-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 30 Mar 2019 13:23:11 +0000 Source: apparmor Architecture: source Version: 2.13.2-10 Distribution: unstable Urgency: medium Maintainer: Debian AppArmor Team <pkg-apparmor-t...@lists.alioth.debian.org> Changed-By: intrigeri <intrig...@debian.org> Closes: 922378 923273 Changes: apparmor (2.13.2-10) unstable; urgency=medium . * Don't load AppArmor policy when running in a Debian Live environment that uses overlayfs (Closes: #922378). Rationale: the storage stack set up by live-boot with overlayfs is not supported by our AppArmor policy at the moment, resulting in breakage of confined software such as Evince and LibreOffice. * Ship nvidia_modprobe in enforce mode (Closes: #923273). - Rationale: as explained by Seth Arnold <seth.arn...@canonical.com> on #923273#32, profiles in complain mode can chew up essentially unlimited amounts of non-swappable kernel memory and huge amounts of IO bandwidth logging ALLOWED messages, which can in turn use large amounts of storage. This is why Ubuntu has applied this change already for their upcoming release. - Scope of this change: in Buster, this profile is used in one single place — the usr.lib.libreoffice.program.soffice.bin profile — for which it was developed and tested in the first place. So the risk and potential problematic impact of this change seems pretty low. * Cherry-pick the most important and non-invasive fixes from the upstream apparmor-2.13 maintenance branch: - base abstraction: allow mr on *.so* in common library paths, i.e. don't assume all common libraries' name starts with "lib". At the very least, this fixes Qt5 applications under some VirtualBox graphics configuration, where otherwise they would not start at all (Closes: Tails#16414). Upstream commits: 8dff7dc, 08f9d16 - Fix 2 segfaults spotted upstream while writing automated tests for the multicache support (upstream MR!348): · in overlaydirat_for_each, segfault caused by repeatedly freeing the same memory area; · when loading policy cache files, due to incorrect size passed to qsort(). Upstream commits: 5704fba, 01aec04 Checksums-Sha1: a9013217c60d28cfbe13d7520ba577bb7e7c8dcb 3370 apparmor_2.13.2-10.dsc 5ca751a41ecbbf10d661af93619708ba966f90f3 106724 apparmor_2.13.2-10.debian.tar.xz 2167d38451ffc09d477f9776f36a8a2dc1f39648 12688 apparmor_2.13.2-10_amd64.buildinfo Checksums-Sha256: 743547b3a693f0873f02860a5df8ec909544f9f7f54e97899ee0cb5bec518c60 3370 apparmor_2.13.2-10.dsc 2777537b493f5e3aea89aa41ba9e7664615d3e36be2d87d5ddc63bd9c1f4bc43 106724 apparmor_2.13.2-10.debian.tar.xz cd7162a0107ec56b11e04be917888fa9bcaec9b557d6e3c9678cb00ca57327cc 12688 apparmor_2.13.2-10_amd64.buildinfo Files: 3c672555c361f8ef2bfc0b82663db815 3370 admin optional apparmor_2.13.2-10.dsc e502da89e89963573abc5198c2cb35f1 106724 admin optional apparmor_2.13.2-10.debian.tar.xz f86cb90f05b76c8da1e90e9c15b6d3a4 12688 admin optional apparmor_2.13.2-10_amd64.buildinfo
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEHRt1x6SY9ZXd6PxEAfr306of05kFAlyfd2cACgkQAfr306of 05n4NBAApGRMDMQAAUjGu805TjD70ckwL7fj2BvI0FcFFTv6SFs9vNUuAz1E8pUl rXVbnohRGcgGWNDeZXjA6bv/CKZ5nP4W6iN7h7/bBGokDXiKw7Ohq95fsxZPxh+Q ht6elr/78wjNYexw+MtZeu1V0FEzL2HB4fwvJR7NWVrZJPRpkyouQKaNdBSuHBo6 dVOLC4AeQKv2ry431CMoIlJdAWyUCen3uscSbXZs1aNbOVJeM8CnJO/FSv1AvcM2 PVQD8XV+zYlsQUnRY0zmxXfWSAkSb1YaYrfhkuTxjpDVno5b+6ANmd7WUrAQ4iSj VF5MzzhElNngiicWmyYBfs+PYf3hiTJJhJ97cIWMs4b4GB2V5n1KFpLGYRclf1Dn xnQ+JhWmK1X6QSLbYzVNCh6TXGAnBSeG8vgYTMuSsvv3DcFksREQ9QCsXdISJUso nV9G3LroD2g2D0oip8BEst9leBhpHoVgk4wOz1pASjd0ILERyGp2AHuouZbmYJhj tOcAU+Qd3wx/9ofxdAXzt3hj4uQnaz3EfhGE5UCk/y2MIwD/8V5EttRFg3bATdrT KYRmhBk64u/ylLhHioIXyrzGeHRoqPJAt3VA3QXMcDpBN3FZNAxevrp4WagMbODg tYljovaXPLXrdNv6Wdg3j0lhqNk4JSAQvcbnex6RNKd6I0XdLkg= =7V6j -----END PGP SIGNATURE-----