=== modified file 'debian/changelog' --- debian/changelog 2010-04-23 13:28:56 +0000 +++ debian/changelog 2010-05-05 12:46:37 +0000 @@ -15,8 +15,17 @@ [ Jamie Strandboge ] * AppArmor: - add read access to /etc/xul-ext/**, now needed by adblock + - allow ixr access to /usr/lib/xulrunner-*/plugin-container for xul builds + - finetune Adobe Reader access (LP: #570337) + - silence noisy denial on /boot/vmlinuz* and /boot/initrd.img* caused by + readlinking symlinks in / (LP: #571761) + - allow 'm' for java's 'classes.jsa' file (LP: #574459) + - transition to firefox_java on Sun's jre/bin/java_vm too (LP: #570128) [ Chris Coulson ] + * Rebase patches for 3.6.4+build3 release + - update debian/patches/firefox-kde.patch + - update debian/patches/mozilla-kde.patch * Create checksums for NSS libraries to make FIPS mode work (LP: #559881) - update debian/rules * Build with --enable-ipc on amd64, i386 and armel. These are the only === modified file 'debian/usr.bin.firefox.apparmor.10.04' --- debian/usr.bin.firefox.apparmor.10.04 2010-04-13 17:02:04 +0000 +++ debian/usr.bin.firefox.apparmor.10.04 2010-05-05 12:44:45 +0000 @@ -52,6 +52,8 @@ deny /usr/lib/xulrunner-addons/** w, deny /usr/lib/xulrunner-*/components/*.tmp w, deny /.suspended r, + deny /boot/initrd.img* r, + deny /boot/vmlinuz* r, # These are needed when a new user starts firefox and firefox.sh is used @LIBDIR@/** ixr, @@ -138,6 +140,9 @@ /var/lib/ r, /var/lib/** mr, + # Needed for container to work in xul builds + /usr/lib/xulrunner-*/plugin-container ixr, + # for maximum plugin/helper compatibility #/usr/bin/* Uxr, #/usr/lib/*/** ixr, @@ -150,6 +155,7 @@ # for PDFs owner @{HOME}/.adobe/** rw, /opt/Adobe/Reader9/bin/acroread Uxr, + /opt/Adobe/Reader9/** r, /usr/bin/evince PUxr, /usr/bin/okular Uxr, @@ -195,7 +201,7 @@ /etc/java-*/ r, /etc/java-*/** r, /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> firefox_openjdk, - /usr/lib/jvm/java-*-sun-1.*/jre/bin/java cx -> firefox_java, + /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> firefox_java, /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> firefox_java, /usr/lib/j2*-ibm/jre/bin/java cx -> firefox_java, @@ -257,6 +263,7 @@ /usr/bin/env ix, /usr/lib/jvm/java-6-openjdk/jre/bin/java ix, + /usr/lib/jvm/java-6-openjdk/jre/lib/i386/client/classes.jsa m, # Why would java need this? deny /usr/bin/gconftool-2 x, @@ -297,7 +304,8 @@ /var/lib/dbus/machine-id r, /usr/bin/env ix, - /usr/lib/jvm/java-*-sun-1.*/jre/bin/java ix, + /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix, + /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m, /usr/lib/j2*-ibm/jre/bin/java ix, # noisy, can't write here anyway === modified file 'debian/usr.bin.firefox.apparmor.9.10' --- debian/usr.bin.firefox.apparmor.9.10 2010-04-13 17:02:04 +0000 +++ debian/usr.bin.firefox.apparmor.9.10 2010-05-05 12:45:05 +0000 @@ -55,6 +55,8 @@ deny /usr/lib/xulrunner-addons/** w, deny /usr/lib/xulrunner-*/components/*.tmp w, deny /.suspended r, + deny /boot/initrd.img* r, + deny /boot/vmlinuz* r, # These are needed when a new user starts firefox and firefox.sh is used @LIBDIR@/** ixr, @@ -144,6 +146,9 @@ /var/lib/ r, /var/lib/** mr, + # Needed for container to work in xul builds + /usr/lib/xulrunner-*/plugin-container ixr, + # for maximum plugin/helper compatibility #/usr/bin/* Uxr, #/usr/lib/*/** ixr, @@ -180,6 +185,7 @@ # Adobe Acrobat Reader /opt/Adobe/Reader9/bin/acroread Uxr, + /opt/Adobe/Reader9/** r, # totem /usr/lib/totem/** ixr, @@ -200,7 +206,7 @@ /etc/java-*/ r, /etc/java-*/** r, /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> firefox_openjdk, - /usr/lib/jvm/java-*-sun-1.*/jre/bin/java cx -> firefox_java, + /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> firefox_java, /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> firefox_java, /usr/lib/j2*-ibm/jre/bin/java cx -> firefox_java, @@ -257,6 +263,7 @@ /usr/bin/env ix, /usr/lib/jvm/java-6-openjdk/jre/bin/java ix, + /usr/lib/jvm/java-6-openjdk/jre/lib/i386/client/classes.jsa m, # Why would java need this? deny /usr/bin/gconftool-2 x, @@ -297,7 +304,8 @@ /var/lib/dbus/machine-id r, /usr/bin/env ix, - /usr/lib/jvm/java-*-sun-1.*/jre/bin/java ix, + /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix, + /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m, /usr/lib/j2*-ibm/jre/bin/java ix, # noisy, can't write here anyway