- Feb 24, 2023
- Walter Lozano authored
Signed-off-by: Walter Lozano <walter.lozano@collabora.com>
- Feb 23, 2023
- Walter Lozano authored
In order to test newer versions before they land in the main branches, enable running tests on MR.
Signed-off-by: Walter Lozano <walter.lozano@collabora.com>
- Apr 26, 2021
- Apertis CI authored
Signed-off-by: Apertis CI <devel@lists.apertis.org>
- Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
- Apertis CI authored
* debian/bullseye: Import Debian changes 2.13.6-10
- Apr 13, 2021
- Emanuele Aina authored
When merging the Apertis changes the Debian patches got some undesired changes to the formatting that do not affect anything in practice but introduce a lot of noise when comparing branches. Sync them back to what the debian/bullseye branch ships so `git diff` is more useful and we avoid issues when merging updates later.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
- Apr 05, 2021
- Ritesh Raj Sarraf authored
This change got lost in the rebase to Bullseye. So re-introduce it again.
Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>
- Mar 12, 2021
- Ritesh Raj Sarraf authored
Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>
- Ritesh Raj Sarraf authored
* origin/debian/bullseye: Import Upstream version 2.13.6
- Feb 11, 2021
- Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
- Feb 06, 2021
- intrigeri authored
apparmor (2.13.6-9) unstable; urgency=medium * usr.lib.dovecot.script-login: don't include non-existent local override file (Closes: #982112) * Declare compliance with Policy 4.5.1 apparmor (2.13.6-8) unstable; urgency=medium * Backport patch from upstream 3.0 series, which ports aa-status to C (upstream-commit-8f9046b-port-aa-status-to-c.patch), then drop obsolete dependency from the apparmor binary package on python3 (Closes: #981442) * Annotate test dependencies <!nocheck> (Closes: #981205). Thanks to Helmut Grohne <helmut@subdivi.de> for the patch! apparmor (2.13.6-7) unstable; urgency=medium * Supersede failed dgit upload. apparmor (2.13.6-6) unstable; urgency=medium * New patch: upstream-commit-1ba978b6-adjust-for-new-ICEauthority-path-in-run.patch (Closes: #980154) apparmor (2.13.6-5) unstable; urgency=medium * Supersede failed dgit upload. apparmor (2.13.6-4) unstable; urgency=medium * autopkgtest: update tcpdump profile name apparmor (2.13.6-3) unstable; urgency=medium * Only pin the policy ABI, not the kernel ABI. I hope this fixes the regressions, on older kernels, caused by pinning the Linux 5.9 feature set, that I guess is the reason behind the several autopkgtest regressions caused by 2.13.6-2 (debci runs on Linux 4.19.x).
apparmor (2.13.6-2) unstable; urgency=medium * Pin the Linux 5.9 feature set apparmor (2.13.6-1) unstable; urgency=medium * New upstream release (Closes: #969114, #930031) * Improve long descriptions: - apparmor-utils: fix typos - libapparmor1, libapparmor-dev: don't try to list all functionality * autopkgtest: don't try to compile kopano policies (kopanocore is not in testing and was orphaned) * Adjust to the fact 3.0.x was released upstream and packaged in experimental: - debian/watch: use the Launchpad page with all downloads - gbp: use upstream/2.13.x as the upstream branch * Drop obsolete patches * apparmor-profiles: install usr.lib.dovecot.script-login (Closes: #972883) * Drop dh_perl custom invocation apparmor (2.13.5-1) unstable; urgency=medium * New upstream release (Closes: #868563, #934869, #969267) * Drop patches now included upstream * Refresh patches * d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d' * upstream-commit-145136f-fix-2.13-libapparmor-so-version.patch: new patch * Stop building on non-Linux architectures (Closes: #972049). Thanks to Laurent Bigonville <bigon@debian.org> for the suggestion. * Drop obsolete Lintian overrides * Update Lintian override name * Bump debhelper compat level to 13 * Update symbols list * Install gettext translations * apparmor-profiles: install a few more profiles (usr.bin.mlmmj-receive, usr.lib.postfix.dnsblog, usr.lib.postfix.postscreen) * debian/not-installed: list files not installed on purpose * Adjust *.install source files to appease dh_missing * autopkgtests: don't try to test disabled Thunderbird profile * Merge ubuntu/2.13.3-7ubuntu6. 
Remaining included changes after resolving conflicts and dropping patches included in 2.13.{4,5}: - debian/control: add Breaks on snapd < 2.44.3+20.04~ since prior snapd versions assume that apparmor will load the snapd policy on boot apparmor (2.13.4-3) unstable; urgency=medium * apparmor-profiles: provide (upstream) bug reporting instructions * upstream-commit-1f319c3-systemd-userdbd-compat.patch: new patch (Closes: #962405) apparmor (2.13.4-2) unstable; urgency=medium * apparmor-profiles: don't ship redundant freshclam profile (Closes: #959915) * Apply upstream !465: fix the build with make 4.3 * Drop unused Lintian override * GitLab CI: - allow reprotest to fail without failing the whole pipeline - enable diffoscope for reprotest apparmor (2.13.4-1) unstable; urgency=medium * New upstream release * Switch to HTTPS for upstream homepage URL * apparmor-profiles: install missing usr.lib.dovecot.stats profile (Closes: #953268) * Drop backported patches that are now obsolete. * Cherry-picked from Ubuntu: - Update ibus abstract path for ibus 1.5.22 - debian/control: drop Breaks that were only needed for upgrades to bionic * Drop obsolete Lintian overrides * Add python3-all to Build-Depends * Override Lintian false positive * Declare compliance with Policy 4.5.0 * Apply upstream !464: let Mesa check if the kernel supports the i915 perf interface apparmor (2.13.3-7ubuntu6) groovy; urgency=medium * Add missing "boot_id" rule to abstractions/nameservice. (LP: #1872564) - d/p/upstream-commit-454fca7-Add-run-variable.patch: Add the definition for the "@{run}" variable. - d/p/upstream-commit-ef591a67-Add-trailing-slash-to-the-run-variable-definition.patch: Add trailing slash to the "@{run}" variable. - d/p/upstream-commit-1f319c3870-abstractions-nameservice-allow-accessing-run-systemd-user.patch: Add a missing rule to allow systemd to access @{PROC}/sys/kernel/random/boot_id and @{run}/systemd/userdb. 
