Debian

Available patches from Ubuntu

To see how Ubuntu differs from Debian, write a grep-dctrl query identifying the packages you're interested in:
grep-dctrl -n -sPackage Sources.Debian
(e.g. -FPackage linux-ntfs or linux-ntfs)

Modified packages are listed below:


Source: apparmor

apparmor (2.13.3-7ubuntu6) groovy; urgency=medium

  * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564)
    - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the definition for the "@{run}" variable.
    - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch: Add trailing slash to the "@{run}" variable.
    - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch: Add a missing rule to allow systemd to access @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb.
    - d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'.

 -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Mon, 11 May 2020 09:55:16 -0400

apparmor (2.13.3-7ubuntu5) focal; urgency=medium

  * snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap policy in /var/lib/snapd/apparmor/profiles. As such, don't load snapd policy twice by not loading it in the apparmor unit (LP: 1871148)
    - ubuntu/stop-loading-snapd-profiles.patch: stop loading snapd profiles
    - debian/control: add Breaks on snapd < 2.44.3+20.04~ since prior snapd versions assume that apparmor will load the snapd policy on boot
    - debian/apparmor.service: remove the now unneeded RequiresMountsFor on /var/lib/snapd/apparmor/profiles
  * drop ubuntu/parser-conf-no-expr-simplify.patch: Optimize=no-expr-simplify was added to parser.conf to mitigate slow snap policy compiles on 32bit ARM. These days, snapd calls apparmor_parser with "-O no-expr-simplify" and loads its snap policy, so drop this delta with upstream and Debian.

 -- Jamie Strandboge <jamie@ubuntu.com>  Sun, 12 Apr 2020 16:11:31 +0000

apparmor (2.13.3-7ubuntu4) focal; urgency=medium

  * debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it (LP: #1871148)
  * libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets and DBus APIs. Patch partially based on work by Simon Deziel. (LP: #1796911, LP: #1869024)
  * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient: allow reading /etc/krb5.conf.d/
  * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading per-user themes from $XDG_DATA_HOME (Closes: #930031)
  * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access to top-level ecryptfs directories (LP: #1848919)
  * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access to /run/uuidd/request
  * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the kernel supports the i915 perf interface. Patch from Debian

 -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 06 Apr 2020 17:47:20 +0000

apparmor (2.13.3-7ubuntu3) focal; urgency=medium

  * Add upstream-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch (LP: #1869629)

 -- John Johansen <john.johansen@canonical.com>  Wed, 01 Apr 2020 01:05:30 -0700

apparmor (2.13.3-7ubuntu2) focal; urgency=medium

  * No-change rebuild to drop python3.7.

 -- Matthias Klose <doko@ubuntu.com>  Tue, 18 Feb 2020 10:42:36 +0100

apparmor (2.13.3-7ubuntu1) focal; urgency=medium

  * Merge from Debian. Remaining changes:
    - Ubuntu-specific patches:
      + ubuntu/add-chromium-browser.patch
      + ubuntu/communitheme-snap-support.patch
      + ubuntu/mimeinfo-snap-support.patch
      + ubuntu/parser-conf-no-expr-simplify.patch
      + ubuntu/profiles-grant-access-to-systemd-resolved.patch
      + upstream-dont-allow-fontconfig-cache-write.patch
      + upstream-tests-mult-mount-bump-size-of-created-disk.patch
    - debian/apparmor.{install,maintscript}: feature pinning is not used in Ubuntu
    - debian/apparmor.preinst: remove cache files on upgrade to 2.13
    - debian/apparmor-profiles.install: install Ubuntu chromium-browser profile and abstraction
    - debian/apparmor-profiles.lintian-overrides: update for chromium-browser profile having read access to dpkg database for lsb-release
    - debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser abstraction if it doesn't exist
    - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect the branch where the Ubuntu packaging is maintained.
    - debian/gbp.conf: use ubuntu/master as the debian-branch
    - debian/patches/series: comment out debian-only patches
    - debian/tests/control and debian/tests/compile-policy: don't test thunderbird since the Ubuntu packaging doesn't ship a profile
  * Drop the following patches, no longer needed:
    - python3.8-ac.diff
  * debian/control: drop Breaks on media-hub, mediascanner2.0, messaging-app, and webbrowser-app which was needed for upgrades to bionic (LP: #1797242)
  * upstream-adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus 1.5.22
  * upstream-adjust-gnome-for-mimeapps.patch: abstractions/gnome: also allow /etc/xdg/mimeapps.list (LP: #1792027)

 -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 17 Dec 2019 15:50:00 +0000

Modifications:
  1. Download patch debian/patches/upstream-tests-mult-mount-bump-size-of-created-disk.patch

    --- 2.13.3-7/debian/patches/upstream-tests-mult-mount-bump-size-of-created-disk.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-tests-mult-mount-bump-size-of-created-disk.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,42 @@ +Origin: 515cb80901640be5a6ba87b0f89145427e592962 +Description: regression tests/mult_mount: bump size of created disk image + +commit 515cb80901640be5a6ba87b0f89145427e592962 +Author: Steve Beattie <steve.beattie@canonical.com> +Date: Tue Jun 25 17:00:12 2019 -0700 + + regression tests/mult_mount: bump size of created disk image + + The mult_mount test creates a small disk image, formats it, and mounts + it in multiple locations in preparation for the tests. However, the + created raw file (80KB) is too small to make a working file system if + 4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently + changed for mkfs to default to always using 4K blocks, causing the + script to fail. + + We could force mkfs to use 1K blocks, but instead, in case some future + version of mkfs decides not to support 1K blocks at all, we bump up the + size of the disk image to 512KB; large enough to work with 4K blocks + yet small enough to be workable in small scale test environments. + + Signed-off-by: Steve Beattie <steve.beattie@canonical.com> + Acked-by: John Johansen <john.johansen@canonical.com> + Acked-by: Seth Arnold <seth.arnold@canonical.com> + Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192 + MR: https://gitlab.com/apparmor/apparmor/merge_requests/396 + (cherry picked from commit 7c7a4bc5311d983f2c4316252b830c52a5a0930b) + 
Signed-off-by: Steve Beattie <steve.beattie@canonical.com> + +diff --git a/tests/regression/apparmor/mult_mount.sh b/tests/regression/apparmor/mult_mount.sh +index 2189c314..ae4749a3 100644 +--- a/tests/regression/apparmor/mult_mount.sh ++++ b/tests/regression/apparmor/mult_mount.sh +@@ -55,7 +55,7 @@ mkdirperm_fail=r + linkperm=rl + readperm=r + +-dd if=/dev/zero of=$image bs=4096 count=20 > /dev/null 2>&1 ++dd if=/dev/zero of=$image bs=4096 count=128 > /dev/null 2>&1 + mkfs.ext2 -F -m 0 -N 10 $image > /dev/null 2>&1 + + mkdir $mp1 $mp2
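
Review bot: In the mult_mount.sh hunk, the resized `dd` and the `mkfs.ext2` call on the next line still send all output to /dev/null and their exit status is not checked in the lines shown, so a mkfs failure like the one described in the commit message is not reported at the point where it happens. Consider testing the `mkfs.ext2` result and aborting the test with an explicit error, and quoting `$image` in both commands.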
  2. Download patch debian/tests/compile-policy

    --- 2.13.3-7/debian/tests/compile-policy 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/tests/compile-policy 2020-05-11 13:55:16.000000000 +0000 @@ -9,7 +9,6 @@ PROFILES_NAMES="lsb_release \ usr.bin.man \ usr.bin.onioncircuits \ usr.bin.pidgin \ - usr.bin.thunderbird \ usr.bin.totem \ usr.bin.totem-previewers \ usr.lib.libreoffice.program.oosplash \
  3. Download patch debian/tests/control

    --- 2.13.3-7/debian/tests/control 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/tests/control 2020-05-11 13:55:16.000000000 +0000 @@ -1,5 +1,5 @@ Tests: compile-policy -Depends: apparmor, apparmor-profiles-extra, bind9, cups-browsed, cups-daemon, evince, haveged, kopano-dagent, kopano-server, libreoffice-common, libvirt-daemon-system, man-db, ntp, onioncircuits, tcpdump, thunderbird, tor +Depends: apparmor, apparmor-profiles-extra, bind9, cups-browsed, cups-daemon, evince, haveged, kopano-dagent, kopano-server, libreoffice-common, libvirt-daemon-system, man-db, ntp, onioncircuits, tcpdump, tor Restrictions: allow-stderr Tests: test-installed
  4. Download patch debian/apparmor.preinst

    --- 2.13.3-7/debian/apparmor.preinst 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/apparmor.preinst 2020-05-11 13:55:16.000000000 +0000 @@ -11,6 +11,9 @@ case "$1" in if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt-nl "2.12-4ubuntu2"; then rm -f /var/lib/apparmor/profiles/.*.md5sums fi + if [ "$1" = "upgrade" ] && dpkg --compare-versions "$2" lt-nl "2.13"; then + rm -f /etc/apparmor.d/cache/.features /etc/apparmor.d/cache/* + fi ;; *)
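
Review bot: The new `rm -f /etc/apparmor.d/cache/.features /etc/apparmor.d/cache/*` in the upgrade branch has no comment saying why the cache is cleared for versions below 2.13, and the glob only removes non-hidden files: other dot-files and any subdirectory under the cache directory are left in place. Add a one-line comment with the reason, and confirm that a flat directory plus `.features` is all that pre-2.13 versions wrote there.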
  5. Download patch debian/patches/upstream-commit-454fca7-Add-run-variable.patch

    --- 2.13.3-7/debian/patches/upstream-commit-454fca7-Add-run-variable.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-commit-454fca7-Add-run-variable.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,47 @@ +From: nl6720 <nl6720@gmail.com> +Date: Thu, 13 Feb 2020 09:58:33 +0200 +Subject: Add "run" variable + +Signed-off-by: nl6720 <nl6720@gmail.com> +(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec) + +Author: nl6720 <nl6720@gmail.com> +Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/454fca7483eae7b7ee613343c2c02abaa20e37e3 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564 +Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> +Last-Update: 2020-05-08 +--- + parser/apparmor.d.pod | 1 + + profiles/apparmor.d/tunables/global | 1 + + profiles/apparmor.d/tunables/run | 1 + + 3 files changed, 3 insertions(+) + create mode 100644 profiles/apparmor.d/tunables/run + +diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod +index db904ed..d9dff30 100644 +--- a/parser/apparmor.d.pod ++++ b/parser/apparmor.d.pod +@@ -1279,6 +1279,7 @@ provided AppArmor policy: + @{apparmorfs} + @{sys} + @{tid} ++ @{run} + @{XDG_DESKTOP_DIR} + @{XDG_DOWNLOAD_DIR} + @{XDG_TEMPLATES_DIR} +diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global +index 28d6fc6..3b6f99c 100644 +--- a/profiles/apparmor.d/tunables/global ++++ b/profiles/apparmor.d/tunables/global +@@ -19,3 +19,4 @@ + #include <tunables/kernelvars> + #include <tunables/xdg-user-dirs> + #include <tunables/share> ++#include <tunables/run> +diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run +new file mode 100644 +index 0000000..e535d2f +--- /dev/null ++++ b/profiles/apparmor.d/tunables/run +@@ -0,0 +1 @@ ++@{run}=/run /var/run
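
Review bot: The new file profiles/apparmor.d/tunables/run consists of the single line `@{run}=/run /var/run` with no header comment, and the apparmor.d.pod hunk lists `@{run}` without describing its value. Add a short comment in tunables/run saying what the variable is for and whether its values end in a slash, since rules that append a path to it depend on that.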
  6. Download patch debian/apparmor.maintscript

    --- 2.13.3-7/debian/apparmor.maintscript 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/apparmor.maintscript 2020-05-11 13:55:16.000000000 +0000 @@ -1,5 +1,6 @@ rm_conffile /etc/apparmor.d/abstractions/launchpad-integration 2.13.1-2~ rm_conffile /etc/apparmor.d/abstractions/ubuntu-sdk-base 2.8.0-0ubuntu20~ -rm_conffile /etc/apparmor/features 2.11.1-4~ +# Feature pinning is not used in Ubuntu +#rm_conffile /etc/apparmor/features 2.11.1-4~ rm_conffile /etc/apparmor/subdomain.conf 2.13.2-2~ rm_conffile /etc/init/apparmor.conf 2.11.0-11~
  7. Download patch debian/patches/ubuntu/libnss-systemd.patch

    --- 2.13.3-7/debian/patches/ubuntu/libnss-systemd.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/ubuntu/libnss-systemd.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,39 @@ +Author: Jamie Strandboge <jamie@ubuntu.com> +Description: allow accessing the libnss-systemd VarLink sockets and + and DBus APIs +Bug-Ubuntu: https://launchpad.net/bugs/1796911 +Bug-Ubuntu: https://launchpad.net/bugs/1869024 +Index: apparmor-2.13.3/profiles/apparmor.d/abstractions/nameservice +=================================================================== +--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/nameservice ++++ apparmor-2.13.3/profiles/apparmor.d/abstractions/nameservice +@@ -106,6 +106,29 @@ + member="Resolve{Address,Hostname,Record,Service}" + peer=(name="org.freedesktop.resolve1"), + ++ # libnss-systemd ++ # ++ # https://systemd.io/USER_GROUP_API/ ++ # https://systemd.io/USER_RECORD/ ++ # https://www.freedesktop.org/software/systemd/man/nss-systemd.html ++ # ++ # Allow User/Group lookups via common VarLink socket APIs. Applications need ++ # to either consult all of them or the io.systemd.Multiplexer frontend. ++ /run/systemd/userdb/ r, ++ /run/systemd/userdb/io.systemd.Multiplexer rw, ++ /run/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users ++ /run/systemd/userdb/io.systemd.Home rw, # systemd-home dirs ++ /run/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS ++ ++ # Also allow lookups for systemd-exec's DynamicUsers via D-Bus ++ # https://www.freedesktop.org/software/systemd/man/systemd.exec.html ++ dbus send ++ bus=system ++ path="/org/freedesktop/systemd1" ++ interface="org.freedesktop.systemd1.Manager" ++ member="{GetDynamicUsers,LookupDynamicUserByName,LookupDynamicUserByUID}" ++ peer=(name="org.freedesktop.systemd1"), ++ + # TCP/UDP network access + network inet stream, + network inet6 stream,
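
Review bot: The block added to abstractions/nameservice gives every profile that includes this abstraction `rw` on four sockets under /run/systemd/userdb/ and `dbus send` to three org.freedesktop.systemd1.Manager methods, but the Description header only says "allow accessing" and does not state that scope. Spell it out in the Description, fix the duplicated "and" there, and add a Forwarded: field as mimeinfo-snap-support.patch has.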
  8. Download patch debian/apparmor-profiles.install

    --- 2.13.3-7/debian/apparmor-profiles.install 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/apparmor-profiles.install 2020-05-11 13:55:16.000000000 +0000 @@ -1,8 +1,12 @@ +# Install Ubuntu-specific chromium-browser abstraction +debian/profiles/chromium-browser usr/share/apparmor/extra-profiles/abstractions/ubuntu-browsers.d/ etc/apparmor.d/apache2.d/phpsysinfo etc/apparmor.d/bin.ping etc/apparmor.d/sbin.klogd etc/apparmor.d/sbin.syslog-ng etc/apparmor.d/sbin.syslogd +# Install Ubuntu-specific chromium-browser profile +etc/apparmor.d/usr.bin.chromium-browser etc/apparmor.d/usr.lib.dovecot.anvil /usr/share/apparmor/extra-profiles/ etc/apparmor.d/usr.lib.dovecot.auth /usr/share/apparmor/extra-profiles/ etc/apparmor.d/usr.lib.dovecot.config /usr/share/apparmor/extra-profiles/
  9. Download patch debian/patches/ubuntu/stop-loading-snapd-profiles.patch

    --- 2.13.3-7/debian/patches/ubuntu/stop-loading-snapd-profiles.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/ubuntu/stop-loading-snapd-profiles.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,20 @@ +Author: Jamie Strandboge <jamie@canonical.com> +Description: snapd now loads its snap policy via its own systemd unit, so + stop loading the snap policy in /var/lib/snapd/apparmor/profiles +Bug-Ubuntu: https://launchpad.net/bugs/1871148 + +Index: apparmor-2.13.3/parser/rc.apparmor.functions +=================================================================== +--- apparmor-2.13.3.orig/parser/rc.apparmor.functions ++++ apparmor-2.13.3/parser/rc.apparmor.functions +@@ -44,8 +44,8 @@ if [ -d /etc/apparmor.d ] ; then + else + aa_log_warning_msg "Unable to find profiles directory, installation problem?" + fi +-ADDITIONAL_PROFILE_DIR=/var/lib/snapd/apparmor/profiles +-if [ -d "$ADDITIONAL_PROFILE_DIR" ]; then ++ADDITIONAL_PROFILE_DIR= ++if [ -n "$ADDITIONAL_PROFILE_DIR" ] && [ -d "$ADDITIONAL_PROFILE_DIR" ]; then + PROFILE_DIRS="${PROFILE_DIRS} ${ADDITIONAL_PROFILE_DIR}" + fi + AA_STATUS=/usr/sbin/aa-status
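
Review bot: In rc.apparmor.functions, `ADDITIONAL_PROFILE_DIR=` is now assigned empty with no comment, so the `if` block that follows can never run and a reader of the script cannot tell why it is kept. Either drop the block or add a comment in the script saying that snapd loads /var/lib/snapd/apparmor/profiles from its own systemd unit, as the patch Description states.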
  10. Download patch debian/patches/ubuntu/mimeinfo-snap-support.patch

    --- 2.13.3-7/debian/patches/ubuntu/mimeinfo-snap-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/ubuntu/mimeinfo-snap-support.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,21 @@ +Author: Jamie Strandboge <jamie@canonical.com> +Description: allow reading /var/lib/snapd/desktop/applications/*.desktop and + /var/lib/snapd/desktop/applications/mimeinfo.cache +Bug-Ubuntu: https://launchpad.net/bugs/1712039 +Forwarded: no + +Index: apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +=================================================================== +--- apparmor-2.13.2.orig/profiles/apparmor.d/abstractions/freedesktop.org ++++ apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +@@ -18,6 +18,10 @@ + /snap/communitheme/*/share/icons/ r, + /snap/communitheme/*/share/icons/** r, + ++ # mimeinfo and desktop files for snaps ++ /var/lib/snapd/desktop/applications/mimeinfo.cache r, ++ /var/lib/snapd/desktop/applications/{,*.desktop} r, ++ + # this should probably go elsewhere + @{system_share_dirs}/mime/** r, +
  11. Download patch debian/control

    --- 2.13.3-7/debian/control 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/control 2020-05-11 13:55:16.000000000 +0000 @@ -1,5 +1,6 @@ Source: apparmor -Maintainer: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org> Uploaders: intrigeri <intrigeri@debian.org> Section: admin Priority: optional @@ -24,8 +25,8 @@ Build-Depends: apache2-dev, python3-all-dev, swig Standards-Version: 4.4.0 -Vcs-Browser: https://salsa.debian.org/apparmor-team/apparmor/tree/debian/master -Vcs-Git: https://salsa.debian.org/apparmor-team/apparmor.git -b debian/master +Vcs-Browser: https://salsa.debian.org/apparmor-team/apparmor/tree/ubuntu/master +Vcs-Git: https://salsa.debian.org/apparmor-team/apparmor.git -b ubuntu/master Homepage: http://apparmor.net/ Rules-Requires-Root: no @@ -41,10 +42,7 @@ Suggests: apparmor-profiles-extra, Pre-Depends: ${misc:Pre-Depends} Breaks: apparmor-profiles-extra (<< 1.21), fcitx-data (<< 1:4.2.9.1-1ubuntu2), - media-hub, - mediascanner2.0, - messaging-app, - webbrowser-app + snapd (<< 2.44.3+20.04~), Replaces: fcitx-data (<< 1:4.2.9.1-1ubuntu2) Description: user-space parser utility for AppArmor apparmor provides the system initialization scripts needed to use the
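
Review bot: In the third hunk, the new last entry of Breaks, `snapd (<< 2.44.3+20.04~),`, ends with a comma although `Replaces:` follows directly, whereas the removed last entry `webbrowser-app` had none. Drop the trailing comma so the field ends the way it did before.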
  12. Download patch debian/apparmor-profiles.lintian-overrides

    --- 2.13.3-7/debian/apparmor-profiles.lintian-overrides 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/apparmor-profiles.lintian-overrides 2020-05-11 13:55:16.000000000 +0000 @@ -8,3 +8,7 @@ apparmor-profiles binary: package-contai # If phpsysinfo uses that database directly, then it's a bug in phpsysinfo, # and this AppArmor profile can't do much about it. apparmor-profiles binary: uses-dpkg-database-directly etc/apparmor.d/apache2.d/phpsysinfo + +# False positive: this merely grants lsb-release as called by chromium-browser +# read access to the dpkg database via dpkg-query +apparmor-profiles: uses-dpkg-database-directly etc/apparmor.d/usr.bin.chromium-browser
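
Review bot: The added override is written `apparmor-profiles: uses-dpkg-database-directly ...`, while the existing phpsysinfo override just above it uses `apparmor-profiles binary: uses-dpkg-database-directly ...`. Use the same `apparmor-profiles binary:` prefix so the file stays consistent.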
  13. Download patch debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch

    --- 2.13.3-7/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/ubuntu/profiles-grant-access-to-systemd-resolved.patch 2020-05-11 13:55:16.000000000 +0000 
@@ -0,0 +1,59 @@ +From: Tyler Hicks <tyhicks@canonical.com> +Date: Mon, 29 Jan 2018 12:45:10 +0000 +Subject: profiles: Grant access to systemd-resolved in the nameservice + abstraction + +https://launchpad.net/bugs/1598759 + +Profiles that rely on the nameservice abstraction are experiencing +denials on systems configured to use systemd-resolved via the +libnss-resolve plugin. + +libnss-resolve talks to systemd-resolved over D-Bus and this patch +attempts to only grant access to the safe members of the D-Bus API. + +Special considerations need to be made when applying this patch to most +Linux distributions as many of them do not have the ability to perform +fine-grained AppArmor mediation of D-Bus traffic. In those cases, any +users of the nameservice abstraction (such as tcpdump or ntpd) will have +full access to the D-Bus system bus once this change is applied to the +nameservice abstraction. + +Signed-off-by: Tyler Hicks <tyhicks@canonical.com> +Acked-by: Seth Arnold <seth.arnold@canonical.com> +Forwarded: https://lists.ubuntu.com/archives/apparmor/2016-October/010130.html +Bug: https://launchpad.net/bugs/1598759 +--- + profiles/apparmor.d/abstractions/nameservice | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice +index e6dcb76..6e678fb 100644 +--- a/profiles/apparmor.d/abstractions/nameservice ++++ b/profiles/apparmor.d/abstractions/nameservice +@@ -87,6 +87,25 @@ + # kerberos + #include <abstractions/kerberosclient> + ++ # resolve ++ # ++ # Allow access to the safe members of the systemd-resolved D-Bus API: ++ # ++ # https://www.freedesktop.org/wiki/Software/systemd/resolved/ ++ # ++ # This API may be used directly over the D-Bus system bus or it may be used ++ # indirectly via the nss-resolve plugin: ++ # ++ # https://www.freedesktop.org/software/systemd/man/nss-resolve.html ++ # ++ #include <abstractions/dbus-strict> ++ dbus send ++ 
bus=system ++ path="/org/freedesktop/resolve1" ++ interface="org.freedesktop.resolve1.Manager" ++ member="Resolve{Address,Hostname,Record,Service}" ++ peer=(name="org.freedesktop.resolve1"), ++ + # TCP/UDP network access + network inet stream, + network inet6 stream,
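
Review bot: The caveat in the commit message, that on distributions without fine-grained D-Bus mediation every user of the nameservice abstraction gets full access to the D-Bus system bus, is not repeated in the comment block added above `#include <abstractions/dbus-strict>`. Put a sentence about it in that comment so the warning is visible to anyone reading the abstraction and not only the patch header.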
  14. Download patch debian/patches/upstream-mr-445-uuidd-request.patch

    --- 2.13.3-7/debian/patches/upstream-mr-445-uuidd-request.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-mr-445-uuidd-request.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,33 @@ +commit d779dbf88a664f06c1265b9e27b93f87de4cfe44 +Author: Christian Boltz <gitlab2@cboltz.de> +Date: Mon Feb 3 21:17:28 2020 +0000 + + Merge branch 'run-uuidd-request' into 'master' + + abstractions/base: allow read access to /run/uuidd/request + + See merge request apparmor/apparmor!445 + + Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master + Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master + + + (cherry picked from commit 80bf9209296417a1a65fe03130530e1303a4d6c7) + + 45fffc12 abstractions/base: allow read access to /run/uuidd/request + +diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base +index 06afecd9..fabb4273 100644 +--- a/profiles/apparmor.d/abstractions/base ++++ b/profiles/apparmor.d/abstractions/base +@@ -23,6 +23,10 @@ + /dev/log w, + /dev/random r, + /dev/urandom r, ++ # Allow access to the uuidd daemon (this daemon is a thin wrapper around ++ # time and getrandom()/{,u}random and, when available, runs under an ++ # unprivilged, dedicated user). ++ /run/uuidd/request r, + /etc/locale/** r, + /etc/locale.alias r, + /etc/localtime r,
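
Review bot: The comment added above `/run/uuidd/request r,` misspells "unprivileged" as "unprivilged". Since this is a cherry-pick, fix it upstream and refresh the patch rather than editing the copy here.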
  15. Download patch debian/patches/upstream-adjust-gnome-for-mimeapps.patch

    --- 2.13.3-7/debian/patches/upstream-adjust-gnome-for-mimeapps.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-adjust-gnome-for-mimeapps.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,17 @@ +Author: Jamie Strandboge <jamie@canonical.com> +Description: abstractions/gnome: also allow /etc/xdg/mimeapps.list +Bug-Ubuntu: https://launchpad.net/bugs/1792027 +Forwarded: yes +Index: apparmor-2.13.3/profiles/apparmor.d/abstractions/gnome +=================================================================== +--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/gnome ++++ apparmor-2.13.3/profiles/apparmor.d/abstractions/gnome +@@ -100,7 +100,7 @@ + + # mime-types + /etc/gnome/defaults.list r, +- /etc/xdg/*-mimeapps.list r, ++ /etc/xdg/{,*-}mimeapps.list r, + /usr/share/gnome/applications/ r, + /usr/share/gnome/applications/mimeinfo.cache r, +
  16. Download patch debian/patches/upstream-mr-464-Mesa_i915_perf_interface.patch

    --- 2.13.3-7/debian/patches/upstream-mr-464-Mesa_i915_perf_interface.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-mr-464-Mesa_i915_perf_interface.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,27 @@ +From: intrigeri <intrigeri@boum.org> +Date: Tue, 31 Mar 2020 09:14:58 +0000 +Subject: abstractions/mesa: allow checking if the kernel supports the i915 + perf interface + +On current Debian sid, applications that use mesa need this access. + +Origin: https://gitlab.com/apparmor/apparmor/merge_requests/464 +--- + profiles/apparmor.d/abstractions/mesa | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/profiles/apparmor.d/abstractions/mesa b/profiles/apparmor.d/abstractions/mesa +index 68e7579..be699c7 100644 +--- a/profiles/apparmor.d/abstractions/mesa ++++ b/profiles/apparmor.d/abstractions/mesa +@@ -4,6 +4,10 @@ + # System files + /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() + ++ # Needed to check if the kernel supports the i915 perf interface ++ # (src/intel/perf/gen_perf.c, load_oa_metrics()) ++ @{PROC}/sys/dev/i915/perf_stream_paranoid r, ++ + # User files + owner @{HOME}/.cache/ w, # if user clears all caches + owner @{HOME}/.cache/mesa_shader_cache/ w,
  17. Download patch debian/patches/ubuntu/add-chromium-browser.patch
  18. Download patch debian/patches/ubuntu/communitheme-snap-support.patch

    --- 2.13.3-7/debian/patches/ubuntu/communitheme-snap-support.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/ubuntu/communitheme-snap-support.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,36 @@ +From: Didier Roche <didier.roche@canonical.com> +Date: Wed, 11 Apr 2018 10:25:10 +0000 +Subject: add communitheme snap support +Bug-Ubuntu: https://launchpad.net/bugs/1762983 + +Forwarded: no +Index: apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +=================================================================== +--- apparmor-2.13.2.orig/profiles/apparmor.d/abstractions/freedesktop.org ++++ apparmor-2.13.2/profiles/apparmor.d/abstractions/freedesktop.org +@@ -14,6 +14,10 @@ + @{system_share_dirs}/icons/{**,} r, + @{system_share_dirs}/pixmaps/{**,} r, + ++ # communitheme snap ++ /snap/communitheme/*/share/icons/ r, ++ /snap/communitheme/*/share/icons/** r, ++ + # this should probably go elsewhere + @{system_share_dirs}/mime/** r, + +Index: apparmor-2.13.2/profiles/apparmor.d/abstractions/gnome +=================================================================== +--- apparmor-2.13.2.orig/profiles/apparmor.d/abstractions/gnome ++++ apparmor-2.13.2/profiles/apparmor.d/abstractions/gnome +@@ -27,6 +27,10 @@ + /usr/share/themes/ r, + /usr/share/themes/** r, + ++ # communitheme snap ++ /snap/communitheme/*/share/themes/ r, ++ /snap/communitheme/*/share/themes/** r, ++ + # for gnome 1 applications + /etc/orbitrc r, +
  19. Download patch debian/patches/series

    --- 2.13.3-7/debian/patches/series 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/series 2020-05-11 13:55:16.000000000 +0000 @@ -17,6 +17,25 @@ debian/Enable-writing-cache.patch debian/Make-the-systemd-unit-a-no-op-in-containers-with-no-inter.patch debian/smbd-include-snippet-generated-at-runtime.patch debian/dont-include-site-local-with-dovecot.patch -debian-only/pin-feature-set.patch -debian-only/aa-notify-point-to-Debian-documentation.patch -debian-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch +#debian-only/pin-feature-set.patch +#debian-only/aa-notify-point-to-Debian-documentation.patch +#debian-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch +ubuntu/add-chromium-browser.patch +ubuntu/communitheme-snap-support.patch +ubuntu/mimeinfo-snap-support.patch +ubuntu/profiles-grant-access-to-systemd-resolved.patch +ubuntu/libnss-systemd.patch +ubuntu/stop-loading-snapd-profiles.patch +upstream-dont-allow-fontconfig-cache-write.patch +upstream-tests-mult-mount-bump-size-of-created-disk.patch +upstream-adjust-for-ibus-1.5.22.patch +upstream-adjust-gnome-for-mimeapps.patch +upstream-commit-dda6825f-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch +upstream-mr-424-kerberos-dot-dirs.patch +upstream-mr-442-gnome-user-themes.patch +upstream-mr-443-ecryptfs-dirs.patch +upstream-mr-445-uuidd-request.patch +upstream-mr-464-Mesa_i915_perf_interface.patch +upstream-commit-454fca7-Add-run-variable.patch +upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch +upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch
  20. Download patch debian/patches/upstream-commit-dda6825f-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch

    --- 2.13.3-7/debian/patches/upstream-commit-dda6825f-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-commit-dda6825f-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,35 @@ +From dda6825ff2c268d582afe0ba7faf00ed2d525929 Mon Sep 17 00:00:00 2001 +From: Rich McAllister <Nopublic@address.provided> +Date: Tue, 31 Mar 2020 21:01:21 -0700 +Subject: [PATCH] abstractions: add /etc/mdns.allow to + /etc/apparmor.d/abstractions/mdns + +In focal users of mdns get denials in apparmor confined applications. +An exampel can be found in the original bug below. + +It seems it is a common pattern, see +https://github.com/lathiat/nss-mdns#etcmdnsallow + +Therefore I'm asking to add + /etc/mdns.allow r, +to the file + /etc/apparmor.d/abstractions/mdns" +by default. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1869629 +Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/eeac8c11c935 +Last-Update: 2020-04-01 + +--- + profiles/apparmor.d/abstractions/mdns | 1 + + 1 file changed, 1 insertion(+) + +--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/mdns ++++ apparmor-2.13.3/profiles/apparmor.d/abstractions/mdns +@@ -9,5 +9,6 @@ + # ------------------------------------------------------------------ + + # mdnsd ++ /etc/mdns.allow r, + /etc/nss_mdns.conf r, + /{,var/}run/mdnsd w,
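
Review bot: The patch header names two different commits: the `From` line carries dda6825ff2c268d582afe0ba7faf00ed2d525929 (also used in the file name) while `Origin:` points to upstream commit eeac8c11c935. State which one is the upstream commit and which is the cherry-pick. The commit message also has a typo ("exampel") and an unbalanced quote after `/etc/apparmor.d/abstractions/mdns`.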
  21. Download patch debian/patches/upstream-dont-allow-fontconfig-cache-write.patch

    --- 2.13.3-7/debian/patches/upstream-dont-allow-fontconfig-cache-write.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-dont-allow-fontconfig-cache-write.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,32 @@ +Origin: https://gitlab.com/apparmor/apparmor/merge_requests/420 +Description: abstractions/fonts: don't allow write of fontconfig cache files + +commit c5968c70d0f1bd3da9ed1a19b5a79748adbfd566 +Author: Jamie Strandboge <jamie@ubuntu.com> +Date: Mon Sep 9 15:48:05 2019 -0500 + + abstractions/fonts: don't allow write of fontconfig cache files + + 879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for + @{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been + a source of CVEs. Confined applications should absolutely have read + access, but write access could lead to breaking out of the sandbox if a + confined application can write a malformed font cache file since + unconfined applications could then pick them up and be controlled via + the malformed cache. The breakout is dependent on the fontconfig + vulnerability, but this is the sort of thing AppArmor is meant to help + guard against. + +diff --git a/profiles/apparmor.d/abstractions/fonts b/profiles/apparmor.d/abstractions/fonts +index 56185846..2cf6bfe2 100644 +--- a/profiles/apparmor.d/abstractions/fonts ++++ b/profiles/apparmor.d/abstractions/fonts +@@ -45,7 +45,7 @@ + owner @{HOME}/.local/share/fonts/** r, + owner @{HOME}/.fonts.cache-2 mr, + owner @{HOME}/.{,cache/}fontconfig/ rw, +- owner @{HOME}/.{,cache/}fontconfig/** mrwl, ++ owner @{HOME}/.{,cache/}fontconfig/** mrl, + owner @{HOME}/.fonts.conf.d/ r, + owner @{HOME}/.fonts.conf.d/** r, + owner @{HOME}/.config/fontconfig/ r,
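
Review bot: In abstractions/fonts the change from `mrwl` to `mrl` applies only to `owner @{HOME}/.{,cache/}fontconfig/**`; the directory rule on the context line above, `owner @{HOME}/.{,cache/}fontconfig/ rw,`, keeps write access, and the `l` permission is retained on the files. The commit message argues that confined applications must not be able to write font cache files, so it should say whether leaving directory `w` and link `l` in place is intended.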
  22. Download patch debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch

    --- 2.13.3-7/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,22 @@ +From: nl6720 <nl6720@gmail.com> +Date: Thu, 20 Feb 2020 10:40:22 +0200 +Subject: Add trailing slash to the run variable definition + +Signed-off-by: nl6720 <nl6720@gmail.com> + +Author: nl6720 <nl6720@gmail.com> +Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/ef591a67cedc1da0676b26448ea96fa8c073c253 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564 +Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> +Last-Update: 2020-05-08 +--- + profiles/apparmor.d/tunables/run | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run +index e535d2f..5b81925 100644 +--- a/profiles/apparmor.d/tunables/run ++++ b/profiles/apparmor.d/tunables/run +@@ -1 +1 @@ +-@{run}=/run /var/run ++@{run}=/run/ /var/run/
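
Review bot: the commit message gives no reason for the trailing slash, and with `@{run}=/run/ /var/run/` every rule written as `@{run}/...` (for example `@{run}/systemd/userdb/ r,` in the nameservice patch of this same upload) now expands to a path containing a doubled slash. Add a sentence to the description explaining why the slash is wanted and confirming that rules written with and without the extra separator both still match. Since the hunk rewrites the only line of tunables/run, this patch also has to be ordered in the series after the patch that creates that file.
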
  23. Download patch debian/patches/upstream-mr-424-kerberos-dot-dirs.patch

    --- 2.13.3-7/debian/patches/upstream-mr-424-kerberos-dot-dirs.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-mr-424-kerberos-dot-dirs.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,31 @@ +commit 370c9292eda51623ab1e3e391eef77a5ebfecf29 +Author: Christian Boltz <gitlab2@cboltz.de> +Date: Mon Nov 18 21:35:29 2019 +0000 + + Merge branch 'cboltz-abstractions-kerberos' into 'master' + + abstractions/kerberosclient: allow reading /etc/krb5.conf.d/ + + See merge request apparmor/apparmor!425 + + Acked-by: Steve Beattie <steve@nxnw.org> for 2.10..master + Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..master + + + (cherry picked from commit 663546c2842d84255ce6d3e38ac1255c01ca14d6) + + dffed831 abstractions/kerberosclient: allow reading /etc/krb5.conf.d/ + +diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient +index eab762a2..5b79e3d6 100644 +--- a/profiles/apparmor.d/abstractions/kerberosclient ++++ b/profiles/apparmor.d/abstractions/kerberosclient +@@ -22,6 +22,8 @@ + + /etc/krb5.keytab rk, + /etc/krb5.conf r, ++ /etc/krb5.conf.d/ r, ++ /etc/krb5.conf.d/* r, + + # config files found via strings on libs + /etc/krb.conf r,
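
Review bot: the file is named upstream-mr-424-kerberos-dot-dirs.patch, but the commit message it carries says "See merge request apparmor/apparmor!425". Rename the file or correct the reference so the delta can be traced to the right merge request. Unlike the neighbouring patches it also has no Origin or Description header, only the raw commit text. On the rule itself, `/etc/krb5.conf.d/* r,` covers direct children of the directory only, which matches the stated purpose and should stay that narrow.
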
  24. Download patch debian/patches/upstream-mr-442-gnome-user-themes.patch

    --- 2.13.3-7/debian/patches/upstream-mr-442-gnome-user-themes.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-mr-442-gnome-user-themes.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,31 @@ +commit a863279f064bfad1b80ffa78a4d7d8caad42ff09 +Author: John Johansen <john@jjmx.net> +Date: Wed Dec 11 07:43:55 2019 +0000 + + gnome abstraction: allow reading per-user themes from $XDG_DATA_HOME + + Bug-Debian: https://bugs.debian.org/930031 + + As per https://developer.gnome.org/gtk3/stable/ch32s03.html, since GTK+ 3.6, $XDG_DATA_HOME/themes is preferred over $HOME/.themes. We already support the latter, let's also support the former. + + PR: https://gitlab.com/apparmor/apparmor/merge_requests/442 + Acked-by: John Johansen <john.johansen@canonical.com> + + + (cherry picked from commit 098f0a7b5fa0acec7f8f148705d6fe520ccf059b) + + 852c1e76 gnome abstraction: allow reading per-user themes from $XDG_DATA_HOME + +Index: apparmor-2.13.3/profiles/apparmor.d/abstractions/gnome +=================================================================== +--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/gnome ++++ apparmor-2.13.3/profiles/apparmor.d/abstractions/gnome +@@ -55,6 +55,8 @@ + owner @{HOME}/.gtk-bookmarks r, + owner @{HOME}/.themes/ r, + owner @{HOME}/.themes/** r, ++ owner @{user_share_dirs}/themes/ r, ++ owner @{user_share_dirs}/themes/** r, + + # for gtk file dialog + owner @{HOME}/.config/gtk-2.0/ w,
  25. Download patch debian/patches/upstream-adjust-for-ibus-1.5.22.patch

    --- 2.13.3-7/debian/patches/upstream-adjust-for-ibus-1.5.22.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-adjust-for-ibus-1.5.22.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,27 @@ +Author: Jamie Strandboge <jamie@canonical.com> +Description: update ibus abstract path for ibus 1.5.22. Due to LP: #1856738 + this has not been pushed upstream. Once LP: #1856738 is fixed, this can be + upstreamed and the workaround rule removed. +Bug-Ubuntu: https://launchpad.net/bugs/1580463 +Forwarded: no +Index: apparmor-2.13.3/profiles/apparmor.d/abstractions/ibus +=================================================================== +--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/ibus ++++ apparmor-2.13.3/profiles/apparmor.d/abstractions/ibus +@@ -14,6 +14,16 @@ + owner @{HOME}/.config/ibus/bus/ rw, + owner @{HOME}/.config/ibus/bus/* rw, + ++ # abstract path in ibus < 1.5.22 uses /tmp + unix (connect, receive, send) + type=stream + peer=(addr="@/tmp/ibus/dbus-*"), ++ ++ # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache) ++ # This should use this, but due to LP: #1856738 we cannot ++ #unix (connect, receive, send) ++ # type=stream ++ # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"), ++ unix (connect, receive, send) ++ type=stream ++ peer=(addr="@/home/*/.cache/ibus/dbus-*"),
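
Review bot: the active workaround rule `peer=(addr="@/home/*/.cache/ibus/dbus-*")` hard-codes /home and wildcards the user directory, so it is at once broader and narrower than the commented-out `@{HOME}` form it stands in for. It matches the ibus socket name of any user under /home, and it does not match for accounts whose home directory lives elsewhere or that point XDG_CACHE_HOME at another location. Put a comment directly on the active rule marking it as the LP: #1856738 workaround and recording both limitations, so that it is replaced by the `@{HOME}` rule once that bug is fixed rather than copied into other profiles.
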
  26. Download patch debian/gbp.conf

    --- 2.13.3-7/debian/gbp.conf 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/gbp.conf 2020-05-11 13:55:16.000000000 +0000 @@ -1,6 +1,6 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/master +debian-branch = ubuntu/master upstream-branch = upstream/latest upstream-vcs-tag = v%(version)s patch-numbers = False
  27. Download patch debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch

    --- 2.13.3-7/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch 2020-05-11 13:55:16.000000000 +0000 
@@ -0,0 +1,37 @@ +From: Sergio Durigan Junior <sergio.durigan@canonical.com> +Date: Fri, 8 May 2020 10:13:24 -0400 +Subject: abstractions/nameservice: allow accessing /run/systemd/userdb/ + +On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ . + +(cherry picked from commit 16f9f6885aff84123c0b52197f435e40d656c0e4) +Fixes: https://gitlab.com/apparmor/apparmor/-/issues/82 +Signed-off-by: nl6720 <nl6720@gmail.com> +Signed-off-by: John Johansen <john.johansen@canonical.com> + +Author: nl6720 <nl6720@gmail.com> +Origin: upstream, https://gitlab.com/apparmor/apparmor/-/commit/1f319c3870287b9a2cfa39e92344c9d35875b811 +Bug: https://gitlab.com/apparmor/apparmor/-/issues/82 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1872564 +Reviewed-By: Sergio Durigan Junior <sergio.durigan@canonical.com> +Last-Update: 2020-05-08 +--- + profiles/apparmor.d/abstractions/nameservice | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice +index 4ebecfd..a04a30a 100644 +--- a/profiles/apparmor.d/abstractions/nameservice ++++ b/profiles/apparmor.d/abstractions/nameservice +@@ -29,6 +29,11 @@ + /var/lib/extrausers/group r, + /var/lib/extrausers/passwd r, + ++ # NSS records from systemd-userdbd.service ++ @{run}/systemd/userdb/ r, ++ @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r, ++ @{PROC}/sys/kernel/random/boot_id r, ++ + # When using sssd, the passwd and group files are stored in an alternate path + # and the nss plugin also needs to talk to a pipe + /var/lib/sss/mc/group r,
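
Review bot: `@{PROC}/sys/kernel/random/boot_id r,` is added under the comment "NSS records from systemd-userdbd.service", but neither the subject ("allow accessing /run/systemd/userdb/") nor the body mentions boot_id or why nss-systemd reads it. Add a line to the description or give the rule its own comment. The header is also inconsistent about provenance: "From:" names the Ubuntu reviewer while "Author:" names nl6720, and the "cherry picked from commit 16f9f6885aff..." line differs from the "Origin:" commit 1f319c387028...; say which is the master commit. Note too that the socket rule enumerates exactly four service names, so any further userdb provider will need a follow-up change.
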
  28. Download patch debian/apparmor-profiles.postinst

    --- 2.13.3-7/debian/apparmor-profiles.postinst 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/apparmor-profiles.postinst 2020-05-11 13:55:16.000000000 +0000 @@ -20,6 +20,14 @@ set -e # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. +case "$1" in + configure) + if [ ! -e /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser ]; then + cp /usr/share/apparmor/extra-profiles/abstractions/ubuntu-browsers.d/chromium-browser /etc/apparmor.d/abstractions/ubuntu-browsers.d || true + fi + ;; +esac + #DEBHELPER# exit 0
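
Review bot: the `|| true` after the `cp` into /etc/apparmor.d/abstractions/ubuntu-browsers.d hides every failure of the copy, including a missing destination directory or a missing source file, so the package configures successfully without the abstraction in place. Create the directory first and let the script's `set -e` catch a failed copy, or at least print a warning. The `[ ! -e ... ]` test also runs on every `configure`, which means an administrator who removed the file on purpose gets it back at each upgrade; restrict the copy to a fresh install or to upgrades from versions that lacked the file by checking `$2`, and add a comment saying why the file is taken from extra-profiles.
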
  29. Download patch debian/apparmor.install

    --- 2.13.3-7/debian/apparmor.install 2019-11-15 10:37:05.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/apparmor.install 2020-05-11 13:55:16.000000000 +0000 @@ -1,5 +1,6 @@ debian/apport/source_apparmor.py /usr/share/apport/package-hooks/ -debian/features /usr/share/apparmor-features/ +# Feature pinning is not used in Ubuntu +#debian/features /usr/share/apparmor-features/ debian/lib/apparmor/profile-load /lib/apparmor/ etc/apparmor.d/abstractions/* etc/apparmor.d/local/README @@ -15,6 +16,7 @@ etc/apparmor.d/tunables/kernelvars etc/apparmor.d/tunables/multiarch etc/apparmor.d/tunables/multiarch.d etc/apparmor.d/tunables/proc +etc/apparmor.d/tunables/run etc/apparmor.d/tunables/securityfs etc/apparmor.d/tunables/share etc/apparmor.d/tunables/sys
  30. Download patch debian/patches/upstream-mr-443-ecryptfs-dirs.patch

    --- 2.13.3-7/debian/patches/upstream-mr-443-ecryptfs-dirs.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2.13.3-7ubuntu6/debian/patches/upstream-mr-443-ecryptfs-dirs.patch 2020-05-11 13:55:16.000000000 +0000 @@ -0,0 +1,32 @@ +commit 9d4571aac924f2457836ae10ee026e5e476cdede +Author: Christian Boltz <gitlab2@cboltz.de> +Date: Mon Feb 3 21:15:38 2020 +0000 + + Merge branch 'ecryptfs-top-dir' into 'master' + + abstractions/base: allow read access to top-level ecryptfs directories + + See merge request apparmor/apparmor!443 + + Acked-by: John Johansen <john.johansen@canonical.com> for 2.11..master + Acked-by: Christian Boltz <apparmor@cboltz.de> for 2.11..master + + + (cherry picked from commit 24895ea302d06684b4fda1c538e04fb9e6d0f287) + + fbd8981e abstractions/base: allow read access to top-level ecryptfs directories + +Index: apparmor-2.13.3/profiles/apparmor.d/abstractions/base +=================================================================== +--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/base ++++ apparmor-2.13.3/profiles/apparmor.d/abstractions/base +@@ -156,7 +156,9 @@ + # prevents access to the files from processes running under a different uid. + + # encrypted ~/.Private and old-style encrypted $HOME ++ owner @{HOME}/.Private/ r, + owner @{HOME}/.Private/** mrixwlk, + # new-style encrypted $HOME ++ owner @{HOMEDIRS}/.ecryptfs/*/.Private/ r, + owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk, +


Source: libgtk2-perl

libgtk2-perl (2:1.24993-1ubuntu2) focal; urgency=medium

  * No-change rebuild for the perl update.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 19 Oct 2019 10:47:51 +0000

libgtk2-perl (2:1.24993-1ubuntu1) eoan; urgency=medium

  * Sync with Debian. Remaining change:
    - Add new_gdk_pixbuf.patch:
      + Skip a test that is made invalid by the new gdk-pixbuf
        (the library errors out directly now on invalid xpm data)

 -- Jeremy Bicha <jbicha@ubuntu.com>  Mon, 16 Sep 2019 20:49:59 -0400

Modifications :
  1. Download patch debian/control

    --- 2:1.24993-1/debian/control 2019-09-16 13:56:26.000000000 +0000 +++ 2:1.24993-1ubuntu2/debian/control 2019-09-17 00:48:31.000000000 +0000 @@ -1,5 +1,6 @@ Source: libgtk2-perl -Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> Uploaders: gregor herrmann <gregoa@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, intrigeri <intrigeri@debian.org>
  2. Download patch debian/patches/new_gdk_pixbuf.patch

    --- 2:1.24993-1/debian/patches/new_gdk_pixbuf.patch 1970-01-01 00:00:00.000000000 +0000 +++ 2:1.24993-1ubuntu2/debian/patches/new_gdk_pixbuf.patch 2019-09-17 00:48:31.000000000 +0000 @@ -0,0 +1,23 @@ +# Description: skip a test that is made invalid by the new gdk-pixbuf +# Upstream: https://gitlab.gnome.org/GNOME/perl-gtk2/issues/3 +# +Index: libgtk2-perl-1.24992/t/GdkPixbuf.t +=================================================================== +--- libgtk2-perl-1.24992.orig/t/GdkPixbuf.t ++++ libgtk2-perl-1.24992/t/GdkPixbuf.t +@@ -123,9 +123,12 @@ my $log = Glib::Log->set_handler ('GdkPi + $pixbuf = Gtk2::Gdk::Pixbuf->new_from_xpm_data (@test_xpm[0..2]); + ok (! defined ($pixbuf), "Don't crash on broken pixmap data"); + $pixbuf = Gtk2::Gdk::Pixbuf->new_from_xpm_data (@test_xpm[0..5]); +-ok (defined $pixbuf, "Don't crash on partial pixmap data"); +-Glib::Log->remove_handler ('GdkPixbuf', $log); +- ++SKIP: { ++ skip 'new gdk-pixbuf error out on invalid xpm', 1; ++ ++ ok (defined $pixbuf, "Don't crash on partial pixmap data"); ++ Glib::Log->remove_handler ('GdkPixbuf', $log); ++} + + # raw pixel values to make the xpm above + my $rawdata = pack 'C*',
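
Review bot: `Glib::Log->remove_handler ('GdkPixbuf', $log);` has been moved inside the `SKIP:` block, after an unconditional `skip`. Because `skip` leaves the block immediately, the log handler installed above is never removed and stays active for the rest of the test file. Keep only the `ok (defined $pixbuf, "Don't crash on partial pixmap data");` line inside the block and leave `remove_handler` after it. Since the skip applies to every gdk-pixbuf version, consider making it conditional on the library version so the check still runs where it is valid.
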
  3. Download patch debian/patches/series

    --- 2:1.24993-1/debian/patches/series 2019-09-16 13:56:26.000000000 +0000 +++ 2:1.24993-1ubuntu2/debian/patches/series 2019-09-17 00:48:31.000000000 +0000 @@ -1,3 +1,4 @@ 30-disable_libgtk_version_check.patch fix-typo.patch Add-debug-output-in-test-that-failed-on-powerpc-t-GdkPixb.patch +new_gdk_pixbuf.patch


Source: libotr

libotr (4.1.1-3ubuntu1) focal; urgency=medium

  * Fix test_auth failure on riscv64. It was a buggy test that only worked
    on other architectures by coincidence. Patch from the Debian BTS.

 -- William Grant <wgrant@ubuntu.com>  Mon, 13 Apr 2020 12:41:49 +1000

Modifications :
  1. Download patch debian/control

    --- 4.1.1-3/debian/control 2018-10-27 14:31:51.000000000 +0000 +++ 4.1.1-3ubuntu1/debian/control 2020-04-13 02:41:49.000000000 +0000 @@ -1,5 +1,6 @@ Source: libotr -Maintainer: Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org> +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org> Uploaders: intrigeri <intrigeri@debian.org>, Micah Anderson <micah@debian.org> Section: libs
  2. Download patch debian/patches/series

    --- 4.1.1-3/debian/patches/series 2018-10-27 14:31:51.000000000 +0000 +++ 4.1.1-3ubuntu1/debian/patches/series 2020-04-13 02:37:59.000000000 +0000 @@ -1,3 +1,4 @@ 0001-Do-not-error-out-when-an-application-is-run-against-.patch 0003-Disable-tests-that-fail-because-we-disable-the-API-v.patch 0004-Suggest-pidgin-otr-to-Debian-and-Ubuntu-users-who-ha.patch +0005-fix-test_auth.patch
  3. Download patch debian/patches/0005-fix-test_auth.patch

    --- 4.1.1-3/debian/patches/0005-fix-test_auth.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.1.1-3ubuntu1/debian/patches/0005-fix-test_auth.patch 2020-04-13 02:41:46.000000000 +0000 @@ -0,0 +1,16 @@ +Author: Aurelien Jarno <aurel32@debian.org> +Subject: Fix test_auth failure on riscv64 +Origin: other, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932927 + +Index: libotr-4.1.1/tests/unit/test_auth.c +=================================================================== +--- libotr-4.1.1.orig/tests/unit/test_auth.c ++++ libotr-4.1.1/tests/unit/test_auth.c +@@ -67,6 +67,7 @@ static void test_auth_clear(void) + OtrlAuthInfo *auth = &ctx.auth; + + /* API call. */ ++ otrl_auth_new(&ctx); + otrl_auth_clear(auth); + + ok(auth->authstate == OTRL_AUTHSTATE_NONE &&
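
Review bot: the patch header does not say what was wrong with the test. The hunk adds `otrl_auth_new(&ctx);` before `otrl_auth_clear(auth);`, which implies the test was clearing an auth structure that had never been initialised, but only the changelog ("only worked on other architectures by coincidence") hints at that. Put the root cause in a Description field and reference bug 932927 with a Bug-Debian field so the patch explains itself. It is also worth checking whether the other tests in test_auth.c that work on `&ctx.auth` initialise it the same way.
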