UBUNTU: Ubuntu-unstable-6.8.0-3.3

Signed-off-by: Paolo Pisati <[email protected]>

Author: piso77

Diff for: debian.master/changelog

@@ -1,10 +1,183 @@
-linux-unstable (6.8.0-3.3) UNRELEASED; urgency=medium
+linux-unstable (6.8.0-3.3) noble; urgency=medium
 
-  CHANGELOG: Do not edit directly. Autogenerated at release.
-  CHANGELOG: Use the printchanges target to see the curent changes.
-  CHANGELOG: Use the insertchanges target to create the final log.
+  * noble/linux-unstable: 6.8.0-3.3 -proposed tracker (LP: #2051488)
 
- -- Paolo Pisati <[email protected]>  Mon, 29 Jan 2024 08:57:05 +0100
+  * update apparmor and LSM stacking patch set (LP: #2028253)
+    - SAUCE: apparmor4.0.0 [43/87]: LSM stacking v39: UBUNTU: SAUCE: apparmor4.0.0
+      [12/95]: add/use fns to print hash string hex value
+    - SAUCE: apparmor4.0.0 [44/87]: patch to provide compatibility with v2.x net
+      rules
+    - SAUCE: apparmor4.0.0 [45/87]: add unpriviled user ns mediation
+    - SAUCE: apparmor4.0.0 [46/87]: Add sysctls for additional controls of unpriv
+      userns restrictions
+    - SAUCE: apparmor4.0.0 [47/87]: af_unix mediation
+    - SAUCE: apparmor4.0.0 [48/87]: Add fine grained mediation of posix mqueues
+    - SAUCE: apparmor4.0.0 [49/87]: setup slab cache for audit data
+    - SAUCE: apparmor4.0.0 [50/87]: Improve debug print infrastructure
+    - SAUCE: apparmor4.0.0 [51/87]: add the ability for profiles to have a
+      learning cache
+    - SAUCE: apparmor4.0.0 [52/87]: enable userspace upcall for mediation
+    - SAUCE: apparmor4.0.0 [53/87]: prompt - lock down prompt interface
+    - SAUCE: apparmor4.0.0 [54/87]: prompt - allow controlling of caching of a
+      prompt response
+    - SAUCE: apparmor4.0.0 [55/87]: prompt - add refcount to audit_node in prep or
+      reuse and delete
+    - SAUCE: apparmor4.0.0 [56/87]: prompt - refactor to moving caching to
+      uresponse
+    - SAUCE: apparmor4.0.0 [57/87]: prompt - Improve debug statements
+    - SAUCE: apparmor4.0.0 [58/87]: prompt - fix caching
+    - SAUCE: apparmor4.0.0 [59/87]: prompt - rework build to use append fn, to
+      simplify adding strings
+    - SAUCE: apparmor4.0.0 [60/87]: prompt - refcount notifications
+    - SAUCE: apparmor4.0.0 [61/87]: prompt - add the ability to reply with a
+      profile name
+    - SAUCE: apparmor4.0.0 [62/87]: prompt - fix notification cache when updating
+    - SAUCE: apparmor4.0.0 [63/87]: prompt - add tailglob on name for cache
+      support
+    - SAUCE: apparmor4.0.0 [64/87]: prompt - allow profiles to set prompts as
+      interruptible
+    - SAUCE: apparmor4.0.0 [69/87]: add io_uring mediation
+    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS
+
+  * apparmor restricts read access of user namespace mediation sysctls to root
+    (LP: #2040194)
+    - SAUCE: apparmor4.0.0 [73/87]: apparmor: open userns related sysctl so lxc
+      can check if restriction are in place
+
+  * AppArmor spams kernel log with assert when auditing (LP: #2040192)
+    - SAUCE: apparmor4.0.0 [72/87]: apparmor: fix request field from a prompt
+      reply that denies all access
+
+  * apparmor notification files verification (LP: #2040250)
+    - SAUCE: apparmor4.0.0 [71/87]: apparmor: fix notification header size
+
+  * apparmor oops when racing to retrieve a notification (LP: #2040245)
