Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
fix-expected-library-version.patch | libapparmor: fix expect library version to bump in 3.0.8 release | John Johansen <john.johansen@canonical.com> | no | | | 2022-11-21 |
Merge-lsb_release-allow-cat-and-cut.patch | Merge lsb_release: allow cat and cut. lsb_release fails on Debian Sid: ``` $ sudo aa-exec -p lsb_release lsb_release /usr/bin/lsb_release: 70: cut: Permission denied /usr/bin/lsb_release: 70: cut: Permission denied ``` ``` $ sudo aa-exec -p lsb_release lsb_release -h /usr/bin/lsb_release: 11: cat: Permission denied ``` ``` type=AVC msg=audit(1669540199.087:2680): apparmor="DENIED" operation="exec" profile="lsb_release" name="/usr/bin/cut" pid=17419 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 FSUID="root" OUID="root" ``` ``` type=AVC msg=audit(1669540392.244:2944): apparmor="DENIED" operation="exec" profile="lsb_release" name="/usr/bin/cat" pid=17847 comm="lsb_release" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 FSUID="root" OUID="root" ``` Update profile to allow lsb_release script to invoke required executables. (cherry picked from commit 495f68c797ac7254e62e77d3ee8a4b91b8aa1767) f596a176 lsb_release: allow cat and cut | Christian Boltz <apparmor@cboltz.de> | no | | | 2022-11-27 |
Merge-abstractions-nvidia-allow-reading-pid-comm.patch | Merge abstractions/nvidia: allow reading @{pid}/comm. On Debian Sid, NVIDIA driver spams log with: ``` type=AVC msg=audit(1669542108.552:11855): apparmor="DENIED" operation="open" profile="qtox" name="/proc/21222/comm" pid=21222 comm="qtox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="vincas" OUID="vincas" ``` ``` type=AVC msg=audit(1669541506.703:11329): apparmor="DENIED" operation="open" profile="skypeforlinux" name="/proc/19851/comm" pid=19851 comm="skypeforlinux" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="vincas" OUID="vincas" ``` Read is initiated within libnvidia-glcore.so: ``` Thread 1 "qtox" hit Catchpoint 1 (call to syscall openat), 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41 41 in ../sysdeps/unix/sysv/linux/open64.c $27 = 0x7fb742adbb50 "/proc/self/comm" 0 0x00007fb797b16ed0 in __libc_open64 (file=file@entry=0x7fb742adbb50 "/proc/self/comm", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:41 1 0x00007fb797aa0862 in __GI__IO_file_open (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=<optimized out>) at ./libio/fileops.c:188 2 0x00007fb797aa0a1b in _IO_new_file_fopen (fp=fp@entry=0x55795176e600, filename=filename@entry=0x7fb742adbb50 "/proc/self/comm", mode=<optimized out>, mode@entry=0x7fb7428effe2 "r", is32not64=is32not64@entry=1) at ./libio/fileops.c:280 3 0x00007fb797a950f9 in __fopen_internal (filename=0x7fb742adbb50 "/proc/self/comm", mode=0x7fb7428effe2 "r", is32=1) at ./libio/iofopen.c:75 4 0x00007fb7423d791f in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 5 0x00007fb7423d4515 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 6 0x00007fb7423d0226 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 7 0x00007fb7423e1961 in ?? () from /lib/x86_64-linux-gnu/libnvidia-glcore.so.470.141.03 8 0x00007fb74824bc79 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 9 0x00007fb7482b1c56 in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 10 0x000000000000001d in ?? () 11 0x00005579518975f0 in ?? () 12 0x0000000000000001 in ?? () 13 0x00007fb74824b1eb in ?? () from /lib/x86_64-linux-gnu/libGLX_nvidia.so.0 14 0x00005579518975f0 in ?? () 15 0x00007fb79b2dda79 in call_init (env=0x7ffd92d7aac8, argv=0x7ffd92d7aab8, argc=-1831363648, l=0x7fb748516f70) at ./elf/dl-init.c:56 16 call_init (l=0x7fb748516f70, argc=-1831363648, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:26 17 0x00007fb79b2ddba4 in _dl_init (main_map=0x5579518975f0, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-init.c:117 18 0x00007fb797b6def4 in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:182 19 0x00007fb79b2e430e in dl_open_worker (a=a@entry=0x7ffd92d79f20) at ./elf/dl-open.c:808 20 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=<optimized out>, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208 21 0x00007fb79b2e46a8 in _dl_open (file=0x557951888020 "libGLX_nvidia.so.0", mode=<optimized out>, caller_dlopen=0x7fb78d7d4d27, nsid=<optimized out>, argc=1, argv=0x7ffd92d7aab8, env=0x7ffd92d7aac8) at ./elf/dl-open.c:884 22 0x00007fb797aa42d8 in dlopen_doit (a=a@entry=0x7ffd92d7a190) at ./dlfcn/dlopen.c:56 23 0x00007fb797b6de9a in __GI__dl_catch_exception (exception=exception@entry=0x7ffd92d7a0f0, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:208 24 0x00007fb797b6df4f in __GI__dl_catch_error (objname=0x7ffd92d7a148, errstring=0x7ffd92d7a150, mallocedp=0x7ffd92d7a147, operate=<optimized out>, args=<optimized out>) at ./elf/dl-error-skeleton.c:227 25 0x00007fb797aa3dc7 in _dlerror_run (operate=operate@entry=0x7fb797aa4280 <dlopen_doit>, args=args@entry=0x7ffd92d7a190) at ./dlfcn/dlerror.c:138 26 0x00007fb797aa4389 in dlopen_implementation (dl_caller=<optimized out>, mode=<optimized out>, file=<optimized out>) at ./dlfcn/dlopen.c:71 27 ___dlopen (file=<optimized out>, mode=<optimized out>) at ./dlfcn/dlopen.c:81 28 0x00007fb78d7d4d27 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0 