Pin features to the ones provided by Apertis kernels

Apertis kernels do support dbus, unix and (old-style) network mediation via extra apertis patches. Add those to the pinned feature for the apertis apparmor. This will cause the profile parser to upload profiles to the kernel with those features present, such that dbus/network/unix mediation is actually used. On top of that it seems that the Apertis kernel will deny usage of unix socket if those features aren't present in the loaded profiles (in principle it should detect the profile doesn't want to mediate unix, but for some reason that doesn't work as expected). Tested with a plain buster 4.19 kernel as well as the Apertis kernel to ensure this wouldn't cause issues on systems without extra apparmor patches, which does not seem to be the case. Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>

Pin features to the ones provided by Apertis kernels
06f0e949 · Sjoerd Simons · Ritesh Raj Sarraf · 83051f38 · 06f0e949 · 06f0e949
Unverified Commit 06f0e949 authored 6 years ago by Sjoerd Simons Committed by Ritesh Raj Sarraf 6 years ago
--- a/debian/features
+++ b/debian/features
@@ -6,6 +6,9 @@ perms {allow deny audit quiet
 }
 }
 }
+dbus {mask {acquire send receive
+}
+}
 signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch io pwr sys emt lost
 }
 }
@@ -28,6 +31,11 @@ profile {yes
 mount {mask {mount umount pivot_root
 }
 }
+network {af_unix {yes
+}
+af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
+}
+}
 network_v8 {af_mask {unspec unix inet ax25 ipx appletalk netrom bridge atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc rds sna irda pppox wanpipe llc ib mpls can tipc bluetooth iucv rxrpc isdn phonet ieee802154 caif alg nfc vsock kcm qipcrtr smc xdp
 }
 }

--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,7 +13,7 @@ debian/Enable-writing-cache.patch
 debian/Make-the-systemd-unit-a-no-op-in-containers-with-no-inter.patch
 debian-only/pin-feature-set.patch
 debian-only/aa-notify-point-to-Debian-documentation.patch
-debian-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch
+#debian-only/Document-which-AppArmor-features-are-not-supported-on-Deb.patch
 ptrace-test-include-asm-ptrace.h-on-ARM.patch
 9901-vivante-and-egl-for-X-abstraction.patch
 9999-use_DEB_HOST_GNU_TYPE.patch