This bug was fixed in the package apparmor - 3.0.0~beta1-0ubuntu6
---------------
apparmor (3.0.0~beta1-0ubuntu6) groovy; urgency=medium
* Drop d/p/lp1824812.patch: this patch was only needed with 2.13 and not
3.0. With AppArmor 3, the patch ends up setting SFS_MOUNTPOINT to the
wrong directory in is_container_with_internal_policy(), which causes
policy to always fail to load in containers. Thanks to Christian Ehrhardt
for the analysis. (LP: #1895967)
apparmor (3.0.0~beta1-0ubuntu5) groovy; urgency=medium
[ John Johansen ]
* d/p/fix-parser-to-emit-proc-attr-access-for-all-situations.patch:
fix-automatic-adding-of-rule-for-change-hat-iface.patch fixed the
parser to emit rules needed for change_hat in the hat profiles but
broke the rule being emitted for the parent profile, this fixes it for
both so that it is emitted for any profile that is a hat or that
contains a hat.
* d/p/fix-change-profile-stack-abstraction.patch: fix the change_profile
abstraction so that it allows access to the apparmor attribute paths
under LSM stacking.
apparmor (3.0.0~beta1-0ubuntu2) groovy; urgency=medium
[ John Johansen ]
* d/p/fix-automatic-adding-of-rule-for-change-hat-iface.patch: fix
parser not adding a rule to profiles if they are a hat or contain hats
granting write access to the kernel interfaces.
apparmor (3.0.0~beta1-0ubuntu1) groovy; urgency=medium
[ John Johansen ]
* New upstream release (LP: #1895060, LP: #1887577, LP: #1880841)
* Drop all patches backported from upstream: applied in 3.0
* d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: provide
example and base abi to pin pre 3.0 policy
* d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: enable pinning
of pre AppArmor 3.x policy
* drop d/p/debian/dont-include-site-local-with-dovecot.patch: no longer
needed with upstream 'include if exists'
[ Steve Beattie ]
* d/p/parser-fix_cap_match.patch: fix cap match to work correctly, important
now that groovy has a 5.8 kernel.
* d/apparmor-profiles.install:
+ adjust for renamed postfix profiles
+ add usr.bin.dumpcap and usr.bin.mlmmj-receive to extra-profiles
+ remove usr.sbin.nmbd and usr.sbin.smbd from extra-profiles (already in
apparmor-profiles)
* d/apparmor.install: include abi/ directory and tunables/etc.
* d/apparmor.manpages: add apparmor_xattrs.7 manpage
* d/control:
+ apparmor-utils: no more shipped perl tools, drop perl dependency
+ apparmor-notify: aa-notify was converted to python3 from perl; adjust
-notify dependencies to compensate
* d/p/fix-tests-regression-apparmor-prologue-inc-settest.patch:
fix sed expression in settest()
[ Emilia Torino ]
* Removing Ubuntu specific chromium-browser profile. This is safe to do
since groovy's chromium-browser deb installs the snap. If apparmor3
is backported to 18.04 or earlier, the profile will need to be taken
into consideration
- d/profiles/chromium-browser: remove chromium-browser profile
- d/apparmor-profiles.postinst: remove postinst script as it only
contains chromium-browser related functionallity.
- d/apparmor-profiles.postrm: remove postrm script as it only
contains chromium-browser related functionallity.
- d/apparmor-profiles.install: remove ubuntu-specific
chromium-browser abstraction and profile
- d/apparmor-profiles.lintian-overrides: remove chromium-browser
profile lintian overrides
- d/p/ubuntu/add-chromium-browser.patch: remove patch which added
chrome-browser
[ Alex Murray ]
* d/p/policy-provide-example-and-base-abi-to-pin-pre-3.0-p.patch: refresh
this patch with the official upstream version
* d/p/ubuntu/enable-pinning-of-pre-AppArmor-3.x-poli.patch: refresh this
patch to match the above
* d/p/parser-add-abi-warning-flags.patch: enable parser warnings
to be silenced or to be treated as errors
[ Jamie Strandboge ]
