[neon/backports-noble/apparmor-noble/Neon/release] debian/patches: refresh patches
Carlos De Maine
null at kde.org
Wed Apr 9 05:33:54 BST 2025
Git commit 1e0f2b7453f2fe0e6a0e9a11801693f0f247a8ef by Carlos De Maine.
Committed on 09/04/2025 at 04:33.
Pushed by carlosdem into branch 'Neon/release'.
refresh patches
M +2 -2 debian/patches/debian/Enable-writing-cache.patch
M +2 -2 debian/patches/debian/add-debian-integration-to-lighttpd.patch
M +4 -14 debian/patches/debian/etc-writable.patch
M +5 -5 debian/patches/debian/libapparmor-layout-deb.patch
M +2 -3 debian/patches/series
M +4 -4 debian/patches/ubuntu/communitheme-snap-support.patch
M +2 -2 debian/patches/ubuntu/mimeinfo-snap-support.patch
M +1 -3 debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch
M +169 -159 debian/patches/ubuntu/parser-add-support-for-prompting.patch
M +2 -2 debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
M +2 -2 debian/patches/ubuntu/samba-systemd-interaction.patch
M +2 -2 debian/patches/ubuntu/userns-runtime-disable.patch
https://invent.kde.org/neon/backports-noble/apparmor-noble/-/commit/1e0f2b7453f2fe0e6a0e9a11801693f0f247a8ef
diff --git a/debian/patches/debian/Enable-writing-cache.patch b/debian/patches/debian/Enable-writing-cache.patch
index ed20992..f9c854b 100644
--- a/debian/patches/debian/Enable-writing-cache.patch
+++ b/debian/patches/debian/Enable-writing-cache.patch
@@ -8,8 +8,8 @@ Forwarded: not-needed
parser/rc.apparmor.functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---- apparmor-4.0.0-beta3.orig/parser/rc.apparmor.functions
-+++ apparmor-4.0.0-beta3/parser/rc.apparmor.functions
+--- a/parser/rc.apparmor.functions
++++ b/parser/rc.apparmor.functions
@@ -32,7 +32,7 @@
# Some nice defines that we use
diff --git a/debian/patches/debian/add-debian-integration-to-lighttpd.patch b/debian/patches/debian/add-debian-integration-to-lighttpd.patch
index e15484d..3a97236 100644
--- a/debian/patches/debian/add-debian-integration-to-lighttpd.patch
+++ b/debian/patches/debian/add-debian-integration-to-lighttpd.patch
@@ -8,8 +8,8 @@ Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/582814
profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 1 +
1 file changed, 1 insertion(+)
---- apparmor-4.0.0-beta3.orig/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
-+++ apparmor-4.0.0-beta3/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
+--- a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
++++ b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
@@ -60,6 +60,7 @@
/{usr/,}bin/cat mix,
diff --git a/debian/patches/debian/etc-writable.patch b/debian/patches/debian/etc-writable.patch
index 461bdd6..21864ed 100644
--- a/debian/patches/debian/etc-writable.patch
+++ b/debian/patches/debian/etc-writable.patch
@@ -11,8 +11,8 @@ Bug-Ubuntu: https://launchpad.net/bugs/1227520
profiles/apparmor/profiles/extras/firefox | 1 +
3 files changed, 4 insertions(+)
---- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/base
-+++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/base
+--- a/profiles/apparmor.d/abstractions/base
++++ b/profiles/apparmor.d/abstractions/base
@@ -33,6 +33,7 @@
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@@ -21,8 +21,8 @@ Bug-Ubuntu: https://launchpad.net/bugs/1227520
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/ r,
---- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
-+++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
++++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@@ -39,6 +39,7 @@
/etc/lsb-release r,
/etc/ssl/certs/java/* r,
@@ -39,13 +39,3 @@ Bug-Ubuntu: https://launchpad.net/bugs/1227520
@{PROC}/@{pid}/ r,
@{PROC}/@{pid}/fd/ r,
---- apparmor-4.0.0-beta3.orig/profiles/apparmor/profiles/extras/firefox
-+++ apparmor-4.0.0-beta3/profiles/apparmor/profiles/extras/firefox
-@@ -140,6 +140,7 @@
- member=Launched,
-
- /etc/timezone r,
-+ /etc/writable/timezone r,
- /etc/wildmidi/wildmidi.cfg r,
-
- # firefox specific
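Review bot: The refreshed etc-writable.patch drops its whole third hunk (the `+ /etc/writable/timezone r,` addition to profiles/apparmor/profiles/extras/firefox), but the patch's own diffstat, kept as unchanged context in this file's first hunk, still reads `profiles/apparmor/profiles/extras/firefox | 1 +` and `3 files changed, 4 insertions(+)`. Anyone reading the patch header will expect a firefox change that the patch no longer carries, and the Debian patch metadata is the only record of what the packaging alters in the shipped profiles. Regenerate the diffstat so it matches the two remaining hunks, and say in the patch description (or the commit message, which currently only says 'refresh patches') why the firefox hunk was removed rather than re-based; whether the upstream firefox extras profile lost that context cannot be determined from this diff.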
diff --git a/debian/patches/debian/libapparmor-layout-deb.patch b/debian/patches/debian/libapparmor-layout-deb.patch
index 0ec20af..22283aa 100644
--- a/debian/patches/debian/libapparmor-layout-deb.patch
+++ b/debian/patches/debian/libapparmor-layout-deb.patch
@@ -9,10 +9,10 @@ Forwarded: not-needed
utils/Makefile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
---- apparmor-4.0.0-beta3.orig/libraries/libapparmor/swig/python/Makefile.am
-+++ apparmor-4.0.0-beta3/libraries/libapparmor/swig/python/Makefile.am
+--- a/libraries/libapparmor/swig/python/Makefile.am
++++ b/libraries/libapparmor/swig/python/Makefile.am
@@ -17,7 +17,7 @@
- CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
+ CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
install-exec-local:
- $(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
@@ -20,8 +20,8 @@ Forwarded: not-needed
clean-local:
if test -x "$(PYTHON)"; then $(PYTHON) setup.py clean; fi
---- apparmor-4.0.0-beta3.orig/utils/Makefile
-+++ apparmor-4.0.0-beta3/utils/Makefile
+--- a/utils/Makefile
++++ b/utils/Makefile
@@ -58,7 +58,7 @@
$(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME}
$(MAKE) install_manpages DESTDIR=${DESTDIR}
diff --git a/debian/patches/series b/debian/patches/series
index 73b42cc..2d6d3c9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,6 +11,5 @@ ubuntu/profiles-grant-access-to-systemd-resolved.patch
ubuntu/samba-systemd-interaction.patch
ubuntu/userns-runtime-disable.patch
ubuntu/parser-add-support-for-prompting.patch
-ubuntu/profiles-add-unconfined-balena-etcher-profile.patch
-ubuntu/mountrule-relaxing-constraints-on-fstype.patch
-ubuntu/fix-redefinition-of-ignored-var.patch
+#ubuntu/mountrule-relaxing-constraints-on-fstype.patch
+#ubuntu/fix-redefinition-of-ignored-var.patch
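Review bot: This hunk changes which patches are applied at build time — `ubuntu/profiles-add-unconfined-balena-etcher-profile.patch` is removed from series, and `ubuntu/mountrule-relaxing-constraints-on-fstype.patch` and `ubuntu/fix-redefinition-of-ignored-var.patch` are commented out — while the commit message says only 'refresh patches'. Disabling a patch alters the shipped package rather than refreshing it: the mountrule patch is still edited elsewhere in this same commit even though quilt will no longer apply it, the balena-etcher patch file is not deleted (no D entry in the file list) and so becomes an orphan, and whatever fix-redefinition-of-ignored-var.patch corrected is now absent from the build (its content is not visible here). Please record the reason in the commit message or debian/changelog and leave a pointer next to each disabled entry, e.g. `# disabled: fails to apply on current upstream — TODO rebase or drop (see <tracking issue>)`, so the disablement is not silently permanent.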
diff --git a/debian/patches/ubuntu/communitheme-snap-support.patch b/debian/patches/ubuntu/communitheme-snap-support.patch
index 9d6e1a4..466908a 100644
--- a/debian/patches/ubuntu/communitheme-snap-support.patch
+++ b/debian/patches/ubuntu/communitheme-snap-support.patch
@@ -9,8 +9,8 @@ Forwarded: no
profiles/apparmor.d/abstractions/gnome | 4 ++++
2 files changed, 8 insertions(+)
---- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/freedesktop.org
-+++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/freedesktop.org
+--- a/profiles/apparmor.d/abstractions/freedesktop.org
++++ b/profiles/apparmor.d/abstractions/freedesktop.org
@@ -19,6 +19,10 @@
@{system_share_dirs}/icons/{**,} r,
@{system_share_dirs}/pixmaps/{**,} r,
@@ -22,8 +22,8 @@ Forwarded: no
# this should probably go elsewhere
@{system_share_dirs}/mime/** r,
---- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/gnome
-+++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/gnome
+--- a/profiles/apparmor.d/abstractions/gnome
++++ b/profiles/apparmor.d/abstractions/gnome
@@ -31,6 +31,10 @@
/usr/share/themes/** r,
/usr/share/gtk-3.0/settings.ini r,
diff --git a/debian/patches/ubuntu/mimeinfo-snap-support.patch b/debian/patches/ubuntu/mimeinfo-snap-support.patch
index be8ec1a..dfa1ce2 100644
--- a/debian/patches/ubuntu/mimeinfo-snap-support.patch
+++ b/debian/patches/ubuntu/mimeinfo-snap-support.patch
@@ -8,8 +8,8 @@ Forwarded: no
profiles/apparmor.d/abstractions/freedesktop.org | 4 ++++
1 file changed, 4 insertions(+)
---- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/freedesktop.org
-+++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/freedesktop.org
+--- a/profiles/apparmor.d/abstractions/freedesktop.org
++++ b/profiles/apparmor.d/abstractions/freedesktop.org
@@ -23,6 +23,10 @@
/snap/communitheme/*/share/icons/ r,
/snap/communitheme/*/share/icons/** r,
diff --git a/debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch b/debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch
index aa9c6b7..9e007e6 100644
--- a/debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch
+++ b/debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch
@@ -21,9 +21,7 @@ index f62c08e4b..abfa2b75e 100644
_ = init_translation()
-# TODO :
--# - match correctly AARE on every field
--# - Find the actual list of supported filesystems. This one comes from /proc/filesystems. We also blindly accept fuse.*
--# - Support path that begin by { (e.g. {,/usr}/lib/...) This syntax is not a valid AARE but is used by usr.lib.snapd.snap-confine.real in Ubuntu and will currently raise an error in genprof if these lines are not modified.
+-#
-# - Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules.
-
-valid_fs = [
diff --git a/debian/patches/ubuntu/parser-add-support-for-prompting.patch b/debian/patches/ubuntu/parser-add-support-for-prompting.patch
index c583591..bdf53a5 100644
--- a/debian/patches/ubuntu/parser-add-support-for-prompting.patch
+++ b/debian/patches/ubuntu/parser-add-support-for-prompting.patch
@@ -52,8 +52,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
create mode 100644 parser/libapparmor_re/policy_compat.h
create mode 100644 parser/perms.h
---- apparmor-4.0.0-beta4.orig/parser/af_unix.cc
-+++ apparmor-4.0.0-beta4/parser/af_unix.cc
+--- a/parser/af_unix.cc
++++ b/parser/af_unix.cc
@@ -33,7 +33,7 @@
/* See unix(7) for autobind address definition */
#define autobind_address_pattern "\\x00[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]";
@@ -152,8 +152,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- apparmor-4.0.0-beta4.orig/parser/af_unix.h
-+++ apparmor-4.0.0-beta4/parser/af_unix.h
+--- a/parser/af_unix.h
++++ b/parser/af_unix.h
@@ -24,7 +24,7 @@
#include "profile.h"
#include "af_rule.h"
@@ -172,8 +172,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
struct cond_entry *peer_conds);
virtual ~unix_rule()
{
---- apparmor-4.0.0-beta4.orig/parser/dbus.cc
-+++ apparmor-4.0.0-beta4/parser/dbus.cc
+--- a/parser/dbus.cc
++++ b/parser/dbus.cc
@@ -30,7 +30,7 @@
#include "dbus.h"
@@ -216,8 +216,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
perms & AA_DBUS_EAVESDROP,
audit == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0,
1, vec, parseopts, false))
---- apparmor-4.0.0-beta4.orig/parser/dbus.h
-+++ apparmor-4.0.0-beta4/parser/dbus.h
+--- a/parser/dbus.h
++++ b/parser/dbus.h
@@ -23,7 +23,7 @@
#include "rule.h"
#include "profile.h"
@@ -245,8 +245,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on dbus rules";
return false;
}
---- apparmor-4.0.0-beta4.orig/parser/io_uring.cc
-+++ apparmor-4.0.0-beta4/parser/io_uring.cc
+--- a/parser/io_uring.cc
++++ b/parser/io_uring.cc
@@ -47,7 +47,7 @@
}
}
@@ -273,8 +273,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
perms, audit == AUDIT_FORCE ? perms : 0,
parseopts))
goto fail;
---- apparmor-4.0.0-beta4.orig/parser/io_uring.h
-+++ apparmor-4.0.0-beta4/parser/io_uring.h
+--- a/parser/io_uring.h
++++ b/parser/io_uring.h
@@ -31,7 +31,7 @@
public:
char *label;
@@ -284,8 +284,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
virtual ~io_uring_rule()
{
free(label);
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/Makefile
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/Makefile
+--- a/parser/libapparmor_re/Makefile
++++ b/parser/libapparmor_re/Makefile
@@ -22,17 +22,19 @@
UNITTESTS = tst_parse
@@ -308,8 +308,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
parse.o : parse.cc apparmor_re.h expr-tree.h
parse.cc : parse.y parse.h flex-tables.h ../immunix.h
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/aare_rules.cc
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/aare_rules.cc
+--- a/parser/libapparmor_re/aare_rules.cc
++++ b/parser/libapparmor_re/aare_rules.cc
@@ -44,10 +44,10 @@
expr_map.clear();
}
@@ -521,8 +521,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+
return buffer;
}
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/aare_rules.h
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/aare_rules.h
+--- a/parser/libapparmor_re/aare_rules.h
++++ b/parser/libapparmor_re/aare_rules.h
@@ -21,22 +21,28 @@
#ifndef __LIBAA_RE_RULES_H
#define __LIBAA_RE_RULES_H
@@ -617,8 +617,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
};
#endif /* __LIBAA_RE_RULES_H */
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/chfa.cc
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/chfa.cc
+--- a/parser/libapparmor_re/chfa.cc
++++ b/parser/libapparmor_re/chfa.cc
@@ -32,6 +32,7 @@
#include "hfa.h"
#include "chfa.h"
@@ -851,8 +851,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+ new_start = num[file_chfa.start];
+}
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/chfa.h
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/chfa.h
+--- a/parser/libapparmor_re/chfa.h
++++ b/parser/libapparmor_re/chfa.h
@@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
@@ -899,8 +899,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
map<const State *, size_t> num;
map<transchar, transchar> eq;
transchar max_eq;
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/expr-tree.h
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/expr-tree.h
+--- a/parser/libapparmor_re/expr-tree.h
++++ b/parser/libapparmor_re/expr-tree.h
@@ -41,6 +41,7 @@
#include <stdint.h>
@@ -954,8 +954,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
/* Traverse the syntax tree depth-first in an iterator-like manner. */
class depth_first_traversal {
stack<Node *>pos;
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/hfa.cc
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/hfa.cc
+--- a/parser/libapparmor_re/hfa.cc
++++ b/parser/libapparmor_re/hfa.cc
@@ -31,11 +31,12 @@
#include <iostream>
#include <fstream>
@@ -1131,8 +1131,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
if (error)
fprintf(stderr, "profile has merged rule with conflicting x modifiers\n");
---- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/hfa.h
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/hfa.h
+--- a/parser/libapparmor_re/hfa.h
++++ b/parser/libapparmor_re/hfa.h
@@ -27,11 +27,15 @@
#include <list>
#include <map>
@@ -1253,7 +1253,7 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int oob_range;
int max_range;
--- /dev/null
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/policy_compat.cc
++++ b/parser/libapparmor_re/policy_compat.cc
@@ -0,0 +1,218 @@
+/*
+ * Copyright (c) 2022
@@ -1474,7 +1474,7 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+}
+
--- /dev/null
-+++ apparmor-4.0.0-beta4/parser/libapparmor_re/policy_compat.h
++++ b/parser/libapparmor_re/policy_compat.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2022
@@ -1501,8 +1501,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+struct aa_perms compute_perms_entry(uint32_t accept1, uint32_t accept2, uint32_t accept3);
+
+#endif /* __AA_POLICY_COMPAT_H */
---- apparmor-4.0.0-beta4.orig/parser/mount.cc
-+++ apparmor-4.0.0-beta4/parser/mount.cc
+--- a/parser/mount.cc
++++ b/parser/mount.cc
@@ -478,7 +478,7 @@
mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
@@ -1620,8 +1620,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int n = add_entry_to_x_table(&prof, trans);
if (!n) {
PERROR("Profile %s has too many specified profile transitions.\n", prof.name);
---- apparmor-4.0.0-beta4.orig/parser/mount.h
-+++ apparmor-4.0.0-beta4/parser/mount.h
+--- a/parser/mount.h
++++ b/parser/mount.h
@@ -152,7 +152,7 @@
mnt_rule(struct cond_entry *src_conds, char *device_p,
@@ -1640,8 +1640,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on mount rules";
return false;
}
---- apparmor-4.0.0-beta4.orig/parser/mqueue.cc
-+++ apparmor-4.0.0-beta4/parser/mqueue.cc
+--- a/parser/mqueue.cc
++++ b/parser/mqueue.cc
@@ -25,7 +25,7 @@
#include <iostream>
#include <sstream>
@@ -1686,8 +1686,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
}
---- apparmor-4.0.0-beta4.orig/parser/mqueue.h
-+++ apparmor-4.0.0-beta4/parser/mqueue.h
+--- a/parser/mqueue.h
++++ b/parser/mqueue.h
@@ -84,7 +84,7 @@
((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
}
@@ -1706,8 +1706,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
virtual ~mqueue_rule()
{
free(qname);
---- apparmor-4.0.0-beta4.orig/parser/network.cc
-+++ apparmor-4.0.0-beta4/parser/network.cc
+--- a/parser/network.cc
++++ b/parser/network.cc
@@ -29,7 +29,7 @@
#define ALL_TYPES 0x43e
@@ -1807,8 +1807,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
parseopts))
return false;
---- apparmor-4.0.0-beta4.orig/parser/network.h
-+++ apparmor-4.0.0-beta4/parser/network.h
+--- a/parser/network.h
++++ b/parser/network.h
@@ -107,8 +107,9 @@
((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
};
@@ -1836,8 +1836,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
virtual ~network_rule()
{
peer.free_conds();
---- apparmor-4.0.0-beta4.orig/parser/parser.h
-+++ apparmor-4.0.0-beta4/parser/parser.h
+--- a/parser/parser.h
++++ b/parser/parser.h
@@ -122,7 +122,7 @@
char *nt_name;
Profile *prof; /* Special profile defined
@@ -1893,8 +1893,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
/* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
extern int str_to_boolean(const char* str);
---- apparmor-4.0.0-beta4.orig/parser/parser_common.c
-+++ apparmor-4.0.0-beta4/parser/parser_common.c
+--- a/parser/parser_common.c
++++ b/parser/parser_common.c
@@ -86,6 +86,10 @@
int features_supports_flag_interruptible = 0;
int features_supports_flag_signal = 0;
@@ -1972,8 +1972,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+ fprintf(f, "Unknown prompt compat mode '%d'", prompt_compat_mode);
+ }
+}
---- apparmor-4.0.0-beta4.orig/parser/parser_interface.c
-+++ apparmor-4.0.0-beta4/parser/parser_interface.c
+--- a/parser/parser_interface.c
++++ b/parser/parser_interface.c
@@ -323,10 +323,49 @@
sd_write8(buf, SD_LISTEND);
}
@@ -2129,8 +2129,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
sd_write_structend(buf);
}
---- apparmor-4.0.0-beta4.orig/parser/parser_main.c
-+++ apparmor-4.0.0-beta4/parser/parser_main.c
+--- a/parser/parser_main.c
++++ b/parser/parser_main.c
@@ -137,6 +137,8 @@
#define EARLY_ARG_CONFIG_FILE 142
#define ARG_WERROR 143
@@ -2201,8 +2201,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
if (!kernel_supports_diff_encode)
/* clear diff_encode because it is not supported */
parseopts.control &= ~CONTROL_DFA_DIFF_ENCODE;
---- apparmor-4.0.0-beta4.orig/parser/parser_misc.c
-+++ apparmor-4.0.0-beta4/parser/parser_misc.c
+--- a/parser/parser_misc.c
++++ b/parser/parser_misc.c
@@ -97,6 +97,7 @@
{"audit", TOK_AUDIT},
{"deny", TOK_DENY},
@@ -2277,8 +2277,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
{
struct cod_entry *entry = NULL;
---- apparmor-4.0.0-beta4.orig/parser/parser_policy.c
-+++ apparmor-4.0.0-beta4/parser/parser_policy.c
+--- a/parser/parser_policy.c
++++ b/parser/parser_policy.c
@@ -240,6 +240,13 @@
}
@@ -2293,8 +2293,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
return error;
}
---- apparmor-4.0.0-beta4.orig/parser/parser_regex.c
-+++ apparmor-4.0.0-beta4/parser/parser_regex.c
+--- a/parser/parser_regex.c
++++ b/parser/parser_regex.c
@@ -507,7 +507,8 @@
aare_rules *rules = new aare_rules();
if (!rules)
@@ -2501,102 +2501,112 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int process_profile_policydb(Profile *prof)
{
-@@ -1002,44 +1093,78 @@
+@@ -1001,50 +1092,85 @@
+ */
- /* note: this activates fs based unix domain sockets mediation on connect */
- if (kernel_abi_version > 5 &&
-- !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_file, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_mount &&
-- !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_mount, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_dbus &&
-- !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_dbus, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_signal &&
-- !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_signal, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_ptrace &&
-- !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_ptrace, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_networkv8 &&
-- !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_netv8, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_unix &&
-- (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
-- !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
-+ (!prof->policy.rules->add_rule(mediates_extended_net, RULE_ALLOW, AA_MAY_READ, 0, parseopts) ||
-+ !prof->policy.rules->add_rule(mediates_net_unix, RULE_ALLOW, AA_MAY_READ, 0, parseopts)))
- goto out;
if (features_supports_userns &&
- !prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_ns, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_posix_mqueue &&
-- !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_posix_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_sysv_mqueue &&
-- !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_sysv_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_io_uring &&
-- !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_io_uring, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_ns, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
goto out;
-- if (prof->policy.rules->rule_count > 0) {
-+ if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {
-+ // MUST have file and policy
-+ // This requires file rule processing happen first
-+ if (!prof->dfa.rules->rule_count) {
-+ // add null dfa
-+ if (!prof->dfa.rules->add_rule(deny_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
-+ goto out;
-+ }
-+ if (!prof->policy.rules->rule_count) {
-+ if (!prof->policy.rules->add_rule(mediates_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
-+ goto out;
+ /* don't add mediated classes to unconfined profiles */
+ if (prof->flags.mode != MODE_UNCONFINED &&
+- prof->flags.mode != MODE_DEFAULT_ALLOW) {
++ prof->flags.mode != MODE_DEFAULT_ALLOW) {
+ /* note: this activates fs based unix domain sockets mediation on connect */
+ if (kernel_abi_version > 5 &&
+- !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_file, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_mount &&
+- !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_mount, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_dbus &&
+- !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_dbus, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_signal &&
+- !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_signal, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_ptrace &&
+- !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_ptrace, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_networkv8 &&
+- !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_netv8, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_unix &&
+- (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
+- !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
++ (!prof->policy.rules->add_rule(mediates_extended_net, RULE_ALLOW, AA_MAY_READ, 0, parseopts) ||
++ !prof->policy.rules->add_rule(mediates_net_unix, RULE_ALLOW, AA_MAY_READ, 0, parseopts)))
+ goto out;
+ if (features_supports_posix_mqueue &&
+- !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_posix_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_sysv_mqueue &&
+- !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_sysv_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_io_uring &&
+- !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_io_uring, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+- }
+ }
-+ int xmatch_len = 0;
-+ prof->policy.dfa = prof->policy.rules->create_welded_dfablob(
-+ prof->dfa.rules,
-+ &prof->policy.size,
-+ &xmatch_len,
-+ &prof->policy.file_start,
-+ prof->policy.perms_table, parseopts,
-+ kernel_supports_permstable32_v1,
-+ prof->uses_prompt_rules);
-+ delete prof->policy.rules;
-+ delete prof->dfa.rules;
-+ prof->policy.rules = NULL;
-+ prof->dfa.rules = NULL;
-+ if (!prof->policy.dfa)
-+ goto out;
-+ } else if (prof->policy.rules->rule_count > 0 &&
-+ // yes not needed as covered above, just making sure
-+ // this doesn't get messed up in the future
-+ prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
- int xmatch_len = 0;
+
+- if (prof->policy.rules->rule_count > 0) {
+- int xmatch_len = 0;
- prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size,
- &xmatch_len, parseopts, false);
++ if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {
++ // MUST have file and policy
++ // This requires file rule processing happen first
++ if (!prof->dfa.rules->rule_count) {
++ // add null dfa
++ if (!prof->dfa.rules->add_rule(deny_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
++ goto out;
++ }
++ if (!prof->policy.rules->rule_count) {
++ if (!prof->policy.rules->add_rule(mediates_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
++ goto out;
++ }
++ int xmatch_len = 0;
++ prof->policy.dfa = prof->policy.rules->create_welded_dfablob(
++ prof->dfa.rules,
++ &prof->policy.size,
++ &xmatch_len,
++ &prof->policy.file_start,
++ prof->policy.perms_table, parseopts,
++ kernel_supports_permstable32_v1,
++ prof->uses_prompt_rules);
++ delete prof->policy.rules;
++ delete prof->dfa.rules;
++ prof->policy.rules = NULL;
++ prof->dfa.rules = NULL;
++ if (!prof->policy.dfa)
++ goto out;
++ } else if (prof->policy.rules->rule_count > 0 &&
++ // yes not needed as covered above, just making sure
++ // this doesn't get messed up in the future
++ prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
++ int xmatch_len = 0;
+ prof->policy.dfa = prof->policy.rules->create_dfablob(&prof->policy.size,
-+ &xmatch_len,
-+ prof->policy.perms_table,
-+ parseopts, false,
-+ prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
-+ prof->uses_prompt_rules);
++ &xmatch_len,
++ prof->policy.perms_table,
++ parseopts, false,
++ prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
++ prof->uses_prompt_rules);
delete prof->policy.rules;
prof->policy.rules = NULL;
---- apparmor-4.0.0-beta4.orig/parser/parser_yacc.y
-+++ apparmor-4.0.0-beta4/parser/parser_yacc.y
+--- a/parser/parser_yacc.y
++++ b/parser/parser_yacc.y
@@ -63,10 +63,10 @@
int parser_token = 0;
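Review bot: In the refreshed parser_regex.c hunk the posix_mqueue block now adds two lines in a row, `+ !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))` followed by `+ !prof->policy.rules->add_rule(mediates_posix_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))`, whereas every other mediates_* class in the same block replaces its `0` line with a single RULE_ALLOW line. The first of the two looks like a leftover from the old context that should only appear as the `-` line; as written, the patched source would contain both calls, and the second would be a stray expression statement ending in an unbalanced `)`, so the parser would presumably fail to compile — please confirm the refreshed patch still applies and builds, and drop the `0` line. The enclosing function `process_profile_policydb` starts in the hunk's inner context and continues past the end of this hunk.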
@@ -2731,7 +2741,7 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
};
-
--- /dev/null
-+++ apparmor-4.0.0-beta4/parser/perms.h
++++ b/parser/perms.h
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2022
@@ -2850,8 +2860,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+};
+
+#endif /* __AA_PERM_H */
---- apparmor-4.0.0-beta4.orig/parser/profile.cc
-+++ apparmor-4.0.0-beta4/parser/profile.cc
+--- a/parser/profile.cc
++++ b/parser/profile.cc
@@ -161,6 +161,8 @@
{
entry->next = prof->entries;
@@ -2875,8 +2885,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int n = add_named_transition(prof, entry);
if (!n) {
PERROR("Profile %s has too many specified profile transitions.\n", prof->name);
---- apparmor-4.0.0-beta4.orig/parser/profile.h
-+++ apparmor-4.0.0-beta4/parser/profile.h
+--- a/parser/profile.h
++++ b/parser/profile.h
@@ -15,6 +15,7 @@
#define __AA_PROFILE_H
@@ -2946,8 +2956,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
ns = name = attachment = NULL;
altnames = NULL;
xmatch = NULL;
---- apparmor-4.0.0-beta4.orig/parser/ptrace.cc
-+++ apparmor-4.0.0-beta4/parser/ptrace.cc
+--- a/parser/ptrace.cc
++++ b/parser/ptrace.cc
@@ -24,7 +24,7 @@
#include <string>
#include <sstream>
@@ -2978,8 +2988,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- apparmor-4.0.0-beta4.orig/parser/ptrace.h
-+++ apparmor-4.0.0-beta4/parser/ptrace.h
+--- a/parser/ptrace.h
++++ b/parser/ptrace.h
@@ -27,14 +27,14 @@
#define AA_VALID_PTRACE_PERMS (AA_MAY_READ | AA_MAY_TRACE | AA_MAY_READBY | \
AA_MAY_TRACEDBY)
@@ -3006,8 +3016,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on ptrace rules";
return false;
}
---- apparmor-4.0.0-beta4.orig/parser/rule.h
-+++ apparmor-4.0.0-beta4/parser/rule.h
+--- a/parser/rule.h
++++ b/parser/rule.h
@@ -22,10 +22,19 @@
#include <list>
#include <ostream>
@@ -3163,8 +3173,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
};
---- apparmor-4.0.0-beta4.orig/parser/signal.cc
-+++ apparmor-4.0.0-beta4/parser/signal.cc
+--- a/parser/signal.cc
++++ b/parser/signal.cc
@@ -116,7 +116,7 @@
};
@@ -3195,8 +3205,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- apparmor-4.0.0-beta4.orig/parser/signal.h
-+++ apparmor-4.0.0-beta4/parser/signal.h
+--- a/parser/signal.h
++++ b/parser/signal.h
@@ -32,7 +32,7 @@
typedef set<int> Signals;
@@ -3222,8 +3232,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on signal rules";
return false;
}
---- apparmor-4.0.0-beta4.orig/parser/userns.cc
-+++ apparmor-4.0.0-beta4/parser/userns.cc
+--- a/parser/userns.cc
++++ b/parser/userns.cc
@@ -40,7 +40,7 @@
}
}
@@ -3246,8 +3256,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- apparmor-4.0.0-beta4.orig/parser/userns.h
-+++ apparmor-4.0.0-beta4/parser/userns.h
+--- a/parser/userns.h
++++ b/parser/userns.h
@@ -26,7 +26,7 @@
class userns_rule: public perms_rule_t {
void move_conditionals(struct cond_entry *conds);
diff --git a/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch b/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
index f0dac7b..d97f608 100644
--- a/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
+++ b/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
@@ -27,8 +27,8 @@ Bug: https://launchpad.net/bugs/1598759
profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
---- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/nameservice
-+++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/nameservice
+--- a/profiles/apparmor.d/abstractions/nameservice
++++ b/profiles/apparmor.d/abstractions/nameservice
@@ -105,6 +105,25 @@
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
diff --git a/debian/patches/ubuntu/samba-systemd-interaction.patch b/debian/patches/ubuntu/samba-systemd-interaction.patch
index 36405b0..9edcc69 100644
--- a/debian/patches/ubuntu/samba-systemd-interaction.patch
+++ b/debian/patches/ubuntu/samba-systemd-interaction.patch
@@ -18,8 +18,8 @@ Ubuntu notes:
profiles/apparmor.d/usr.sbin.smbd | 12 ++++++++++++
1 file changed, 12 insertions(+)
---- apparmor-4.0.0-beta4.orig/profiles/apparmor.d/usr.sbin.smbd
-+++ apparmor-4.0.0-beta4/profiles/apparmor.d/usr.sbin.smbd
+--- a/profiles/apparmor.d/usr.sbin.smbd
++++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -26,12 +26,22 @@
signal send set=term peer=samba-bgqd,
diff --git a/debian/patches/ubuntu/userns-runtime-disable.patch b/debian/patches/ubuntu/userns-runtime-disable.patch
index d8227ec..dbddef2 100644
--- a/debian/patches/ubuntu/userns-runtime-disable.patch
+++ b/debian/patches/ubuntu/userns-runtime-disable.patch
@@ -11,8 +11,8 @@ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128
parser/rc.apparmor.functions | 14 ++++++++++++++
1 file changed, 14 insertions(+)
---- apparmor-4.0.0-beta3.orig/parser/rc.apparmor.functions
-+++ apparmor-4.0.0-beta3/parser/rc.apparmor.functions
+--- a/parser/rc.apparmor.functions
++++ b/parser/rc.apparmor.functions
@@ -141,7 +141,21 @@
return "$status"
}