UBUNTU: Ubuntu-unstable-6.6.0-9.9

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
2023-11-03 11:59:13 +01:00
parent 03a7f106d1
commit 5584f0ccef
2 changed files with 231 additions and 5 deletions
@@ -1,10 +1,183 @@
-linux-unstable (6.6.0-9.9) UNRELEASED; urgency=medium
+linux-unstable (6.6.0-9.9) mantic; urgency=medium

-  CHANGELOG: Do not edit directly. Autogenerated at release.
-  CHANGELOG: Use the printchanges target to see the curent changes.
-  CHANGELOG: Use the insertchanges target to create the final log.
+  * mantic/linux-unstable: 6.6.0-9.9 -proposed tracker (LP: #2041852)

- -- Paolo Pisati <paolo.pisati@canonical.com>  Thu, 02 Nov 2023 16:02:19 +0100
+  * Switch IMA default hash to sha256 (LP: #2041735)
+    - [Config] Switch IMA_DEFAULT_HASH from sha1 to sha256
+
+  * apparmor restricts read access of user namespace mediation sysctls to root
+    (LP: #2040194)
+    - SAUCE: apparmor4.0.0 [82/82]: apparmor: open userns related sysctl so lxc
+      can check if restriction are in place
+
+  * AppArmor spams kernel log with assert when auditing (LP: #2040192)
+    - SAUCE: apparmor4.0.0 [81/82]: apparmor: fix request field from a prompt
+      reply that denies all access
+
+  * apparmor notification files verification (LP: #2040250)
+    - SAUCE: apparmor4.0.0 [80/82]: apparmor: fix notification header size
+
+  * apparmor oops when racing to retrieve a notification (LP: #2040245)
+    - SAUCE: apparmor4.0.0 [79/82]: apparmor: fix oops when racing to retrieve
+      notification
+
+  * Disable restricting unprivileged change_profile by default, due to LXD
+    latest/stable not yet compatible with this new apparmor feature
+    (LP: #2038567)
+    - SAUCE: apparmor4.0.0 [78/82]: apparmor: Make
+      apparmor_restrict_unprivileged_unconfined opt-in
+
+  * update apparmor and LSM stacking patch set (LP: #2028253)
+    - SAUCE: apparmor4.0.0 [01/82]: add/use fns to print hash string hex value
+    - SAUCE: apparmor4.0.0 [02/82]: rename SK_CTX() to aa_sock and make it an
+      inline fn
+    - SAUCE: apparmor4.0.0 [03/82]: patch to provide compatibility with v2.x net
+      rules
+    - SAUCE: apparmor4.0.0 [04/82]: add user namespace creation mediation
+    - SAUCE: apparmor4.0.0 [05/82]: Add sysctls for additional controls of unpriv
+      userns restrictions
+    - SAUCE: apparmor4.0.0 [06/82]: af_unix mediation
+    - SAUCE: apparmor4.0.0 [07/82]: Add fine grained mediation of posix mqueues
+    - SAUCE: apparmor4.0.0 [08/82]: Stacking v38: LSM: Identify modules by more
+      than name
+    - SAUCE: apparmor4.0.0 [09/82]: Stacking v38: LSM: Add an LSM identifier for
+      external use
+    - SAUCE: apparmor4.0.0 [10/82]: Stacking v38: LSM: Identify the process
+      attributes for each module
+    - SAUCE: apparmor4.0.0 [11/82]: Stacking v38: LSM: Maintain a table of LSM
+      attribute data
+    - SAUCE: apparmor4.0.0 [12/82]: Stacking v38: proc: Use lsmids instead of lsm
+      names for attrs
+    - SAUCE: apparmor4.0.0 [13/82]: Stacking v38: integrity: disassociate
+      ima_filter_rule from security_audit_rule
+    - SAUCE: apparmor4.0.0 [14/82]: Stacking v38: LSM: Infrastructure management
+      of the sock security
+    - SAUCE: apparmor4.0.0 [15/82]: Stacking v38: LSM: Add the lsmblob data
+      structure.