- d/apparmor.install: Install new file 'tunables/run' under '/etc/apparmor.d'. apparmor (2.13.3-7ubuntu5) focal; urgency=medium * snapd 2.44.3+20.04 introduced an apparmor unit of its own to load snap policy in /var/lib/snapd/apparmor/profiles. As such, don't load snapd policy twice by not loading it in the apparmor unit (LP: 1871148) - ubuntu/stop-loading-snapd-profiles.patch: stop loading snapd profiles - debian/control: add Breaks on snapd < 2.44.3+20.04~ since prior snapd versions assume that apparmor will load the snapd policy on boot - debian/apparmor.service: remove the now unneeded RequiresMountsFor on /var/lib/snapd/apparmor/profiles * drop ubuntu/parser-conf-no-expr-simplify.patch: Optimize=no-expr-simplify was added to parser.conf to mitigate slow snap policy compiles on 32bit ARM. These days, snapd calls apparmor_parser with "-O no-expr-simplify" and loads its snap policy, so drop this delta with upstream and Debian. apparmor (2.13.3-7ubuntu4) focal; urgency=medium * debian/apparmor.service: add /var/lib/snapd/apparmor/profiles to RequiresMountsFor since Ubuntu's rc.apparmor.functions looks for it (LP: #1871148) * libnss-systemd.patch: allow accessing the libnss-systemd VarLink sockets and DBus APIs. Patch partially based on work by Simon Deziel. (LP: #1796911, LP: #1869024) * upstream-mr-424-kerberos-dot-dirs.patch: abstractions/kerberosclient: allow reading /etc/krb5.conf.d/ * upstream-mr-442-gnome-user-themes.patch: gnome abstraction: allow reading per-user themes from $XDG_DATA_HOME (Closes: #930031) * upstream-mr-443-ecryptfs-dirs.patch: abstractions/base: allow read access to top-level ecryptfs directories (LP: #1848919) * upstream-mr-445-uuidd-request.patch: abstractions/base: allow read access to /run/uuidd/request * upstream-mr-464-Mesa_i915_perf_interface.patch: let Mesa check if the kernel supports the i915 perf interface. 
Patch from Debian apparmor (2.13.3-7ubuntu3) focal; urgency=medium * Add upstream-abstractions-add-etc-mdns.allow-to-etc-apparmor.d-ab.patch (LP: #1869629) apparmor (2.13.3-7ubuntu2) focal; urgency=medium * No-change rebuild to drop python3.7. apparmor (2.13.3-7ubuntu1) focal; urgency=medium * Merge from Debian. Remaining changes: - Ubuntu-specific patches: + ubuntu/add-chromium-browser.patch + ubuntu/communitheme-snap-support.patch + ubuntu/mimeinfo-snap-support.patch + ubuntu/parser-conf-no-expr-simplify.patch + ubuntu/profiles-grant-access-to-systemd-resolved.patch + upstream-dont-allow-fontconfig-cache-write.patch + upstream-tests-mult-mount-bump-size-of-created-disk.patch - debian/apparmor.{install,maintscript}: feature pinning is not used in Ubuntu - debian/apparmor.preinst: remove cache files on upgrade to 2.13 - debian/apparmor-profiles.install: install Ubuntu chromium-browser profile and abstraction - debian/apparmor-profiles.lintian-overrides: update for chromium-browser profile having read access to dpkg database for lsb-release - debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser abstraction if it doesn't exist - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect the branch where the Ubuntu packaging is maintained. 
- debian/gbp.conf: use ubuntu/master as the debian-branch - debian/patches/series: comment out debian-only patches - debian/tests/control and debian/tests/compile-policy: don't test thunderbird since the Ubuntu packaging doesn't ship a profile * Drop the following patches, no longer needed: - python3.8-ac.diff * debian/control: drop Breaks on media-hub, mediascanner2.0, messaging-app, and webbrowser-app which was needed for upgrades to bionic (LP: #1797242) * upstream-adjust-for-ibus-1.5.22.patch: update ibus abstract path for ibus 1.5.22 * upstream-adjust-gnome-for-mimeapps.patch: abstractions/gnome: also allow /etc/xdg/mimeapps.list (LP: #1792027) apparmor (2.13.3-7) unstable; urgency=medium * Add explicit build dependency on dh-python, so that this package can be built with python3-defaults 3.7.5-3. apparmor (2.13.3-6) unstable; urgency=medium [ Matthias Klose ] * debian/rules: ensure "set -e" is honored (Closes: #943649). * Add upstream-mr-430-Fix-a-Python-3.8-autoconf-check.patch (Closes: #943657). apparmor (2.13.3-5ubuntu5) focal; urgency=medium * Don't ignore exit status in debian/rules. * Fix a Python 3.8 autoconf check. apparmor (2.13.3-5ubuntu2) focal; urgency=medium * No-change rebuild for the perl update. apparmor (2.13.3-5ubuntu1) eoan; urgency=medium * Merge new upstream release from Debian.
Remaining changes: - Ubuntu-specific patches: + ubuntu/add-chromium-browser.patch + ubuntu/communitheme-snap-support.patch + ubuntu/mimeinfo-snap-support.patch + ubuntu/parser-conf-no-expr-simplify.patch + ubuntu/profiles-grant-access-to-systemd-resolved.patch - debian/apparmor.{install,maintscript}: feature pinning is not used in Ubuntu - debian/apparmor.preinst: remove cache files on upgrade to 2.13 - debian/apparmor-profiles.install: install Ubuntu chromium-browser profile and abstraction - debian/apparmor-profiles.lintian-overrides: update for chromium-browser profile having read access to dpkg database for lsb-release - debian/apparmor-profiles.postinst: ubuntu-browsers.d/chromium-browser abstraction if it doesn't exist - debian/control: adjust the Vcs-{Browser,Git} control fields to reflect the branch where the Ubuntu packaging is maintained. - debian/gbp.conf: use ubuntu/master as the debian-branch - debian/patches/series: comment out debian-only patches - debian/tests/control and debian/tests/compile-policy: don't test thunderbird since the Ubuntu packaging doesn't ship a profile * Drop the following patches, no longer needed: - ubuntu/dont-include-site-local-with-dovecot.patch - lp1820068.patch - upstream-commit-fix-segfault-in-overlaydirat_for_each.patch - upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch - upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch - upstream-commit-fix-segfault-when-loading-policy-cache-files.patch - upstream-commit-fix-variable-name-overlap-in-merge-macro.patch * upstream-dont-allow-fontconfig-cache-write.patch: don't allow write of fontconfig cache files * upstream-tests-mult-mount-bump-size-of-created-disk.patch: regression tests/mult_mount: bump size of created disk image apparmor (2.13.3-5) unstable; urgency=medium * upstream-mr-419-Xwayland-vs-recent-mutter.patch: new patch (Closes: #935058) apparmor (2.13.3-4) unstable; urgency=medium * New patch, cherry-picked and adapted from Ubuntu: 
don't include local/ snippets in the Dovecot profiles. These inclusions of non-existing files break aa-genprof (Closes: #928160). * Merge ubuntu/2.13.2-9ubuntu7, which turns out to be a no-op, because we essentially revert all changes brought by this merge: - Drop lp1820068.patch, introduced in 2.13.2-9ubuntu7: it's included in the 2.13.3 upstream release already. - Don't enable ubuntu/parser-conf-no-expr-simplify.patch, that Ubuntu just re-enabled: in Debian we don't disable expression tree simplification, because we've cherry-picked an upstream patch that improves its performance sufficiently. apparmor (2.13.3-3) unstable; urgency=medium [ Michael Biebl ] * Move libraries back to /usr/lib [ intrigeri ] * Remove Lintian override made obsolete by the move to /usr/lib/apparmor/ * Avoid-blhc-CPPFLAGS-missing-false-positive.patch: new patch. * Revert "debian/control: Breaks on snapd < 2.38~" Jamie Strandboge explained in details on #932815 the rationale behind this Breaks relationship. The user impact seems non-critical and the risk of the problem happening in practice is very low, so for now let's remove this Breaks, that prevents apparmor from migrating to testing (we don't have snapd 2.38+ in Debian yet). apparmor (2.13.3-2) unstable; urgency=medium * Install the lsb_release profile. apparmor (2.13.3-1) unstable; urgency=medium * Import new 2.13.3 upstream release and accordingly: - Update dev-pkg-without-shlib-symlink Lintian override: soname was bumped to 1.6.1. - Drop patches that were applied upstream. 
