-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Paolo Pisati <[email protected]>
- Loading branch information
Showing
1 changed file
with
178 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,183 @@ | ||
| linux-unstable (6.8.0-3.3) UNRELEASED; urgency=medium | ||
| linux-unstable (6.8.0-3.3) noble; urgency=medium | ||
|
|
||
| CHANGELOG: Do not edit directly. Autogenerated at release. | ||
| CHANGELOG: Use the printchanges target to see the curent changes. | ||
| CHANGELOG: Use the insertchanges target to create the final log. | ||
| * noble/linux-unstable: 6.8.0-3.3 -proposed tracker (LP: #2051488) | ||
|
|
||
| -- Paolo Pisati <[email protected]> Mon, 29 Jan 2024 08:57:05 +0100 | ||
| * update apparmor and LSM stacking patch set (LP: #2028253) | ||
| - SAUCE: apparmor4.0.0 [43/87]: LSM stacking v39: UBUNTU: SAUCE: apparmor4.0.0 | ||
| [12/95]: add/use fns to print hash string hex value | ||
| - SAUCE: apparmor4.0.0 [44/87]: patch to provide compatibility with v2.x net | ||
| rules | ||
| - SAUCE: apparmor4.0.0 [45/87]: add unpriviled user ns mediation | ||
| - SAUCE: apparmor4.0.0 [46/87]: Add sysctls for additional controls of unpriv | ||
| userns restrictions | ||
| - SAUCE: apparmor4.0.0 [47/87]: af_unix mediation | ||
| - SAUCE: apparmor4.0.0 [48/87]: Add fine grained mediation of posix mqueues | ||
| - SAUCE: apparmor4.0.0 [49/87]: setup slab cache for audit data | ||
| - SAUCE: apparmor4.0.0 [50/87]: Improve debug print infrastructure | ||
| - SAUCE: apparmor4.0.0 [51/87]: add the ability for profiles to have a | ||
| learning cache | ||
| - SAUCE: apparmor4.0.0 [52/87]: enable userspace upcall for mediation | ||
| - SAUCE: apparmor4.0.0 [53/87]: prompt - lock down prompt interface | ||
| - SAUCE: apparmor4.0.0 [54/87]: prompt - allow controlling of caching of a | ||
| prompt response | ||
| - SAUCE: apparmor4.0.0 [55/87]: prompt - add refcount to audit_node in prep or | ||
| reuse and delete | ||
| - SAUCE: apparmor4.0.0 [56/87]: prompt - refactor to moving caching to | ||
| uresponse | ||
| - SAUCE: apparmor4.0.0 [57/87]: prompt - Improve debug statements | ||
| - SAUCE: apparmor4.0.0 [58/87]: prompt - fix caching | ||
| - SAUCE: apparmor4.0.0 [59/87]: prompt - rework build to use append fn, to | ||
| simplify adding strings | ||
| - SAUCE: apparmor4.0.0 [60/87]: prompt - refcount notifications | ||
| - SAUCE: apparmor4.0.0 [61/87]: prompt - add the ability to reply with a | ||
| profile name | ||
| - SAUCE: apparmor4.0.0 [62/87]: prompt - fix notification cache when updating | ||
| - SAUCE: apparmor4.0.0 [63/87]: prompt - add tailglob on name for cache | ||
| support | ||
| - SAUCE: apparmor4.0.0 [64/87]: prompt - allow profiles to set prompts as | ||
| interruptible | ||
| - SAUCE: apparmor4.0.0 [69/87]: add io_uring mediation | ||
| - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS | ||
|
|
||
| * apparmor restricts read access of user namespace mediation sysctls to root | ||
| (LP: #2040194) | ||
| - SAUCE: apparmor4.0.0 [73/87]: apparmor: open userns related sysctl so lxc | ||
| can check if restriction are in place | ||
|
|
||
| * AppArmor spams kernel log with assert when auditing (LP: #2040192) | ||
| - SAUCE: apparmor4.0.0 [72/87]: apparmor: fix request field from a prompt | ||
| reply that denies all access | ||
|
|
||
| * apparmor notification files verification (LP: #2040250) | ||
| - SAUCE: apparmor4.0.0 [71/87]: apparmor: fix notification header size | ||
|
|
||
