UBUNTU: Ubuntu-unstable-6.7.0-4.4

Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
2024-01-02 14:57:21 +01:00
parent 20a4909cdc
commit b2fe2970a5
1 changed files with 169 additions and 5 deletions
@@ -1,14 +1,178 @@
-linux-unstable (6.7.0-4.4) UNRELEASED; urgency=medium
+linux-unstable (6.7.0-4.4) noble; urgency=medium

-  CHANGELOG: Do not edit directly. Autogenerated at release.
-  CHANGELOG: Use the printchanges target to see the curent changes.
-  CHANGELOG: Use the insertchanges target to create the final log.
+  * noble/linux-unstable: 6.7.0-4.4 -proposed tracker (LP: #2047807)
+
+  * unconfined profile denies userns_create for chromium based processes
+    (LP: #1990064)
+    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS
+
+  * apparmor restricts read access of user namespace mediation sysctls to root
+    (LP: #2040194)
+    - SAUCE: apparmor4.0.0 [69/69]: apparmor: open userns related sysctl so lxc
+      can check if restriction are in place
+
+  * AppArmor spams kernel log with assert when auditing (LP: #2040192)
+    - SAUCE: apparmor4.0.0 [68/69]: apparmor: fix request field from a prompt
+      reply that denies all access
+
+  * apparmor notification files verification (LP: #2040250)
+    - SAUCE: apparmor4.0.0 [67/69]: apparmor: fix notification header size
+
+  * apparmor oops when racing to retrieve a notification (LP: #2040245)
+    - SAUCE: apparmor4.0.0 [66/69]: apparmor: fix oops when racing to retrieve
+      notification
+
+  * update apparmor and LSM stacking patch set (LP: #2028253)
+    - SAUCE: apparmor4.0.0 [01/69]: add/use fns to print hash string hex value
+    - SAUCE: apparmor4.0.0 [02/69]: patch to provide compatibility with v2.x net
+      rules
+    - SAUCE: apparmor4.0.0 [03/69]: add unpriviled user ns mediation
+    - SAUCE: apparmor4.0.0 [04/69]: Add sysctls for additional controls of unpriv
+      userns restrictions
+    - SAUCE: apparmor4.0.0 [05/69]: af_unix mediation
+    - SAUCE: apparmor4.0.0 [06/69]: Add fine grained mediation of posix mqueues
+    - SAUCE: apparmor4.0.0 [07/69]: Stacking v38: LSM: Identify modules by more
+      than name
+    - SAUCE: apparmor4.0.0 [08/69]: Stacking v38: LSM: Add an LSM identifier for
+      external use
+    - SAUCE: apparmor4.0.0 [09/69]: Stacking v38: LSM: Identify the process
+      attributes for each module
+    - SAUCE: apparmor4.0.0 [10/69]: Stacking v38: LSM: Maintain a table of LSM
+      attribute data
+    - SAUCE: apparmor4.0.0 [11/69]: Stacking v38: proc: Use lsmids instead of lsm
+      names for attrs
+    - SAUCE: apparmor4.0.0 [12/69]: Stacking v38: integrity: disassociate
+      ima_filter_rule from security_audit_rule
+    - SAUCE: apparmor4.0.0 [13/69]: Stacking v38: LSM: Infrastructure management
+      of the sock security
+    - SAUCE: apparmor4.0.0 [14/69]: Stacking v38: LSM: Add the lsmblob data
+      structure.
+    - SAUCE: apparmor4.0.0 [15/69]: Stacking v38: LSM: provide lsm name and id
+      slot mappings
+    - SAUCE: apparmor4.0.0 [16/69]: Stacking v38: IMA: avoid label collisions with
+      stacked LSMs
+    - SAUCE: apparmor4.0.0 [17/69]: Stacking v38: LSM: Use lsmblob in
+      security_audit_rule_match
+    - SAUCE: apparmor4.0.0 [18/69]: Stacking v38: LSM: Use lsmblob in
+      security_kernel_act_as
+    - SAUCE: apparmor4.0.0 [19/69]: Stacking v38: LSM: Use lsmblob in
+      security_secctx_to_secid
+    - SAUCE: apparmor4.0.0 [20/69]: Stacking v38: LSM: Use lsmblob in
+      security_secid_to_secctx
+    - SAUCE: apparmor4.0.0 [21/69]: Stacking v38: LSM: Use lsmblob in
+      security_ipc_getsecid
+    - SAUCE: apparmor4.0.0 [22/69]: Stacking v38: LSM: Use lsmblob in
+      security_current_getsecid
+    - SAUCE: apparmor4.0.0 [23/69]: Stacking v38: LSM: Use lsmblob in
+      security_inode_getsecid
+    - SAUCE: apparmor4.0.0 [24/69]: Stacking v38: LSM: Use lsmblob in
+      security_cred_getsecid
+    - SAUCE: apparmor4.0.0 [25/69]: Stacking v38: LSM: Specify which LSM to
+      display
+    - SAUCE: apparmor4.0.0 [27/69]: Stacking v38: LSM: Ensure the correct LSM
+      context releaser
+    - SAUCE: apparmor4.0.0 [28/69]: Stacking v38: LSM: Use lsmcontext in
+      security_secid_to_secctx
+    - SAUCE: apparmor4.0.0 [29/69]: Stacking v38: LSM: Use lsmcontext in
+      security_inode_getsecctx
+    - SAUCE: apparmor4.0.0 [30/69]: Stacking v38: Use lsmcontext in
+      security_dentry_init_security
+    - SAUCE: apparmor4.0.0 [31/69]: Stacking v38: LSM: security_secid_to_secctx in
+      netlink netfilter
+    - SAUCE: apparmor4.0.0 [32/69]: Stacking v38: NET: Store LSM netlabel data in
