apparmor 2.13.2-9ubuntu2 source package in Ubuntu

Changelog

apparmor (2.13.2-9ubuntu2) disco; urgency=medium

  * debian/debhelper/postrm-apparmor: don't quote the glob
  * debian/apparmor.preinst: remove cache files on upgrade to 2.13

apparmor (2.13.2-9ubuntu1) disco; urgency=medium

  * New 2.13.2 release for Ubuntu (LP: #1817799). Notable changes:
    - Upstream AppArmor introduces the new cache forest rather than a single
      toplevel global cache directory which improves boot speed when booting
      between kernels with different feature sets. This cache forest is located
      in /var/cache/apparmor instead of /etc/apparmor.d/cache
    - This release uses a proper systemd unit rather than calling out to the
      SysV initscript
  * Merge from Debian (LP: #1817799). Remaining changes:
    - Ubuntu-specific patches:
      + ubuntu/add-chromium-browser.patch
      + ubuntu/communitheme-snap-support.patch
      + ubuntu/mimeinfo-snap-support.patch
      + ubuntu/profiles-grant-access-to-systemd-resolved.patch
    - debian/apparmor-profiles.install: install Ubuntu chromium-browser
      profile and abstraction
    - debian/apparmor.{install,maintscript}: feature pinning is not used in
      Ubuntu
    - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect
      the branch where the Ubuntu packaging is maintained.
    - debian/gbp.conf: use ubuntu/master as the debian-branch
  * Drop the following patches, no longer needed:
    - ubuntu/parser-include-usr-share-apparmor.patch
    - e99fa6c6054fa10a2b49d30967e993bd5764e77f.patch: cherry-pick upstream
      patch for usr-merge for useradd profile
    - ubuntu/lp1788929+1794848.patch
  * Do not apply the following Debian-specific patches:
    - d-only/pin-feature-set.patch
    - d-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch
  * debian/put-all-profiles-in-complain-mode.sh: nvidia_modprobe should be in
    enforce mode
  * add but don't apply ubuntu/parser-conf-no-expr-simplify.patch: disable
    expr tree simplification to greatly speed up armhf. We might consider
    making this change armhf specific and/or limiting it to only the snapd
    policy in the future. (LP: 1383858). Once LP: 1820068 is fixed, we can
    reenable this patch
  * debian/control: Breaks on snapd < 2.38~ (the cache forest breaks snap
    remove)
  * debian/debhelper/postrm-apparmor: also remove cache files
  * add upstream-commit-fix-segfault-in-overlaydirat_for_each.patch
  * regression testsuite fixes:
    - upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch
    - upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch
    - upstream-commit-fix-segfault-when-loading-policy-cache-files.patch
    - upstream-commit-fix-variable-name-overlap-in-merge-macro.patch
  * debian/apparmor-profiles.lintian-overrides: update for chromium-browser
    profile having read access to dpkg database for lsb-release

apparmor (2.13.2-9) unstable; urgency=medium

  * Revert "Add autopkgtest that checks if apparmor.service starts
    on package installation". It passes with the schroot and qemu
    backends locally but fails on ci.debian.net.

apparmor (2.13.2-8) unstable; urgency=medium

  * Cherry-pick 5 more commits from upstream apparmor-2.13 branch
    (Closes: #921866).
  * Cherry-pick upstream MR!344 (Closes: #920833, #921888).
  * Install the nvidia_modprobe named profile (Closes: #921875)
    and add it to the list of profiles whose syntax is checked
    via autopkgtests.
  * Patch usr.sbin.smdb to include snippet generated at runtime
    (part of the fix for #896080).
  * New autopkgtest: ensure apparmor.service starts on
    package installation.
  * Update salsa CI pipeline.

apparmor (2.13.2-7) unstable; urgency=medium

  * Stop shipping /var/cache/apparmor/CACHEDIR.TAG (Closes: #920682)
  * New patches, cherry-picked from upstream !320, so the "audio"
    abstraction grants read access to Alsa and libao config files
    (Closes: #920669, #920670).

apparmor (2.13.2-6) unstable; urgency=medium

  * initscript: implement missing aa_log_action_begin and
    aa_log_action_end functions (Closes: #917962).

apparmor (2.13.2-5) unstable; urgency=medium

  * Really move libapparmor.so unversioned symlink to /lib/<triplet>
    (Closes: #919705).
  * Add Lintian override for dev-pkg-without-shlib-symlink: arguably
    a false positive (see #843932).
  * Add Lintian override for uses-dpkg-database-directly: false positive.
  * Declare compliance with Standards-Version 4.3.0.
  * autopkgtests:
    - Test compiling many more profiles:
      - all profiles that apparmor-profiles-extra ships in enforce mode
      - the profiles shipped by bind9, cups-browsed, haveged,
        libreoffice-common, man-db, ntp, onioncircuits, tcpdump, thunderbird,
        and tor
      - another profile shipped by libvirt-daemon-system
    - Declare that the compile-policy test is not superficial anymore.
    - Make the parser verbose in the compile-policy test.