| * apparmor oops when racing to retrieve a notification (LP: #2040245) | ||
| - SAUCE: apparmor4.0.0 [70/87]: apparmor: fix oops when racing to retrieve | ||
| notification | ||
|
|
||
| * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe] | ||
| apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic | ||
| (LP: #2032602) | ||
| - SAUCE: apparmor4.0.0 [66/87]: prompt - add support for advanced filtering of | ||
| notifications | ||
| - SAUCE: apparmor4.0.0 [67/87]: userns - add the ability to reference a global | ||
| variable for a feature value | ||
| - SAUCE: apparmor4.0.0 [68/87]: userns - make it so special unconfined | ||
| profiles can mediate user namespaces | ||
|
|
||
| * Miscellaneous Ubuntu changes | ||
| - SAUCE: apparmor4.0.0 [01/87]: LSM stacking v39: integrity: disassociate | ||
| ima_filter_rule from security_audit_rule | ||
| - SAUCE: apparmor4.0.0 [02/87]: LSM stacking v39: SM: Infrastructure | ||
| management of the sock security | ||
| - SAUCE: apparmor4.0.0 [03/87]: LSM stacking v39: LSM: Add the lsmblob data | ||
| structure. | ||
| - SAUCE: apparmor4.0.0 [04/87]: LSM stacking v39: IMA: avoid label collisions | ||
| with stacked LSMs | ||
| - SAUCE: apparmor4.0.0 [05/87]: LSM stacking v39: LSM: Use lsmblob in | ||
| security_audit_rule_match | ||
| - SAUCE: apparmor4.0.0 [06/87]: LSM stacking v39: LSM: Add lsmblob_to_secctx | ||
| hook | ||
| - SAUCE: apparmor4.0.0 [07/87]: LSM stacking v39: Audit: maintain an lsmblob | ||
| in audit_context | ||
| - SAUCE: apparmor4.0.0 [08/87]: LSM stacking v39: LSM: Use lsmblob in | ||
| security_ipc_getsecid | ||
| - SAUCE: apparmor4.0.0 [09/87]: LSM stacking v39: Audit: Update shutdown LSM | ||
| data | ||
| - SAUCE: apparmor4.0.0 [10/87]: LSM stacking v39: LSM: Use lsmblob in | ||
| security_current_getsecid | ||
| - SAUCE: apparmor4.0.0 [11/87]: LSM stacking v39: LSM: Use lsmblob in | ||
| security_inode_getsecid | ||
| - SAUCE: apparmor4.0.0 [12/87]: LSM stacking v39: Audit: use an lsmblob in | ||
| audit_names | ||
| - SAUCE: apparmor4.0.0 [13/87]: LSM stacking v39: LSM: Create new | ||
| security_cred_getlsmblob LSM hook | ||
| - SAUCE: apparmor4.0.0 [14/87]: LSM stacking v39: Audit: Change context data | ||
| from secid to lsmblob | ||
| - SAUCE: apparmor4.0.0 [15/87]: LSM stacking v39: Netlabel: Use lsmblob for | ||
| audit data | ||
| - SAUCE: apparmor4.0.0 [16/87]: LSM stacking v39: LSM: Ensure the correct LSM | ||
| context releaser | ||
| - SAUCE: apparmor4.0.0 [17/87]: LSM stacking v39: LSM: Use lsmcontext in | ||
| security_secid_to_secctx | ||
| - SAUCE: apparmor4.0.0 [18/87]: LSM stacking v39: LSM: Use lsmcontext in | ||
| security_lsmblob_to_secctx | ||
| - SAUCE: apparmor4.0.0 [19/87]: LSM stacking v39: LSM: Use lsmcontext in | ||
| security_inode_getsecctx | ||
| - SAUCE: apparmor4.0.0 [20/87]: LSM stacking v39: LSM: Use lsmcontext in | ||
| security_dentry_init_security | ||
| - SAUCE: apparmor4.0.0 [21/87]: LSM stacking v39: LSM: | ||
| security_lsmblob_to_secctx module selection | ||
| - SAUCE: apparmor4.0.0 [22/87]: LSM stacking v39: Audit: Create audit_stamp | ||
| structure | ||
| - SAUCE: apparmor4.0.0 [23/87]: LSM stacking v39: Audit: Allow multiple | ||
| records in an audit_buffer | ||
| - SAUCE: apparmor4.0.0 [24/87]: LSM stacking v39: Audit: Add record for | ||
| multiple task security contexts | ||
| - SAUCE: apparmor4.0.0 [25/87]: LSM stacking v39: audit: multiple subject lsm | ||
| values for netlabel | ||
| - SAUCE: apparmor4.0.0 [26/87]: LSM stacking v39: Audit: Add record for | ||
