From: mhoellein Date: Tue, 16 Jul 2024 07:53:32 +0000 (+0200) Subject: committing changes in /etc made by "apt-get upgrade" X-Git-Url: https://git.hoellein.online/?a=commitdiff_plain;h=f3b1ed1d71aaa7cb1ad27f46fd951696e0eeb573;p=vserver committing changes in /etc made by "apt-get upgrade" Package changes: -amavisd-new 1:2.11.0-6.1ubuntu1 all +amavisd-new 1:2.11.0-6.1ubuntu1.1 all -apache2 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 -apache2-bin 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 -apache2-data 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 all -apache2-utils 2.4.59-1+ubuntu20.04.1+deb.sury.org+1 amd64 +apache2 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 amd64 +apache2-bin 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 amd64 +apache2-data 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 all +apache2-utils 2.4.61-1+ubuntu20.04.1+deb.sury.org+1 amd64 -code-brand 23.05-32 all -collaboraoffice 23.05.10-1 amd64 -collaboraoffice-ure 23.05.10-1 amd64 -collaboraofficebasis-calc 23.05.10-1 amd64 -collaboraofficebasis-core 23.05.10-1 amd64 -collaboraofficebasis-draw 23.05.10-1 amd64 -collaboraofficebasis-en-us 23.05.10-1 amd64 -collaboraofficebasis-extension-pdf-import 23.05.10-1 amd64 -collaboraofficebasis-graphicfilter 23.05.10-1 amd64 -collaboraofficebasis-images 23.05.10-1 amd64 -collaboraofficebasis-impress 23.05.10-1 amd64 -collaboraofficebasis-math 23.05.10-1 amd64 -collaboraofficebasis-ooofonts 23.05.10-1 amd64 -collaboraofficebasis-ooolinguistic 23.05.10-1 amd64 -collaboraofficebasis-writer 23.05.10-1 amd64 +code-brand 24.04-10 all +collaboraoffice 24.04.5-1 amd64 +collaboraoffice-ure 24.04.5-1 amd64 +collaboraofficebasis-calc 24.04.5-1 amd64 +collaboraofficebasis-core 24.04.5-1 amd64 +collaboraofficebasis-draw 24.04.5-1 amd64 +collaboraofficebasis-en-us 24.04.5-1 amd64 +collaboraofficebasis-extension-pdf-import 24.04.5-1 amd64 +collaboraofficebasis-graphicfilter 24.04.5-1 amd64 +collaboraofficebasis-images 24.04.5-1 amd64 +collaboraofficebasis-impress 24.04.5-1 amd64 +collaboraofficebasis-math 
24.04.5-1 amd64 +collaboraofficebasis-ooofonts 24.04.5-1 amd64 +collaboraofficebasis-ooolinguistic 24.04.5-1 amd64 +collaboraofficebasis-writer 24.04.5-1 amd64 -coolwsd 23.05.10.1-1 amd64 +coolwsd 24.04.5.1-1 amd64 -cpio 2.13+dfsg-2ubuntu0.3 amd64 +cpio 2.13+dfsg-2ubuntu0.4 amd64 -distro-info-data 0.43ubuntu1.15 all +distro-info-data 0.43ubuntu1.16 all -ghostscript 9.50~dfsg-5ubuntu4.11 amd64 +ghostscript 9.50~dfsg-5ubuntu4.13 amd64 -git 1:2.25.1-1ubuntu3.11 amd64 -git-man 1:2.25.1-1ubuntu3.11 all +git 1:2.25.1-1ubuntu3.13 amd64 +git-man 1:2.25.1-1ubuntu3.13 all -icinga-php-library 0.13.1-1+ubuntu20.04 all +icinga-php-library 0.14.0-1+ubuntu20.04 all -intel-microcode 3.20231114.0ubuntu0.20.04.1 amd64 +intel-microcode 3.20240514.0ubuntu0.20.04.1 amd64 -klibc-utils 2.0.7-1ubuntu5.1 amd64 +klibc-utils 2.0.7-1ubuntu5.2 amd64 -less 551-1ubuntu0.2 amd64 +less 551-1ubuntu0.3 amd64 -libapache2-mod-php7.4 7.4.3-4ubuntu2.20 amd64 +libapache2-mod-php7.4 7.4.3-4ubuntu2.23 amd64 -libc-bin 2.31-0ubuntu9.14 amd64 -libc-dev-bin 2.31-0ubuntu9.14 amd64 -libc6 2.31-0ubuntu9.14 amd64 -libc6-dev 2.31-0ubuntu9.14 amd64 +libc-bin 2.31-0ubuntu9.16 amd64 +libc-dev-bin 2.31-0ubuntu9.16 amd64 +libc6 2.31-0ubuntu9.16 amd64 +libc6-dev 2.31-0ubuntu9.16 amd64 -libcups2 2.3.1-9ubuntu1.6 amd64 +libcups2 2.3.1-9ubuntu1.8 amd64 -libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.4 amd64 -libgdk-pixbuf2.0-bin 2.40.0+dfsg-3ubuntu0.4 amd64 -libgdk-pixbuf2.0-common 2.40.0+dfsg-3ubuntu0.4 all +libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.5 amd64 +libgdk-pixbuf2.0-bin 2.40.0+dfsg-3ubuntu0.5 amd64 +libgdk-pixbuf2.0-common 2.40.0+dfsg-3ubuntu0.5 all -libglib2.0-0 2.64.6-1~ubuntu20.04.6 amd64 -libglib2.0-data 2.64.6-1~ubuntu20.04.6 all +libglib2.0-0 2.64.6-1~ubuntu20.04.7 amd64 +libglib2.0-data 2.64.6-1~ubuntu20.04.7 all -libgnutls30 3.6.13-2ubuntu1.10 amd64 +libgnutls30 3.6.13-2ubuntu1.11 amd64 -libgs9 9.50~dfsg-5ubuntu4.11 amd64 -libgs9-common 9.50~dfsg-5ubuntu4.11 all +libgs9 9.50~dfsg-5ubuntu4.13 amd64 +libgs9-common 
9.50~dfsg-5ubuntu4.13 all -libklibc 2.0.7-1ubuntu5.1 amd64 +libklibc 2.0.7-1ubuntu5.2 amd64 -libmysqlclient21 8.0.36-0ubuntu0.20.04.1 amd64 +libmysqlclient21 8.0.37-0ubuntu0.20.04.3 amd64 -libnetplan0 0.104-0ubuntu2~20.04.4 amd64 +libnetplan0 0.104-0ubuntu2~20.04.6 amd64 -libnghttp2-14 1.40.0-1ubuntu0.2 amd64 +libnghttp2-14 1.40.0-1ubuntu0.3 amd64 -libnode64 10.19.0~dfsg-3ubuntu1.5 amd64 +libnode64 10.19.0~dfsg-3ubuntu1.6 amd64 -libpq5 12.18-0ubuntu0.20.04.1 amd64 +libpq5 12.19-0ubuntu0.20.04.1 amd64 -libpython3.8 3.8.10-0ubuntu1~20.04.9 amd64 -libpython3.8-dev 3.8.10-0ubuntu1~20.04.9 amd64 -libpython3.8-minimal 3.8.10-0ubuntu1~20.04.9 amd64 -libpython3.8-stdlib 3.8.10-0ubuntu1~20.04.9 amd64 +libpython3.8 3.8.10-0ubuntu1~20.04.10 amd64 +libpython3.8-dev 3.8.10-0ubuntu1~20.04.10 amd64 +libpython3.8-minimal 3.8.10-0ubuntu1~20.04.10 amd64 +libpython3.8-stdlib 3.8.10-0ubuntu1~20.04.10 amd64 -libruby2.7 2.7.0-5ubuntu1.12 amd64 +libruby2.7 2.7.0-5ubuntu1.14 amd64 -libtiff5 4.1.0+git191117-2ubuntu0.20.04.12 amd64 +libtiff5 4.1.0+git191117-2ubuntu0.20.04.13 amd64 -libunbound8 1.9.4-2ubuntu1.5 amd64 +libunbound8 1.9.4-2ubuntu1.6 amd64 -linux-libc-dev 5.4.0-176.196 amd64 +linux-libc-dev 5.4.0-189.209 amd64 -locales 2.31-0ubuntu9.14 all +locales 2.31-0ubuntu9.16 all -mysql-client-8.0 8.0.36-0ubuntu0.20.04.1 amd64 -mysql-client-core-8.0 8.0.36-0ubuntu0.20.04.1 amd64 +mysql-client-8.0 8.0.37-0ubuntu0.20.04.3 amd64 +mysql-client-core-8.0 8.0.37-0ubuntu0.20.04.3 amd64 -mysql-server 8.0.36-0ubuntu0.20.04.1 all -mysql-server-8.0 8.0.36-0ubuntu0.20.04.1 amd64 -mysql-server-core-8.0 8.0.36-0ubuntu0.20.04.1 amd64 +mysql-server 8.0.37-0ubuntu0.20.04.3 all +mysql-server-8.0 8.0.37-0ubuntu0.20.04.3 amd64 +mysql-server-core-8.0 8.0.37-0ubuntu0.20.04.3 amd64 -netplan.io 0.104-0ubuntu2~20.04.4 amd64 +netplan.io 0.104-0ubuntu2~20.04.6 amd64 -nodejs 10.19.0~dfsg-3ubuntu1.5 amd64 -nodejs-doc 10.19.0~dfsg-3ubuntu1.5 all +nodejs 10.19.0~dfsg-3ubuntu1.6 amd64 +nodejs-doc 10.19.0~dfsg-3ubuntu1.6 
all -php7.4 7.4.3-4ubuntu2.20 all -php7.4-bcmath 7.4.3-4ubuntu2.20 amd64 -php7.4-bz2 7.4.3-4ubuntu2.20 amd64 -php7.4-cli 7.4.3-4ubuntu2.20 amd64 -php7.4-common 7.4.3-4ubuntu2.20 amd64 -php7.4-curl 7.4.3-4ubuntu2.20 amd64 -php7.4-gd 7.4.3-4ubuntu2.20 amd64 -php7.4-gmp 7.4.3-4ubuntu2.20 amd64 -php7.4-intl 7.4.3-4ubuntu2.20 amd64 -php7.4-json 7.4.3-4ubuntu2.20 amd64 -php7.4-ldap 7.4.3-4ubuntu2.20 amd64 -php7.4-mbstring 7.4.3-4ubuntu2.20 amd64 -php7.4-mysql 7.4.3-4ubuntu2.20 amd64 -php7.4-opcache 7.4.3-4ubuntu2.20 amd64 -php7.4-pgsql 7.4.3-4ubuntu2.20 amd64 -php7.4-phpdbg 7.4.3-4ubuntu2.20 amd64 -php7.4-readline 7.4.3-4ubuntu2.20 amd64 -php7.4-soap 7.4.3-4ubuntu2.20 amd64 -php7.4-xml 7.4.3-4ubuntu2.20 amd64 -php7.4-zip 7.4.3-4ubuntu2.20 amd64 +php7.4 7.4.3-4ubuntu2.23 all +php7.4-bcmath 7.4.3-4ubuntu2.23 amd64 +php7.4-bz2 7.4.3-4ubuntu2.23 amd64 +php7.4-cli 7.4.3-4ubuntu2.23 amd64 +php7.4-common 7.4.3-4ubuntu2.23 amd64 +php7.4-curl 7.4.3-4ubuntu2.23 amd64 +php7.4-gd 7.4.3-4ubuntu2.23 amd64 +php7.4-gmp 7.4.3-4ubuntu2.23 amd64 +php7.4-intl 7.4.3-4ubuntu2.23 amd64 +php7.4-json 7.4.3-4ubuntu2.23 amd64 +php7.4-ldap 7.4.3-4ubuntu2.23 amd64 +php7.4-mbstring 7.4.3-4ubuntu2.23 amd64 +php7.4-mysql 7.4.3-4ubuntu2.23 amd64 +php7.4-opcache 7.4.3-4ubuntu2.23 amd64 +php7.4-pgsql 7.4.3-4ubuntu2.23 amd64 +php7.4-phpdbg 7.4.3-4ubuntu2.23 amd64 +php7.4-readline 7.4.3-4ubuntu2.23 amd64 +php7.4-soap 7.4.3-4ubuntu2.23 amd64 +php7.4-xml 7.4.3-4ubuntu2.23 amd64 +php7.4-zip 7.4.3-4ubuntu2.23 amd64 -python3-django 2:2.2.12-1ubuntu0.22 all +python3-django 2:2.2.12-1ubuntu0.23 all -python3-idna 2.8-1 all +python3-idna 2.8-1ubuntu0.1 all -python3-jinja2 2.10.1-2ubuntu0.2 all +python3-jinja2 2.10.1-2ubuntu0.3 all -python3-pymysql 0.9.3-2ubuntu3 all +python3-pymysql 0.9.3-2ubuntu3.1 all -python3-update-manager 1:20.04.10.20 all +python3-update-manager 1:20.04.10.21 all -python3-werkzeug 0.16.1+dfsg1-2ubuntu0.1 all +python3-werkzeug 0.16.1+dfsg1-2ubuntu0.2 all -python3.8 3.8.10-0ubuntu1~20.04.9 amd64 
-python3.8-dev 3.8.10-0ubuntu1~20.04.9 amd64 -python3.8-minimal 3.8.10-0ubuntu1~20.04.9 amd64 +python3.8 3.8.10-0ubuntu1~20.04.10 amd64 +python3.8-dev 3.8.10-0ubuntu1~20.04.10 amd64 +python3.8-minimal 3.8.10-0ubuntu1~20.04.10 amd64 -ruby2.7 2.7.0-5ubuntu1.12 amd64 +ruby2.7 2.7.0-5ubuntu1.14 amd64 -tzdata 2024a-0ubuntu0.20.04 all -ubuntu-advantage-tools 31.2~20.04 all +tzdata 2024a-0ubuntu0.20.04.1 all +ubuntu-advantage-tools 32.3.1~20.04 all -ubuntu-pro-client 31.2~20.04 amd64 -ubuntu-pro-client-l10n 31.2~20.04 amd64 +ubuntu-pro-client 32.3.1~20.04 amd64 +ubuntu-pro-client-l10n 32.3.1~20.04 amd64 -update-manager-core 1:20.04.10.20 all +update-manager-core 1:20.04.10.21 all -vim 2:8.1.2269-1ubuntu5.22 amd64 +vim 2:8.1.2269-1ubuntu5.23 amd64 -vim-common 2:8.1.2269-1ubuntu5.22 all +vim-common 2:8.1.2269-1ubuntu5.23 all -vim-runtime 2:8.1.2269-1ubuntu5.22 all -vim-tiny 2:8.1.2269-1ubuntu5.22 amd64 +vim-runtime 2:8.1.2269-1ubuntu5.23 all +vim-tiny 2:8.1.2269-1ubuntu5.23 amd64 -wget 1.20.3-1ubuntu2 amd64 +wget 1.20.3-1ubuntu2.1 amd64 -xxd 2:8.1.2269-1ubuntu5.22 amd64 +xxd 2:8.1.2269-1ubuntu5.23 amd64
---
diff --git a/.etckeeper b/.etckeeper
index bf312557d..a00611040 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -66,6 +66,7 @@ mkdir -p './ssh/ssh_config.d'
 mkdir -p './ssh/sshd_config.d'
 mkdir -p './systemd/network'
 mkdir -p './udev/hwdb.d'
+mkdir -p './ufw/applications.d/apache2'
 mkdir -p './vulkan/explicit_layer.d'
 mkdir -p './vulkan/icd.d'
 mkdir -p './vulkan/implicit_layer.d'
@@ -638,6 +639,7 @@ maybe chmod 0644 'apparmor.d/local/lsb_release'
 maybe chmod 0644 'apparmor.d/local/nvidia_modprobe'
 maybe chmod 0644 'apparmor.d/local/sbin.dhclient'
 maybe chmod 0644 'apparmor.d/local/ubuntu_pro_apt_news'
+maybe chmod 0644 'apparmor.d/local/ubuntu_pro_esm_cache'
 maybe chmod 0644 'apparmor.d/local/usr.bin.freshclam'
 maybe chmod 0644 'apparmor.d/local/usr.bin.man'
 maybe chmod 0644 'apparmor.d/local/usr.lib.ipsec.charon'
@@ -672,6 +674,7 @@ maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs'
 maybe chmod 0755 'apparmor.d/tunables/xdg-user-dirs.d'
 maybe chmod 0644 'apparmor.d/tunables/xdg-user-dirs.d/site.local'
 maybe chmod 0644 'apparmor.d/ubuntu_pro_apt_news'
+maybe chmod 0644 'apparmor.d/ubuntu_pro_esm_cache'
 maybe chmod 0644 'apparmor.d/usr.bin.freshclam'
 maybe chmod 0644 'apparmor.d/usr.bin.man'
 maybe chmod 0644 'apparmor.d/usr.lib.ipsec.charon'
@@ -21780,6 +21783,7 @@ maybe chmod 0640 'ufw/after.init'
 maybe chmod 0640 'ufw/after.rules'
 maybe chmod 0640 'ufw/after6.rules'
 maybe chmod 0755 'ufw/applications.d'
+maybe chmod 0755 'ufw/applications.d/apache2'
 maybe chmod 0644 'ufw/applications.d/apache2-utils.ufw.profile'
 maybe chmod 0644 'ufw/applications.d/bind9'
 maybe chmod 0644 'ufw/applications.d/dovecot-imapd'
diff --git a/apparmor.d/local/ubuntu_pro_esm_cache b/apparmor.d/local/ubuntu_pro_esm_cache
new file mode 100644
index 000000000..e69de29bb
diff --git a/apparmor.d/ubuntu_pro_apt_news b/apparmor.d/ubuntu_pro_apt_news
index 402d93930..d703d4a41 100644
--- a/apparmor.d/ubuntu_pro_apt_news
+++ b/apparmor.d/ubuntu_pro_apt_news
@@ -1,6 +1,9 @@
 include
+# attach_disconnected is needed here because this service runs with systemd's
+# PrivateTmp=true
+
 profile ubuntu_pro_apt_news flags=(attach_disconnected) {
 include
 include
@@ -12,18 +15,24 @@ profile ubuntu_pro_apt_news flags=(attach_disconnected) {
 capability setgid,
 capability setuid,
 capability dac_read_search,
+ # GH: 3079
+ capability dac_override,
 /etc/apt/** r,
 /etc/default/apport r,
 /etc/ubuntu-advantage/* r,
- /usr/bin/python3.{1,}[0-9] mrix,
+ # GH: #3109
+ # Allow reading the os-release file (possibly a symlink to /usr/lib).
+ /{etc/,usr/lib/,lib/}os-release r,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
 # "import uuid" in focal triggers an uname call
- /usr/bin/uname mrix,
+ # And also see LP: #2067319
+ /{,usr/}bin/uname mrix,
- /usr/lib/apt/methods/http mrix,
- /usr/lib/apt/methods/https mrix,
- /usr/lib/ubuntu-advantage/apt_news.py r,
+ /{,usr/}lib/apt/methods/http mrix,
+ /{,usr/}lib/apt/methods/https mrix,
+ /{,usr/}lib/ubuntu-advantage/apt_news.py r,
 /usr/share/dpkg/* r,
 /var/log/ubuntu-advantage.log rw,
 /var/lib/ubuntu-advantage/** r,
@@ -35,7 +44,11 @@ profile ubuntu_pro_apt_news flags=(attach_disconnected) {
 /tmp/** r,
 owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/status r,
 @{PROC}/@{pid}/cgroup r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
 }
\ No newline at end of file
diff --git a/apparmor.d/ubuntu_pro_esm_cache b/apparmor.d/ubuntu_pro_esm_cache
new file mode 100644
index 000000000..a117dbff4
--- /dev/null
+++ b/apparmor.d/ubuntu_pro_esm_cache
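Review bot: `capability dac_override,` is the one material widening in this hunk — it permits the confined apt_news process (running as root) to use CAP_DAC_OVERRIDE, so DAC permission bits no longer stop it on any path the profile's file rules already allow — yet its only rationale is the bare `# GH: 3079` reference, whereas the sibling `/{,usr/}` and os-release additions at least carry prose (`# Allow reading the os-release file ...`). Suggest a comment naming the operation that needs it, e.g. `# GH: #3079 — needed for <operation that fails without dac_override>`, so a later review can judge whether the capability is still required. Because this file is package-shipped and was replaced wholesale by the upgrade, any local tightening belongs in `apparmor.d/local/ubuntu_pro_apt_news`, which the following hunk wires in via the trailing `#include` (its target is stripped in this rendering); after a profile rewrite like this it is worth confirming with `aa-status` that the profile reloaded in the expected mode. The enclosing profile block starts before and ends after this hunk.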
@@ -0,0 +1,298 @@
+
+include
+
+# attach_disconnected is needed in all profiles defined here because this
+ # service runs with systemd's PrivateTmp=true
+
+profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability kill,
+ capability setgid,
+ capability setuid,
+
+ signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
+ signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,
+
+ /etc/apt/** r,
+ /etc/machine-id r,
+ /etc/ubuntu-advantage/uaclient.conf r,
+ # GH: #3109
+ # Allow reading the os-release file (possibly a symlink to /usr/lib).
+ /{etc/,usr/lib/,lib/}os-release r,
+
+ /run/ubuntu-advantage/ rw,
+ /run/ubuntu-advantage/** rw,
+
+ /run/systemd/container/ r,
+ /run/systemd/container/** r,
+
+ /{,usr/}bin/apt mrix,
+ /{,usr/}bin/apt-cache mrix,
+ /{,usr/}bin/ischroot mrix,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
+ # LP: #2067319
+ /{,usr/}bin/uname mrix,
+
+ /{,usr/}bin/cloud-id Cx -> cloud_id,
+ # LP: #2067319
+ /{,usr/}bin/ps Cx -> ps,
+ /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+ /{,usr/}bin/dpkg Cx -> dpkg,
+ /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
+ /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
+ /{,usr/}lib/apt/methods/http Cx -> apt_methods,
+ /{,usr/}lib/apt/methods/https Cx -> apt_methods,
+ /{,usr/}lib/apt/methods/store Cx -> apt_methods,
+ # when there is no status.json cached, esm-cache.service will invoke "snap status"
+ /{,usr/}bin/snap PUx,
+
+ /usr/share/dpkg/** r,
+ /usr/share/keyrings/* r,
+
+ /var/cache/apt/** rw,
+
+ /var/lib/apt/** r,
+ /var/lib/dpkg/** r,
+ /var/lib/ubuntu-advantage/** rwk,
+
+ /var/log/ubuntu-advantage.log rw,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/version_signature r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/osrelease r,
+
+
+
+ profile ps flags=(attach_disconnected) {
+ include
+ include
+
+ capability sys_ptrace,
+
+ # GH: #3079
+ capability dac_read_search,
+ capability dac_override,
+
+ # GH: #3119
+ ptrace (read,trace),
+
+ # LP: #2067319
+ /{,usr/}bin/ps mrix,
+
+ /dev/tty r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/** r,
+ @{PROC}/uptime r,
+ @{PROC}/sys/kernel/** r,
+ # GH: #3079
+ @{PROC}/tty/drivers r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/** r,
+ }
+
+ profile cloud_id flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ ptrace read peer=unconfined,
+
+ /etc/cloud/** r,
+ /etc/apt/** r,
+ /etc/apport/** r,
+ /etc/ssl/openssl.cnf r,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/cmdline r,
+ @{PROC}/@{pid}/status r,
+
+ /run/cloud-init/** r,
+
+ /{,usr/}bin/ r,
+ /{,usr/}bin/cloud-id r,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
+ # LP: #2067319
+ /{,usr/}bin/uname mrix,
+
+ /usr/share/dpkg/** r,
+
+ # workarounds for
+ # https://gitlab.com/apparmor/apparmor/-/issues/346
+ # LP: #2067319
+ /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
+ /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+
+ /var/lib/cloud/** r,
+
+
+
+ }
+
+ profile dpkg flags=(attach_disconnected) {
+ include
+
+ capability setgid,
+
+ /etc/dpkg/** r,
+
+ /{,usr/}bin/dpkg mr,
+
+ # LP: #2067810
+ /var/lib/dpkg/** r,
+
+ }
+
+ profile ubuntu_distro_info flags=(attach_disconnected) {
+ include
+
+ /{,usr/}bin/ubuntu-distro-info mr,
+
+ /usr/share/distro-info/** r,
+
+ }
+
+ profile apt_methods flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ signal receive set=int peer=ubuntu_pro_esm_cache,
+
+ / r,
+ /etc/dpkg/** r,
+
+ /{,usr/}lib/apt/methods/gpgv mr,
+ /{,usr/}lib/apt/methods/http mr,
+ /{,usr/}lib/apt/methods/https mr,
+ /{,usr/}lib/apt/methods/store mr,
+
+ /usr/share/dpkg/** r,
+
+ # LP: #2067810
+ /var/lib/dpkg/** r,
+
+ /var/lib/ubuntu-advantage/apt-esm/** rwk,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/fd/ r,
+
+ }
+
+ profile apt_methods_gpgv flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+
+ signal receive set=int peer=ubuntu_pro_esm_cache,
+
+ / r,
+ /etc/dpkg/** r,
+
+ # there are just too many shell script tools that are called, like head,
+ # tail, cut, sed, etc
+ /{,usr/}bin/* mrix,
+
+ /{,usr/}lib/apt/methods/gpgv mr,
+
+ /usr/share/dpkg/** r,
+ /usr/share/keyrings/* r,
+
+ /var/lib/ubuntu-advantage/apt-esm/** r,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ # apt-config command needs these
+ # Note: observed only in xenial tests, but makes sense for all releases
+ /etc/apt/** r,
+ /var/lib/apt/** r,
+
+ # LP: #2067810
+ /var/lib/dpkg/** r,
+
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
+
+ # these profiles were initially subprofiles of cloud-id, but:
+ # a) that crashes the kernel
+ # https://gitlab.com/apparmor/apparmor/-/issues/346
+ # b) <= bionic doesn't like the // or - chars in profile names
+ # https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac
+
+ profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ ptrace read peer=unconfined,
+
+
+
+ # LP: #2067319
+ /{,usr/}bin/systemctl mr,
+
+ /run/systemd/private rw,
+ /run/systemd/** r,
+
+ @{PROC}/cmdline r,
+ # GH: #3119
+ @{PROC}/1/* r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/osrelease r,
+ # GH: 3119
+ /sys/firmware/efi/efivars/** r,
+ }
+
+ profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
+ include
+
+ capability sys_ptrace,
+
+ ptrace read peer=unconfined,
+
+ /{,usr/}bin/systemd-detect-virt mr,
+
+ /run/systemd/** r,
+
+ /sys/devices/virtual/** r,
+ # GH: #3119
+ /sys/firmware/efi/efivars/** r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/sched r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ }
\ No newline at end of file
diff --git a/coolwsd/coolkitconfig.xcu b/coolwsd/coolkitconfig.xcu
index 828ef6b4d..61e39faa0 100644
--- a/coolwsd/coolkitconfig.xcu
+++ b/coolwsd/coolkitconfig.xcu
@@ -417,7 +417,7 @@
- 0
+ 0xFFFFFF
diff --git a/mysql/FROZEN b/mysql/FROZEN
new file mode 120000
index 000000000..2bc63aea9
--- /dev/null
+++ b/mysql/FROZEN
@@ -0,0 +1 @@
+../../usr/share/doc/mysql-common/frozen-mode/downgrade
\ No newline at end of file
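Review bot: In the `ps` subprofile, `ptrace (read,trace),` carries no `peer=` qualifier, so together with `capability sys_ptrace,` it permits the confined `ps` to attach to and trace any process on the host, whereas listing processes needs only the read permission — the `cloud_id`, `ubuntu_pro_esm_cache_systemctl` and `ubuntu_pro_esm_cache_systemd_detect_virt` profiles in the same hunk use the narrower `ptrace read peer=unconfined,`; unless the referenced `# GH: #3119` records a need for `trace`, narrow it to `ptrace (read),`. Two further rules would benefit from a comment stating why their breadth is acceptable: `/{,usr/}bin/* mrix,` in `apt_methods_gpgv` lets any binary under /bin or /usr/bin execute inheriting the subprofile that handles keyring verification, and `/{,usr/}bin/snap PUx,` in the main profile falls back to running snap unconfined when no snap profile is loaded. The `<...>` targets of every `include` line are stripped in this rendering, so the abstractions actually pulled in cannot be checked from this page. Since this is a package-shipped profile that the next upgrade will overwrite, local tightening belongs in `apparmor.d/local/ubuntu_pro_esm_cache`, which this commit creates (blob `e69de29bb` is empty) and which the main profile's trailing `#include` presumably pulls in.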
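Review bot: `mysql/FROZEN` arrives as a symlink to `../../usr/share/doc/mysql-common/frozen-mode/downgrade`, a marker the mysql packaging maintains rather than an admin-authored file, and the commit records it without saying what state it signals; the package list in the commit message shows mysql-server moving from 8.0.36-0ubuntu0.20.04.1 to 8.0.37-0ubuntu0.20.04.3 in the same run. The name of the link target suggests the packaging treated the change as a downgrade, which is worth verifying against the documentation in that frozen-mode directory and against the running server version before assuming this upgrade completed cleanly.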