diff --git a/debian.master/changelog b/debian.master/changelog index 4d564533cab7..49184e648888 100644 --- a/debian.master/changelog +++ b/debian.master/changelog @@ -1,10 +1,183 @@ -linux-unstable (6.6.0-9.9) UNRELEASED; urgency=medium +linux-unstable (6.6.0-9.9) mantic; urgency=medium - CHANGELOG: Do not edit directly. Autogenerated at release. - CHANGELOG: Use the printchanges target to see the curent changes. - CHANGELOG: Use the insertchanges target to create the final log. + * mantic/linux-unstable: 6.6.0-9.9 -proposed tracker (LP: #2041852) - -- Paolo Pisati Thu, 02 Nov 2023 16:02:19 +0100 + * Switch IMA default hash to sha256 (LP: #2041735) + - [Config] Switch IMA_DEFAULT_HASH from sha1 to sha256 + + * apparmor restricts read access of user namespace mediation sysctls to root + (LP: #2040194) + - SAUCE: apparmor4.0.0 [82/82]: apparmor: open userns related sysctl so lxc + can check if restriction are in place + + * AppArmor spams kernel log with assert when auditing (LP: #2040192) + - SAUCE: apparmor4.0.0 [81/82]: apparmor: fix request field from a prompt + reply that denies all access + + * apparmor notification files verification (LP: #2040250) + - SAUCE: apparmor4.0.0 [80/82]: apparmor: fix notification header size + + * apparmor oops when racing to retrieve a notification (LP: #2040245) + - SAUCE: apparmor4.0.0 [79/82]: apparmor: fix oops when racing to retrieve + notification + + * Disable restricting unprivileged change_profile by default, due to LXD + latest/stable not yet compatible with this new apparmor feature + (LP: #2038567) + - SAUCE: apparmor4.0.0 [78/82]: apparmor: Make + apparmor_restrict_unprivileged_unconfined opt-in + + * update apparmor and LSM stacking patch set (LP: #2028253) + - SAUCE: apparmor4.0.0 [01/82]: add/use fns to print hash string hex value + - SAUCE: apparmor4.0.0 [02/82]: rename SK_CTX() to aa_sock and make it an + inline fn + - SAUCE: apparmor4.0.0 [03/82]: patch to provide compatibility with v2.x net + rules + - SAUCE: apparmor4.0.0 [04/82]: add user namespace creation mediation + - SAUCE: apparmor4.0.0 [05/82]: Add sysctls for additional controls of unpriv + userns restrictions + - SAUCE: apparmor4.0.0 [06/82]: af_unix mediation + - SAUCE: apparmor4.0.0 [07/82]: Add fine grained mediation of posix mqueues + - SAUCE: apparmor4.0.0 [08/82]: Stacking v38: LSM: Identify modules by more + than name + - SAUCE: apparmor4.0.0 [09/82]: Stacking v38: LSM: Add an LSM identifier for + external use + - SAUCE: apparmor4.0.0 [10/82]: Stacking v38: LSM: Identify the process + attributes for each module + - SAUCE: apparmor4.0.0 [11/82]: Stacking v38: LSM: Maintain a table of LSM + attribute data + - SAUCE: apparmor4.0.0 [12/82]: Stacking v38: proc: Use lsmids instead of lsm + names for attrs + - SAUCE: apparmor4.0.0 [13/82]: Stacking v38: integrity: disassociate + ima_filter_rule from security_audit_rule + - SAUCE: apparmor4.0.0 [14/82]: Stacking v38: LSM: Infrastructure management + of the sock security + - SAUCE: apparmor4.0.0 [15/82]: Stacking v38: LSM: Add the lsmblob data + structure. + - SAUCE: apparmor4.0.0 [16/82]: Stacking v38: LSM: provide lsm name and id + slot mappings + - SAUCE: apparmor4.0.0 [17/82]: Stacking v38: IMA: avoid label collisions with + stacked LSMs + - SAUCE: apparmor4.0.0 [18/82]: Stacking v38: LSM: Use lsmblob in + security_audit_rule_match + - SAUCE: apparmor4.0.0 [19/82]: Stacking v38: LSM: Use lsmblob in + security_kernel_act_as + - SAUCE: apparmor4.0.0 [20/82]: Stacking v38: LSM: Use lsmblob in + security_secctx_to_secid + - SAUCE: apparmor4.0.0 [21/82]: Stacking v38: LSM: Use lsmblob in + security_secid_to_secctx + - SAUCE: apparmor4.0.0 [22/82]: Stacking v38: LSM: Use lsmblob in + security_ipc_getsecid + - SAUCE: apparmor4.0.0 [23/82]: Stacking v38: LSM: Use lsmblob in + security_current_getsecid + - SAUCE: apparmor4.0.0 [24/82]: Stacking v38: LSM: Use lsmblob in + security_inode_getsecid + - SAUCE: apparmor4.0.0 [25/82]: Stacking v38: LSM: Use lsmblob in + security_cred_getsecid + - SAUCE: apparmor4.0.0 [26/82]: Stacking v38: LSM: Specify which LSM to + display + - SAUCE: apparmor4.0.0 [28/82]: Stacking v38: LSM: Ensure the correct LSM + context releaser + - SAUCE: apparmor4.0.0 [29/82]: Stacking v38: LSM: Use lsmcontext in + security_secid_to_secctx + - SAUCE: apparmor4.0.0 [30/82]: Stacking v38: LSM: Use lsmcontext in + security_inode_getsecctx + - SAUCE: apparmor4.0.0 [31/82]: Stacking v38: Use lsmcontext in + security_dentry_init_security + - SAUCE: apparmor4.0.0 [32/82]: Stacking v38: LSM: security_secid_to_secctx in + netlink netfilter + - SAUCE: apparmor4.0.0 [33/82]: Stacking v38: NET: Store LSM netlabel data in + a lsmblob + - SAUCE: apparmor4.0.0 [34/82]: Stacking v38: binder: Pass LSM identifier for + confirmation + - SAUCE: apparmor4.0.0 [35/82]: Stacking v38: LSM: security_secid_to_secctx + module selection + - SAUCE: apparmor4.0.0 [36/82]: Stacking v38: Audit: Keep multiple LSM data in + audit_names + - SAUCE: apparmor4.0.0 [37/82]: Stacking v38: Audit: Create audit_stamp + structure + - SAUCE: apparmor4.0.0 [38/82]: Stacking v38: LSM: Add a function to report + multiple LSMs + - SAUCE: apparmor4.0.0 [39/82]: Stacking v38: Audit: Allow multiple records in + an audit_buffer + - SAUCE: apparmor4.0.0 [40/82]: Stacking v38: Audit: Add record for multiple + task security contexts + - SAUCE: apparmor4.0.0 [41/82]: Stacking v38: audit: multiple subject lsm + values for netlabel + - SAUCE: apparmor4.0.0 [42/82]: Stacking v38: Audit: Add record for multiple + object contexts + - SAUCE: apparmor4.0.0 [43/82]: Stacking v38: netlabel: Use a struct lsmblob + in audit data + - SAUCE: apparmor4.0.0 [44/82]: Stacking v38: LSM: Removed scaffolding + function lsmcontext_init + - SAUCE: apparmor4.0.0 [45/82]: Stacking v38: AppArmor: Remove the exclusive + flag + - SAUCE: apparmor4.0.0 [46/82]: combine common_audit_data and + apparmor_audit_data + - SAUCE: apparmor4.0.0 [47/82]: setup slab cache for audit data + - SAUCE: apparmor4.0.0 [48/82]: rename audit_data->label to + audit_data->subj_label + - SAUCE: apparmor4.0.0 [49/82]: pass cred through to audit info. + - SAUCE: apparmor4.0.0 [50/82]: Improve debug print infrastructure + - SAUCE: apparmor4.0.0 [51/82]: add the ability for profiles to have a + learning cache + - SAUCE: apparmor4.0.0 [52/82]: enable userspace upcall for mediation + - SAUCE: apparmor4.0.0 [53/82]: cache buffers on percpu list if there is lock + contention + - SAUCE: apparmor4.0.0 [54/82]: advertise availability of exended perms + - SAUCE: apparmor4.0.0 [56/82]: cleanup: provide separate audit messages for + file and policy checks + - SAUCE: apparmor4.0.0 [57/82]: prompt - lock down prompt interface + - SAUCE: apparmor4.0.0 [58/82]: prompt - ref count pdb + - SAUCE: apparmor4.0.0 [59/82]: prompt - allow controlling of caching of a + prompt response + - SAUCE: apparmor4.0.0 [60/82]: prompt - add refcount to audit_node in prep or + reuse and delete + - SAUCE: apparmor4.0.0 [61/82]: prompt - refactor to moving caching to + uresponse + - SAUCE: apparmor4.0.0 [62/82]: prompt - Improve debug statements + - SAUCE: apparmor4.0.0 [63/82]: prompt - fix caching + - SAUCE: apparmor4.0.0 [64/82]: prompt - rework build to use append fn, to + simplify adding strings + - SAUCE: apparmor4.0.0 [65/82]: prompt - refcount notifications + - SAUCE: apparmor4.0.0 [66/82]: prompt - add the ability to reply with a + profile name + - SAUCE: apparmor4.0.0 [67/82]: prompt - fix notification cache when updating + - SAUCE: apparmor4.0.0 [68/82]: prompt - add tailglob on name for cache + support + - SAUCE: apparmor4.0.0 [69/82]: prompt - allow profiles to set prompts as + interruptible + - SAUCE: apparmor4.0.0 [74/82]: advertise disconnected.path is available + - SAUCE: apparmor4.0.0 [75/82]: fix invalid reference on profile->disconnected + - SAUCE: apparmor4.0.0 [76/82]: add io_uring mediation + - SAUCE: apparmor4.0.0 [77/82]: apparmor: Fix regression in mount mediation + + * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe] + apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic + (LP: #2032602) + - SAUCE: apparmor4.0.0 [70/82]: prompt - add support for advanced filtering of + notifications + - SAUCE: apparmor4.0.0 [71/82]: userns - add the ability to reference a global + variable for a feature value + - SAUCE: apparmor4.0.0 [72/82]: userns - make it so special unconfined + profiles can mediate user namespaces + - SAUCE: apparmor4.0.0 [73/82]: userns - allow restricting unprivileged + change_profile + + * LSM stacking and AppArmor for 6.2: additional fixes (LP: #2017903) // update + apparmor and LSM stacking patch set (LP: #2028253) + - SAUCE: apparmor4.0.0 [55/82]: fix profile verification and enable it + + * udev fails to make prctl() syscall with apparmor=0 (as used by maas by + default) (LP: #2016908) // update apparmor and LSM stacking patch set + (LP: #2028253) + - SAUCE: apparmor4.0.0 [27/82]: Stacking v38: Fix prctl() syscall with + apparmor=0 + + * Miscellaneous Ubuntu changes + - [Config] SECURITY_APPARMOR_RESTRICT_USERNS=y + + -- Paolo Pisati Fri, 03 Nov 2023 11:59:12 +0100 linux-unstable (6.6.0-8.8) mantic; urgency=medium diff --git a/debian.master/reconstruct b/debian.master/reconstruct index ca916d098dab..fcb5bd1a70e2 100644 --- a/debian.master/reconstruct +++ b/debian.master/reconstruct @@ -1 +1,54 @@ +# Recreate any symlinks created since the orig. +# Remove any files deleted from the orig. +rm -f 'include/linux/ceph/mdsmap.h' +chmod +x 'debian/cloud-tools/hv_get_dhcp_info' +chmod +x 'debian/cloud-tools/hv_get_dns_info' +chmod +x 'debian/cloud-tools/hv_set_ifconfig' +chmod +x 'debian/rules' +chmod +x 'debian/scripts/checks/abi-check' +chmod +x 'debian/scripts/checks/final-checks' +chmod +x 'debian/scripts/checks/module-check' +chmod +x 'debian/scripts/checks/module-signature-check' +chmod +x 'debian/scripts/checks/retpoline-check' +chmod +x 'debian/scripts/control-create' +chmod +x 'debian/scripts/dkms-build' +chmod +x 'debian/scripts/dkms-build--nvidia-N' +chmod +x 'debian/scripts/dkms-build-configure--zfs' +chmod +x 'debian/scripts/file-downloader' +chmod +x 'debian/scripts/helpers/close' +chmod +x 'debian/scripts/helpers/open' +chmod +x 'debian/scripts/helpers/rebase' +chmod +x 'debian/scripts/link-headers' +chmod +x 'debian/scripts/link-lib-rust' +chmod +x 'debian/scripts/misc/annotations' +chmod +x 'debian/scripts/misc/arch-has-odm-enabled.sh' +chmod +x 'debian/scripts/misc/find-missing-sauce.sh' +chmod +x 'debian/scripts/misc/fw-to-ihex.sh' +chmod +x 'debian/scripts/misc/gen-auto-reconstruct' +chmod +x 'debian/scripts/misc/getabis' +chmod +x 'debian/scripts/misc/git-ubuntu-log' +chmod +x 'debian/scripts/misc/insert-changes' +chmod +x 'debian/scripts/misc/insert-mainline-changes' +chmod +x 'debian/scripts/misc/insert-ubuntu-changes' +chmod +x 'debian/scripts/misc/kernelconfig' +chmod +x 'debian/scripts/misc/retag' +chmod +x 'debian/scripts/misc/sanitize-annotations' +chmod +x 'debian/scripts/misc/splitconfig.pl' +chmod +x 'debian/scripts/misc/update-aufs.sh' +chmod +x 'debian/scripts/module-inclusion' +chmod +x 'debian/scripts/retpoline-extract' +chmod +x 'debian/scripts/retpoline-extract-one' +chmod +x 'debian/scripts/sign-module' +chmod +x 'debian/templates/extra.postinst.in' +chmod +x 'debian/templates/extra.postrm.in' +chmod +x 'debian/templates/headers.postinst.in' +chmod +x 'debian/templates/image.postinst.in' +chmod +x 'debian/templates/image.postrm.in' +chmod +x 'debian/templates/image.preinst.in' +chmod +x 'debian/templates/image.prerm.in' +chmod +x 'debian/tests-build/check-aliases' +chmod +x 'debian/tests/rebuild' +chmod +x 'debian/tests/ubuntu-regression-suite' +chmod +x 'drivers/watchdog/f71808e_wdt.c' +chmod +x 'update-dkms-versions' exit 0