| multiple object contexts | ||
| - SAUCE: apparmor4.0.0 [27/87]: LSM stacking v39: LSM: Remove unused | ||
| lsmcontext_init() | ||
| - SAUCE: apparmor4.0.0 [28/87]: LSM stacking v39: LSM: Improve logic in | ||
| security_getprocattr | ||
| - SAUCE: apparmor4.0.0 [29/87]: LSM stacking v39: LSM: secctx provider check | ||
| on release | ||
| - SAUCE: apparmor4.0.0 [30/87]: LSM stacking v39: LSM: Single calls in | ||
| socket_getpeersec hooks | ||
| - SAUCE: apparmor4.0.0 [31/87]: LSM stacking v39: LSM: Exclusive secmark usage | ||
| - SAUCE: apparmor4.0.0 [32/87]: LSM stacking v39: LSM: Identify which LSM | ||
| handles the context string | ||
| - SAUCE: apparmor4.0.0 [33/87]: LSM stacking v39: AppArmor: Remove the | ||
| exclusive flag | ||
| - SAUCE: apparmor4.0.0 [34/87]: LSM stacking v39: LSM: Add mount opts blob | ||
| size tracking | ||
| - SAUCE: apparmor4.0.0 [35/87]: LSM stacking v39: LSM: allocate mnt_opts blobs | ||
| instead of module specific data | ||
| - SAUCE: apparmor4.0.0 [36/87]: LSM stacking v39: LSM: Infrastructure | ||
| management of the key security blob | ||
| - SAUCE: apparmor4.0.0 [37/87]: LSM stacking v39: LSM: Infrastructure | ||
| management of the mnt_opts security blob | ||
| - SAUCE: apparmor4.0.0 [38/87]: LSM stacking v39: LSM: Correct handling of | ||
| ENOSYS in inode_setxattr | ||
| - SAUCE: apparmor4.0.0 [39/87]: LSM stacking v39: LSM: Remove lsmblob | ||
| scaffolding | ||
| - SAUCE: apparmor4.0.0 [40/87]: LSM stacking v39: LSM: Allow reservation of | ||
| netlabel | ||
| - SAUCE: apparmor4.0.0 [41/87]: LSM stacking v39: LSM: restrict | ||
| security_cred_getsecid() to a single LSM | ||
| - SAUCE: apparmor4.0.0 [42/87]: LSM stacking v39: Smack: Remove | ||
| LSM_FLAG_EXCLUSIVE | ||
| - SAUCE: apparmor4.0.0 [65/87] v6.8 prompt:fixup interruptible | ||
| - SAUCE: apparmor4.0.0 [74/87]: apparmor: cleanup attachment perm lookup to | ||
| use lookup_perms() | ||
| - SAUCE: apparmor4.0.0 [75/87]: apparmor: remove redundant unconfined check. | ||
| - SAUCE: apparmor4.0.0 [76/87]: apparmor: switch signal mediation to using | ||
| RULE_MEDIATES | ||
| - SAUCE: apparmor4.0.0 [77/87]: apparmor: ensure labels with more than one | ||
| entry have correct flags | ||
| - SAUCE: apparmor4.0.0 [78/87]: apparmor: remove explicit restriction that | ||
| unconfined cannot use change_hat | ||
| - SAUCE: apparmor4.0.0 [79/87]: apparmor: cleanup: refactor file_perm() to | ||
| provide semantics of some checks | ||
| - SAUCE: apparmor4.0.0 [80/87]: apparmor: carry mediation check on label | ||
| - SAUCE: apparmor4.0.0 [81/87]: apparmor: convert easy uses of unconfined() to | ||
| label_mediates() | ||
| - SAUCE: apparmor4.0.0 [82/87]: apparmor: add additional flags to extended | ||
| permission. | ||
| - SAUCE: apparmor4.0.0 [83/87]: apparmor: add support for profiles to define | ||
| the kill signal | ||
| - SAUCE: apparmor4.0.0 [84/87]: apparmor: fix x_table_lookup when stacking is | ||
| not the first entry | ||
| - SAUCE: apparmor4.0.0 [85/87]: apparmor: allow profile to be transitioned | ||
| when a user ns is created | ||
| - SAUCE: apparmor4.0.0 [86/87]: apparmor: add ability to mediate caps with | ||
| policy state machine | ||
| - SAUCE: apparmor4.0.0 [87/87]: fixup notify | ||
| - [Config] updateconfigs following v6.8-rc2 rebase | ||
|
|
||
| -- Paolo Pisati <[email protected]> Mon, 29 Jan 2024 08:59:32 +0100 | ||
|
|
||
| linux-unstable (6.8.0-2.2) noble; urgency=medium | ||
|
|
||
|
|
||