Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi!

This update avoids breakage for Stretch users who have enabled AppArmor and run Linux 4.14+ (e.g. from backports once it's there), by pinning the AppArmor feature set in the kernel to the Stretch kernel's feature set, i.e. the feature set the AppArmor policy shipped in Stretch supports (it's not ready to deal with new AppArmor mediation features brought in recent kernels).

We already have exactly the same thing in current testing/sid, albeit with Linux 4.13's feature set for now.

Cheers!
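As an added example (not part of this bug report or of the apparmor package), the Python below parses the brace-nested feature-set format used by debian/features and lists every mediation feature a kernel advertises that the pinned file lacks, i.e. what policy written for the pinned set would otherwise have to deal with. The Stretch sample is copied verbatim from the patch; the "newer kernel" sample is constructed for illustration and not taken from any real kernel; and the securityfs layout assumed by load_features_dir (a subdirectory per block, a file per value list) is my assumption, not something the bug report states.

```python
import os
import re
from typing import Dict, List, Set, Tuple, Union

Node = Union[Dict[str, "Node"], List[str]]
Path = Tuple[str, ...]
_TOKEN = re.compile(r"\{|\}|[^\s{}]+")          # braces or bare words

def parse_features(text: str) -> Dict[str, Node]:
    """Parse 'name {body}' blocks: a body is nested blocks or a value list."""
    tokens, pos = _TOKEN.findall(text), 0

    def body() -> Node:
        nonlocal pos
        children: Dict[str, Node] = {}
        values: List[str] = []
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1                                   # consume '{'
                children[name] = body()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError(f"unterminated block {name!r}")
                pos += 1                                   # consume '}'
            else:
                values.append(name)
        return children if children else values

    tree = body()
    if pos != len(tokens):
        raise ValueError("unexpected '}' at top level")
    return tree

def load_features_dir(root: str) -> Dict[str, Node]:
    """Same tree from securityfs (assumed: subdirectory per block, file per value list)."""
    tree: Dict[str, Node] = {}
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if os.path.isdir(full):
            tree[name] = load_features_dir(full)
        else:
            with open(full) as fh:
                tree[name] = fh.read().split()
    return tree

def flatten(tree: Node, prefix: Path = ()) -> Set[Path]:
    """Set of paths such as ('caps', 'mask', 'chown')."""
    if isinstance(tree, dict):
        return set().union(*(flatten(c, prefix + (n,)) for n, c in tree.items()))
    return {prefix + (v,) for v in tree} or {prefix}

def missing_features(kernel: Node, pinned: Node) -> List[str]:
    """Dotted feature paths the kernel advertises but the pinned set lacks."""
    return sorted(".".join(p) for p in flatten(kernel) - flatten(pinned))

# Stretch's pinned feature set, copied from debian/features in the patch.
STRETCH_FEATURES = """\
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
}
"""

# Constructed stand-in for a newer kernel: the Stretch set plus two extra
# mediation classes. Illustrative only, not copied from any real kernel.
NEWER_KERNEL_FEATURES = STRETCH_FEATURES + """\
network {af_mask {unix inet inet6 packet netlink
}
}
mount {mask {mount umount pivot_root
}
}
"""

if __name__ == "__main__":
    sysfs, pinned_file = "/sys/kernel/security/apparmor/features", "/etc/apparmor/features"
    kernel = load_features_dir(sysfs) if os.path.isdir(sysfs) else parse_features(NEWER_KERNEL_FEATURES)
    pinned = parse_features(open(pinned_file).read()) if os.path.exists(pinned_file) else parse_features(STRETCH_FEATURES)
    for path in missing_features(kernel, pinned):
        print("kernel-only:", path)
```

On a Stretch box with the pinned file installed, running this after a backports kernel upgrade prints exactly the mediation classes the shipped policy has never been compiled against; an empty report means the pin is redundant for that kernel, a non-empty one is the case this update is for.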
diff -Nru apparmor-2.11.0/debian/apparmor.install apparmor-2.11.0/debian/apparmor.install --- apparmor-2.11.0/debian/apparmor.install 2017-03-28 12:23:08.000000000 +0200 +++ apparmor-2.11.0/debian/apparmor.install 2017-11-25 19:01:04.000000000 +0100 @@ -1,4 +1,5 @@ debian/apport/source_apparmor.py /usr/share/apport/package-hooks/ +debian/features /etc/apparmor/ debian/lib/apparmor/functions /lib/apparmor/ debian/lib/apparmor/profile-load /lib/apparmor/ etc/apparmor/parser.conf diff -Nru apparmor-2.11.0/debian/changelog apparmor-2.11.0/debian/changelog --- apparmor-2.11.0/debian/changelog 2017-03-28 12:29:15.000000000 +0200 +++ apparmor-2.11.0/debian/changelog 2017-11-25 19:04:05.000000000 +0100 @@ -1,3 +1,14 @@ +apparmor (2.11.0-3+deb9u1) stretch; urgency=medium + + * Pin the AppArmor feature set to Stretch's kernel (Closes: #879585). + This ensures Stretch systems, even when running a newer kernel (e.g. + from backports), have their AppArmor feature set pinned to the one + supported by the AppArmor policy shipped in Stretch. Otherwise they + would experience breakage due to new AppArmor mediation features + introduced in recent kernels. + + -- intrigeri <intrig...@debian.org> Sat, 25 Nov 2017 18:04:05 +0000 + apparmor (2.11.0-3) unstable; urgency=medium * Fix CVE-2017-6507: don't unload unknown profiles during package diff -Nru apparmor-2.11.0/debian/features apparmor-2.11.0/debian/features --- apparmor-2.11.0/debian/features 1970-01-01 01:00:00.000000000 +0100 +++ apparmor-2.11.0/debian/features 2017-11-25 18:55:55.000000000 +0100 
@@ -0,0 +1,23 @@ +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read +} +} +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime +} +} +capability {0xffffff +} +file {mask {create read write exec append mmap_exec link lock +} +} +domain {change_profile {yes +} +change_onexec {yes +} +change_hatv {yes +} +change_hat {yes +} +} +policy {set_load {yes +} +} diff -Nru apparmor-2.11.0/debian/patches/pin-feature-set.patch apparmor-2.11.0/debian/patches/pin-feature-set.patch --- apparmor-2.11.0/debian/patches/pin-feature-set.patch 1970-01-01 01:00:00.000000000 +0100 +++ apparmor-2.11.0/debian/patches/pin-feature-set.patch 2017-11-25 18:59:40.000000000 +0100 @@ -0,0 +1,18 @@ +Description: pin the AppArmor feature set to the one shipped by the apparmor package + . + Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor + policy in a relaxed manner. +Bug-Debian: https://bugs.debian.org/879585 +Forwarded: not-needed +Author: intrigeri <intrig...@debian.org> + +--- a/parser/parser.conf ++++ b/parser/parser.conf +@@ -59,3 +59,7 @@ + ## Adjust compression + #Optimize=compress-small + #Optimize=compress-fast ++ ++## Pin feature set (avoid regressions when policy is lagging behind ++## the kernel) ++features-file=/etc/apparmor/features diff -Nru apparmor-2.11.0/debian/patches/series apparmor-2.11.0/debian/patches/series --- apparmor-2.11.0/debian/patches/series 2017-03-28 12:24:44.000000000 +0200 +++ apparmor-2.11.0/debian/patches/series 2017-11-25 18:59:40.000000000 +0100 
@@ -2,6 +2,7 @@ # Debian-specific patches # +pin-feature-set.patch notify-group.patch #
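Review bot: in the debian/apparmor.install hunk, installing `debian/features /etc/apparmor/` makes the snapshot a dpkg conffile, while the parser.conf directive it pairs with (`features-file=/etc/apparmor/features`) references it unconditionally; the changelog should state what apparmor_parser does if an admin edits or deletes that file, and if the file is not meant to be admin-editable, a non-conffile location would avoid those semantics altogether.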
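Review bot: the debian/features hunk records nothing about which kernel version the 23-line snapshot was captured from (the changelog only says "Stretch's kernel", and the sid variant is described as Linux 4.13's), so the next refresh has nothing definite to diff against; suggest naming the exact kernel version in the changelog entry or in the pin-feature-set.patch Description rather than inside the file.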
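Review bot: the hunk in pin-feature-set.patch edits parser/parser.conf, which apparmor.install ships as `etc/apparmor/parser.conf`, i.e. a conffile; on this stable update every system whose admin has modified parser.conf will get a dpkg conffile prompt, and any admin who keeps their old file stays silently unpinned despite the changelog's promise. Worth a NEWS or changelog note, or a postinst check that the `features-file=` line is actually in effect.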