+    - SAUCE: apparmor4.0.0 [70/87]: apparmor: fix oops when racing to retrieve
+      notification
+
+  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]
+    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in mantic
+    (LP: #2032602)
+    - SAUCE: apparmor4.0.0 [66/87]: prompt - add support for advanced filtering of
+      notifications
+    - SAUCE: apparmor4.0.0 [67/87]: userns - add the ability to reference a global
+      variable for a feature value
+    - SAUCE: apparmor4.0.0 [68/87]: userns - make it so special unconfined
+      profiles can mediate user namespaces
+
+  * Miscellaneous Ubuntu changes
+    - SAUCE: apparmor4.0.0 [01/87]: LSM stacking v39: integrity: disassociate
+      ima_filter_rule from security_audit_rule
+    - SAUCE: apparmor4.0.0 [02/87]: LSM stacking v39: SM: Infrastructure
+      management of the sock security
+    - SAUCE: apparmor4.0.0 [03/87]: LSM stacking v39: LSM: Add the lsmblob data
+      structure.
+    - SAUCE: apparmor4.0.0 [04/87]: LSM stacking v39: IMA: avoid label collisions
+      with stacked LSMs
+    - SAUCE: apparmor4.0.0 [05/87]: LSM stacking v39: LSM: Use lsmblob in
+      security_audit_rule_match
+    - SAUCE: apparmor4.0.0 [06/87]: LSM stacking v39: LSM: Add lsmblob_to_secctx
+      hook
+    - SAUCE: apparmor4.0.0 [07/87]: LSM stacking v39: Audit: maintain an lsmblob
+      in audit_context
+    - SAUCE: apparmor4.0.0 [08/87]: LSM stacking v39: LSM: Use lsmblob in
+      security_ipc_getsecid
+    - SAUCE: apparmor4.0.0 [09/87]: LSM stacking v39: Audit: Update shutdown LSM
+      data
+    - SAUCE: apparmor4.0.0 [10/87]: LSM stacking v39: LSM: Use lsmblob in
+      security_current_getsecid
+    - SAUCE: apparmor4.0.0 [11/87]: LSM stacking v39: LSM: Use lsmblob in
+      security_inode_getsecid
+    - SAUCE: apparmor4.0.0 [12/87]: LSM stacking v39: Audit: use an lsmblob in
+      audit_names
+    - SAUCE: apparmor4.0.0 [13/87]: LSM stacking v39: LSM: Create new
+      security_cred_getlsmblob LSM hook
+    - SAUCE: apparmor4.0.0 [14/87]: LSM stacking v39: Audit: Change context data
+      from secid to lsmblob
+    - SAUCE: apparmor4.0.0 [15/87]: LSM stacking v39: Netlabel: Use lsmblob for
+      audit data
+    - SAUCE: apparmor4.0.0 [16/87]: LSM stacking v39: LSM: Ensure the correct LSM
+      context releaser
+    - SAUCE: apparmor4.0.0 [17/87]: LSM stacking v39: LSM: Use lsmcontext in
+      security_secid_to_secctx
+    - SAUCE: apparmor4.0.0 [18/87]: LSM stacking v39: LSM: Use lsmcontext in
+      security_lsmblob_to_secctx
+    - SAUCE: apparmor4.0.0 [19/87]: LSM stacking v39: LSM: Use lsmcontext in
+      security_inode_getsecctx
+    - SAUCE: apparmor4.0.0 [20/87]: LSM stacking v39: LSM: Use lsmcontext in
+      security_dentry_init_security
+    - SAUCE: apparmor4.0.0 [21/87]: LSM stacking v39: LSM:
+      security_lsmblob_to_secctx module selection
+    - SAUCE: apparmor4.0.0 [22/87]: LSM stacking v39: Audit: Create audit_stamp
+      structure
+    - SAUCE: apparmor4.0.0 [23/87]: LSM stacking v39: Audit: Allow multiple
+      records in an audit_buffer
+    - SAUCE: apparmor4.0.0 [24/87]: LSM stacking v39: Audit: Add record for
+      multiple task security contexts
+    - SAUCE: apparmor4.0.0 [25/87]: LSM stacking v39: audit: multiple subject lsm
+      values for netlabel
+    - SAUCE: apparmor4.0.0 [26/87]: LSM stacking v39: Audit: Add record for