apparmor (2.13.2-4) unstable; urgency=medium

  * Move libapparmor.so unversioned symlink to /lib/<triplet> (Closes: #919705).
  * New patches, cherry-picked from upstream:
    - Make tunables/share play well with aliases.
    - Fix access to /usr/share/drirc.d.conf (Closes: #919775).
    - Fix access to the default paths used by dehydrated in Debian.
    - Support new font configuration paths.
    - Support libvirt named profile.
    - Fix access to /etc/alsa/conf.d/.
  * autopkgtests: test compiling more profiles shipped by other packages.
  * Patch the dnsmasq profile to fix ptrace and signal communication
    with libvirtd.

apparmor (2.13.2-3) unstable; urgency=medium

  * Update upstream MR!252 backport to fix initscript (Closes: #917874)

apparmor (2.13.2-2) unstable; urgency=medium

  * Patch rc.apparmor.functions to suit Debian/Ubuntu's needs.
  * Port initscript, systemd service, postinst and profile-load
    to use the upstream rc.apparmor.functions shell library.
    This way, the systemd service does not require the SysV initscript
    anymore (Closes: #870697).
  * Drop obsolete /etc/apparmor/subdomain.conf conffile.

apparmor (2.13.2-1) unstable; urgency=medium

  * Import new upstream release, drop backported patches that are now obsolete,
    refresh remaining patches.
  * autopkgtest: add dummy test so that changes to linux-image-amd64
    trigger our other tests on ci.debian.net
  * Replace home-made GitLab CI with the standard Salsa pipeline
    (Closes: #912722).
  * Drop extra signatures from public upstream signing key.

apparmor (2.13.1-3) unstable; urgency=medium

  * GitLab CI/Lintian: install dpkg-dev, that ships dpkg-architecture,
    needed to run some Lintian checks.
  * Re-enable expression tree simplification and cherry-pick upstream patch
    that improves its performance.
  * Bump debhelper compatibility level to 11.
  * Patch apparmor.d(5) to document which features are not supported on Debian
    (Closes: #807369).
  * Patch apparmor(7) to document debugging options (Closes: #826218).

apparmor (2.13.1-2) unstable; urgency=medium

  * Deal with obsolete /etc/apparmor.d/abstractions/launchpad-integration
    conffile (Closes: #911745).
  * Declare autopkgtests as superficial (Closes: #911827).
    Adjust GitLab CI configuration to cope with exit code 8 accordingly.

apparmor (2.13.1-1) unstable; urgency=medium

  [ intrigeri ]
  * New upstream release (Closes: #901470, #871441).
  * Bump pinned feature set to linux-image-4.18.0-2-amd64, version 4.18.10-2.
  * Add Breaks: apparmor-profiles-extra (<< 1.21): the Pidgin profile up
    to 1.20 used the launchpad-integration abstraction, that was removed
    in AppArmor 2.13.1.
  * Drop backported patches that are now obsolete.
  * Refresh patches.
  * Add debian/.gitlab-ci.yml: build the package then run Lintian
    and autopkgtests on it.
  * upstream-commit-3bf11ce-Fix-syntax-error-in-rc.apparmor.functions.patch,
    upstream-commit-b77116e-Add-profile-names.patch: new patches to fix
    regressions introduced in 2.13.1.
  * Drop unused Lintian override.
  * Declare compliance with policy 4.2.1.
  * Update symbols list.
  * Honor nocheck in DEB_BUILD_OPTIONS.
  * Make /lib/apparmor/apparmor.systemd executable.

  [ Sven Joachim ]
  * Do not remove /var/cache/apparmor/CACHEDIR.TAG on upgrades
    (Closes: #910217).

  [ Helmut Grohne ]
  * Don't hard code the location of netinet/in.h (Closes: #909966).

apparmor (2.13-8) unstable; urgency=medium

  * Only fix permissions on /lib/apparmor/apparmor.systemd when building
    arch-dependent packages. Fixes FTBFS when building only
    arch:all packages.

apparmor (2.13-7) unstable; urgency=medium

  * Move the binary cache to /var/cache/apparmor (Closes: #904637).
    And then:
    - Delete obsolete cache files in /var/cache/apparmor on upgrade.
    - initscript: document the potential drawback of loading the policy
      before remote filesystems are mounted.
  * Turn off expression tree simplification, that makes performance
    much worse in some cases, and rarely much better.
  * Fix aa-teardown by installing /lib/apparmor/apparmor.systemd
    and making it executable.
  * Override a few Lintian false positives.