* Merge ubuntu/2.13.2-9ubuntu6, dropping the Ubuntu delta (Closes: #926015): - lp1824812.patch: set SFS_MOUNTPOINT in is_container_with_internal_policy() since it is sometimes called independently of is_apparmor_loaded() (LP: #1824812) - debian/apparmor.postrm: remove parser-created subdirs - debian/tests/control: try Ubuntu kernel but mark skip-not-installable - regression testsuite fixes: upstream-commit-add-option-to-dump-policy-cache-with-libapparmor.patch, upstream-commit-teach-aa_policy_cache_sh-about-the-new-cache.patch, upstream-commit-fix-variable-name-overlap-in-merge-macro.patch - debian/debhelper/postrm-apparmor: also remove cache files - debian/control: Breaks on snapd < 2.38~ (the cache forest breaks snap remove) * Declare compatibility with Debian Policy 4.4.0. * Bump debhelper compatibility level to 12. Accordingly: - dh_installinit: replace --no-restart-on-upgrade with its new --no-stop-on-upgrade name - Add override_dh_installsystemd that mimics our override_dh_installinit * tests/compile-policy: check syntax of kopano profiles (implements #923313 except kopano-search, until giraffe-team/kopanocore!4 is merged and uploaded) apparmor (2.13.2-9ubuntu7) eoan; urgency=medium * lp1820068.patch: don't skip read cache when options are set (LP: #1820068) * reenable ubuntu/parser-conf-no-expr-simplify.patch apparmor (2.13.2-9ubuntu6) disco; urgency=medium * lp1824812.patch: set SFS_MOUNTPOINT in is_container_with_internal_policy() since it is sometimes called independently of is_apparmor_loaded() - LP: #1824812 apparmor (2.13.2-9ubuntu5) disco; urgency=medium * ubuntu/dont-include-site-local-with-dovecot.patch: don't include local/ files in the dovecot extras profiles since the included path may not exist
- Mar 06, 2021
- Mar 30, 2020
- Ritesh Raj Sarraf authored
- Nov 01, 2019
- Emanuele Aina authored
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
- Emanuele Aina authored
Probably due to the broken import on apertis/2.13.2-3co6 the most recent merge from upstream failed to actually apply the upstream changes.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
- Sep 19, 2019
- Andrew Lee (李健秋) authored
Signed-off-by: Andrew Lee (李健秋) <ajqlee@debian.org>
- Aug 28, 2019
- Andrej Shadura authored
- Apr 09, 2019
- Sjoerd Simons authored
Gbp-Dch: Ignore
-
Apertis kernels do support dbus, unix and (old-style) network mediation via extra apertis patches. Add those to the pinned feature for the apertis apparmor. This will cause the profile parser to upload profiles to the kernel with those features present, such that dbus/network/unix mediation is actually used. On top of that it seems that the Apertis kernel will deny usage of unix socket if those features aren't present in the loaded profiles (in principle it should detect the profile doesn't want to mediate unix, but for some reason that doesn't work as expected). Tested with a plain buster 4.19 kernel as well as the Apertis kernel to ensure this wouldn't cause issues on systems without extra apparmor patches, which does not seem to be the case.
Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
- Apr 02, 2019
- Ritesh Raj Sarraf authored
apparmor_status is available for backward compatibility. It symlinks to the aa-status binary. So ship the binary symlink along with the actual binary package.
Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>
- Ritesh Raj Sarraf authored
Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>
- Emanuele Aina authored
apparmor (2.13.2-3co6) apertis; urgency=medium * debian/apparmor-tests.install: List syscall_ioperm and syscall_iop again, and later exclude them only on the architectures they are not built for * debian/rules: Add `-Xsyscall_ioperm -Xsyscall_iop` to dh_install in override_dh_install-arch to exclude those test programs on architectures other than i386 and amd64 apparmor (2.13.2-3co5) apertis; urgency=medium * debian/control: Depend on libdbus-1-dev to build the dbus test programs apparmor (2.13.2-3co4) apertis; urgency=medium * debian/apparmor-tests.install: Install the tests/regression/apparmor/dbus_* test programs apparmor (2.13.2-3co3) apertis; urgency=medium * Forward port remaining apparmor changes from Apertis - New binary packages: apparmor-tests, apparmor-utils-tests - New binary packages because the test scripts are not packaged by Debian which are used by our automated tests * Review and import following relevant patches - debian/patches/ptrace-test-include-asm-ptrace.h-on-ARM.patch - debian/patches/9901-vivante-and-egl-for-X-abstraction.patch - debian/patches/9999-use_DEB_HOST_GNU_TYPE.patch - debian/patches/libreoffice-apparmor-profile-fonts.patch - debian/patches/abstractions-base-stop-working-around-LP-359338.patch - debian/patches/Add-pvr-devices-to-X-abstraction.patch - debian/patches/Extend-abstractions-X-to-account-for-Wayland-clients.patch - debian/patches/Allow-for-access-to-the-mutter-shared-keymap.patch - debian/patches/freedesktop.org-abstractions.patch apparmor (2.13.2-3co2) apertis; urgency=medium * Move aa-status into a separate package. apparmor (2.13.2-3co1) apertis; urgency=medium * Don't use mv -n, it's only part of newer coreutils apparmor (2.13.2-3) unstable; urgency=medium * Update upstream MR!252 backport to fix initscript (Closes: #917874) apparmor (2.13.2-2) unstable; urgency=medium * Patch rc.apparmor.functions to suit Debian/Ubuntu's needs. 