+      multiple object contexts
+    - SAUCE: apparmor4.0.0 [27/87]: LSM stacking v39: LSM: Remove unused
+      lsmcontext_init()
+    - SAUCE: apparmor4.0.0 [28/87]: LSM stacking v39: LSM: Improve logic in
+      security_getprocattr
+    - SAUCE: apparmor4.0.0 [29/87]: LSM stacking v39: LSM: secctx provider check
+      on release
+    - SAUCE: apparmor4.0.0 [30/87]: LSM stacking v39: LSM: Single calls in
+      socket_getpeersec hooks
+    - SAUCE: apparmor4.0.0 [31/87]: LSM stacking v39: LSM: Exclusive secmark usage
+    - SAUCE: apparmor4.0.0 [32/87]: LSM stacking v39: LSM: Identify which LSM
+      handles the context string
+    - SAUCE: apparmor4.0.0 [33/87]: LSM stacking v39: AppArmor: Remove the
+      exclusive flag
+    - SAUCE: apparmor4.0.0 [34/87]: LSM stacking v39: LSM: Add mount opts blob
+      size tracking
+    - SAUCE: apparmor4.0.0 [35/87]: LSM stacking v39: LSM: allocate mnt_opts blobs
+      instead of module specific data
+    - SAUCE: apparmor4.0.0 [36/87]: LSM stacking v39: LSM: Infrastructure
+      management of the key security blob
+    - SAUCE: apparmor4.0.0 [37/87]: LSM stacking v39: LSM: Infrastructure
+      management of the mnt_opts security blob
+    - SAUCE: apparmor4.0.0 [38/87]: LSM stacking v39: LSM: Correct handling of
+      ENOSYS in inode_setxattr
+    - SAUCE: apparmor4.0.0 [39/87]: LSM stacking v39: LSM: Remove lsmblob
+      scaffolding
+    - SAUCE: apparmor4.0.0 [40/87]: LSM stacking v39: LSM: Allow reservation of
+      netlabel
+    - SAUCE: apparmor4.0.0 [41/87]: LSM stacking v39: LSM: restrict
+      security_cred_getsecid() to a single LSM
+    - SAUCE: apparmor4.0.0 [42/87]: LSM stacking v39: Smack: Remove
+      LSM_FLAG_EXCLUSIVE
+    - SAUCE: apparmor4.0.0 [65/87] v6.8 prompt:fixup interruptible
+    - SAUCE: apparmor4.0.0 [74/87]: apparmor: cleanup attachment perm lookup to
+      use lookup_perms()
+    - SAUCE: apparmor4.0.0 [75/87]: apparmor: remove redundant unconfined check.
+    - SAUCE: apparmor4.0.0 [76/87]: apparmor: switch signal mediation to using
+      RULE_MEDIATES
+    - SAUCE: apparmor4.0.0 [77/87]: apparmor: ensure labels with more than one
+      entry have correct flags
+    - SAUCE: apparmor4.0.0 [78/87]: apparmor: remove explicit restriction that
+      unconfined cannot use change_hat
+    - SAUCE: apparmor4.0.0 [79/87]: apparmor: cleanup: refactor file_perm() to
+      provide semantics of some checks
+    - SAUCE: apparmor4.0.0 [80/87]: apparmor: carry mediation check on label
+    - SAUCE: apparmor4.0.0 [81/87]: apparmor: convert easy uses of unconfined() to
+      label_mediates()
+    - SAUCE: apparmor4.0.0 [82/87]: apparmor: add additional flags to extended
+      permission.
+    - SAUCE: apparmor4.0.0 [83/87]: apparmor: add support for profiles to define
+      the kill signal
+    - SAUCE: apparmor4.0.0 [84/87]: apparmor: fix x_table_lookup when stacking is
+      not the first entry
+    - SAUCE: apparmor4.0.0 [85/87]: apparmor: allow profile to be transitioned
+      when a user ns is created
+    - SAUCE: apparmor4.0.0 [86/87]: apparmor: add ability to mediate caps with
+      policy state machine
+    - SAUCE: apparmor4.0.0 [87/87]: fixup notify
+    - [Config] updateconfigs following v6.8-rc2 rebase
+
+ -- Paolo Pisati <[email protected]>  Mon, 29 Jan 2024 08:59:32 +0100
 
 linux-unstable (6.8.0-2.2) noble; urgency=medium