+    - SAUCE: apparmor4.0.0 [16/82]: Stacking v38: LSM: provide lsm name and id
+      slot mappings
+    - SAUCE: apparmor4.0.0 [17/82]: Stacking v38: IMA: avoid label collisions with
+      stacked LSMs
+    - SAUCE: apparmor4.0.0 [18/82]: Stacking v38: LSM: Use lsmblob in
+      security_audit_rule_match
+    - SAUCE: apparmor4.0.0 [19/82]: Stacking v38: LSM: Use lsmblob in
+      security_kernel_act_as
+    - SAUCE: apparmor4.0.0 [20/82]: Stacking v38: LSM: Use lsmblob in
+      security_secctx_to_secid
+    - SAUCE: apparmor4.0.0 [21/82]: Stacking v38: LSM: Use lsmblob in
+      security_secid_to_secctx
+    - SAUCE: apparmor4.0.0 [22/82]: Stacking v38: LSM: Use lsmblob in
+      security_ipc_getsecid
+    - SAUCE: apparmor4.0.0 [23/82]: Stacking v38: LSM: Use lsmblob in
+      security_current_getsecid
+    - SAUCE: apparmor4.0.0 [24/82]: Stacking v38: LSM: Use lsmblob in
+      security_inode_getsecid
+    - SAUCE: apparmor4.0.0 [25/82]: Stacking v38: LSM: Use lsmblob in
+      security_cred_getsecid
+    - SAUCE: apparmor4.0.0 [26/82]: Stacking v38: LSM: Specify which LSM to
+      display
+    - SAUCE: apparmor4.0.0 [28/82]: Stacking v38: LSM: Ensure the correct LSM
+      context releaser
+    - SAUCE: apparmor4.0.0 [29/82]: Stacking v38: LSM: Use lsmcontext in
+      security_secid_to_secctx
+    - SAUCE: apparmor4.0.0 [30/82]: Stacking v38: LSM: Use lsmcontext in
+      security_inode_getsecctx
+    - SAUCE: apparmor4.0.0 [31/82]: Stacking v38: Use lsmcontext in
+      security_dentry_init_security
+    - SAUCE: apparmor4.0.0 [32/82]: Stacking v38: LSM: security_secid_to_secctx in
+      netlink netfilter
+    - SAUCE: apparmor4.0.0 [33/82]: Stacking v38: NET: Store LSM netlabel data in
+      a lsmblob
+    - SAUCE: apparmor4.0.0 [34/82]: Stacking v38: binder: Pass LSM identifier for
+      confirmation
+    - SAUCE: apparmor4.0.0 [35/82]: Stacking v38: LSM: security_secid_to_secctx
+      module selection
+    - SAUCE: apparmor4.0.0 [36/82]: Stacking v38: Audit: Keep multiple LSM data in
+      audit_names
+    - SAUCE: apparmor4.0.0 [37/82]: Stacking v38: Audit: Create audit_stamp
+      structure
+    - SAUCE: apparmor4.0.0 [38/82]: Stacking v38: LSM: Add a function to report
+      multiple LSMs
+    - SAUCE: apparmor4.0.0 [39/82]: Stacking v38: Audit: Allow multiple records in
+      an audit_buffer
+    - SAUCE: apparmor4.0.0 [40/82]: Stacking v38: Audit: Add record for multiple
+      task security contexts
+    - SAUCE: apparmor4.0.0 [41/82]: Stacking v38: audit: multiple subject lsm
+      values for netlabel
+    - SAUCE: apparmor4.0.0 [42/82]: Stacking v38: Audit: Add record for multiple
+      object contexts
+    - SAUCE: apparmor4.0.0 [43/82]: Stacking v38: netlabel: Use a struct lsmblob
+      in audit data
+    - SAUCE: apparmor4.0.0 [44/82]: Stacking v38: LSM: Removed scaffolding
+      function lsmcontext_init
+    - SAUCE: apparmor4.0.0 [45/82]: Stacking v38: AppArmor: Remove the exclusive
+      flag
+    - SAUCE: apparmor4.0.0 [46/82]: combine common_audit_data and
+      apparmor_audit_data
+    - SAUCE: apparmor4.0.0 [47/82]: setup slab cache for audit data
+    - SAUCE: apparmor4.0.0 [48/82]: rename audit_data->label to
+      audit_data->subj_label
+    - SAUCE: apparmor4.0.0 [49/82]: pass cred through to audit info.