* Port initscript, systemd service, postinst and profile-load to use the upstream rc.apparmor.functions shell library. This way, the systemd service does not require the SysV initscript anymore (Closes: #870697). * Drop obsolete /etc/apparmor/subdomain.conf conffile. apparmor (2.13.2-1) unstable; urgency=medium * Import new upstream release, drop backported patches that are now obsolete, refresh remaining patches. * autopkgtest: add dummy test so that changes to linux-image-amd64 trigger our other tests on ci.debian.net * Replace home-made GitLab CI with the standard Salsa pipeline (Closes: #912722). * Drop extra signatures from public upstream signing key. apparmor (2.13.1-3) unstable; urgency=medium * GitLab CI/Lintian: install dpkg-dev, that ships dpkg-architecture, needed to run some Lintian checks. * Re-enable expression tree simplification and cherry-pick upstream patch that improves its performance. * Bump debhelper compatibility level to 11. * Patch apparmor.d(5) to document which features are not supported on Debian (Closes: #807369). * Patch apparmor(7) to document debugging options (Closes: #826218). apparmor (2.13.1-2) unstable; urgency=medium * Deal with obsolete /etc/apparmor.d/abstractions/launchpad-integration conffile (Closes: #911745). * Declare autopkgtests as superficial (Closes: #911827). Adjust GitLab CI configuration to cope with exit code 8 accordingly. apparmor (2.13.1-1) unstable; urgency=medium [ intrigeri ] * New upstream release (Closes: #901470, #871441). * Bump pinned feature set to linux-image-4.18.0-2-amd64, version 4.18.10-2. * Add Breaks: apparmor-profiles-extra (<< 1.21): the Pidgin profile up to 1.20 used the launchpad-integration abstraction, that was removed in AppArmor 2.13.1. * Drop backported patches that are now obsolete. * Refresh patches. * Add debian/.gitlab-ci.yml: build the package then run Lintian and autopkgtests on it. 
* upstream-commit-3bf11ce-Fix-syntax-error-in-rc.apparmor.functions.patch, upstream-commit-b77116e-Add-profile-names.patch: new patches to fix regressions introduced in 2.13.1. * Drop unused Lintian override. * Declare compliance with policy 4.2.1. * Update symbols list. * Honor nocheck in DEB_BUILD_OPTIONS. * Make /lib/apparmor/apparmor.systemd executable. [ Sven Joachim ] * Do not remove /var/cache/apparmor/CACHEDIR.TAG on upgrades (Closes: #910217). [ Helmut Grohne ] * Don't hard code the location of netinet/in.h (Closes: #909966). apparmor (2.13-8) unstable; urgency=medium * Only fix permissions on /lib/apparmor/apparmor.systemd when building arch-dependent packages. Fixes FTBFS when building only arch:all packages. apparmor (2.13-7) unstable; urgency=medium * Move the binary cache to /var/cache/apparmor (Closes: #904637). And then: - Delete obsolete cache files in /var/cache/apparmor on upgrade. - initscript: document the potential drawback of loading the policy before remote filesystems are mounted. * Turn off expression tree simplification, that makes performance much worse in some cases, and rarely much better. * Fix aa-teardown by installing /lib/apparmor/apparmor.systemd and making it executable. * Override a few Lintian false positives. apparmor (2.13-6) unstable; urgency=low * Install new tunables/share, needed by tunables/global. Fixes regression introduced in 2.13-5 (Closes: #904970). * New autopkgtest: test that we can compile the Evince profile. Having this in place earlier would have avoided introducing #904970. apparmor (2.13-5) unstable; urgency=low * freedesktop.org abstraction: support directories exported by Flatpak apps, replacing former flatpak-exports.patch with the patchset that was merged upstream (Closes: #865206). apparmor (2.13-4) unstable; urgency=medium * Stop building the Python 2 bindings packages: python-apparmor, python-libapparmor (Closes: #904599). * Mark libapparmor-perl Multi-Arch: same. 
* dh-apparmor's postinst snippet template: drop now useless backwards compatibility code; simplify. apparmor (2.13-3) unstable; urgency=medium * Upload to unstable. * Set proper SELinux labels on files created during installation or upgrade. Thanks to Laurent Bigonville <bigon@debian.org> for the bug report and the patch! (Closes: #903633) * Fix CACHEDIR.TAG installation path and let dpkg replace the CACHEDIR.TAG directory (erroneously created by 2.13-1 and 2.13-2) with a regular file. (Closes: #883584) * New patch: make aa-notify point to Debian documentation (Closes: #904436). Thanks to Clément Hermann <nodens@nodens.org> for the bug report. * Install Dovecot profiles in /usr/share/apparmor/extra-profiles/ instead of /etc/apparmor.d/: the previous setup created lots of noise in the logs and gave no security benefit. Thanks to Jonas Smedegaard <js@debian.org> for raising the issue. * Skip *.dpkg-(new|old|dist|bak|remove) when falling back to calling the parser on individual profiles. Fixes a regression introduced in 2.13-1 and adds .dpkg-remove, that was missing in the exclusion list before. * Bump pinned feature set to linux-image-4.17.0-1-amd64, version 4.17.8-1. apparmor (2.13-2) experimental; urgency=medium * Merge from sid: - upstream-commit-d9d3cae-adjust-python-abstraction-for-python-3.patch: new patch, to avoid breaking things with Python 3.7. * Regarding the "Don't invalidate the cache anymore […]" change introduced in 2.13-1: one can manually do that with apparmor_parser --purge. apparmor (2.13-1) experimental; urgency=medium * New upstream release (Closes: #893974). * Drop all patches backported from upstream: applied in 2.13. * Refresh and export patches with gbp. * debian/libapparmor1.symbols: add newly introduced symbols. * upstream-commit-e83fa67-fix-test-failures.patch: new patch, cherry-picked from upstream, that fixes test suite failures. * Declare compatibility with Standards-Version 4.1.4. * debian/rules: drop deprecated get-orig-source target.
