[neon/backports-noble/apparmor-noble/Neon/release] debian: backport apparmor from 24.10
Carlos De Maine
null at kde.org
Wed Apr 9 06:17:38 BST 2025
Git commit 4b71e1f382e990e27ea7c9505afd373772a48531 by Carlos De Maine.
Committed on 09/04/2025 at 05:17.
Pushed by carlosdem into branch 'Neon/release'.
backport apparmor from 24.10
M +2 -0 debian/apparmor-notify.install
M +3 -1 debian/apparmor.install
M +1 -6 debian/apparmor.maintscript
M +85 -75 debian/changelog
M +3 -0 debian/control
M +1 -0 debian/libapparmor1.symbols
M +2 -2 debian/patches/debian/Enable-writing-cache.patch
M +2 -2 debian/patches/debian/add-debian-integration-to-lighttpd.patch
M +4 -4 debian/patches/debian/etc-writable.patch
M +6 -6 debian/patches/debian/libapparmor-layout-deb.patch
M +8 -3 debian/patches/series
M +4 -4 debian/patches/ubuntu/communitheme-snap-support.patch
A +33 -0 debian/patches/ubuntu/fix-abi-break-record-for-aa-log-record.patch
D +0 -38 debian/patches/ubuntu/fix-redefinition-of-ignored-var.patch
A +60 -0 debian/patches/ubuntu/libapparmor-make-af_protos.h-consistent-in-different.patch
M +2 -2 debian/patches/ubuntu/mimeinfo-snap-support.patch
D +0 -361 debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch
M +159 -169 debian/patches/ubuntu/parser-add-support-for-prompting.patch
A +129 -0 debian/patches/ubuntu/parser-fix-integer-overflow-bug-in-rule-priority-com.patch
A +74 -0 debian/patches/ubuntu/parser-fix-pam_apparmor-regression-test-failures.patch
A +141 -0 debian/patches/ubuntu/parser-fix-rule-priority-destroying-rule-permissions.patch
A +74 -0 debian/patches/ubuntu/parser-revert-removal-of-second-minimization-pass.patch
A +72 -0 debian/patches/ubuntu/parser-update-tsts-for-explicit-deny-and-filtering-c.patch
D +0 -36 debian/patches/ubuntu/profiles-add-unconfined-balena-etcher-profile.patch
M +2 -2 debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
M +2 -2 debian/patches/ubuntu/samba-systemd-interaction.patch
M +2 -2 debian/patches/ubuntu/userns-runtime-disable.patch
A +27 -0 debian/patches/ubuntu/utils-change-os.mkdir-to-self.mkpath-to-create-inter.patch
M +3 -2 debian/watch
https://invent.kde.org/neon/backports-noble/apparmor-noble/-/commit/4b71e1f382e990e27ea7c9505afd373772a48531
diff --git a/debian/apparmor-notify.install b/debian/apparmor-notify.install
index 6bc7583..e214e00 100644
--- a/debian/apparmor-notify.install
+++ b/debian/apparmor-notify.install
@@ -1,3 +1,5 @@
utils/aa-notify.desktop /etc/xdg/autostart
usr/sbin/aa-notify /usr/bin/
etc/apparmor/notify.conf /etc/apparmor/
+usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy
+etc/apparmor/default_unconfined.template
\ No newline at end of file
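Review bot: Adding `usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy` exposes aa-notify through pkexec, but the apparmor-notify Depends added in the d/control hunk (python3-tk, python3-ttkthemes, python3-gi) bring in no polkit or pkexec package, so nothing in the packaging guarantees that the authorization rules in that policy file are ever evaluated. The policy file's contents are not in this diff; whichever authorization level it declares is the privilege boundary for the pkexec path, so it deserves a look before the backport ships. `etc/apparmor/default_unconfined.template` is installed under /etc/apparmor/ and therefore becomes a dpkg conffile whose local edits survive upgrades; judging by the name it is profile-generating input rather than plain configuration, which is worth a sentence in the changelog. The last added line also has no trailing newline (`\ No newline at end of file`); dh_install copes, but the next appended entry will show up as a fused line in diffs.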
diff --git a/debian/apparmor.install b/debian/apparmor.install
index 9cdaa3a..9a64f8c 100644
--- a/debian/apparmor.install
+++ b/debian/apparmor.install
@@ -115,10 +115,12 @@ etc/apparmor.d/rssguard
etc/apparmor.d/scide
etc/apparmor.d/tuxedo-control-center
etc/apparmor.d/unix-chkpwd
-profiles/apparmor/wike /etc/apparmor.d/
+etc/apparmor.d/wike
etc/apparmor.d/foliate
etc/apparmor.d/balena-etcher
etc/apparmor.d/transmission
+etc/apparmor.d/Xorg
+etc/apparmor.d/chromium
etc/apparmor/parser.conf
lib/apparmor/profile-load
sbin/apparmor_parser
diff --git a/debian/apparmor.maintscript b/debian/apparmor.maintscript
index 25cd503..0862338 100644
--- a/debian/apparmor.maintscript
+++ b/debian/apparmor.maintscript
@@ -60,9 +60,4 @@ rm_conffile /etc/apparmor.d/opt.google.chrome.chrome 4.0.0~alpha4-0ubuntu1~
rm_conffile /etc/apparmor.d/opt.microsoft.msedge.msedge 4.0.0~alpha4-0ubuntu1~
rm_conffile /etc/apparmor.d/opt.brave.com.brave.brave 4.0.0~alpha4-0ubuntu1~
rm_conffile /etc/apparmor.d/opt.vivaldi.vivaldi-bin 4.0.0~alpha4-0ubuntu1~
-rm_conffile /etc/apparmor.d/abstractions/transmission-common 4.0.1really4.0.0-beta3-0ubuntu0.1~
-rm_conffile /etc/apparmor.d/balena-etcher 4.0.1really4.0.0-beta3-0ubuntu0.1~
-rm_conffile /etc/apparmor.d/bwrap-userns-restrict 4.0.1really4.0.0-beta3-0ubuntu0.1~
-rm_conffile /etc/apparmor.d/foliate 4.0.1really4.0.0-beta3-0ubuntu0.1~
-rm_conffile /etc/apparmor.d/transmission 4.0.1really4.0.0-beta3-0ubuntu0.1~
-rm_conffile /etc/apparmor.d/wike 4.0.1really4.0.0-beta3-0ubuntu0.1~
+rm_conffile /etc/apparmor.d/bwrap-userns-restrict 4.0.1-0ubuntu2~
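Review bot: The new guard version `4.0.1-0ubuntu2~` on the rm_conffile line for /etc/apparmor.d/bwrap-userns-restrict is lower, in dpkg ordering, than every noble version this backport upgrades from (`4.0.1really4.0.1-0ubuntu0.24.04.x` and `4.0.3-0neon` in the changelog hunk), because `4.0.1really…` sorts after `4.0.1`, so on a Neon/noble system the removal never fires. If any of those earlier builds shipped bwrap-userns-restrict as a conffile it is left behind as an obsolete conffile and is still parsed and loaded with everything else in /etc/apparmor.d, which is exactly the regression LP #2072811 describes; the visible changelog says the 24.04.x builds moved it out of the apparmor package, but says nothing about 4.0.3-0neon. A second line with a noble-appropriate guard, `rm_conffile /etc/apparmor.d/bwrap-userns-restrict <FIRST-NEON-VERSION-WITHOUT-THE-FILE>~` (placeholder — use the first Neon version that no longer installs the file), would cover that path, provided the new apparmor.install no longer ships it. Whether the 0neon build installed the conffile is not recoverable from this diff.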
diff --git a/debian/changelog b/debian/changelog
index d5f57c9..54d69e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,83 +1,97 @@
-apparmor (4.0.3-0neon) noble; urgency=medium
+apparmor (4.1.0~beta1-0ubuntu3) oracular; urgency=medium
- * New release
+ * Add patch from upstream to fix unintentional ABI break (LP :#2083435)
+ - d/p/u/fix-abi-break-record-for-aa-log-record.patch
- -- Carlos De Maine <carlosd.kde at gmail.com> Wed, 09 Apr 2025 09:52:41 +1000
+ -- Alex Murray <alex.murray at canonical.com> Wed, 02 Oct 2024 08:54:43 +0930
-apparmor (4.0.1really4.0.1-0ubuntu0.24.04.4) noble; urgency=medium
+apparmor (4.1.0~beta1-0ubuntu2) oracular; urgency=medium
- * d/p/u/fix-redefinition-of-ignored-var.patch Fixes a regression caused by a
- commit that changed the number of return values for the
- get_next_to_profile() function. This patch is backported from upstream
- (LP: #2078467)
+ [Georgia Garcia]
+ * Add patch to fix FTBFS on armhf
+ - d/p/u/libapparmor-make-af_protos.h-consistent-in-different.patch
- -- Bryan Fraschetti <bryan.fraschetti at canonical.com> Wed, 19 Mar 2025 18:09:43 +0000
+ -- Alex Murray <alex.murray at canonical.com> Tue, 20 Aug 2024 08:54:20 +0930
-apparmor (4.0.1really4.0.1-0ubuntu0.24.04.3) noble; urgency=medium
+apparmor (4.1.0~beta1-0ubuntu1) oracular; urgency=medium
- * Revert to version 4.0.1-0ubuntu0.24.04.2 except for the patch
- that enables the bwrap-userns-restrict profile (LP: #2072811).
+ [John Johansen]
* New upstream release.
- (LP: #2064672, LP: #2046844, LP: #2060100, LP: #2056297)
+ * Refresh
+ - d/p/d/libapparmor-layout-deb.patch
+ - d/p/d/etc-writable.patch
* Drop patches which have now been applied upstream
- - d/p/u/parser-fix-issues-appointed-by-coverity.patch
- - d/p/u/profiles-add-unconfined-profile-for-tuxedo-control-c.patch
- - d/p/u/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch
- - d/p/u/Minor-improvements-for-MountRule.patch
- * Add patch to add balena-etcher profile (LP: #2046844)
+ - d/p/u/parser-add-support-for-prompting.patch
- d/p/u/profiles-add-unconfined-balena-etcher-profile.patch
- * Add upstream patch to relax mount rules to fix use of virtiofs and
- other file-system types
- d/p/u/mountrule-relaxing-constraints-on-fstype.patch
- * Refresh
- - d/p/u/samba-systemd-interaction.patch
- - d/p/u/parser-add-support-for-prompting.patch
- - Add condition in policydb serialization to only encode xtable if
- kernel_supports_permstable32
- * Fix d/p/u/userns-runtime-disable.patch to work when
- kernel.apparmor_restrict_unprivileged_userns does not exist by adding
- -e to sysctl.
+ - d/p/u/tests-refactor-logic-that-makes-mntpoint-private-for.patch
+ - d/p/u/tests-remount-tmpdir-as-private-instead-of.patch
+ - d/p/u/tests-enable-swap-test-when-tmp-is-tmpfs.patch
+ - d/p/u/test-detect-if-setuid-environ-test-in-running-under-.patch
+ * Add patch to fix installation of com.ubuntu.pkexec.aa-notify.policy
+ - d/p/u/parser-fix-rule-priority-destroying-rule-permissions.patch
+ - d/p/u/parser-fix-integer-overflow-bug-in-rule-priority-com.patch
+ - d/p/u/parser-revert-removal-of-second-minimization-pass.patch
+ - d/p/u/parser-update-tsts-for-explicit-deny-and-filtering-c.patch
+ [Georgia Garcia]
+ * Add patch to fix installation of com.ubuntu.pkexec.aa-notify.policy
+ - d/p/u/utils-change-os.mkdir-to-self.mkpath-to-create-inter.patch
+ - d/p/u/ubuntu/parser-fix-pam_apparmor-regression-test-failures.patch
+ * d/apparmor.install
+ - fix wike installation path
+ - install new profile
+ - Xorg
+ - chromium
+ * d/control:
+ - add depends to apparmor-notify:
+ - python3-tk
+ - python3-ttkthemes
+ - python3-gi
+ * d/apparmor-notify.install
+ - etc/apparmor/default_unconfined.template
+ - usr/share/polkit-1/actions/com.ubuntu.pkexec.aa-notify.policy
+ * d/libapparmor1.symbols
+ - add aa_split_overlay_str
+
+ -- John Johansen <john.johansen at canonical.com> Thu, 15 Aug 2024 06:41:27 -0700
+
+apparmor (4.0.1really4.0.1-0ubuntu2) oracular; urgency=medium
+
+ * Drop patch that enables bwrap profile
+ - d/p/u/enable-bwrap-profile.patch (LP: #2072811)
+ * d/apparmor.install
+ - remove bwrap-userns-restrict
+ * d/apparmor.maintscript: rm_conffile of bwrap-userns-restrict in
+ /etc/apparmor.d/ to properly revert conffiles introduced in
+ 4.0.1-0ubuntu1
* d/apparmor-profiles.install
- install new profile
- - unshare-userns-restrict
- bwrap-userns-restrict
+ * Drop patch that moves wike profile from apparmor to apparmor.d so it's
+ done by d/apparmor.install. The patch caused a warning from dpkg-source
+ because it didn't contain a diff
* d/apparmor.install
- - install new profiles
+ - install new profile
- wike - changed installation from apparmor to apparmor.d
- - foliate
- - balena-etcher
- - transmission
- * d/control: Remove obsolete lsb-base Depends and swap pkg-config to
- pkgconf for Build-Depends
-
- -- Georgia Garcia <georgia.garcia at canonical.com> Thu, 18 Jul 2024 15:28:46 -0300
-
-apparmor (4.0.1really4.0.0-beta3-0ubuntu0.1) noble; urgency=medium
-
- * Due to regression, revert changes in previous update back to a
- source tree equivalent to 4.0.0-beta3-0ubuntu3 (LP: #2072811).
- * This drops /etc/apparmor.d/bwrap-userns-restrict, allowing various
- Flatpak apps to save files again.
- * d/apparmor.maintscript: rm_conffile on the following in
- /etc/apparmor.d/ to properly revert conffiles introduced in the
- update being reverted:
- - abstractions/transmission-common
- - balena-etcher
- - bwrap-userns-restrict
- - foliate
- - transmission
- - wike
+ * Add patches that fix regression tests when they run on a mounted /tmp
+ in tmpfs
+ - d/p/u/tests-refactor-logic-that-makes-mntpoint-private-for.patch
+ - d/p/u/tests-remount-tmpdir-as-private-instead-of.patch
+ - d/p/u/tests-enable-swap-test-when-tmp-is-tmpfs.patch
+ - d/p/u/test-detect-if-setuid-environ-test-in-running-under-.patch
- -- Robie Basak <robie.basak at ubuntu.com> Sun, 14 Jul 2024 22:25:31 +0000
+ -- Georgia Garcia <georgia.garcia at canonical.com> Tue, 16 Jul 2024 14:33:39 -0300
-apparmor (4.0.1-0ubuntu0.24.04.2) noble; urgency=medium
+apparmor (4.0.1-0ubuntu1) oracular; urgency=medium
[Georgia Garcia]
- * New upstream release. (LP: #2064672)
+ * New upstream release.
* Refresh
- d/p/u/parser-add-support-for-prompting.patch
- Add condition in policydb serialization to only encode xtable if
kernel_supports_permstable32
+ * Add patch to fix wike profile location (LP: #2046844)
+ - d/p/u/profiles-fix-wike-profile-location-to-apparmor.d.patch
* Add patch to add balena-etcher profile (LP: #2046844)
- d/p/u/profiles-add-unconfined-balena-etcher-profile.patch
* Fix d/p/u/userns-runtime-disable.patch to work when
@@ -85,27 +99,12 @@ apparmor (4.0.1-0ubuntu0.24.04.2) noble; urgency=medium
-e to sysctl.
* d/apparmor.install
- install new profiles
- - wike - changed installation from apparmor to apparmor.d
+ - wike
- foliate
- balena-etcher
- transmission
- [Alex Murray]
- * Add upstream patch to relax mount rules to fix use of virtiofs and
- other file-system types
- - d/p/u/mountrule-relaxing-constraints-on-fstype.patch
- * Remove patches which got dropped from quilt series earlier
- - d/p/u/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch
- - d/p/u/Minor-improvements-for-MountRule.patch
- * d/control: Remove obsolete lsb-base Depends and swap pkg-config to
- pkgconf for Build-Depends
-
- -- Georgia Garcia <georgia.garcia at canonical.com> Tue, 30 Apr 2024 14:12:01 -0300
-
-apparmor (4.0.0-beta4-0ubuntu1) noble; urgency=medium
-
- * New upstream release.
- (LP: #2046844, LP: #2060100, LP: #2056297)
+ [John Johansen]
* Refresh
- d/p/u/samba-systemd-interaction.patch
* Drop patches which have now been applied updatea
@@ -113,14 +112,25 @@ apparmor (4.0.0-beta4-0ubuntu1) noble; urgency=medium
- d/p/u/profiles-add-unconfined-profile-for-tuxedo-control-c.patch
* Add patch to enable bwrap profile
- d/p/u/enable-bwrap-profile.patch
- (LP: #2046844, LP: #2065708)
+ (LP: #2046844)
* d/apparmor.install
- install new profile
- bwrap-userns-restrict
* d/apparmor-profiles.install
- install new profile
- unshare-userns-restrict
- -- John Johansen <johnjohansen at canonical.com> Mon, 08 Apr 2024 03:40:37 -0700
+
+ [ Alex Murray ]
+ * Add upstream patch to relax mount rules to fix use of virtiofs and
+ other file-system types
+ - d/p/u/mountrule-relaxing-constraints-on-fstype.patch
+ * Remove patches which got dropped from quilt series earlier
+ - d/p/u/parser-support-uin128_t-key-as-a-pair-of-uint64_t-nu.patch
+ - d/p/u/Minor-improvements-for-MountRule.patch
+ * d/control: Remove obsolete lsb-base Depends and swap pkg-config to
+ pkgconf for Build-Depends
+
+ -- Alex Murray <alex.murray at canonical.com> Wed, 08 May 2024 11:37:47 +0200
apparmor (4.0.0-beta3-0ubuntu3) noble; urgency=medium
diff --git a/debian/control b/debian/control
index 4ff2a61..2a7a31f 100644
--- a/debian/control
+++ b/debian/control
@@ -141,6 +141,9 @@ Depends: python3-apparmor,
python3-libapparmor,
python3-notify2,
python3-psutil,
+ python3-tk,
+ python3-ttkthemes,
+ python3-gi,
${misc:Depends},
${python3:Depends}
Description: AppArmor notification system
diff --git a/debian/libapparmor1.symbols b/debian/libapparmor1.symbols
index 170250b..acb2df9 100644
--- a/debian/libapparmor1.symbols
+++ b/debian/libapparmor1.symbols
@@ -11,6 +11,7 @@ libapparmor.so.1 libapparmor1 #MINVER#
APPARMOR_3.1 at APPARMOR_3.1 3.1.0
IMMUNIX_1.0 at IMMUNIX_1.0 2.6~devel
PRIVATE at PRIVATE 2.10
+ aa_split_overlay_str at APPARMOR_3.1 4.1.0~beta1
__aa_query_label at APPARMOR_1.1 3.0.4
__change_hat at APPARMOR_1.0 3.0.4
__old_change_hat at IMMUNIX_1.0 3.0.4
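Review bot: The new `aa_split_overlay_str@APPARMOR_3.1 4.1.0~beta1` line (the archive renders `@` as ` at `) is inserted between `PRIVATE@PRIVATE` and `__aa_query_label`, which breaks the plain byte order dpkg-gensymbols writes the file in (uppercase names, then `_`-prefixed, then lowercase), as the surrounding entries show; the next dpkg-gensymbols run will report a spurious diff on this line. Move it down among the lowercase `aa_*` entries, where it belongs. Exporting the new symbol under the existing APPARMOR_3.1 version node rather than a new one mirrors upstream and is fine as long as it is what the 4.1.0~beta1 library actually does.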
diff --git a/debian/patches/debian/Enable-writing-cache.patch b/debian/patches/debian/Enable-writing-cache.patch
index f9c854b..ed20992 100644
--- a/debian/patches/debian/Enable-writing-cache.patch
+++ b/debian/patches/debian/Enable-writing-cache.patch
@@ -8,8 +8,8 @@ Forwarded: not-needed
parser/rc.apparmor.functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---- a/parser/rc.apparmor.functions
-+++ b/parser/rc.apparmor.functions
+--- apparmor-4.0.0-beta3.orig/parser/rc.apparmor.functions
++++ apparmor-4.0.0-beta3/parser/rc.apparmor.functions
@@ -32,7 +32,7 @@
# Some nice defines that we use
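Review bot: The only change to this patch is the rewrite of its `---`/`+++` headers from `a/`,`b/` to `apparmor-4.0.0-beta3.orig/`, a prefix naming a tarball two releases older than the 4.1.0~beta1 this package now builds, while etc-writable.patch and libapparmor-layout-deb.patch received `apparmor-4.1.0~beta1.orig/` in the same commit; the same header-only churn is in add-debian-integration-to-lighttpd.patch, communitheme-snap-support.patch and mimeinfo-snap-support.patch. quilt applies all of them with -p1 regardless, so nothing breaks, but the mixed prefixes look like refreshes taken from different trees and make it hard to tell whether each patch was actually re-applied against 4.1.0~beta1. Refreshing with `QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"` in ~/.quiltrc restores the `a/`/`b/` form and keeps future refreshes from touching headers at all.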
diff --git a/debian/patches/debian/add-debian-integration-to-lighttpd.patch b/debian/patches/debian/add-debian-integration-to-lighttpd.patch
index 3a97236..e15484d 100644
--- a/debian/patches/debian/add-debian-integration-to-lighttpd.patch
+++ b/debian/patches/debian/add-debian-integration-to-lighttpd.patch
@@ -8,8 +8,8 @@ Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/582814
profiles/apparmor/profiles/extras/usr.sbin.lighttpd | 1 +
1 file changed, 1 insertion(+)
---- a/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
-+++ b/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
+--- apparmor-4.0.0-beta3.orig/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
++++ apparmor-4.0.0-beta3/profiles/apparmor/profiles/extras/usr.sbin.lighttpd
@@ -60,6 +60,7 @@
/{usr/,}bin/cat mix,
diff --git a/debian/patches/debian/etc-writable.patch b/debian/patches/debian/etc-writable.patch
index 21864ed..35cdf90 100644
--- a/debian/patches/debian/etc-writable.patch
+++ b/debian/patches/debian/etc-writable.patch
@@ -11,8 +11,8 @@ Bug-Ubuntu: https://launchpad.net/bugs/1227520
profiles/apparmor/profiles/extras/firefox | 1 +
3 files changed, 4 insertions(+)
---- a/profiles/apparmor.d/abstractions/base
-+++ b/profiles/apparmor.d/abstractions/base
+--- apparmor-4.1.0~beta1.orig/profiles/apparmor.d/abstractions/base
++++ apparmor-4.1.0~beta1/profiles/apparmor.d/abstractions/base
@@ -33,6 +33,7 @@
@{etc_ro}/locale.alias r,
@{etc_ro}/localtime r,
@@ -21,8 +21,8 @@ Bug-Ubuntu: https://launchpad.net/bugs/1227520
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
/usr/share/locale/ r,
---- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
-+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
+--- apparmor-4.1.0~beta1.orig/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
++++ apparmor-4.1.0~beta1/profiles/apparmor.d/abstractions/ubuntu-browsers.d/java
@@ -39,6 +39,7 @@
/etc/lsb-release r,
/etc/ssl/certs/java/* r,
diff --git a/debian/patches/debian/libapparmor-layout-deb.patch b/debian/patches/debian/libapparmor-layout-deb.patch
index 22283aa..3beecd8 100644
--- a/debian/patches/debian/libapparmor-layout-deb.patch
+++ b/debian/patches/debian/libapparmor-layout-deb.patch
@@ -9,9 +9,9 @@ Forwarded: not-needed
utils/Makefile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
---- a/libraries/libapparmor/swig/python/Makefile.am
-+++ b/libraries/libapparmor/swig/python/Makefile.am
-@@ -17,7 +17,7 @@
+--- apparmor-4.1.0~beta1.orig/libraries/libapparmor/swig/python/Makefile.am
++++ apparmor-4.1.0~beta1/libraries/libapparmor/swig/python/Makefile.am
+@@ -17,7 +17,7 @@ all-local: libapparmor_wrap.c setup.py
CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS) $(CFLAGS) $(EXTRA_WARNINGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS) $(LDFLAGS)" $(PYTHON) setup.py build
install-exec-local:
@@ -20,9 +20,9 @@ Forwarded: not-needed
clean-local:
if test -x "$(PYTHON)"; then $(PYTHON) setup.py clean; fi
---- a/utils/Makefile
-+++ b/utils/Makefile
-@@ -58,7 +58,7 @@
+--- apparmor-4.1.0~beta1.orig/utils/Makefile
++++ apparmor-4.1.0~beta1/utils/Makefile
+@@ -58,7 +58,7 @@ install: ${MANPAGES} ${HTMLMANPAGES}
$(MAKE) -C po install DESTDIR=${DESTDIR} NAME=${NAME}
$(MAKE) install_manpages DESTDIR=${DESTDIR}
$(MAKE) -C vim install DESTDIR=${DESTDIR}
diff --git a/debian/patches/series b/debian/patches/series
index 2d6d3c9..536c615 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,6 +10,11 @@ ubuntu/mimeinfo-snap-support.patch
ubuntu/profiles-grant-access-to-systemd-resolved.patch
ubuntu/samba-systemd-interaction.patch
ubuntu/userns-runtime-disable.patch
-ubuntu/parser-add-support-for-prompting.patch
-#ubuntu/mountrule-relaxing-constraints-on-fstype.patch
-#ubuntu/fix-redefinition-of-ignored-var.patch
+ubuntu/utils-change-os.mkdir-to-self.mkpath-to-create-inter.patch
+ubuntu/parser-fix-rule-priority-destroying-rule-permissions.patch
+ubuntu/parser-fix-pam_apparmor-regression-test-failures.patch
+ubuntu/parser-fix-integer-overflow-bug-in-rule-priority-com.patch
+ubuntu/parser-revert-removal-of-second-minimization-pass.patch
+ubuntu/parser-update-tsts-for-explicit-deny-and-filtering-c.patch
+ubuntu/libapparmor-make-af_protos.h-consistent-in-different.patch
+ubuntu/fix-abi-break-record-for-aa-log-record.patch
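Review bot: `ubuntu/parser-add-support-for-prompting.patch` is removed from series here and the changelog calls it applied upstream, yet the diffstat shows that file being modified (`M +159 -169 debian/patches/ubuntu/parser-add-support-for-prompting.patch`) rather than deleted, so a refreshed but unapplied patch stays in debian/patches/ubuntu; delete it as was done for fix-redefinition-of-ignored-var.patch and mountrule-relaxing-constraints-on-fstype.patch, or it will be mistaken for live policy on the next rebase. Dropping the commented `#ubuntu/fix-redefinition-of-ignored-var.patch` and deleting that file is only safe if the 4.1.0~beta1 tarball already contains upstream commit 6f9e841e (the `_` → `_ignored` fix in utils/apparmor/tools.py for LP #2078467, whose symptom was the "Profile for %s not found, skipping" crash); the commit message does not say, and the deleted patch's Last-Update of 2025-03-19 is well after the August 2024 beta1 changelog entry, so this is worth confirming on the backport before publishing.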
diff --git a/debian/patches/ubuntu/communitheme-snap-support.patch b/debian/patches/ubuntu/communitheme-snap-support.patch
index 466908a..9d6e1a4 100644
--- a/debian/patches/ubuntu/communitheme-snap-support.patch
+++ b/debian/patches/ubuntu/communitheme-snap-support.patch
@@ -9,8 +9,8 @@ Forwarded: no
profiles/apparmor.d/abstractions/gnome | 4 ++++
2 files changed, 8 insertions(+)
---- a/profiles/apparmor.d/abstractions/freedesktop.org
-+++ b/profiles/apparmor.d/abstractions/freedesktop.org
+--- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/freedesktop.org
++++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/freedesktop.org
@@ -19,6 +19,10 @@
@{system_share_dirs}/icons/{**,} r,
@{system_share_dirs}/pixmaps/{**,} r,
@@ -22,8 +22,8 @@ Forwarded: no
# this should probably go elsewhere
@{system_share_dirs}/mime/** r,
---- a/profiles/apparmor.d/abstractions/gnome
-+++ b/profiles/apparmor.d/abstractions/gnome
+--- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/gnome
++++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/gnome
@@ -31,6 +31,10 @@
/usr/share/themes/** r,
/usr/share/gtk-3.0/settings.ini r,
diff --git a/debian/patches/ubuntu/fix-abi-break-record-for-aa-log-record.patch b/debian/patches/ubuntu/fix-abi-break-record-for-aa-log-record.patch
new file mode 100644
index 0000000..ccb8433
--- /dev/null
+++ b/debian/patches/ubuntu/fix-abi-break-record-for-aa-log-record.patch
@@ -0,0 +1,33 @@
+From c86c87e8868c72e5ab2084b5bf783cd5ca800a9b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maxime=20B=C3=A9lair?= <maxime.belair at canonical.com>
+Date: Tue, 1 Oct 2024 22:06:45 +0000
+Subject: [PATCH] Fix ABI break for aa_log_record
+
+---
+ libraries/libapparmor/include/aalogparse.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libraries/libapparmor/include/aalogparse.h b/libraries/libapparmor/include/aalogparse.h
+index ced77ab47..23e292233 100644
+--- a/libraries/libapparmor/include/aalogparse.h
++++ b/libraries/libapparmor/include/aalogparse.h
+@@ -86,8 +86,6 @@ typedef struct
+ char *net_foreign_addr;
+ unsigned long net_foreign_port;
+
+- char *execpath;
+-
+ char *dbus_bus;
+ char *dbus_path;
+ char *dbus_interface;
+@@ -104,6 +102,7 @@ typedef struct
+
+ char *net_addr;
+ char *peer_addr;
++ char *execpath;
+ } aa_log_record;
+
+ /**
+--
+GitLab
+
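Review bot: The new patch carries no DEP-3 headers, unlike the fix-redefinition-of-ignored-var.patch deleted in this same commit (which had Origin, Bug-Ubuntu, Applied-Upstream and Last-Update), so the provenance of an ABI-affecting change is only recoverable from the git `From:` line; add `Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/c86c87e8868c72e5ab2084b5bf783cd5ca800a9b` and `Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2083435` (the LP number the changelog entry cites) above the `From` line. The same applies to libapparmor-make-af_protos.h-consistent-in-different.patch, whose free-form preamble names the merge request but not in a machine-readable `Origin:` field. On substance, moving `execpath` to the tail of `aa_log_record` restores the offsets of every member the 4.1.0~beta1 insertion had shifted, so consumers built against 4.0.x headers read correct data again; anything compiled against the 0ubuntu1/0ubuntu2 headers of this beta, where execpath sat before `dbus_bus`, now has the opposite mismatch, which is acceptable only if no such consumer was published — the commit does not say.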
diff --git a/debian/patches/ubuntu/fix-redefinition-of-ignored-var.patch b/debian/patches/ubuntu/fix-redefinition-of-ignored-var.patch
deleted file mode 100644
index d918597..0000000
--- a/debian/patches/ubuntu/fix-redefinition-of-ignored-var.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Subject: Fix redefinition of _ to _ignored
-
- This is the backport of an upstream commit which redefines _ to _ignored as
- the former definition causes apparmor to crash with "Profile for %s not
- found, skipping" when enforcing apparmor.d. The bug was reported in Ubuntu
- in LP #2078467. Below is the brief upstream commit message:
-
- This was a regression introduced in 4f51c93f
- Fixes: #387
-
-Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/6f9e841e74f04cac78da71fd2e8af3f973af94fc
-Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2078467
-Forwarded: no
-Last-Update: 2025-03-19
-Applied-Upstream: https://gitlab.com/apparmor/apparmor/-/commit/6f9e841e74f04cac78da71fd2e8af3f973af94fc
-
-diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py
-index e8a99bbe65cd1cba27984681050ce836f8ae242d..97654cd92fbd8be1a5600fe564363e00531fba7c 100644
---- a/utils/apparmor/tools.py
-+++ b/utils/apparmor/tools.py
-@@ -90,7 +90,7 @@ class aa_tools:
- def get_next_for_modechange(self):
- """common code for mode/flags changes"""
-
-- for (program, _, prof_filename) in self.get_next_to_profile():
-+ for (program, _ignored, prof_filename) in self.get_next_to_profile():
- output_name = prof_filename if program is None else program
-
- if not os.path.isfile(prof_filename) or is_skippable_file(prof_filename):
-@@ -162,7 +162,7 @@ class aa_tools:
- def cmd_autodep(self):
- apparmor.loadincludes()
-
-- for (program, _, prof_filename) in self.get_next_to_profile():
-+ for (program, _ignored, prof_filename) in self.get_next_to_profile():
- if not program:
- aaui.UI_Info(_('Please pass an application to generate a profile for, not a profile itself - skipping %s.') % prof_filename)
- continue
diff --git a/debian/patches/ubuntu/libapparmor-make-af_protos.h-consistent-in-different.patch b/debian/patches/ubuntu/libapparmor-make-af_protos.h-consistent-in-different.patch
new file mode 100644
index 0000000..ac6be02
--- /dev/null
+++ b/debian/patches/ubuntu/libapparmor-make-af_protos.h-consistent-in-different.patch
@@ -0,0 +1,60 @@
+Patch taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/1309
+and edited slightly to add the | prefix in the test case failure diff in the
+commit message to avoid confusing quilt.
+
+From 95c419dc45aa777196a613d41ea72ebca3a679ac Mon Sep 17 00:00:00 2001
+From: Georgia Garcia <georgia.garcia at canonical.com>
+Date: Mon, 19 Aug 2024 18:09:17 -0300
+Subject: [PATCH] libapparmor: make af_protos.h consistent in different archs
+
+af_protos.h is a generated table of the protocols created by looking
+for definitions of IPPROTO_* in netinet/in.h. Depending on the
+architecture, the order of the table may change when using -dM in the
+compiler during the extraction of the defines.
+
+This causes an issue because there is more than one IPPROTO defined
+by the value 0: IPPROTO_IP and IPPROTO_HOPOPTS which is a header
+extension used by IPv6. So if IPPROTO_HOPOPTS was first in the table,
+then protocol=0 in the audit logs would be translated to hopopts.
+
+This caused a failure in arm 32bit:
+
+|Output doesn't match expected data:
+|--- ./test_multi/testcase_unix_01.out 2024-08-15 01:47:53.000000000 +0000
+|+++ ./test_multi/out/testcase_unix_01.out 2024-08-15 23:42:10.187416392 +0000
+|@@ -12,7 +12,7 @@
+| Peer Addr: @test_abstract_socket
+| Network family: unix
+| Socket type: stream
+|-Protocol: ip
+|+Protocol: hopopts
+| Class: net
+| Epoch: 1711454639
+| Audit subid: 322
+
+By the time protocol is resolved in grammar.y, we don't have have
+access to the net family to check if it's inet6. Instead of making
+protocol dependent on the net family, make the order of the
+af_protos.h table consistent between architectures using -dD.
+
+Signed-off-by: Georgia Garcia <georgia.garcia at canonical.com>
+---
+ libraries/libapparmor/src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
+index 9a9d12e39..239fc7506 100644
+--- a/libraries/libapparmor/src/Makefile.am
++++ b/libraries/libapparmor/src/Makefile.am
+@@ -52,7 +52,7 @@ scanner.h: scanner.l
+ scanner.c: scanner.l
+
+ af_protos.h:
+- echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dM - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
++ echo '#include <netinet/in.h>' | $(CC) $(CPPFLAGS) -E -dD - | LC_ALL=C sed -n -e "/IPPROTO_MAX/d" -e "s/^\#define[ \\t]\\+IPPROTO_\\([A-Z0-9_]\\+\\)\\(.*\\)$$/AA_GEN_PROTO_ENT(\\UIPPROTO_\\1, \"\\L\\1\")/p" > $@
+
+ lib_LTLIBRARIES = libapparmor.la
+ noinst_HEADERS = grammar.h parser.h scanner.h af_protos.h private.h PMurHash.h
+--
+2.45.2
+
diff --git a/debian/patches/ubuntu/mimeinfo-snap-support.patch b/debian/patches/ubuntu/mimeinfo-snap-support.patch
index dfa1ce2..be8ec1a 100644
--- a/debian/patches/ubuntu/mimeinfo-snap-support.patch
+++ b/debian/patches/ubuntu/mimeinfo-snap-support.patch
@@ -8,8 +8,8 @@ Forwarded: no
profiles/apparmor.d/abstractions/freedesktop.org | 4 ++++
1 file changed, 4 insertions(+)
---- a/profiles/apparmor.d/abstractions/freedesktop.org
-+++ b/profiles/apparmor.d/abstractions/freedesktop.org
+--- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/freedesktop.org
++++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/freedesktop.org
@@ -23,6 +23,10 @@
/snap/communitheme/*/share/icons/ r,
/snap/communitheme/*/share/icons/** r,
diff --git a/debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch b/debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch
deleted file mode 100644
index 9e007e6..0000000
--- a/debian/patches/ubuntu/mountrule-relaxing-constraints-on-fstype.patch
+++ /dev/null
@@ -1,361 +0,0 @@
-From dad5ee28b30b392dc20b6a471abbd473f230ad87 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Maxime=20B=C3=A9lair?= <maxime.belair at canonical.com>
-Date: Thu, 28 Mar 2024 10:42:12 +0100
-Subject: [PATCH] MountRule: Relaxing constraints on fstype and completing AARE
- support
-
- - Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name.
- - Completing AARE support for fstype (brace expressions like ext{3,4} are now supported).
----
- utils/apparmor/rule/mount.py | 82 ++++++++++--------
- utils/test/test-mount.py | 114 ++++++++++++++-----------
- utils/test/test-parser-simple-tests.py | 3 -
- 3 files changed, 111 insertions(+), 88 deletions(-)
-
-diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py
-index f62c08e4b..abfa2b75e 100644
---- a/utils/apparmor/rule/mount.py
-+++ b/utils/apparmor/rule/mount.py
-@@ -23,19 +23,7 @@ from apparmor.translations import init_translation
-
- _ = init_translation()
-
--# TODO :
--#
--# - Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules.
--
--valid_fs = [
-- 'sysfs', 'tmpfs', 'bdevfs', 'procfs', 'cgroup', 'cgroup2', 'cpuset', 'devtmpfs', 'configfs', 'debugfs', 'tracefs',
-- 'securityfs', 'sockfs', 'bpf', 'npipefs', 'ramfs', 'hugetlbfs', 'devpts', 'ext3', 'ext2', 'ext4', 'squashfs',
-- 'vfat', 'ecryptfs', 'fuseblk', 'fuse', 'fusectl', 'efivarfs', 'mqueue', 'store', 'autofs', 'binfmt_misc', 'overlay',
-- 'none', 'bdev', 'proc', 'pipefs', 'pstore', 'btrfs', 'xfs', '9p', 'resctrl', 'zfs', 'iso9660', 'udf', 'ntfs3',
-- 'nfs', 'cifs', 'overlayfs', 'aufs', 'rpc_pipefs', 'msdos', 'nfs4',
--]
-+# TODO : Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules.
-
- flags_keywords = [
- # keep in sync with parser/mount.cc mnt_opts_table!
-@@ -48,7 +36,6 @@ flags_keywords = [
- '([A-Za-z0-9])',
- ]
- join_valid_flags = '|'.join(flags_keywords)
--join_valid_fs = '|'.join(valid_fs)
-
- sep = r'\s*[\s,]\s*'
-
-@@ -106,27 +93,18 @@ class MountRule(BaseRule):
-
- self.operation = operation
-
-- self.fstype, self.all_fstype, unknown_items = check_and_split_list(fstype[1] if fstype != self.ALL else fstype, valid_fs, self.ALL, type(self).__name__, 'fstype')
--
-- if unknown_items:
-- for it in unknown_items:
--
-- # Several filesystems use fuse internally and are referred as fuse.<software_name> (e.g. fuse.jmtpfs, fuse.s3fs, fuse.obexfs).
-- # Since this list seems to evolve too fast for a fixed list to work in practice, we just accept fuse.*
-- # See https://github.com/libfuse/libfuse/wiki/Filesystems and, https://doc.ubuntu-fr.org/fuse
-- if it.startswith('fuse.') and len(it) > 5:
-- continue
--
-- it = AARE(it, is_path=False)
-- found = False
-- for fs in valid_fs:
-- if self._is_covered_aare(it, self.all_fstype, AARE(fs, False), self.all_fstype, 'fstype'):
-- found = True
-- break
-- if not found:
-- raise AppArmorException(_('Passed unknown fstype keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items)))
--
-- self.is_fstype_equal = fstype[0] if not self.all_fstype else None
-+ if fstype == self.ALL or fstype[1] == self.ALL:
-+ self.all_fstype = True
-+ self.fstype = None
-+ self.is_fstype_equal = None
-+ else:
-+ self.all_fstype = False
-+ for it in fstype[1]:
-+ l, unused = parse_aare(it, 0, 'fstype')
-+ if l != len(it):
-+ raise AppArmorException(f'Invalid aare : {it}')
-+ self.fstype = fstype[1]
-+ self.is_fstype_equal = fstype[0]
-
- self.options, self.all_options, unknown_items = check_and_split_list(options[1] if options != self.ALL else options, flags_keywords, self.ALL, type(self).__name__, 'options')
- if unknown_items:
-@@ -173,7 +151,7 @@ class MountRule(BaseRule):
-
- if r['fstype'] is not None:
- is_fstype_equal = r['fstype_equals_or_in']
-- fstype = strip_parenthesis(r['fstype']).replace(',', ' ').split()
-+ fstype = parse_aare_list(strip_parenthesis(r['fstype']), 'fstype')
- else:
- is_fstype_equal = None
- fstype = cls.ALL
-@@ -316,6 +294,38 @@ class MountRuleset(BaseRuleset):
- '''Class to handle and store a collection of Mount rules'''
-
-
-+
-+def parse_aare(s, offset, param):
-+ parsed = ''
-+ brace_count = 0
-+ for i, c in enumerate(s[offset:], start=offset):
-+ if c in [' ', ',', '\t'] and brace_count == 0:
-+ break
-+ parsed += c
-+ if c == '{':
-+ brace_count += 1
-+ elif c == '}':
-+ brace_count -= 1
-+ if brace_count < 0:
-+ raise AppArmorException(f"Unmatched closing brace in {param}: {s[offset:]}")
-+ offset = i
-+
-+ if brace_count != 0:
-+ raise AppArmorException(f"Unmatched opening brace in {param}: {s[offset:]}")
-+
-+ return offset + 1, parsed
-+
-+
-+def parse_aare_list(s, param):
-+ res = []
-+ offset = 0
-+ while offset <= len(s):
-+ offset, part = parse_aare(s, offset, param)
-+ if part.translate(' ,\t') != '':
-+ res.append(part)
-+ return res
-+
-+
- def wrap_in_with_spaces(value):
- ''' wrap 'in' keyword in spaces, and leave everything else unchanged '''
-
-diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py
-index e37c287c7..7f88ff7db 100644
---- a/utils/test/test-mount.py
-+++ b/utils/test/test-mount.py
-@@ -20,7 +20,7 @@ from common_test import AATest, setup_all_loops
- from apparmor.common import AppArmorException, AppArmorBug
- from apparmor.translations import init_translation
-
--from apparmor.rule.mount import MountRule, valid_fs
-+from apparmor.rule.mount import MountRule
-
- _ = init_translation()
-
-@@ -31,34 +31,34 @@ class MountTestParse(AATest):
- # Rule Operation Filesystem Options Source Destination Audit Deny Allow Comment
- ('mount -> **,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '**', False, False, False, '' )),
- ('mount options=(rw, shared) -> **,', MountRule('mount', MountRule.ALL, ('=', ('rw', 'shared')), MountRule.ALL, '**', False, False, False, '' )),
-- ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('bpf')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
-- ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.obex*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
-- ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
-- ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ("bpf")), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )),
-+ ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
-+ ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.obex*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
-+ ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
-+ ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )),
- ('mount,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
-- ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
-+ ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
- ('mount bpf,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'bpf', MountRule.ALL, False, False, False, '' )),
- ('mount none,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'none', MountRule.ALL, False, False, False, '' )),
-- ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )),
-+ ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )),
- ('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )),
- ('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )),
-- ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/a', '/b', False, False, False, '' )),
-- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
-- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
-- ('mount fstype=(ext3, ext4) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
-- ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
-- ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
-- ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
-+ ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )),
-+ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
-+ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
-+ ('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
-+ ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
-+ ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
-+ ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
- ('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,',
- MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/',
- '/tmp/snap.rootfs_*{,/usr}/lib/modules/',
- False, False, False, '' )),
- ('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
-- ('umount fstype=ext3,', MountRule('umount', ('=', ('ext3')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
-+ ('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
- ('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )),
-
- ('remount,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
-- ('remount fstype=ext4,', MountRule('remount', ('=', ('ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
-+ ('remount fstype=ext4,', MountRule('remount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
- ('remount /b,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/b', False, False, False, '' )),
- )
-
-@@ -72,7 +72,6 @@ class MountTestParse(AATest):
- class MountTestParseInvalid(AATest):
- tests = (
- ('mount fstype=,', AppArmorException),
-- ('mount fstype=(foo),', AppArmorException),
- ('mount fstype=(),', AppArmorException),
- ('mount options=(),', AppArmorException),
- ('mount option=(invalid),', AppArmorException),
-@@ -90,7 +89,7 @@ class MountTestParseInvalid(AATest):
-
- def test_diff_non_mountrule(self):
- exp = namedtuple('exp', ('audit', 'deny'))
-- obj = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL)
-+ obj = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL)
- with self.assertRaises(AppArmorBug):
- obj.is_equal(exp(False, False), False)
-
-@@ -98,9 +97,25 @@ class MountTestParseInvalid(AATest):
- with self.assertRaises(AppArmorBug):
- MountRule('mount', ('ext3', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
-
-- def test_diff_invalid_fstype_keyword(self):
-- with self.assertRaises(AppArmorException):
-- MountRule('mount', ('=', 'invalidfs'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
-+ def test_diff_invalid_fstype_aare(self):
-+ tests = [
-+ 'mount fstype=({unclosed_regex),',
-+ 'mount fstype=({closed}twice}),',
-+ ]
-+
-+ for t in tests:
-+ with self.assertRaises(AppArmorException):
-+ MountRule.create_instance(t)
-+
-+ def test_diff_invalid_fstype_aare_2(self):
-+ fslists = [
-+ ['invalid_{_regex'],
-+ ['ext4', 'invalid_}_regex'],
-+ ['ext4', '{invalid} {regex}']
-+ ]
-+ for fslist in fslists:
-+ with self.assertRaises(AppArmorException):
-+ MountRule('mount', ('=', fslist), MountRule.ALL, MountRule.ALL, MountRule.ALL)
-
- def test_diff_invalid_options_equals_or_in(self):
- with self.assertRaises(AppArmorBug):
-@@ -111,7 +126,7 @@ class MountTestParseInvalid(AATest):
- MountRule('mount', MountRule.ALL, ('=', 'invalid'), MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
-
- def test_diff_fstype(self):
-- obj1 = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL)
-+ obj1 = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL)
- obj2 = MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL)
- self.assertFalse(obj1.is_equal(obj2, False))
-
-@@ -129,14 +144,6 @@ class MountTestParseInvalid(AATest):
- MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL)
-
-
--class MountTestFilesystems(AATest):
-- def test_fs(self):
-- with open('/proc/filesystems') as f:
-- for line in f:
-- fs_name = line.split()[-1]
-- self.assertTrue(fs_name in valid_fs, '/proc/filesystems contains %s which is not listed in MountRule valid_fs' % fs_name)
--
--
- class MountTestGlob(AATest):
- def test_glob(self):
- globList = [(
-@@ -199,49 +206,58 @@ class MountIsCoveredTest(AATest):
- def test_is_covered(self):
- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*')
- tests = [
-- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b', '/bar'),
-- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/b')
-+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b', '/bar'),
-+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/b')
- ]
- for test in tests:
- self.assertTrue(obj.is_covered(MountRule(*test)))
- self.assertFalse(obj.is_equal(MountRule(*test)))
-
- def test_is_covered_fs_source(self):
-- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-- self.assertTrue(obj.is_covered(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
-- self.assertFalse(obj.is_equal(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
-+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-+ self.assertTrue(obj.is_covered(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
-+ self.assertFalse(obj.is_equal(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
-
-- def test_is_covered_regex(self):
-- obj = MountRule('mount', ('=', ('sys*', 'fuse.*')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-+ def test_is_covered_aare_1(self):
-+ obj = MountRule('mount', ('=', ['sys*', 'fuse.*']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
- tests = [
-- ('mount', ('=', ('sysfs', 'fuse.s3fs')), ('=', ('ro')), 'tmpfs', MountRule.ALL),
-- ('mount', ('=', ('sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-+ ('mount', ('=', ['sysfs', 'fuse.s3fs']), ('=', ('ro')), 'tmpfs', MountRule.ALL),
-+ ('mount', ('=', ['sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-+ ]
-+ for test in tests:
-+ self.assertTrue(obj.is_covered(MountRule(*test)))
-+ self.assertFalse(obj.is_equal(MountRule(*test)))
-+ def test_is_covered_aare_2(self):
-+ obj = MountRule('mount', ('=', ['ext{3,4}', '{cgroup*,fuse.*}']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-+ tests = [
-+ ('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL),
-+ ('mount', ('=', ['ext3', 'ext4', 'cgroup', 'cgroup2', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
- ]
- for test in tests:
- self.assertTrue(obj.is_covered(MountRule(*test)))
- self.assertFalse(obj.is_equal(MountRule(*test)))
-
- def test_is_notcovered(self):
-- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*')
-+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/b*')
- tests = [
-- ('mount', ('in', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ),
-- ('mount', ('=', ('procfs', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ),
-- ('mount', ('=', ('ext3')), ('=', ('rw')), '/foo/bar', '/bar' ),
-- ('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/foo/b*', '/bar' ),
-+ ('mount', ('in', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ),
-+ ('mount', ('=', ['procfs', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ),
-+ ('mount', ('=', ['ext3']), ('=', ('rw')), '/foo/bar', '/bar' ),
-+ ('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/foo/b*', '/bar' ),
- ('mount', MountRule.ALL, ('=', ('ro')), '/foo/b*', '/bar' ),
-- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/invalid/bar', '/bar' ),
-+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/invalid/bar', '/bar' ),
- ('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
- ('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
-- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', '/bar' ),
-- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/invalid'),
-+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', '/bar' ),
-+ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/invalid'),
- ]
- for test in tests:
- self.assertFalse(obj.is_covered(MountRule(*test)))
- self.assertFalse(obj.is_equal(MountRule(*test)))
-
- def test_is_not_covered_fs_source(self):
-- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-- test = ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'procfs', MountRule.ALL)
-+ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
-+ test = ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'procfs', MountRule.ALL)
- self.assertFalse(obj.is_covered(MountRule(*test)))
- self.assertFalse(obj.is_equal(MountRule(*test)))
-
-diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
-index f76273cd2..9d91b084a 100644
---- a/utils/test/test-parser-simple-tests.py
-+++ b/utils/test/test-parser-simple-tests.py
-@@ -324,9 +324,6 @@ unknown_line = (
- 'bare_include_tests/ok_85.sd',
- 'bare_include_tests/ok_86.sd',
-
-- # mount with fstype using AARE
-- 'mount/ok_12.sd',
--
- # Mount with flags in {remount, [r]unbindable, [r]shared, [r]private, [r]slave} does not support a source
- 'mount/ok_opt_68.sd',
- 'mount/ok_opt_69.sd',
---
-GitLab
-
diff --git a/debian/patches/ubuntu/parser-add-support-for-prompting.patch b/debian/patches/ubuntu/parser-add-support-for-prompting.patch
index bdf53a5..c583591 100644
--- a/debian/patches/ubuntu/parser-add-support-for-prompting.patch
+++ b/debian/patches/ubuntu/parser-add-support-for-prompting.patch
@@ -52,8 +52,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
create mode 100644 parser/libapparmor_re/policy_compat.h
create mode 100644 parser/perms.h
---- a/parser/af_unix.cc
-+++ b/parser/af_unix.cc
+--- apparmor-4.0.0-beta4.orig/parser/af_unix.cc
++++ apparmor-4.0.0-beta4/parser/af_unix.cc
@@ -33,7 +33,7 @@
/* See unix(7) for autobind address definition */
#define autobind_address_pattern "\\x00[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]";
@@ -152,8 +152,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- a/parser/af_unix.h
-+++ b/parser/af_unix.h
+--- apparmor-4.0.0-beta4.orig/parser/af_unix.h
++++ apparmor-4.0.0-beta4/parser/af_unix.h
@@ -24,7 +24,7 @@
#include "profile.h"
#include "af_rule.h"
@@ -172,8 +172,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
struct cond_entry *peer_conds);
virtual ~unix_rule()
{
---- a/parser/dbus.cc
-+++ b/parser/dbus.cc
+--- apparmor-4.0.0-beta4.orig/parser/dbus.cc
++++ apparmor-4.0.0-beta4/parser/dbus.cc
@@ -30,7 +30,7 @@
#include "dbus.h"
@@ -216,8 +216,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
perms & AA_DBUS_EAVESDROP,
audit == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0,
1, vec, parseopts, false))
---- a/parser/dbus.h
-+++ b/parser/dbus.h
+--- apparmor-4.0.0-beta4.orig/parser/dbus.h
++++ apparmor-4.0.0-beta4/parser/dbus.h
@@ -23,7 +23,7 @@
#include "rule.h"
#include "profile.h"
@@ -245,8 +245,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on dbus rules";
return false;
}
---- a/parser/io_uring.cc
-+++ b/parser/io_uring.cc
+--- apparmor-4.0.0-beta4.orig/parser/io_uring.cc
++++ apparmor-4.0.0-beta4/parser/io_uring.cc
@@ -47,7 +47,7 @@
}
}
@@ -273,8 +273,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
perms, audit == AUDIT_FORCE ? perms : 0,
parseopts))
goto fail;
---- a/parser/io_uring.h
-+++ b/parser/io_uring.h
+--- apparmor-4.0.0-beta4.orig/parser/io_uring.h
++++ apparmor-4.0.0-beta4/parser/io_uring.h
@@ -31,7 +31,7 @@
public:
char *label;
@@ -284,8 +284,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
virtual ~io_uring_rule()
{
free(label);
---- a/parser/libapparmor_re/Makefile
-+++ b/parser/libapparmor_re/Makefile
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/Makefile
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/Makefile
@@ -22,17 +22,19 @@
UNITTESTS = tst_parse
@@ -308,8 +308,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
parse.o : parse.cc apparmor_re.h expr-tree.h
parse.cc : parse.y parse.h flex-tables.h ../immunix.h
---- a/parser/libapparmor_re/aare_rules.cc
-+++ b/parser/libapparmor_re/aare_rules.cc
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/aare_rules.cc
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/aare_rules.cc
@@ -44,10 +44,10 @@
expr_map.clear();
}
@@ -521,8 +521,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+
return buffer;
}
---- a/parser/libapparmor_re/aare_rules.h
-+++ b/parser/libapparmor_re/aare_rules.h
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/aare_rules.h
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/aare_rules.h
@@ -21,22 +21,28 @@
#ifndef __LIBAA_RE_RULES_H
#define __LIBAA_RE_RULES_H
@@ -617,8 +617,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
};
#endif /* __LIBAA_RE_RULES_H */
---- a/parser/libapparmor_re/chfa.cc
-+++ b/parser/libapparmor_re/chfa.cc
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/chfa.cc
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/chfa.cc
@@ -32,6 +32,7 @@
#include "hfa.h"
#include "chfa.h"
@@ -851,8 +851,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+ new_start = num[file_chfa.start];
+}
---- a/parser/libapparmor_re/chfa.h
-+++ b/parser/libapparmor_re/chfa.h
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/chfa.h
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/chfa.h
@@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
@@ -899,8 +899,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
map<const State *, size_t> num;
map<transchar, transchar> eq;
transchar max_eq;
---- a/parser/libapparmor_re/expr-tree.h
-+++ b/parser/libapparmor_re/expr-tree.h
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/expr-tree.h
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/expr-tree.h
@@ -41,6 +41,7 @@
#include <stdint.h>
@@ -954,8 +954,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
/* Traverse the syntax tree depth-first in an iterator-like manner. */
class depth_first_traversal {
stack<Node *>pos;
---- a/parser/libapparmor_re/hfa.cc
-+++ b/parser/libapparmor_re/hfa.cc
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/hfa.cc
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/hfa.cc
@@ -31,11 +31,12 @@
#include <iostream>
#include <fstream>
@@ -1131,8 +1131,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
if (error)
fprintf(stderr, "profile has merged rule with conflicting x modifiers\n");
---- a/parser/libapparmor_re/hfa.h
-+++ b/parser/libapparmor_re/hfa.h
+--- apparmor-4.0.0-beta4.orig/parser/libapparmor_re/hfa.h
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/hfa.h
@@ -27,11 +27,15 @@
#include <list>
#include <map>
@@ -1253,7 +1253,7 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int oob_range;
int max_range;
--- /dev/null
-+++ b/parser/libapparmor_re/policy_compat.cc
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/policy_compat.cc
@@ -0,0 +1,218 @@
+/*
+ * Copyright (c) 2022
@@ -1474,7 +1474,7 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+}
+
--- /dev/null
-+++ b/parser/libapparmor_re/policy_compat.h
++++ apparmor-4.0.0-beta4/parser/libapparmor_re/policy_compat.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2022
@@ -1501,8 +1501,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+struct aa_perms compute_perms_entry(uint32_t accept1, uint32_t accept2, uint32_t accept3);
+
+#endif /* __AA_POLICY_COMPAT_H */
---- a/parser/mount.cc
-+++ b/parser/mount.cc
+--- apparmor-4.0.0-beta4.orig/parser/mount.cc
++++ apparmor-4.0.0-beta4/parser/mount.cc
@@ -478,7 +478,7 @@
mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
@@ -1620,8 +1620,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int n = add_entry_to_x_table(&prof, trans);
if (!n) {
PERROR("Profile %s has too many specified profile transitions.\n", prof.name);
---- a/parser/mount.h
-+++ b/parser/mount.h
+--- apparmor-4.0.0-beta4.orig/parser/mount.h
++++ apparmor-4.0.0-beta4/parser/mount.h
@@ -152,7 +152,7 @@
mnt_rule(struct cond_entry *src_conds, char *device_p,
@@ -1640,8 +1640,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on mount rules";
return false;
}
---- a/parser/mqueue.cc
-+++ b/parser/mqueue.cc
+--- apparmor-4.0.0-beta4.orig/parser/mqueue.cc
++++ apparmor-4.0.0-beta4/parser/mqueue.cc
@@ -25,7 +25,7 @@
#include <iostream>
#include <sstream>
@@ -1686,8 +1686,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
}
---- a/parser/mqueue.h
-+++ b/parser/mqueue.h
+--- apparmor-4.0.0-beta4.orig/parser/mqueue.h
++++ apparmor-4.0.0-beta4/parser/mqueue.h
@@ -84,7 +84,7 @@
((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
}
@@ -1706,8 +1706,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
virtual ~mqueue_rule()
{
free(qname);
---- a/parser/network.cc
-+++ b/parser/network.cc
+--- apparmor-4.0.0-beta4.orig/parser/network.cc
++++ apparmor-4.0.0-beta4/parser/network.cc
@@ -29,7 +29,7 @@
#define ALL_TYPES 0x43e
@@ -1807,8 +1807,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
parseopts))
return false;
---- a/parser/network.h
-+++ b/parser/network.h
+--- apparmor-4.0.0-beta4.orig/parser/network.h
++++ apparmor-4.0.0-beta4/parser/network.h
@@ -107,8 +107,9 @@
((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
};
@@ -1836,8 +1836,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
virtual ~network_rule()
{
peer.free_conds();
---- a/parser/parser.h
-+++ b/parser/parser.h
+--- apparmor-4.0.0-beta4.orig/parser/parser.h
++++ apparmor-4.0.0-beta4/parser/parser.h
@@ -122,7 +122,7 @@
char *nt_name;
Profile *prof; /* Special profile defined
@@ -1893,8 +1893,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
/* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
extern int str_to_boolean(const char* str);
---- a/parser/parser_common.c
-+++ b/parser/parser_common.c
+--- apparmor-4.0.0-beta4.orig/parser/parser_common.c
++++ apparmor-4.0.0-beta4/parser/parser_common.c
@@ -86,6 +86,10 @@
int features_supports_flag_interruptible = 0;
int features_supports_flag_signal = 0;
@@ -1972,8 +1972,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+ fprintf(f, "Unknown prompt compat mode '%d'", prompt_compat_mode);
+ }
+}
---- a/parser/parser_interface.c
-+++ b/parser/parser_interface.c
+--- apparmor-4.0.0-beta4.orig/parser/parser_interface.c
++++ apparmor-4.0.0-beta4/parser/parser_interface.c
@@ -323,10 +323,49 @@
sd_write8(buf, SD_LISTEND);
}
@@ -2129,8 +2129,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
sd_write_structend(buf);
}
---- a/parser/parser_main.c
-+++ b/parser/parser_main.c
+--- apparmor-4.0.0-beta4.orig/parser/parser_main.c
++++ apparmor-4.0.0-beta4/parser/parser_main.c
@@ -137,6 +137,8 @@
#define EARLY_ARG_CONFIG_FILE 142
#define ARG_WERROR 143
@@ -2201,8 +2201,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
if (!kernel_supports_diff_encode)
/* clear diff_encode because it is not supported */
parseopts.control &= ~CONTROL_DFA_DIFF_ENCODE;
---- a/parser/parser_misc.c
-+++ b/parser/parser_misc.c
+--- apparmor-4.0.0-beta4.orig/parser/parser_misc.c
++++ apparmor-4.0.0-beta4/parser/parser_misc.c
@@ -97,6 +97,7 @@
{"audit", TOK_AUDIT},
{"deny", TOK_DENY},
@@ -2277,8 +2277,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
{
struct cod_entry *entry = NULL;
---- a/parser/parser_policy.c
-+++ b/parser/parser_policy.c
+--- apparmor-4.0.0-beta4.orig/parser/parser_policy.c
++++ apparmor-4.0.0-beta4/parser/parser_policy.c
@@ -240,6 +240,13 @@
}
@@ -2293,8 +2293,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
return error;
}
---- a/parser/parser_regex.c
-+++ b/parser/parser_regex.c
+--- apparmor-4.0.0-beta4.orig/parser/parser_regex.c
++++ apparmor-4.0.0-beta4/parser/parser_regex.c
@@ -507,7 +507,8 @@
aare_rules *rules = new aare_rules();
if (!rules)
@@ -2501,112 +2501,102 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int process_profile_policydb(Profile *prof)
{
-@@ -1001,50 +1092,85 @@
- */
+@@ -1002,44 +1093,78 @@
+ /* note: this activates fs based unix domain sockets mediation on connect */
+ if (kernel_abi_version > 5 &&
+- !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_file, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_mount &&
+- !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_mount, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_dbus &&
+- !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_dbus, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_signal &&
+- !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_signal, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_ptrace &&
+- !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_ptrace, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_networkv8 &&
+- !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_netv8, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_unix &&
+- (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
+- !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
++ (!prof->policy.rules->add_rule(mediates_extended_net, RULE_ALLOW, AA_MAY_READ, 0, parseopts) ||
++ !prof->policy.rules->add_rule(mediates_net_unix, RULE_ALLOW, AA_MAY_READ, 0, parseopts)))
+ goto out;
if (features_supports_userns &&
- !prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_ns, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_ns, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_posix_mqueue &&
+- !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_posix_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_sysv_mqueue &&
+- !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_sysv_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_io_uring &&
+- !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_io_uring, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
goto out;
-
- /* don't add mediated classes to unconfined profiles */
- if (prof->flags.mode != MODE_UNCONFINED &&
-- prof->flags.mode != MODE_DEFAULT_ALLOW) {
-+ prof->flags.mode != MODE_DEFAULT_ALLOW) {
- /* note: this activates fs based unix domain sockets mediation on connect */
- if (kernel_abi_version > 5 &&
-- !prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_file, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_mount &&
-- !prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_mount, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_dbus &&
-- !prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_dbus, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_signal &&
-- !prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_signal, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_ptrace &&
-- !prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_ptrace, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_networkv8 &&
-- !prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_netv8, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_unix &&
-- (!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
-- !prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
-+ (!prof->policy.rules->add_rule(mediates_extended_net, RULE_ALLOW, AA_MAY_READ, 0, parseopts) ||
-+ !prof->policy.rules->add_rule(mediates_net_unix, RULE_ALLOW, AA_MAY_READ, 0, parseopts)))
- goto out;
- if (features_supports_posix_mqueue &&
-- !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_posix_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_sysv_mqueue &&
-- !prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_sysv_mqueue, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
- if (features_supports_io_uring &&
-- !prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
-+ !prof->policy.rules->add_rule(mediates_io_uring, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
- goto out;
-- }
-+ }
- if (prof->policy.rules->rule_count > 0) {
-- int xmatch_len = 0;
++ if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {
++ // MUST have file and policy
++ // This requires file rule processing happen first
++ if (!prof->dfa.rules->rule_count) {
++ // add null dfa
++ if (!prof->dfa.rules->add_rule(deny_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
++ goto out;
++ }
++ if (!prof->policy.rules->rule_count) {
++ if (!prof->policy.rules->add_rule(mediates_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
++ goto out;
++ }
++ int xmatch_len = 0;
++ prof->policy.dfa = prof->policy.rules->create_welded_dfablob(
++ prof->dfa.rules,
++ &prof->policy.size,
++ &xmatch_len,
++ &prof->policy.file_start,
++ prof->policy.perms_table, parseopts,
++ kernel_supports_permstable32_v1,
++ prof->uses_prompt_rules);
++ delete prof->policy.rules;
++ delete prof->dfa.rules;
++ prof->policy.rules = NULL;
++ prof->dfa.rules = NULL;
++ if (!prof->policy.dfa)
++ goto out;
++ } else if (prof->policy.rules->rule_count > 0 &&
++ // yes not needed as covered above, just making sure
++ // this doesn't get messed up in the future
++ prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
+ int xmatch_len = 0;
- prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size,
- &xmatch_len, parseopts, false);
-+ if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {
-+ // MUST have file and policy
-+ // This requires file rule processing happen first
-+ if (!prof->dfa.rules->rule_count) {
-+ // add null dfa
-+ if (!prof->dfa.rules->add_rule(deny_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
-+ goto out;
-+ }
-+ if (!prof->policy.rules->rule_count) {
-+ if (!prof->policy.rules->add_rule(mediates_file, RULE_DENY, AA_MAY_READ, 0, parseopts))
-+ goto out;
-+ }
-+ int xmatch_len = 0;
-+ prof->policy.dfa = prof->policy.rules->create_welded_dfablob(
-+ prof->dfa.rules,
-+ &prof->policy.size,
-+ &xmatch_len,
-+ &prof->policy.file_start,
-+ prof->policy.perms_table, parseopts,
-+ kernel_supports_permstable32_v1,
-+ prof->uses_prompt_rules);
-+ delete prof->policy.rules;
-+ delete prof->dfa.rules;
-+ prof->policy.rules = NULL;
-+ prof->dfa.rules = NULL;
-+ if (!prof->policy.dfa)
-+ goto out;
-+ } else if (prof->policy.rules->rule_count > 0 &&
-+ // yes not needed as covered above, just making sure
-+ // this doesn't get messed up in the future
-+ prompt_compat_mode != PROMPT_COMPAT_PERMSV1) {
-+ int xmatch_len = 0;
+ prof->policy.dfa = prof->policy.rules->create_dfablob(&prof->policy.size,
-+ &xmatch_len,
-+ prof->policy.perms_table,
-+ parseopts, false,
-+ prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
-+ prof->uses_prompt_rules);
++ &xmatch_len,
++ prof->policy.perms_table,
++ parseopts, false,
++ prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
++ prof->uses_prompt_rules);
delete prof->policy.rules;
prof->policy.rules = NULL;
---- a/parser/parser_yacc.y
-+++ b/parser/parser_yacc.y
+--- apparmor-4.0.0-beta4.orig/parser/parser_yacc.y
++++ apparmor-4.0.0-beta4/parser/parser_yacc.y
@@ -63,10 +63,10 @@
int parser_token = 0;
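Review bot: The rebased inner hunk `@@ -1002,44 +1093,78 @@` now opens on the `/* note: this activates fs based unix domain sockets mediation on connect */` line, which sits inside the `if (prof->flags.mode != MODE_UNCONFINED && ...)` block, and the closing `}` and `if (prof->policy.rules->rule_count > 0) {` context that the old hunk carried (L1369-L1371) are no longer visible before the added `if (prompt_compat_mode == PROMPT_COMPAT_PERMSV1) {` at L1373. Please confirm after applying the refreshed series that the PERMSV1 welding block lands after that brace and not inside the unconfined/default-allow guard, since skipping the welded DFA for unconfined profiles would change what gets loaded; the rendering may simply have dropped whitespace-only context lines, so this is a request to verify rather than a confirmed defect. The rebase also drops the duplicated `mediates_posix_mqueue` add_rule line the old hunk had (L1358-L1359), which is why the hunk shrinks from 112 to 102 lines. process_profile_policydb continues past the end of this hunk.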
@@ -2741,7 +2731,7 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
};
-
--- /dev/null
-+++ b/parser/perms.h
++++ apparmor-4.0.0-beta4/parser/perms.h
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2022
@@ -2860,8 +2850,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
+};
+
+#endif /* __AA_PERM_H */
---- a/parser/profile.cc
-+++ b/parser/profile.cc
+--- apparmor-4.0.0-beta4.orig/parser/profile.cc
++++ apparmor-4.0.0-beta4/parser/profile.cc
@@ -161,6 +161,8 @@
{
entry->next = prof->entries;
@@ -2885,8 +2875,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
int n = add_named_transition(prof, entry);
if (!n) {
PERROR("Profile %s has too many specified profile transitions.\n", prof->name);
---- a/parser/profile.h
-+++ b/parser/profile.h
+--- apparmor-4.0.0-beta4.orig/parser/profile.h
++++ apparmor-4.0.0-beta4/parser/profile.h
@@ -15,6 +15,7 @@
#define __AA_PROFILE_H
@@ -2956,8 +2946,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
ns = name = attachment = NULL;
altnames = NULL;
xmatch = NULL;
---- a/parser/ptrace.cc
-+++ b/parser/ptrace.cc
+--- apparmor-4.0.0-beta4.orig/parser/ptrace.cc
++++ apparmor-4.0.0-beta4/parser/ptrace.cc
@@ -24,7 +24,7 @@
#include <string>
#include <sstream>
@@ -2988,8 +2978,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- a/parser/ptrace.h
-+++ b/parser/ptrace.h
+--- apparmor-4.0.0-beta4.orig/parser/ptrace.h
++++ apparmor-4.0.0-beta4/parser/ptrace.h
@@ -27,14 +27,14 @@
#define AA_VALID_PTRACE_PERMS (AA_MAY_READ | AA_MAY_TRACE | AA_MAY_READBY | \
AA_MAY_TRACEDBY)
@@ -3016,8 +3006,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on ptrace rules";
return false;
}
---- a/parser/rule.h
-+++ b/parser/rule.h
+--- apparmor-4.0.0-beta4.orig/parser/rule.h
++++ apparmor-4.0.0-beta4/parser/rule.h
@@ -22,10 +22,19 @@
#include <list>
#include <ostream>
@@ -3173,8 +3163,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
};
---- a/parser/signal.cc
-+++ b/parser/signal.cc
+--- apparmor-4.0.0-beta4.orig/parser/signal.cc
++++ apparmor-4.0.0-beta4/parser/signal.cc
@@ -116,7 +116,7 @@
};
@@ -3205,8 +3195,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- a/parser/signal.h
-+++ b/parser/signal.h
+--- apparmor-4.0.0-beta4.orig/parser/signal.h
++++ apparmor-4.0.0-beta4/parser/signal.h
@@ -32,7 +32,7 @@
typedef set<int> Signals;
@@ -3232,8 +3222,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
error = "owner prefix not allowed on signal rules";
return false;
}
---- a/parser/userns.cc
-+++ b/parser/userns.cc
+--- apparmor-4.0.0-beta4.orig/parser/userns.cc
++++ apparmor-4.0.0-beta4/parser/userns.cc
@@ -40,7 +40,7 @@
}
}
@@ -3256,8 +3246,8 @@ Signed-off-by: John Johansen <john.johansen at canonical.com>
goto fail;
}
---- a/parser/userns.h
-+++ b/parser/userns.h
+--- apparmor-4.0.0-beta4.orig/parser/userns.h
++++ apparmor-4.0.0-beta4/parser/userns.h
@@ -26,7 +26,7 @@
class userns_rule: public perms_rule_t {
void move_conditionals(struct cond_entry *conds);
diff --git a/debian/patches/ubuntu/parser-fix-integer-overflow-bug-in-rule-priority-com.patch b/debian/patches/ubuntu/parser-fix-integer-overflow-bug-in-rule-priority-com.patch
new file mode 100644
index 0000000..e60c5a7
--- /dev/null
+++ b/debian/patches/ubuntu/parser-fix-integer-overflow-bug-in-rule-priority-com.patch
@@ -0,0 +1,129 @@
+From 9637fbd3b965a47a0629df55f156173ee8f6a177 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 15 Aug 2024 13:22:19 -0700
+Subject: [PATCH 1/2] parser: fix integer overflow bug in rule priority
+ comparisons
+
+There is an integer overflow when comparing priorities when cmp is
+used because it uses subtraction to find lessthan, equal, and greater
+than in one operation.
+
+But INT_MAX and INT_MIN are being used by priorities and this results
+in INT_MAX - INT_MIN and INT_MIN - INT_MAX which are both overflows
+causing an incorrect comparison result and selection of the wrong
+rule permission.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+---
+ parser/immunix.h | 4 ++++
+ parser/libapparmor_re/hfa.h | 4 ++--
+ parser/parser.h | 8 +++++---
+ parser/parser_regex.c | 6 +++---
+ parser/parser_yacc.y | 8 ++++----
+ 5 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/parser/immunix.h b/parser/immunix.h
+index 357a2d16a..4f18096da 100644
+--- a/parser/immunix.h
++++ b/parser/immunix.h
+@@ -175,6 +175,10 @@ static inline int is_merged_x_consistent(int a, int b)
+ return 1;
+ }
+
++/* ensure we don't overflow when using minus to generate a comparison */
++#define PRIORITY_MIN ((INT_MIN >> 1) + 1)
++#define PRIORITY_MAX (INT_MAX >> 1)
++
+ #endif /* ! _IMMUNIX_H */
+
+ /* LocalWords: MMAP
+diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h
+index 3c6afb071..a52ace7d7 100644
+--- a/parser/libapparmor_re/hfa.h
++++ b/parser/libapparmor_re/hfa.h
+@@ -52,7 +52,7 @@ ostream &operator<<(ostream &os, State &state);
+
+ class perms_t {
+ public:
+- perms_t(void): priority(INT_MIN), allow(0), deny(0), prompt(0), audit(0), quiet(0), exact(0) { };
++ perms_t(void): priority(PRIORITY_MIN), allow(0), deny(0), prompt(0), audit(0), quiet(0), exact(0) { };
+
+ bool is_accept(void) { return (allow | deny | prompt | audit | quiet); }
+
+@@ -68,7 +68,7 @@ public:
+ }
+
+ void clear(void) {
+- priority = INT_MIN;
++ priority = PRIORITY_MIN;
+ allow = deny = prompt = audit = quiet = exact = 0;
+ }
+ void clear(int p) {
+diff --git a/parser/parser.h b/parser/parser.h
+index 6f0425c81..82dd9e812 100644
+--- a/parser/parser.h
++++ b/parser/parser.h
+@@ -54,11 +54,13 @@ using namespace std;
+ extern int parser_token;
+
+ /* Arbitrary max and minimum priority that userspace can specify, internally
+- * we handle up to INT_MAX and INT_MIN. Do not ever allow INT_MAX, see
++ * we handle up to PRIORITY_MAX and PRIORITY_MIN. Do not ever allow INT_MAX,
++ * or INT_MIN because cmp uses subtraction and it can cause overflow
++ * see
+ * note on mediates_priority
+ */
+-#define MAX_PRIORITY 1000
+-#define MIN_PRIORITY -1000
++#define MAX_INPUT_PRIORITY 1000
++#define MIN_INPUT_PRIORITY -1000
+
+ #define WARN_RULE_NOT_ENFORCED 0x1
+ #define WARN_RULE_DOWNGRADED 0x2
+diff --git a/parser/parser_regex.c b/parser/parser_regex.c
+index fd245e7e9..6232b5620 100644
+--- a/parser/parser_regex.c
++++ b/parser/parser_regex.c
+@@ -1093,9 +1093,9 @@ static const char *deny_file = ".*";
+ *
+ * Note: it turns out the above bug does exist for dbus rules in parsers
+ * that do not support priority, and we don't have a way to fix it.
+- * We fix it here by capping user specified priority to be < INT_MAX.
++ * We fix it here by capping user specified priority to be < PRIORITY_MAX.
+ */
+-static int mediates_priority = INT_MAX;
++static int mediates_priority = PRIORITY_MAX;
+
+ /* some rule types unfortunately encoded permissions on the class byte
+ * to fix the above bug, they need a different solution. The generic
+@@ -1106,7 +1106,7 @@ static int mediates_priority = INT_MAX;
+ * and it is guaranteed to have the same priority as the highest priority
+ * rule.
+ */
+-static int perms_onclass_mediates_priority = INT_MIN;
++static int perms_onclass_mediates_priority = PRIORITY_MIN;
+
+ int process_profile_policydb(Profile *prof)
+ {
+diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
+index 532ddb55a..657ea586c 100644
+--- a/parser/parser_yacc.y
++++ b/parser/parser_yacc.y
+@@ -640,10 +640,10 @@ opt_priority: { $$ = 0; }
+ yyerror("invalid priority %s", $3);
+ free($3);
+ /* see note on mediates_priority */
+- if (tmp > MAX_PRIORITY)
+- yyerror("invalid priority %l > %d", tmp, MAX_PRIORITY);
+- if (tmp < MIN_PRIORITY)
+- yyerror("invalid priority %l > %d", tmp, MIN_PRIORITY);
++ if (tmp > MAX_INPUT_PRIORITY)
++ yyerror("invalid priority %l > %d", tmp, MAX_INPUT_PRIORITY);
++ if (tmp < MIN_INPUT_PRIORITY)
++ yyerror("invalid priority %l > %d", tmp, MIN_INPUT_PRIORITY);
+ $$ = tmp;
+ }
+
+--
+2.43.0
+
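Review bot: The refreshed yyerror line at L1686 carries over two defects from the lines it replaces: the lower-bound message prints `>` where the condition tests `<`, and `%l` is not a complete printf conversion (`tmp` is the long from strtol, so `%ld`). Since the patch already rewrites these four lines, the MIN case could read `yyerror("invalid priority %ld < %d", tmp, MIN_INPUT_PRIORITY);` and the MAX case `%ld >`. `PRIORITY_MIN`/`PRIORITY_MAX` (L1597-L1598) expand to `INT_MIN`/`INT_MAX`, so immunix.h needs `<limits.h>` (or `<climits>`) in scope wherever it is included first; no include is added in the hunk, so this presumably arrives transitively and is worth a check. The hunk also edits `perms_onclass_mediates_priority` (L1667), which is introduced by parser-fix-rule-priority-destroying-rule-permissions.patch, so that patch must precede this one in debian/patches/series.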
diff --git a/debian/patches/ubuntu/parser-fix-pam_apparmor-regression-test-failures.patch b/debian/patches/ubuntu/parser-fix-pam_apparmor-regression-test-failures.patch
new file mode 100644
index 0000000..421cd99
--- /dev/null
+++ b/debian/patches/ubuntu/parser-fix-pam_apparmor-regression-test-failures.patch
@@ -0,0 +1,74 @@
+From 3da96aaf786eebbecf8d5bd0d5dc7d0a8a1b027d Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 15 Aug 2024 06:33:38 -0700
+Subject: [PATCH] parser: fix pam_apparmor regression test failures
+
+temporary fix for qa-regression-test failure in the pam_apparmor test
+ test-apparmor.py ApparmorPAM.test_pam_default_user_group
+
+This reverts commit ee1a5e6e18b1d59390085cc51dc702e9692f0162.
+disabling extended perms unless prompt rules are present in policy.
+A complete fix will need to replace this because this bug could
+surface with prompt rules.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+---
+ parser/parser_main.c | 5 +----
+ parser/parser_regex.c | 4 ++--
+ parser/tst/minimize.sh | 2 +-
+ 3 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/parser/parser_main.c b/parser/parser_main.c
+index a1c7d9c08..14d05a086 100644
+--- a/parser/parser_main.c
++++ b/parser/parser_main.c
+@@ -1583,10 +1583,7 @@ static bool get_kernel_features(struct aa_features **features)
+ }
+ kernel_supports_permstable32_v1 = aa_features_supports(*features, "policy/permstable32_version/0x000001");
+ if (kernel_supports_permstable32_v1) {
+- /* permstabl32 is broken in kernels that only support v1
+- * so disable it
+- */
+- kernel_supports_permstable32 = false;
++ //fprintf(stderr, "kernel supports prompt_v1\n");
+ }
+
+ /* set default prompt_compat_mode to the best that is supported */
+diff --git a/parser/parser_regex.c b/parser/parser_regex.c
+index 7810458d5..fd245e7e9 100644
+--- a/parser/parser_regex.c
++++ b/parser/parser_regex.c
+@@ -791,7 +791,7 @@ int process_profile_regex(Profile *prof)
+ prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
+ &xmatch_len, prof->dfa.perms_table,
+ parseopts, true,
+- kernel_supports_permstable32,
++ prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
+ prof->uses_prompt_rules);
+ delete prof->dfa.rules;
+ prof->dfa.rules = NULL;
+@@ -1199,7 +1199,7 @@ int process_profile_policydb(Profile *prof)
+ &xmatch_len,
+ prof->policy.perms_table,
+ parseopts, false,
+- kernel_supports_permstable32,
++ prof->uses_prompt_rules && (prompt_compat_mode == PROMPT_COMPAT_PERMSV2),
+ prof->uses_prompt_rules);
+ delete prof->policy.rules;
+
+diff --git a/parser/tst/minimize.sh b/parser/tst/minimize.sh
+index 054831fe8..93bbd17a2 100755
+--- a/parser/tst/minimize.sh
++++ b/parser/tst/minimize.sh
+@@ -155,7 +155,7 @@ echo "ok"
+ ## NOTE: change count from 6 to 7 when extend perms is not dependent on
+ ## prompt rules being present
+ echo -n "Minimize profiles extended no-filter audit deny perms "
+-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 7 ] ; then
++if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
+ echo "failed"
+ exit 1;
+ fi
+--
+2.43.0
+
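Review bot: The replacement at L1731 leaves `if (kernel_supports_permstable32_v1) { }` as an empty block around a commented-out debug `fprintf`, which reads as an unfinished edit; either drop the block or put a real comment there, e.g. `/* v1-only kernels no longer need permstable32 forced off: extended perms are gated on prompt rules and PROMPT_COMPAT_PERMSV2 in process_profile_regex/policydb */`. The commit message calls this a temporary revert, so a `TODO` in that comment pointing at the complete fix would help whoever refreshes the patch next. The minimize.sh count change at L1766 is itself commented out by parser-update-tsts-for-explicit-deny-and-filtering-c.patch, so those two patches should stay adjacent in series.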
diff --git a/debian/patches/ubuntu/parser-fix-rule-priority-destroying-rule-permissions.patch b/debian/patches/ubuntu/parser-fix-rule-priority-destroying-rule-permissions.patch
new file mode 100644
index 0000000..0fb2569
--- /dev/null
+++ b/debian/patches/ubuntu/parser-fix-rule-priority-destroying-rule-permissions.patch
@@ -0,0 +1,141 @@
+From 204c0c5a3a34ac2eb47b863aae20bace48e0ad3c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 15 Aug 2024 03:51:20 -0700
+Subject: [PATCH] parser: fix rule priority destroying rule permissions for
+ some classes
+
+io_uring and userns mediation are encoding permissions on the class
+byte. This is a mistake that should never have been allowed.
+
+With the addition of rule priorities the class byte mediates rule,
+that ensure the kernel can determine a class is being mediated is
+given the highest priority possible, to ensure class mediation can not
+be removed by a deny rule. See
+ 61b7568e1 ("parser: bug fix mediates_X stub rules.")
+for details.
+
+Unfortunately this breaks rule classes that encode permissions on the
+class byte, because those rules will always have a lower priority and
+the class mediates rule will always be selected over them resulting in
+only the class mediates permission being on the rule class state.
+
+Fix this by adding the mediaties class rules for these rule classes
+with the lowest priority possible. This means that any rule mediating
+the class will wipe out the mediates class rule. So add a new mediates
+class rule at the same priority, as the rule being added.
+
+This is a naive implementation and does result in more mediates rules
+being added than necessary. The rule class could keep track of the
+highest priority rule that had been added, and use that to reduce the
+number of mediates rules it adds for the class.
+
+Technically we could also get away with not adding the rules for allow
+rules, as the kernel doesn't actually check the encoded permission but
+whether the class state is not the trap state. But it is required with
+deny rules to ensure the deny rule doesn't result in permissions being
+removed from the class, resulting in the kernel thinking it is
+unmediated. We also want to ensure that mediation is encoded for other
+rule types like prompt, and in the future the kernel could check the
+permission so we do want to guarantee that the class state has the
+MAY_READ permission on it.
+
+Note: there is another set of classes (file, mqueue, dbus, ...) which
+encodes a default rule permission as
+
+ class .* <perm>
+
+this encoding is unfortunate in that it will also add the permission
+to the class byte, but also sets up following states with the permission.
+thankfully, this accespt anything, including nothing generally isn't
+valid in the nothing case (eg. a file without any absolute name). For
+this set of classes, the high priority mediates rule just ensures
+that the null match case does not have permission.
+
+Fixes: 61b7568e1 parser: bug fix mediates_X stub rules.
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+---
+ parser/io_uring.cc | 7 +++++++
+ parser/parser_regex.c | 15 +++++++++++++--
+ parser/userns.cc | 8 ++++++++
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/parser/io_uring.cc b/parser/io_uring.cc
+index 17fa39614..60b8c2579 100644
+--- a/parser/io_uring.cc
++++ b/parser/io_uring.cc
+@@ -127,6 +127,13 @@ int io_uring_rule::gen_policy_re(Profile &prof)
+ audit == AUDIT_FORCE ? perms : 0,
+ parseopts))
+ goto fail;
++ /* add a mediates_io_uring rule for every rule added. It
++ * needs to be the same priority
++ */
++ if (!prof.policy.rules->add_rule(buf.c_str(), priority,
++ RULE_ALLOW, AA_MAY_READ, 0,
++ parseopts))
++ goto fail;
+
+ if (perms & AA_IO_URING_OVERRIDE_CREDS) {
+ buf = buffer.str(); /* update buf to have label */
+diff --git a/parser/parser_regex.c b/parser/parser_regex.c
+index 71126c5f9..7810458d5 100644
+--- a/parser/parser_regex.c
++++ b/parser/parser_regex.c
+@@ -1097,6 +1097,17 @@ static const char *deny_file = ".*";
+ */
+ static int mediates_priority = INT_MAX;
+
++/* some rule types unfortunately encoded permissions on the class byte
++ * to fix the above bug, they need a different solution. The generic
++ * mediates rule will get encoded at the minimum priority, and then
++ * for every rule of those classes a mediates rule of the same priority
++ * will be added. This way the mediates rule never has higher priority,
++ * which would wipe out the rule permissions encoded on the class state,
++ * and it is guaranteed to have the same priority as the highest priority
++ * rule.
++ */
++static int perms_onclass_mediates_priority = INT_MIN;
++
+ int process_profile_policydb(Profile *prof)
+ {
+ int error = -1;
+@@ -1112,7 +1123,7 @@ int process_profile_policydb(Profile *prof)
+ * to be supported
+ */
+ if (features_supports_userns &&
+- !prof->policy.rules->add_rule(mediates_ns, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_ns, perms_onclass_mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+
+ /* don't add mediated classes to unconfined profiles */
+@@ -1148,7 +1159,7 @@ int process_profile_policydb(Profile *prof)
+ !prof->policy.rules->add_rule(mediates_sysv_mqueue, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ if (features_supports_io_uring &&
+- !prof->policy.rules->add_rule(mediates_io_uring, mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
++ !prof->policy.rules->add_rule(mediates_io_uring, perms_onclass_mediates_priority, RULE_ALLOW, AA_MAY_READ, 0, parseopts))
+ goto out;
+ }
+
+diff --git a/parser/userns.cc b/parser/userns.cc
+index c66ce062e..a2cd9e8eb 100644
+--- a/parser/userns.cc
++++ b/parser/userns.cc
+@@ -99,6 +99,14 @@ int userns_rule::gen_policy_re(Profile &prof)
+ rule_mode, perms,
+ audit == AUDIT_FORCE ? perms : 0,
+ parseopts))
++
++ goto fail;
++ /* add a mediates_userns rule for every rule added. It
++ * needs to be the same priority
++ */
++ if (!prof.policy.rules->add_rule(buf.c_str(), priority,
++ RULE_ALLOW, AA_MAY_READ, 0,
++ parseopts))
+ goto fail;
+ }
+
+--
+2.43.0
+
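Review bot: The userns.cc hunk inserts a blank line (L1906) between the `if (...add_rule(...))` condition and its `goto fail;` body, while the io_uring.cc hunk keeps the `goto` directly under its condition (L1847); the blank line should go so both sites read the same and the dangling body is not mistaken for a separate statement. Both added stub rules pass `buf.c_str()` before the `buf = buffer.str(); /* update buf to have label */` refresh at L1857, presumably so the same-priority mediates rule matches exactly what the preceding add_rule consumed; a one-line comment stating that ordering dependency would keep a later edit from moving the refresh above it. `perms_onclass_mediates_priority` is initialised to `INT_MIN` here (L1875) and rewritten to `PRIORITY_MIN` by the integer-overflow patch, so the series order between the two matters.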
diff --git a/debian/patches/ubuntu/parser-revert-removal-of-second-minimization-pass.patch b/debian/patches/ubuntu/parser-revert-removal-of-second-minimization-pass.patch
new file mode 100644
index 0000000..d580d20
--- /dev/null
+++ b/debian/patches/ubuntu/parser-revert-removal-of-second-minimization-pass.patch
@@ -0,0 +1,74 @@
+From a7b1b48826f73a4586ac761f0499f6e9898d8d70 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 15 Aug 2024 13:48:08 -0700
+Subject: [PATCH 2/2] parser: revert removal of second minimization pass
+
+extended perms code is not ready to carry explicit deny information
+revert the clearing of deny and second minimization pass from
+
+ 2737cb2c2 ("parser: minimization - remove unnecessary second minimization pass")
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+---
+ parser/libapparmor_re/aare_rules.cc | 31 +++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
+index 6892b70a7..9b6478cf8 100644
+--- a/parser/libapparmor_re/aare_rules.cc
++++ b/parser/libapparmor_re/aare_rules.cc
+@@ -125,7 +125,6 @@ bool aare_rules::add_rule_vec(int priority, rule_mode_t mode, perm32_t perms,
+ cerr << " -> ";
+ tree->dump(cerr);
+ // TODO: split out from prefixes class
+- cerr << " priority=" << priority;
+ if (mode == RULE_DENY)
+ cerr << " deny";
+ else if (mode == RULE_PROMPT)
+@@ -258,20 +257,6 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
+ if (opts.dump & DUMP_DFA_UNIQ_PERMS)
+ dfa.dump_uniq_perms("dfa");
+
+- /* since we are building a chfa, use the info about
+- * whether the chfa supports extended perms to help
+- * determine whether we clear the deny info.
+- * This will let us build the minimal dfa for the
+- * information supported by the backed
+- */
+- if (!extended_perms ||
+- // TODO: we should drop DFA_MINIMIZE check here but doing
+- // so changes behavior. Do as a separate patch and fixup
+- // tests, etc.
+- ((opts.control & CONTROL_DFA_FILTER_DENY) &&
+- (opts.control & CONTROL_DFA_MINIMIZE)))
+- dfa.apply_and_clear_deny();
+-
+ if (opts.control & CONTROL_DFA_MINIMIZE) {
+ dfa.minimize(opts);
+
+@@ -279,6 +264,22 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
+ dfa.dump_uniq_perms("minimized dfa");
+ }
+
++ if (opts.control & CONTROL_DFA_FILTER_DENY &&
++ opts.control & CONTROL_DFA_MINIMIZE &&
++ dfa.apply_and_clear_deny()) {
++ /* Do a second minimization pass as removal of deny
++ * information has moved some states from accepting
++ * to none accepting partitions
++ *
++ * TODO: add this as a tail pass to minimization
++ * so we don't need to do a full second pass
++ */
++ dfa.minimize(opts);
++
++ if (opts.dump & DUMP_DFA_MIN_UNIQ_PERMS)
++ dfa.dump_uniq_perms("minimized dfa");
++ }
++
+ if (opts.control & CONTROL_DFA_REMOVE_UNREACHABLE)
+ dfa.remove_unreachable(opts);
+
+--
+2.43.0
+
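Review bot: The removal of `cerr << " priority=" << priority;` at L1949 is not covered by what the commit message says it reverts (the deny clearing and the second minimization pass) and it changes the rule dump output; unless 2737cb2c2 introduced that line, it should be mentioned in the patch description or dropped from the hunk. The new condition at L1978-L1980 mixes `&` and `&&` without parentheses, whereas the lines being removed (L1967-L1968) parenthesised each mask test; `if ((opts.control & CONTROL_DFA_FILTER_DENY) && (opts.control & CONTROL_DFA_MINIMIZE) && dfa.apply_and_clear_deny()) {` keeps that style and avoids a reader having to recall operator precedence.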
diff --git a/debian/patches/ubuntu/parser-update-tsts-for-explicit-deny-and-filtering-c.patch b/debian/patches/ubuntu/parser-update-tsts-for-explicit-deny-and-filtering-c.patch
new file mode 100644
index 0000000..07dff37
--- /dev/null
+++ b/debian/patches/ubuntu/parser-update-tsts-for-explicit-deny-and-filtering-c.patch
@@ -0,0 +1,72 @@
+From 0195f3a1ab57e99404d996e29e80916441b12157 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Thu, 15 Aug 2024 15:05:45 -0700
+Subject: [PATCH] parser: update tsts for explicit deny and filtering changes
+
+Update the equality and minimzation tests for changes made in how
+explicit denies can be carried.
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+---
+ parser/tst/equality.sh | 4 ++--
+ parser/tst/minimize.sh | 14 ++++++++------
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
+index 8c68a2854..5cdd07a90 100755
+--- a/parser/tst/equality.sh
++++ b/parser/tst/equality.sh
+@@ -31,7 +31,7 @@ verbose="${VERBOSE:-}"
+
+ hash_binary_policy()
+ {
+- printf %s "$1" | ${APPARMOR_PARSER} --features-file "${_SCRIPTDIR}/features_files/features.all" -qS 2>/dev/null| md5sum | cut -d ' ' -f 1
++ printf %s "$1" | ${APPARMOR_PARSER} --O filter-deny --features-file "${_SCRIPTDIR}/features_files/features.all" -qS 2>/dev/null| md5sum | cut -d ' ' -f 1
+ return $?
+ }
+
+@@ -504,7 +504,7 @@ verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \
+
+ #this one may not be true in the future depending on if the compiled profile
+ #is explicitly including deny permissions for dynamic composition
+-verify_binary_equality "'$p1'x'$p2' Deny of ungranted perm" \
++verify_binary_inequality "'$p1'x'$p2' Deny of ungranted perm" \
+ "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \
+ "/t { $p2 /foo/[abc] r, }"
+
+diff --git a/parser/tst/minimize.sh b/parser/tst/minimize.sh
+index 93bbd17a2..d7fb166f9 100755
+--- a/parser/tst/minimize.sh
++++ b/parser/tst/minimize.sh
+@@ -154,11 +154,12 @@ echo "ok"
+
+ ## NOTE: change count from 6 to 7 when extend perms is not dependent on
+ ## prompt rules being present
+-echo -n "Minimize profiles extended no-filter audit deny perms "
+-if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
+- echo "failed"
+- exit 1;
+-fi
++## not doing this just yet
++#echo -n "Minimize profiles extended no-filter audit deny perms "
++#if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 6 ] ; then
++# echo "failed"
++# exit 1;
++#fi
+ echo "ok"
+
+ # same test as above except with filter-deny which should result in one less
+@@ -240,8 +241,9 @@ echo "ok"
+ # {1} <== (allow/deny/audit/quiet)
+ # {3} (0x 0/fe17f85/0/0)
+
++# because we are still filtering deny this test is -ne 1 instead of -ne 0
+ echo -n "Minimize profiles audit deny xtrans "
+-if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 0 ] ; then
++if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*} 0 (.*)$')" -ne 1 ] ; then
+ echo "failed"
+ exit 1;
+ fi
+--
+2.43.0
+
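Review bot: `hash_binary_policy` at L2029 now passes `--O filter-deny`; the parser's optimisation switch is `-O`, and because the function discards stderr and `return $?` reports cut's status rather than the parser's, an unrecognised option would make every profile hash the same empty output, so the equality checks would pass vacuously and only the inequality checks would notice. Unless the long-option table accepts `--O`, change it to `-O filter-deny`, and if the script runs under bash consider `set -o pipefail` or checking `${PIPESTATUS[0]}` so a parser failure cannot be masked. The `-ne 0` to `-ne 1` change at L2071 is explained by the comment added at L2068, which is the right way to record it.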
diff --git a/debian/patches/ubuntu/profiles-add-unconfined-balena-etcher-profile.patch b/debian/patches/ubuntu/profiles-add-unconfined-balena-etcher-profile.patch
deleted file mode 100644
index 13e06c4..0000000
--- a/debian/patches/ubuntu/profiles-add-unconfined-balena-etcher-profile.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 70125895f37f99bbe779840c937070996e0d895e Mon Sep 17 00:00:00 2001
-From: Georgia Garcia <georgia.garcia at canonical.com>
-Date: Tue, 30 Apr 2024 15:34:47 -0300
-Subject: [PATCH 2/2] profiles: add unconfined balena-etcher profile
-
-Balena Etcher runs in a degraded sandbox mode when unprivileged userns
-is not available. Add an unconfined profile so it's properly
-sandboxed.
-
-Signed-off-by: Georgia Garcia <georgia.garcia at canonical.com>
----
- profiles/apparmor.d/balena-etcher | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
- create mode 100644 profiles/apparmor.d/balena-etcher
-
-diff --git a/profiles/apparmor.d/balena-etcher b/profiles/apparmor.d/balena-etcher
-new file mode 100644
-index 000000000..9a55bcd2f
---- /dev/null
-+++ b/profiles/apparmor.d/balena-etcher
-@@ -0,0 +1,12 @@
-+# This profile allows everything and only exists to give the
-+# application a name instead of having the label "unconfined"
-+
-+abi <abi/4.0>,
-+include <tunables/global>
-+
-+profile balena-etcher /usr/lib/balena-etcher/balena-etcher flags=(unconfined) {
-+ userns,
-+
-+ # Site-specific additions and overrides. See local/README for details.
-+ include if exists <local/balena-etcher>
-+}
---
-2.34.1
-
diff --git a/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch b/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
index d97f608..f0dac7b 100644
--- a/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
+++ b/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch
@@ -27,8 +27,8 @@ Bug: https://launchpad.net/bugs/1598759
profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
---- a/profiles/apparmor.d/abstractions/nameservice
-+++ b/profiles/apparmor.d/abstractions/nameservice
+--- apparmor-4.0.0-beta3.orig/profiles/apparmor.d/abstractions/nameservice
++++ apparmor-4.0.0-beta3/profiles/apparmor.d/abstractions/nameservice
@@ -105,6 +105,25 @@
member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}"
peer=(name="org.freedesktop.systemd1"),
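Review bot: The refreshed `---`/`+++` headers now carry a version-specific directory prefix (`apparmor-4.0.0-beta3.orig/…` here and in userns-runtime-disable.patch, `apparmor-4.0.0-beta4.orig/…` in samba-systemd-interaction.patch) instead of the version-independent `a/`/`b/` prefixes they replace. Since dpkg-source applies quilt patches with `-p1`, the first path component is stripped and the change is functionally neutral, but the mismatched beta3/beta4 prefixes suggest the patches were refreshed against different snapshots and will need re-editing on every upstream bump. Keeping `--- a/profiles/apparmor.d/abstractions/nameservice` / `+++ b/profiles/apparmor.d/abstractions/nameservice` (and likewise for the other two patches) avoids that churn; the same applies to the hunks at the samba and userns patches below.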
diff --git a/debian/patches/ubuntu/samba-systemd-interaction.patch b/debian/patches/ubuntu/samba-systemd-interaction.patch
index 9edcc69..36405b0 100644
--- a/debian/patches/ubuntu/samba-systemd-interaction.patch
+++ b/debian/patches/ubuntu/samba-systemd-interaction.patch
@@ -18,8 +18,8 @@ Ubuntu notes:
profiles/apparmor.d/usr.sbin.smbd | 12 ++++++++++++
1 file changed, 12 insertions(+)
---- a/profiles/apparmor.d/usr.sbin.smbd
-+++ b/profiles/apparmor.d/usr.sbin.smbd
+--- apparmor-4.0.0-beta4.orig/profiles/apparmor.d/usr.sbin.smbd
++++ apparmor-4.0.0-beta4/profiles/apparmor.d/usr.sbin.smbd
@@ -26,12 +26,22 @@
signal send set=term peer=samba-bgqd,
diff --git a/debian/patches/ubuntu/userns-runtime-disable.patch b/debian/patches/ubuntu/userns-runtime-disable.patch
index dbddef2..d8227ec 100644
--- a/debian/patches/ubuntu/userns-runtime-disable.patch
+++ b/debian/patches/ubuntu/userns-runtime-disable.patch
@@ -11,8 +11,8 @@ Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2036128
parser/rc.apparmor.functions | 14 ++++++++++++++
1 file changed, 14 insertions(+)
---- a/parser/rc.apparmor.functions
-+++ b/parser/rc.apparmor.functions
+--- apparmor-4.0.0-beta3.orig/parser/rc.apparmor.functions
++++ apparmor-4.0.0-beta3/parser/rc.apparmor.functions
@@ -141,7 +141,21 @@
return "$status"
}
diff --git a/debian/patches/ubuntu/utils-change-os.mkdir-to-self.mkpath-to-create-inter.patch b/debian/patches/ubuntu/utils-change-os.mkdir-to-self.mkpath-to-create-inter.patch
new file mode 100644
index 0000000..6f756e0
--- /dev/null
+++ b/debian/patches/ubuntu/utils-change-os.mkdir-to-self.mkpath-to-create-inter.patch
@@ -0,0 +1,27 @@
+From a3eca67f380a900327400dcfd0753ad955f3cac3 Mon Sep 17 00:00:00 2001
+From: Georgia Garcia <georgia.garcia at canonical.com>
+Date: Thu, 15 Aug 2024 00:44:55 -0300
+Subject: [PATCH] utils: change os.mkdir to self.mkpath to create intermediary
+ dirs
+
+Signed-off-by: Georgia Garcia <georgia.garcia at canonical.com>
+---
+ utils/python-tools-setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/python-tools-setup.py b/utils/python-tools-setup.py
+index e84375898..363762ce6 100644
+--- a/utils/python-tools-setup.py
++++ b/utils/python-tools-setup.py
+@@ -68,7 +68,7 @@ class Install(_install):
+ polkit = polkit_template.format(LIB_PATH=self.install_lib)
+
+ if not os.path.exists(prefix + '/usr/share/polkit-1/actions/'):
+- os.mkdir(prefix + '/usr/share/polkit-1/actions/')
++ self.mkpath(prefix + '/usr/share/polkit-1/actions/')
+ with open(prefix + '/usr/share/polkit-1/actions/' + pkexec_action_name, 'w') as f:
+ f.write(polkit)
+ os.chmod(prefix + '/usr/share/polkit-1/actions/' + pkexec_action_name, 0o644)
+--
+2.34.1
+
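Review bot: The `if not os.path.exists(prefix + '/usr/share/polkit-1/actions/'):` guard kept above the new `self.mkpath(...)` call is now redundant, because distutils' `Command.mkpath` already creates intermediate directories and returns quietly when the target exists. Dropping the guard and calling `self.mkpath(prefix + '/usr/share/polkit-1/actions/')` unconditionally also removes the small check-then-create window the exists test introduces. The enclosing method of `class Install(_install)` starts and continues outside the hunk, so this is inferred from the visible context only.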
diff --git a/debian/watch b/debian/watch
index fb79c52..5b8e77c 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,4 @@
version=4
-opts="searchmode=plain" \
- https://gitlab.com/apparmor/@PACKAGE@/tags?sort=updated_desc -/archive/v?\d[\d.]+/@PACKAGE at -@ANY_VERSION@@ARCHIVE_EXT@
+opts=pgpsigurlmangle=s/$/.asc/ \
+https://launchpad.net/apparmor/+download \
+.*/apparmor-(3\.0\.\d[^\s/]*)\.(?:tar\.xz|txz|tar\.bz2|tbz2|tar\.gz|tgz)
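Review bot: The new download pattern `.*/apparmor-(3\.0\.\d[^\s/]*)\.(?:tar\.xz|...)` only matches 3.0.x tarballs, while the rest of this commit backports a 4.x-series source (the refreshed patches reference `apparmor-4.0.0-beta3`/`beta4`), so uscan would never report the upstream version this package actually tracks. Widening the capture to `apparmor-(\d[\d.]*[^\s/]*)` keeps launchpad as the source and lets the version be discovered; the `pgpsigurlmangle=s/$/.asc/` option also presumes a `debian/upstream/signing-key.asc` that is not visible in this diff, so confirm it exists or uscan will fail signature verification.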