+    - SAUCE: apparmor4.0.0 [50/82]: Improve debug print infrastructure
+    - SAUCE: apparmor4.0.0 [51/82]: add the ability for profiles to have a
+      learning cache
+    - SAUCE: apparmor4.0.0 [52/82]: enable userspace upcall for mediation
+    - SAUCE: apparmor4.0.0 [53/82]: cache buffers on percpu list if there is lock
+      contention
+    - SAUCE: apparmor4.0.0 [54/82]: advertise availability of exended perms
+    - SAUCE: apparmor4.0.0 [56/82]: cleanup: provide separate audit messages for
+      file and policy checks
+    - SAUCE: apparmor4.0.0 [57/82]: prompt - lock down prompt interface
+    - SAUCE: apparmor4.0.0 [58/82]: prompt - ref count pdb
+    - SAUCE: apparmor4.0.0 [59/82]: prompt - allow controlling of caching of a
+      prompt response
+    - SAUCE: apparmor4.0.0 [60/82]: prompt - add refcount to audit_node in prep or
+      reuse and delete
+    - SAUCE: apparmor4.0.0 [61/82]: prompt - refactor to moving caching to
+      uresponse
+    - SAUCE: apparmor4.0.0 [62/82]: prompt - Improve debug statements
+    - SAUCE: apparmor4.0.0 [63/82]: prompt - fix caching
+    - SAUCE: apparmor4.0.0 [64/82]: prompt - rework build to use append fn, to
+      simplify adding strings
+    - SAUCE: apparmor4.0.0 [65/82]: prompt - refcount notifications
+    - SAUCE: apparmor4.0.0 [66/82]: prompt - add the ability to reply with a
+      profile name
+    - SAUCE: apparmor4.0.0 [67/82]: prompt - fix notification cache when updating
+    - SAUCE: apparmor4.0.0 [68/82]: prompt - add tailglob on name for cache
+      support
+    - SAUCE: apparmor4.0.0 [69/82]: prompt - allow profiles to set prompts as
+      interruptible
+    - SAUCE: apparmor4.0.0 [74/82]: advertise disconnected.path is available
+    - SAUCE: apparmor4.0.0 [75/82]: fix invalid reference on profile->disconnected
+    - SAUCE: apparmor4.0.0 [76/82]: add io_uring mediation
+    - SAUCE: apparmor4.0.0 [77/82]: apparmor: Fix regression in mount mediation
+
+  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]
+    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic
+    (LP: #2032602)
+    - SAUCE: apparmor4.0.0 [70/82]: prompt - add support for advanced filtering of
+      notifications
+    - SAUCE: apparmor4.0.0 [71/82]: userns - add the ability to reference a global
+      variable for a feature value
+    - SAUCE: apparmor4.0.0 [72/82]: userns - make it so special unconfined
+      profiles can mediate user namespaces
+    - SAUCE: apparmor4.0.0 [73/82]: userns - allow restricting unprivileged
+      change_profile
+
+  * LSM stacking and AppArmor for 6.2: additional fixes (LP: #2017903) // update
+    apparmor and LSM stacking patch set (LP: #2028253)
+    - SAUCE: apparmor4.0.0 [55/82]: fix profile verification and enable it
+
+  * udev fails to make prctl() syscall with apparmor=0 (as used by maas by
+    default) (LP: #2016908) // update apparmor and LSM stacking patch set
+    (LP: #2028253)
+    - SAUCE: apparmor4.0.0 [27/82]: Stacking v38: Fix prctl() syscall with
+      apparmor=0
+
+  * Miscellaneous Ubuntu changes
+    - [Config] SECURITY_APPARMOR_RESTRICT_USERNS=y
+
+ -- Paolo Pisati <paolo.pisati@canonical.com>  Fri, 03 Nov 2023 11:59:12 +0100

 linux-unstable (6.6.0-8.8) mantic; urgency=medium

@@ -1 +1,54 @@
+# Recreate any symlinks created since the orig.
