features-file=/usr/share/apparmor-features/features diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series --- apparmor-2.11.0/debian/patches/series 2017-03-28 12:24:44.0 +0200 +++ apparmor-2.11.0/debian/patches/series 2018-02-25 11:21:24.0 +0100 @@ -2,6 +2,7 @@ # Debian-specific patches # +pin-feature-set.patch notify-group.patch #
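Review bot: the debian/changelog hunk folds the +deb9u1 work into a single 2.11.0-3+deb9u2 stanza, so the version that has been sitting in proposed-updates disappears from the history; keep the +deb9u1 stanza verbatim and add a +deb9u2 entry that describes only the move of the features file and the removal of the old conffile. The stanza also still reads `UNRELEASED`, which has to become `stretch` before the upload.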
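Review bot: the pin-feature-set.patch hunk appends `features-file=/usr/share/apparmor-features/features` to parser/parser.conf, and apparmor.install ships etc/apparmor/parser.conf, so the pin lives in a conffile: an administrator who has edited parser.conf gets a conffile prompt on upgrade and, if they keep their own version, the pin is never applied and the policy is compiled against the running kernel's features, which is the failure #879585 describes. A NEWS.Debian entry or changelog note saying that the line must be present (and that removing it restores unpinned behaviour) would cover that case. The path does match the apparmor.install hunk (`debian/features /usr/share/apparmor-features/`), so the two hunks are consistent.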