* Merge 2.12-4ubuntu5 (dropping the Ubuntu delta): - Drop support for snap v1. * Add Lintian overrides for a few non-issues. * debian/apparmor.dirs, debian/lib/apparmor/functions: adjust for new (multi-)cache location. * Install /etc/apparmor.d/cache.d/CACHEDIR.TAG (Closes: #883584). * Install aa-teardown and its manpage. * initscript: drop sysvinit-specific "recache" and "teardown" commands. * Simplify foreach_configured_profile() thanks to recent parser features. * aa-remove-unknown: use upstream functions instead of custom ones, i.e. one step towards deprecating distro-specific /lib/apparmor/functions. To make this work: - install the upstream shell functions library - patch one upstream function to add support for the snap profile directory and to not depend on aa_log_*_msg() * Don't invalidate the cache anymore when stopping, reloading or restarting the service, nor when installing or upgrading the apparmor package: the parser now manages its caches itself. * debian/lib/apparmor/functions: drop a bunch of functions that are not used anymore, thanks to the aforementioned changes. * Make apparmor.service more similar to upstream's: - reorder directives - use the same Description as upstream - start After=systemd-journald-audit.socket * apparmor.service: point to current homepage. apparmor (2.12-5) unstable; urgency=medium * upstream-commit-d9d3cae-adjust-python-abstraction-for-python-3.patch: new patch, to avoid breaking things with Python 3.7. apparmor (2.12-4ubuntu8) cosmic; urgency=medium * lp1788929+1794848.patch: - disallow writes to thumbnailer dir (LP: #1788929) - disallow access to the dirs of private files (LP: #1794848) apparmor (2.12-4ubuntu7) cosmic; urgency=medium * Cherry-pick upstream patch for usr-merge for useradd profile. * Update chromium-browser profile with latest from profiles project. * Fixes LP: #1784023 apparmor (2.12-4ubuntu6) cosmic; urgency=medium * No-change rebuild to build for python3.7. 
apparmor (2.12-4ubuntu5) bionic; urgency=medium [ Didier Roche ] * debian/patches/ubuntu/communitheme-snap-support.patch: - support communitheme snap (LP: #1762983) [ Jamie Strandboge ] * debian/patches/ubuntu/add-chromium-browser.patch: adjust for newer chromium (LP: #1101298, LP: #1594589, LP: #1647142) - add attach_disconnected - allow reading /proc/vmstat - don't require owner match for /proc/pid/{stat,status} and task counterparts - adjust pci[0-9] to be pci[0-9a-f] - allow reading all uevents and /sys/devices/virtual/tty/tty0/active - allow ptracing xdgsettings and lsb-release - xdgsettings uses head and tr and looks at /usr/share/ubuntu/applications/ - lsb-release uses python 3.6 and looks at apport, apt.conf, dpkg and distro-info - use 'm' on sandbox * debian/patches/ubuntu/mimeinfo-snap-support.patch: allow reading /var/lib/snapd/desktop/applications *.desktop and mimeinfo.cache (LP: #1712039) apparmor (2.12-4ubuntu4) bionic; urgency=medium * Remove another Ubuntu Touch profile (LP: #1761176) - debian/control: Breaks on messaging-app - debian/postinst: on upgrade, remove profile for usr.bin.messaging-app apparmor (2.12-4ubuntu3) bionic; urgency=medium * Remove old Ubuntu Touch profiles for packages removed from the archive since they need apparmor-easyprof-ubuntu to compile, and it was also removed from the archive (LP: #1756800) - debian/control: Breaks on media-hub, mediascanner2.0 and webbrowser-app - debian/postinst: on upgrade, remove profiles for usr.bin.webbrowser-app, usr.bin.media-hub-server, usr.lib.mediascanner-2.0.mediascanner-extractor and usr.bin.mediascanner-service-2.0 apparmor (2.12-4ubuntu2) bionic; urgency=medium * Remove old click and snapv1 support since those packages no longer exist in bionic - debian/apparmor.dirs: don't install /var/lib/apparmor/profiles - debian/apparmor.init: remove click and snapv1 additions - debian/apparmor.postinst: don't update the md5sums for click/snapv1 - debian/apparmor.postrm: remove code for
handling /var/lib/apparmor/profiles - debian/apparmor.preinst: remove md5sums files from /var/lib/apparmor/profiles - debian/lib/apparmor/functions: remove compare_and_save_debsums() and compare_previous_version() since nothing in the archive uses them any more. For now, leave snap v2 support, but eventually we'll want to move to the upstream init recommendations * profiles-grant-access-to-systemd-resolved.patch: fix typo in DEP-3 headers apparmor (2.12-4ubuntu1) bionic; urgency=medium [ Tyler Hicks ] * Merge from Debian to get gbp-pq related packaging improvements. Thanks to intrigeri for making those improvements! Remaining Ubuntu changes: - debian/gbp.conf: Use ubuntu/master as the debian-branch - Update package maintainer to be Ubuntu Developers in the control file - Call handle_system_policy_package_updates in apparmor.init. This is needed for snappy and system-images. Note that this prevents using a remove /var. - Apply Ubuntu-specific patches + parser-include-usr-share-apparmor.patch + profiles-grant-access-to-systemd-resolved.patch + add-chromium-browser.patch - Install Ubuntu chromium-browser profile and abstraction - Feature pinning is not used in Ubuntu [ intrigeri ] * Adjust the Vcs-{Browser,Git} control fields to reflect the branch where the Ubuntu packaging is maintained. apparmor (2.12-4) unstable; urgency=medium * Migrate patch handling to gbp-pq (Closes: #888244). * Merge 2.12-3ubuntu1 (dropping the Ubuntu delta): - upstream-commit-46f88f5-properly-identify-empty-ouid-fsuid-fields.patch: new patch, properly identify empty ouid/fsuid fields in logs. - upstream-commit-130958a-allow-shell-helper-read-locale.patch: new patch, allow the shell helper regression test program read the locale. apparmor (2.12-3ubuntu1) bionic; urgency=medium * New upstream bug fix release. 
Bugs fixed: - abstraction/nameservice should include allow access to /var/lib/sss/mc/initgroups (LP: #1751402) - Cannot Add Request Hat or Use Default Hat in aa-logprof and mod_apparmor (LP: #1752365) - python tools do not understand 'non-magic' include rules (LP: #1733700) - "Unable to open external link" in Evince when google-chrome-unstable is the default browser (LP: #1730536) - apparmor_parser is missing fix for rule down grades (LP: #1728120) - base abstraction missing glibc /proc/$pid/ things (LP: #1658239) - logparser.py parse_event_for_tree() doesn't care about owner vs. all in file events (LP: #1538340) - aa-decode can't decode the audit log which contains the proctitle string (LP: #1736841) - aa-logprof asks for "a" rule even if "deny w" is present (LP: #1385474) * Merge from Debian. Remaining Ubuntu changes: - debian/gbp.conf: Use ubuntu/master as the debian-branch - Update package maintainer to be Ubuntu Developers in the control file - Call handle_system_policy_package_updates in apparmor.init. This is needed for snappy and system-images. Note that this prevents using a remove /var.