29 0x00007fb78d7d6335 in ?? () from /lib/x86_64-linux-gnu/libGLX.so.0 30 0x00007fb78d7cf9f8 in glXChooseFBConfig () from /lib/x86_64-linux-gnu/libGLX.so.0 31 0x00007fb748646f6a in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 32 0x00007fb748644450 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 33 0x00007fb7486421b7 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/xcbglintegrations/libqxcb-glx-integration.so 34 0x00007fb79838262d in QOpenGLContext::create() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5 35 0x00007fb74bb4303c in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platformthemes/KDEPlasmaPlatformTheme.so 36 0x00007fb797eb7aaf in qt_call_pre_routines () at kernel/qcoreapplication.cpp:317 37 QCoreApplicationPrivate::init (this=<optimized out>) at kernel/qcoreapplication.cpp:849 38 0x00007fb7983379dc in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5 39 0x00007fb798b684c9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5 40 0x0000557950f1d597 in main () ``` Add read rule to allow reading @{pid}/comm. (cherry picked from commit 2597fd5db85e482657c001f68a0d574ac2ba2fb7) 948cbb56 abstractions/nvidia: allow reading @{pid}/comm | Christian Boltz <apparmor@cboltz.de> | no | | | 2022-11-27 |
Merge-aa-status-Fix-malformed-json-output-with-unconfined.patch | Merge aa-status: Fix malformed json output with unconfined processes. As reported in issue #295, the json output from aa-status would be invalid if there were profiles defined for processes that were unconfined. Fix this by ensuring the json for the processes array is closed properly. (cherry picked from commit dfc9847f89f5b960b42dda1bcfdd212ee2210c59) | John Johansen <john@jjmx.net> | no | | | 2023-01-04 |
Merge-regression-tests-fix-bogon-patch-characters-in-Make.patch | Merge regression tests: fix bogon patch characters in Makefile. Commit 8cf3534a5 ("tests regression: fix failure on older versions of Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639 was incorrectly applied, including the `+` prefixes from the proposed patch. This causes the sysctl syscall() checks to not correctly be applied and results in a mismatch of expectations in the syscall_sysctl.sh test script, causing it and the testsuite to fail. Thus, remove the bogon `+` characters from the Makefile, to make USE_SYSCTL be set correctly. (cherry picked from commit f0bc1a89a4cf52678b58525c7bf3d0f38e01ae54) | John Johansen <john@jjmx.net> | no | | | 2023-01-05 |
Merge-Add-pipewire-client.conf-to-audio-abstractions.patch | Merge Add pipewire client.conf to audio abstractions. (cherry picked from commit dedb5d94cb8ce2c5a843f9e06f0cedeaaacad7d2) b5a7641d Add pipewire client.conf to audio abstractions | Christian Boltz <apparmor@cboltz.de> | no | | | 2023-01-23 |
Merge-Extend-crypto-and-ssl_certs-abstractions.patch | Merge Extend crypto and ssl_certs abstractions. - ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory. - crypto: allow reading /etc/gcrypt/hwf.deny. I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto). (cherry picked from commit bb30df7843d13ebb1a282ec20421d9427c056aa1) d15bfa99 Extend crypto and ssl_certs abstractions | John Johansen <john@jjmx.net> | no | | | 2023-01-24 |
Merge-Fix-Opening-links-with-Brave.patch | Merge Fix: Opening links with Brave. Resolves #292. This fix is the same as !830 but for Brave. Opening links in Brave now works as intended. Note that now a separate denial, related to WidevineCDM, is produced: ``` [ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object) ``` In the syslog: ``` ``` I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR. If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin: ``` ``` which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024). Closes #292 (cherry picked from commit 5fd8c25745020f816cb96d6daa15af0c140914e3) | John Johansen <john@jjmx.net> | no | | | 2023-01-24 |
debian/add-debian-integration-to-lighttpd.patch | Add entries for lighttpd to work in a Debian/Ubuntu install | Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org> | invalid | | | 2018-01-29 |
debian/libapparmor-layout-deb.patch | always install python modules in the proper location when creating deb files | Jamie Strandboge <jamie@canonical.com> | not-needed | | | 2018-01-29 |
debian/etc-writable.patch | Allow reading time configuration from /etc/writable, as we have it on the phone. | Martin Pitt <martin.pitt@ubuntu.com> | invalid | | | 2018-01-29 |
debian/Enable-writing-cache.patch | Enable writing cache. | intrigeri <intrigeri@boum.org> | not-needed | | | 2018-12-28 |
debian-only/pin-feature-set.patch | pin the AppArmor feature set to the one shipped by the apparmor package. Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor policy in a relaxed manner. | intrigeri <intrigeri@debian.org> | not-needed | | debian | 2018-01-29 |
debian-only/aa-notify-point-to-Debian-documentation.patch | aa-notify: point to Debian documentation | intrigeri <intrigeri@boum.org> | not-needed | | debian | 2018-07-25 |
debian-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch | Document which AppArmor features are not supported on Debian | intrigeri <intrigeri@boum.org> | not-needed | | debian | 2018-10-30 |