* d/p/adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus
1.5.22. This can be dropped with AppArmor 3.0 final.
* d/p/parser-add-abi-warning-flags.patch: refresh to avoid lintian warnings
* d/p/ubuntu/lp1891338.patch: adjust ubuntu-integration to use
abstractions/exo-open (LP: #1891338)
* d/p/ubuntu/lp1889699.patch: adjust to support brave in ubuntu
abstractions. Patch thanks to François Marier (LP: #1889699)
* d/p/ubuntu/lp1881357.patch: adjust for new ICEauthority path in /run
(LP: #1881357)
-- Jamie Strandboge <ja...@ubuntu.com> Tue, 22 Sep 2020 15:10:33 +0000
** Changed in: apparmor (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1895060
Title:
[FFe] apparmor 3 upstream release
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
As per the draft upstream release notes[1]:
AppArmor 3.0 is a major new release of the AppArmor user space that makes
an important change to policy development and support. Its focus is
transitioning policy to the new features ABI and as such other new features
have been limited.
Apprmor 3.0 is a bridge release between older AppArmor 2.x policy and the
newer AppArmor 3 style policy which requires the declaration of a features
abi. As such AppArmor 3.0 will be a short lived release, and will not
receive long term support. The following AppArmor 3.1 feature release is
planned to be a regular release, please take this into account when
including AppArmor 3.0 into a distro release.
As such, Ubuntu 20.10 provides a great opportunity to introduce AppArmor3
to Ubuntu and provide these new capabilities to users and system
administrators. The short support lifespan of Ubuntu 20.10 ensures that
there is alignment with the limited support lifetime of AppArmor 3.0 from
upstream, whilst giving good exposure and opportunity to test and exercise
the new features in AppArmor 3.x on the road to Ubuntu 22.04. A highlight
of new features provided by AppArmor 3.0 include:
- Policy now must declare the feature abi it was developed for if it is to
use any new features. This ensures that old policy will not become
incompatible with new kernels that support additional AppArmor features.
- The use of profile names that are based on pathnames are deprecated.
- Support for new kernel features (requires appropriate features abi
tagging in policy)
- upstream v8 network socket rules
- xattr attachment conditionals
- capabilities PERFMON and BPF
- Improved compiler warnings and semantic checks
- aa-status rewritten in C (previously was python) with additional features
- supports use in systems/images where python is not available
- supports kill, unconfined and mixed profile modes
- Rewritten aa-notify (previously was perl, now python3)
- shared backend with other python tools
- support use of aa.CONFDIR instead of hard coded /etc/apparmor
- improved message layout
- Improved support for kernels that support LSM stacking
- New utility aa-features-abi to extract and work with kernel abi features
- New utility aa-load to load binary policy without calling the
apparmor_parser
- Support for profile modes
- enforce (default when no mode flag is supplied)
- kill (experimental)
- unconfined (experimental)
The use of the new AppArmor profile feature ABI includes a default
configuration (for the Ubuntu packaged version of AppArmor proposed in this
FFE) for the AppArmor features within the 5.4 Linux kernel - this ensures
that all profiles provided in AppArmor3 for groovy will conform to this
feature set and that upgrades to the kernel version (say to 5.8) that may
include newer AppArmor confinement features will not result in additional
policy denials as a result (since say the existing profile did not specify
a rule for a new AppArmor feature which is now supported by the upgraded
kernel). This ensures that there will be no regressions in application
behaviour as a result of AppArmor kernel feature upgrades.
TESTING
This has been extensively tested by the security team - this includes
following the documented Ubuntu merges test plan[2] for AppArmor and the
extensive QA Regression Tests[3] for AppArmor as well. This ensures that the
various applications that make heavy use of AppArmor (LXD, docker, lxc,
dbus, libvirt, snapd etc) have all been exercised and no regressions have
been observed. All tests have passed and demonstrated both apparmor and the
various applications that use it to be working as expected.
BUILD LOGS
This is currently uploaded to groovy-proposed, build logs can be found on
Launchpad at:
https://launchpad.net/ubuntu/+source/apparmor/3.0.0~beta1-0ubuntu1
INSTALL LOG
See attached
(https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+attachment/5411197/+files
/groovy-proposed-apparmor-install.log) for a log showing install of
the packages from groovy-proposed
[1] https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
[2] https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor
[3]
https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1895060/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