- Apply Ubuntu-specific patches + parser-include-usr-share-apparmor.patch + profiles-grant-access-to-systemd-resolved.patch + add-chromium-browser.patch - Install Ubuntu chromium-browser profile and abstraction * Dropped patches that were not merged upstream: - ubuntu-manpage-updates.patch: The changes were out of date because they only addressed upstart based systems - utils-keep-shebang.patch: A different solution was merged upstream so that the shebang lines aren't rewritten * Feature pinning is not used in Ubuntu * Properly identify empty ouid/fsuid fields in logs * Allow the shell helper regression test program read the locale apparmor (2.12-3) unstable; urgency=medium * dnsmasq-profile-allow-chown-capability.patch: new patch (Closes: #889806) * Update-base-abstraction-for-ld.so.conf-and-friends.patch: new patch, cherry-picked from upstream (solves a minor part of #887973). * libapparmor-perl: install example program. apparmor (2.12-2) unstable; urgency=medium * This release is dedicated to the memory of Ursula K. Le Guin. * Install the "extra" profiles to the default upstream directory (Closes: #832984). * Cherry-pick policy improvements from upstream Git (Closes: #887591). * Stop recommending the apparmor-profile package to the general public: - apparmor: drop "Suggests: apparmor-profile". - apparmor-profile: make it clear in the package description that these profiles cannot be expected to work out-of-the-box. * Bump debhelper compatibility level to 10. - This reintroduces --parallel building, which was fixed upstream since we disabled it. - Don't manually enable the systemd debhelper sequence: now done by default. - Drop now useless build-dependency on autotools-dev. * Declare compliance with Standards-Version 4.1.3 (no change required). * debian/control: add Rules-Requires-Root: no. - Cherry-pick upstream fix to pam_apparmor's Makefile. * Packaging cleanup: - Remove Kees Cook <kees@debian.org> from the Uploaders control field. 
Thanks a lot for the inspiring work you've done on this package in the past! - Remove obsolete calls to rm_conffile. - debian/copyright: use canonical URL to copyright-format/1.0. - debian/copyright: sort licenses in lexical order. - Use canonical URL to Debian bug in patch header. - debian/*.install: remove duplicates. - Stop versioning dependencies that are satisfied on Debian Wheezy and Ubuntu Trusty. - Reformat debian/* with 'cme fix dpkg' + wrap-and-sort. apparmor (2.12-1) unstable; urgency=medium * New upstream release (Closes: #885522, #882043, #884014, #886732, #875892, #882070, #874665, #884280, #881936, #882135). - Drop obsolete patches. * dh-apparmor postinst snippet: create empty files in /etc/apparmor.d/local/ instead of repeating boilerplate. * dh-apparmor postinst snippet: simplify local overrides directory creation code. * Migrate to Git: - Configure gbp for DEP-14 - Configure gbp-pq to avoid prefixing patches with numbers - README.source: adjust to Git - Update Vcs-* control fields: migrate to Git * Move libpam to Section: admin apparmor (2.11.1-4) unstable; urgency=medium * Bump pinned feature set to linux-image-4.14.0-1's, version 4.14.2-1 - Pinning a feature set without "mount", as we did before this change, breaks mount operations due to a bug in the kernel (Closes: #883703). Thanks to Fabian Grünbichler and Felix Geyer for reporting this. - AppArmor maintainers in Debian have been testing 4.14 without pinning for a while and all the known issues were fixed; it's time to enable 4.14's features so we can learn what parts of our policy still need updates (Closes: #880078, #877581). * Move features file to /usr/share/apparmor-features (Closes: #883682). Thanks to Fabian Grünbichler <f.gruenbichler@proxmox.com> for the patch. * Document in apparmor/README.Debian where online documentation wrt. AppArmor on Debian lives (Closes: #845232). Thanks to Wouter Verhelst and Jean-Michel Vourgère for the suggestion.
* Improve usability of apparmor-notify: - notify.conf: unset use_group. aa-notify checks that it can read the selected log file — and aborts if it can't — before it checks group membership vs. use_group, so in practice setting use_group is only useful for users who are allowed to read logs but don't want to see notifications. This seems to be a corner case, easily addressed per-user (~/.apparmor/notify.conf) or system-wide (by deinstalling apparmor-notify). So let's instead optimize for a more common use case, i.e. users who can read logs and want to see the notifications. This change does not impact the most common use case, i.e. desktop users who are not allowed to read logs (Closes: #880859). - Document in apparmor-notify/README.Debian that one must be in the "adm" group to use aa-notify. Thanks to Lisandro Damián Nicanor Pérez Meyer and Salvatore Bonaccorso whose combined bug reports led to this solution. * /lib/apparmor/functions: don't delete /etc/apparmor.d/cache/CACHEDIR.TAG ourselves (necessary, but not sufficient, to fix #883584). * Declare compliance with Standards-Version 4.1.2. apparmor (2.11.1-3) unstable; urgency=medium * upstream-commit-92752f5-support-Google-Chrome-beta.patch: new patch, backported from upstream (Closes: #880923). apparmor (2.11.1-2) unstable; urgency=medium * apparmor: drop obsolete dependency on libapparmor-perl. This dependency was added in 2.8.0-0ubuntu15, when aa-exec (that was written in Perl back then) got moved to the apparmor package. Nowadays aa-exec is written in C and AFAICT there's nothing in the apparmor package that uses libapparmor-perl. * apparmor-utils: drop obsolete dependency on libapparmor-perl. All the programs shipped in this package were rewritten in Python. * Drop obsolete dependencies on python{,3}-pkg-resources. They were added to "fix autopkgtests in click-apparmor and apparmor-easyprof-ubuntu". We don't ship these packages in Debian, and I'm told they're going away in Ubuntu anyway.