+# Remove any files deleted from the orig.
+rm -f 'include/linux/ceph/mdsmap.h'
+chmod +x 'debian/cloud-tools/hv_get_dhcp_info'
+chmod +x 'debian/cloud-tools/hv_get_dns_info'
+chmod +x 'debian/cloud-tools/hv_set_ifconfig'
+chmod +x 'debian/rules'
+chmod +x 'debian/scripts/checks/abi-check'
+chmod +x 'debian/scripts/checks/final-checks'
+chmod +x 'debian/scripts/checks/module-check'
+chmod +x 'debian/scripts/checks/module-signature-check'
+chmod +x 'debian/scripts/checks/retpoline-check'
+chmod +x 'debian/scripts/control-create'
+chmod +x 'debian/scripts/dkms-build'
+chmod +x 'debian/scripts/dkms-build--nvidia-N'
+chmod +x 'debian/scripts/dkms-build-configure--zfs'
+chmod +x 'debian/scripts/file-downloader'
+chmod +x 'debian/scripts/helpers/close'
+chmod +x 'debian/scripts/helpers/open'
+chmod +x 'debian/scripts/helpers/rebase'
+chmod +x 'debian/scripts/link-headers'
+chmod +x 'debian/scripts/link-lib-rust'
+chmod +x 'debian/scripts/misc/annotations'
+chmod +x 'debian/scripts/misc/arch-has-odm-enabled.sh'
+chmod +x 'debian/scripts/misc/find-missing-sauce.sh'
+chmod +x 'debian/scripts/misc/fw-to-ihex.sh'
+chmod +x 'debian/scripts/misc/gen-auto-reconstruct'
+chmod +x 'debian/scripts/misc/getabis'
+chmod +x 'debian/scripts/misc/git-ubuntu-log'
+chmod +x 'debian/scripts/misc/insert-changes'
+chmod +x 'debian/scripts/misc/insert-mainline-changes'
+chmod +x 'debian/scripts/misc/insert-ubuntu-changes'
+chmod +x 'debian/scripts/misc/kernelconfig'
+chmod +x 'debian/scripts/misc/retag'
+chmod +x 'debian/scripts/misc/sanitize-annotations'
+chmod +x 'debian/scripts/misc/splitconfig.pl'
+chmod +x 'debian/scripts/misc/update-aufs.sh'
+chmod +x 'debian/scripts/module-inclusion'
+chmod +x 'debian/scripts/retpoline-extract'
+chmod +x 'debian/scripts/retpoline-extract-one'
+chmod +x 'debian/scripts/sign-module'
+chmod +x 'debian/templates/extra.postinst.in'
+chmod +x 'debian/templates/extra.postrm.in'
+chmod +x 'debian/templates/headers.postinst.in'
+chmod +x 'debian/templates/image.postinst.in'
+chmod +x 'debian/templates/image.postrm.in'
+chmod +x 'debian/templates/image.preinst.in'
+chmod +x 'debian/templates/image.prerm.in'
+chmod +x 'debian/tests-build/check-aliases'
+chmod +x 'debian/tests/rebuild'
+chmod +x 'debian/tests/ubuntu-regression-suite'
+chmod +x 'drivers/watchdog/f71808e_wdt.c'
+chmod +x 'update-dkms-versions'
 exit 0