apparmor (2.13-6) unstable; urgency=low

  * Install new tunables/share, needed by tunables/global.
    Fixes regression introduced in 2.13-5 (Closes: #904970).
  * New autopkgtest: test that we can compile the Evince profile.
    Having this in place earlier would have avoided introducing #904970.

apparmor (2.13-5) unstable; urgency=low

  * freedesktop.org abstraction: support directories exported by Flatpak apps,
    replacing former flatpak-exports.patch with the patchset that was merged
    upstream (Closes: #865206).

apparmor (2.13-4) unstable; urgency=medium

  * Stop building the Python 2 bindings packages: python-apparmor,
    python-libapparmor (Closes: #904599).
  * Mark libapparmor-perl Multi-Arch: same.
  * dh-apparmor's postinst snippet template: drop now useless backwards
    compatibility code; simplify.

apparmor (2.13-3) unstable; urgency=medium

  * Upload to unstable.
  * Set proper SELinux labels on files created during installation or upgrade.
    Thanks to Laurent Bigonville <email address hidden> for the bug report
    and the patch! (Closes: #903633)
  * Fix CACHEDIR.TAG installation path and let dpkg replace the CACHEDIR.TAG
    directory (erroneously created by 2.13-1 and 2.13-2) with a regular file.
    (Closes: #883584)
  * New patch: make aa-notify point to Debian documentation (Closes: #904436).
    Thanks to Clément Hermann <email address hidden> for the bug report.
  * Install Dovecot profiles in /usr/share/apparmor/extra-profiles/
    instead of /etc/apparmor.d/: the previous setup created lots of noise
    in the logs and gave no security benefit. Thanks to Jonas Smedegaard
    <email address hidden> for raising the issue.
  * Skip *.dpkg-(new|old|dist|bak|remove) when falling back to calling the
    parser on individual profiles. Fixes a regression introduced in 2.13-1
    and adds .dpkg-remove, that was missing in the exclusion list before.
  * Bump pinned feature set to linux-image-4.17.0-1-amd64, version 4.17.8-1.

apparmor (2.13-2) experimental; urgency=medium

  * Merge from sid:
    - upstream-commit-d9d3cae-adjust-python-abstraction-for-python-3.patch:
      new patch, to avoid breaking things with Python 3.7.
  * Regarding the "Don't invalidate the cache anymore […]" change inrtoduced
    in 2.13-1: one can manually do that with apparmor_parser --purge.

apparmor (2.13-1) experimental; urgency=medium

  * New upstream release (Closes: #893974).
  * Drop all patches backported from upstream: applied in 2.13.
  * Refresh and export patches with gbp.
  * debian/libapparmor1.symbols: add newly introduced symbols.
  * upstream-commit-e83fa67-fix-test-failures.patch: new patch,
    cherry-picked from upstream, that fixes test suite failures.
  * Declare compatibility with Standards-Version 4.1.4.
  * debian/rules: drop deprecated get-orig-source target.
  * Merge 2.12-4ubuntu5 (dropping the Ubuntu delta):
     - Drop support for snap v1.
  * Add Lintian overrides for a few non-issues.
  * debian/apparmor.dirs, debian/lib/apparmor/functions:
    adjust for new (multi-)cache location.
  * Install /etc/apparmor.d/cache.d/CACHEDIR.TAG (Closes: #883584).
  * Install aa-teardown and its manpage.
  * initscript: drop sysvinit-specific "recache" and "teardown" commands.
  * Simplify foreach_configured_profile() thanks to recent parser features.
  * aa-remove-unknown: use upstream functions instead of custom ones,
    i.e. one step towards deprecating distro-specific /lib/apparmor/functions.
    To make this work:
     - install the upstream shell functions library
     - patch one upstream function to add support for the snap profile directory
       and to not depend on aa_log_*_msg()
  * Don't invalidate the cache anymore when stopping, reloading or restarting
    the service, nor when installing or upgrading the apparmor package:
    the parser now manages its caches itself.
  * debian/lib/apparmor/functions: drop a bunch of functions that are not
    used anymore, thanks to the aforementioned changes.
  * Make apparmor.service more similar to upstream's:
     - reorder directives
     - use the same Description as upstream
     - start After=systemd-journald-audit.socket
  * apparmor.service: point to current homepage.

apparmor (2.12-5) unstable; urgency=medium

  * upstream-commit-d9d3cae-adjust-python-abstraction-for-python-3.patch:
    new patch, to avoid breaking things with Python 3.7.

 -- Jamie Strandboge <email address hidden>  Tue, 26 Mar 2019 18:06:04 +0000