apparmor (2.11.1-1) unstable; urgency=medium * Import upstream 2.11.1 release. Drop obsolete patches and refresh remaining ones as needed. * pin-feature-set.patch: new patch, that pins the AppArmor feature set to Linux 4.13.4-2's (Closes: #879584). The AppArmor policy we ship is not fully ready for Linux 4.14 yet. Once our policy has been updated (#877581) we can bump the pinned feature set to Linux 4.14's. Note, however, that this is not fully effective in the specific case of 4.14-rcN up to 4.14-rc6 due to a kernel bug with pinned older feature sets, that will likely be fixed in Linux 4.14-rc7. For example, with Linux 4.14-rc5 some network (e.g. unix, inet, inet6) operations are denied despite the fact this pinned feature does not enable network mediation support. For details, see: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1721278 * Disable parser-include-usr-share-apparmor.patch: it's not used on Debian and would be made fuzzy by pin-feature-set.patch, thus causing useless maintenance busywork. * Improve phrasing of long packages description, based on a patch by Vincas Dargis <vindrg@gmail.com> (Closes: #795431). * Replace build-dependency on dh-systemd with a versioned one on debhelper, that now ships dh_systemd_*. * Set priority to "optional": "extra" is deprecated. * Bump Standards-Version to 4.1.1. * Drop "Testsuite: autopkgtest" control field: it is automatically added by dpkg-source(1) since dpkg 1.17.1 when a debian/tests/control file exists, which is the case here. * Move libapache2-mod-apparmor to Section "httpd", as suggested by Lintian. apparmor (2.11.0-11) unstable; urgency=medium * Only use systemd-detect-virt when it's installed (Closes: #871953). * dh_apparmor: include the version of the package, so that one can find packages that were built with a particular version of dh_apparmor. (Closes: #872167). * Import patch submitted upstream to support Flatpak exports (Closes: #865206).
* Revert "Build with GCC-6 on mips64el to workaround Debian#871538": that gcc-7 bug was fixed in 7.2.0-3 on 2017-09-02, presumably all buildd's chroot should have it by now. * Merge from Ubuntu citrain up to revision 1627, aka. 2.11.0-2ubuntu17. Applied all changes (filtering from that list what had already been done in Debian): - Remove apparmor system upstart job on upgrades. - r3631-apparmor-utils-python3.6-LOCALE.patch: fix utils to avoid breakage with python 3.6 (LP: #1661766). - nameservice-add-stub-resolv.patch: allow read access to systemd stub resolver configuration apparmor (2.11.0-10) unstable; urgency=medium * Build with GCC-6 on mips64el to workaround #871538. apparmor (2.11.0-9) unstable; urgency=medium * debian-chromium-paths.patch: new patch, fixes e.g. opening links (e.g. from Thunderbird) when Chromium is the default web browser (reported in #858911). apparmor (2.11.0-8) unstable; urgency=medium * firefox-non-esr.patch: new patch, fixes e.g. opening links from Thunderbird when Firefox non-ESR is the default web browser (Closes: #858911). * Adjust metadata for wayland-cursor.patch: applied upstream. apparmor (2.11.0-7) unstable; urgency=medium * compare_and_save_debsums(): fix quieting of diff on initial installation (Closes: #870696). * Don't explicitly pass runlevel nor sequence number to update-rc.d via dh_installinit (Closes: #870695). Thanks to Michael Biebl for the hint! * wayland-cursor.patch: new patch, to allow wayland-cursor-shared-* (Closes: #870807). * Merge from Ubuntu citrain up to revision 1620, i.e. 2.11.0-2ubuntu11. Applied all changes: - fix-aa-status-pod.patch: updates aa-status for newer podchecker (LP: #1707614) - adjust-python-for-3.6.patch: update python abstraction for 3.6 - adjust-nameservice-for-systemd-resolved.patch: grant access to systemd-resolved in the nameservice abstraction (LP: #1598759). 
… and then disabled adjust-nameservice-for-systemd-resolved.patch that's dangerous without fine-grained AppArmor mediation of D-Bus traffic. * Remove upstart configuration: Upstart was removed in Debian Stretch so this file is no longer useful. * Drop ubuntu-manpage-updates.patch, that was only relevant with Upstart. apparmor (2.11.0-6) unstable; urgency=medium * libapparmor-dev: stop installing /lib/*/libapparmor.la (Closes: #866636). apparmor (2.11.0-5) unstable; urgency=medium * pass-compiler-flags-binutils.patch: new patch, fixes missing hardening flags in aa-enabled and aa-exec. * Merge from Ubuntu citrain up to revision 1617, i.e. 2.11.0-2ubuntu8. apparmor (2.11.0-4) unstable; urgency=medium * Run parts of the upstream test suite as autopkgtests. * Declare compliance with Standards-Version 4.0.0 (no change required). * Add mentions-deprecated-usr-lib-perl5-directory to Lintian overrides, since usr-lib-perl5-mentioned has been renamed. * libapparmor1.symbols: require 2.8.94 instead of 2.8.94-0ubuntu1. * debian/rules: use variables provided by dpkg/pkg-info.mk instead of parsing the output of dpkg-parsechangelog. * Override mistaken apache2-module-depends-on-real-apache2-package Lintian check. * Merge from Ubuntu citrain up to revision 1616, i.e. 2.11.0-2ubuntu5 (more recent changes, up to 2.11.0-2ubuntu8, have not been pushed to the citrain repo yet; they don't seem critical though). apparmor (2.11.0-3) unstable; urgency=medium * Fix CVE-2017-6507: don't unload unknown profiles during package configuration or when restarting the apparmor init script, upstart job, or systemd unit as this could leave processes unconfined (Closes: #858768).
Changes cherry-picked from Ubuntu's 2.11.0-2ubuntu3: - debian/apparmor.postinst, debian/apparmor.init, debian/apparmor.upstart: Remove calls to unload_obsolete_profiles() - debian/patches/utils-add-aa-remove-unknown.patch, debian/apparmor.install debian/apparmor.manpages: Include a new utility, aa-remove-unknown, which can be used to unload unknown profiles. Based on an upstream patch but adjusted to source the /lib/apparmor/functions shipped in Debian/Ubuntu. apparmor (2.11.0-2ubuntu19) bionic; urgency=medium * d/p/0001-Allow-seven-digit-pid.patch: On 64bit systems, /proc/sys/kernel/pid_max can be set to PID_MAX_LIMIT, (2^22), which results in seven digit pids. Adjust the @{PID} variable in tunables/global to accept this. (LP: #1717714) apparmor (2.11.0-2ubuntu18) bionic; urgency=medium * No-change rebuild against perlapi-5.26.1 apparmor (2.11.0-2ubuntu17) artful; urgency=medium * nameservice-add-stub-resolv.patch: allow read access to systemd stub resolver configuration apparmor (2.11.0-2ubuntu16) artful; urgency=medium * add wayland-cursor.patch (LP: #1710487) apparmor (2.11.0-2ubuntu15) artful; urgency=medium * Correctly remove system upstart job. apparmor (2.11.0-2ubuntu14) artful; urgency=medium * drop adjust-nameservice-for-systemd-resolved.patch that was previously applied in profiles-grant-access-to-systemd-resolved.patch apparmor (2.11.0-2ubuntu13) artful; urgency=medium * Stop installing apparmor system upstart job. * Remove apparmor system upstart job on upgrades. apparmor (2.11.0-2ubuntu12) artful; urgency=medium * r3631-apparmor-utils-python3.6-LOCALE.patch: fix utils to avoid breakage with python 3.6 (LP: #1661766) apparmor (2.11.0-2ubuntu11) artful; urgency=medium * fix-aa-status-pod.patch: updates aa-status for newer podchecker (LP: #1707614) apparmor (2.11.0-2ubuntu10) artful; urgency=medium * No-change rebuild for perl 5.26. 