+      a lsmblob
+    - SAUCE: apparmor4.0.0 [33/69]: Stacking v38: binder: Pass LSM identifier for
+      confirmation
+    - SAUCE: apparmor4.0.0 [34/69]: Stacking v38: LSM: security_secid_to_secctx
+      module selection
+    - SAUCE: apparmor4.0.0 [35/69]: Stacking v38: Audit: Keep multiple LSM data in
+      audit_names
+    - SAUCE: apparmor4.0.0 [36/69]: Stacking v38: Audit: Create audit_stamp
+      structure
+    - SAUCE: apparmor4.0.0 [37/69]: Stacking v38: LSM: Add a function to report
+      multiple LSMs
+    - SAUCE: apparmor4.0.0 [38/69]: Stacking v38: Audit: Allow multiple records in
+      an audit_buffer
+    - SAUCE: apparmor4.0.0 [39/69]: Stacking v38: Audit: Add record for multiple
+      task security contexts
+    - SAUCE: apparmor4.0.0 [40/69]: Stacking v38: audit: multiple subject lsm
+      values for netlabel
+    - SAUCE: apparmor4.0.0 [41/69]: Stacking v38: Audit: Add record for multiple
+      object contexts
+    - SAUCE: apparmor4.0.0 [42/69]: Stacking v38: netlabel: Use a struct lsmblob
+      in audit data
+    - SAUCE: apparmor4.0.0 [43/69]: Stacking v38: LSM: Removed scaffolding
+      function lsmcontext_init
+    - SAUCE: apparmor4.0.0 [44/69]: Stacking v38: AppArmor: Remove the exclusive
+      flag
+    - SAUCE: apparmor4.0.0 [45/69]: setup slab cache for audit data
+    - SAUCE: apparmor4.0.0 [46/69]: Improve debug print infrastructure
+    - SAUCE: apparmor4.0.0 [47/69]: add the ability for profiles to have a
+      learning cache
+    - SAUCE: apparmor4.0.0 [48/69]: enable userspace upcall for mediation
+    - SAUCE: apparmor4.0.0 [49/69]: prompt - lock down prompt interface
+    - SAUCE: apparmor4.0.0 [50/69]: prompt - allow controlling of caching of a
+      prompt response
+    - SAUCE: apparmor4.0.0 [51/69]: prompt - add refcount to audit_node in prep or
+      reuse and delete
+    - SAUCE: apparmor4.0.0 [52/69]: prompt - refactor to moving caching to
+      uresponse
+    - SAUCE: apparmor4.0.0 [53/69]: prompt - Improve debug statements
+    - SAUCE: apparmor4.0.0 [54/69]: prompt - fix caching
+    - SAUCE: apparmor4.0.0 [55/69]: prompt - rework build to use append fn, to
+      simplify adding strings
+    - SAUCE: apparmor4.0.0 [56/69]: prompt - refcount notifications
+    - SAUCE: apparmor4.0.0 [57/69]: prompt - add the ability to reply with a
+      profile name
+    - SAUCE: apparmor4.0.0 [58/69]: prompt - fix notification cache when updating
+    - SAUCE: apparmor4.0.0 [59/69]: prompt - add tailglob on name for cache
+      support
+    - SAUCE: apparmor4.0.0 [60/69]: prompt - allow profiles to set prompts as
+      interruptible
+    - SAUCE: apparmor4.0.0 [64/69]: advertise disconnected.path is available
+    - SAUCE: apparmor4.0.0 [65/69]: add io_uring mediation
+
+  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]
+    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic
+    (LP: #2032602)
+    - SAUCE: apparmor4.0.0 [61/69]: prompt - add support for advanced filtering of
+      notifications
+    - SAUCE: apparmor4.0.0 [62/69]: userns - add the ability to reference a global
+      variable for a feature value
+    - SAUCE: apparmor4.0.0 [63/69]: userns - make it so special unconfined
+      profiles can mediate user namespaces
+
+  * udev fails to make prctl() syscall with apparmor=0 (as used by maas by
+    default) (LP: #2016908) // update apparmor and LSM stacking patch set
+    (LP: #2028253)
+    - SAUCE: apparmor4.0.0 [26/69]: Stacking v38: Fix prctl() syscall with
+      apparmor=0
+
+  * Fix RPL-U CPU C-state always keep at C3 when system run PHM with idle screen
+    on (LP: #2042385)
+    - SAUCE: r8169: Add quirks to enable ASPM on Dell platforms
+
+  * [Debian] autoreconstruct - Do not generate chmod -x for deleted  files
+    (LP: #2045562)
+    - [Debian] autoreconstruct - Do not generate chmod -x for deleted files
+
+  * Disable Legacy TIOCSTI (LP: #2046192)
+    - [Config]: disable CONFIG_LEGACY_TIOCSTI
+
+  * Packaging resync (LP: #1786013)
+    - [Packaging] update variants
+    - [Packaging] remove helper scripts
+    - [Packaging] update annotations scripts
+
+  * Miscellaneous Ubuntu changes
+    - [Packaging] rules: Remove unused dkms make variables
+    - [Config] update annotations after rebase to v6.7-rc8

  [ Upstream Kernel Changes ]

  * Rebase to v6.7-rc8

- -- Andrea Righi <andrea.righi@canonical.com>  Tue, 02 Jan 2024 10:57:36 +0100
+ -- Andrea Righi <andrea.righi@canonical.com>  Tue, 02 Jan 2024 14:57:21 +0100

 linux-unstable (6.7.0-3.3) noble; urgency=medium