apparmor (2.11.0-2ubuntu9) artful; urgency=medium * adjust-python-for-3.6.patch: update python abstraction for 3.6 * adjust-nameservice-for-systemd-resolved.patch: grant access to systemd-resolved in the nameservice abstraction (LP: #1598759). Patch from Tyler Hicks apparmor (2.11.0-2ubuntu8) artful; urgency=medium * no-change rebuild to unblock build of snapd after armhf/arm64 enabling PIE by default. apparmor (2.11.0-2ubuntu7) artful; urgency=medium * utils-keep-shebang.patch: Stop inappropriately mangling script shebangs. * utils-logprof-python3.6.patch: Add python3.6 line to utils/logprof.conf. apparmor (2.11.0-2ubuntu6) artful; urgency=medium * No change rebuild to add Python 3.6 support.
-
- Mar 30, 2019
-
-
intrigeri authored
apparmor (2.13.2-10) unstable; urgency=medium * Don't load AppArmor policy when running in a Debian Live environment that uses overlayfs (Closes: #922378). Rationale: the storage stack set up by live-boot with overlayfs is not supported by our AppArmor policy at the moment, resulting in breakage of confined software such as Evince and LibreOffice. * Ship nvidia_modprobe in enforce mode (Closes: #923273). - Rationale: as explained by Seth Arnold <seth.arnold@canonical.com> on #923273#32, profiles in complain mode can chew up essentially unlimited amounts of non-swappable kernel memory and huge amounts of IO bandwidth logging ALLOWED messages, which can in turn use large amounts of storage. This is why Ubuntu has applied this change already for their upcoming release. - Scope of this change: in Buster, this profile is used in one single place — the usr.lib.libreoffice.program.soffice.bin profile — for which it was developed and tested in the first place. So the risk and potential problematic impact of this change seems pretty low. * Cherry-pick the most important and non-invasive fixes from the upstream apparmor-2.13 maintenance branch: - base abstraction: allow mr on *.so* in common library paths, i.e. don't assume all common libraries' name starts with "lib". At the very least, this fixes Qt5 applications under some VirtualBox graphics configuration, where otherwise they would not start at all (Closes: Tails#16414). Upstream commits: 8dff7dc, 08f9d16 - Fix 2 segfaults spotted upstream while writing automated tests for the multicache support (upstream MR!348): · in overlaydirat_for_each, segfault caused by repeatedly freeing the same memory area; · when loading policy cache files, due to incorrect size passed to qsort(). Upstream commits: 5704fba, 01aec04
-
- Feb 25, 2019
-
-
intrigeri authored
apparmor (2.13.2-9) unstable; urgency=medium * Revert "Add autopkgtest that checks if apparmor.service starts on package installation". It passes with the schroot and qemu backends locally but fails on ci.debian.net.
-
- Feb 24, 2019
-
-
intrigeri authored
apparmor (2.13.2-8) unstable; urgency=medium * Cherry-pick 5 more commits from upstream apparmor-2.13 branch (Closes: #921866). * Cherry-pick upstream MR!344 (Closes: #920833, #921888). * Install the nvidia_modprobe named profile (Closes: #921875) and add it to the list of profiles whose syntax is checked via autopkgtests. * Patch usr.sbin.smdb to include snippet generated at runtime (part of the fix for #896080). * New autopkgtest: ensure apparmor.service starts on package installation. * Update salsa CI pipeline.
-
- Jan 31, 2019
-
-
intrigeri authored
apparmor (2.13.2-7) unstable; urgency=medium * Stop shipping /var/cache/apparmor/CACHEDIR.TAG (Closes: #920682) * New patches, cherry-picked from upstream !320, so the "audio" abstraction grants read access to Alsa and libao config files (Closes: #920669, #920670).
-
- Jan 28, 2019
-
-
intrigeri authored
apparmor (2.13.2-6) unstable; urgency=medium * initscript: implement missing aa_log_action_begin and aa_log_action_end functions (Closes: #917962).
-
intrigeri authored
apparmor (2.13.2-5) unstable; urgency=medium * Really move libapparmor.so unversioned symlink to /lib/<triplet> (Closes: #919705). * Add Lintian override for dev-pkg-without-shlib-symlink: arguably a false positive (see #843932). * Add Lintian override for uses-dpkg-database-directly: false positive. * Declare compliance with Standards-Version 4.3.0. * autopkgtests: - Test compiling many more profiles: - all profiles that apparmor-profiles-extra ships in enforce mode - the profiles shipped by bind9, cups-browsed, haveged, libreoffice-common, man-db, ntp, onioncircuits, tcpdump, thunderbird, and tor - another profile shipped by libvirt-daemon-system - Declare that the compile-policy test is not superficial anymore. - Make the parser verbose in the compile-policy test.
-
- Jan 27, 2019
-
-
intrigeri authored
apparmor (2.13.2-4) unstable; urgency=medium * Move libapparmor.so unversioned symlink to /lib/<triplet> (Closes: #919705). * New patches, cherry-picked from upstream: - Make tunables/share play well with aliases. - Fix access to /usr/share/drirc.d.conf (Closes: #919775). - Fix access to the default paths used by dehydrated in Debian. - Support new font configuration paths. - Support libvirt named profile. - Fix access to /etc/alsa/conf.d/. * autopkgtests: test compiling more profiles shipped by other packages. * Patch the dnsmasq profile to fix ptrace and signal communication with libvirtd.
-
- Jan 01, 2019
-
-
intrigeri authored
apparmor (2.13.2-3) unstable; urgency=medium * Update upstream MR!252 backport to fix initscript (Closes: #917874)
-