diff -Nru dbus-1.6.12/debian/changelog dbus-1.6.12/debian/changelog --- dbus-1.6.12/debian/changelog 2013-10-04 02:21:41.000000000 -0700 +++ dbus-1.6.12/debian/changelog 2013-10-04 09:59:24.000000000 -0700 @@ -1,3 +1,25 @@ +dbus (1.6.12-0ubuntu8) saucy; urgency=low + + * debian/patches/aa-kernel-compat-check.patch: Drop this patch. It was a + temporary compatibility check to paper over incompatibilities between + dbus-daemon, libapparmor, and the AppArmor kernel code while AppArmor + D-Bus mediation was in development. + * debian/patches/aa-mediation.patch: Fix a bug that resulted in all actions + denied by AppArmor to be audited. Auditing such actions is the default, + but it should be possible to quiet audit messages by using the "deny" + AppArmor rule modifier. (LP: #1226356) + * debian/patches/aa-mediation.patch: Fix a bug in the code that builds + AppArmor queries for the process that is receiving a message. The + message's destination was being used, as opposed to the message's source, + as the peer name in the query string. (LP: #1233895) + * debian/patches/aa-mediate-eavesdropping.patch: Don't allow applications + that are confined by AppArmor to eavesdrop. Ideally, this would be + configurable with AppArmor policy, but the parser does not yet support + any type of eavesdropping permission. For now, confined applications will + simply not be allowed to eavesdrop. (LP: #1229280) + + -- Tyler Hicks Fri, 04 Oct 2013 09:59:21 -0700 + dbus (1.6.12-0ubuntu7) saucy; urgency=low * Enable log output in session dbus upstart job. diff -Nru dbus-1.6.12/debian/patches/aa-kernel-compat-check.patch dbus-1.6.12/debian/patches/aa-kernel-compat-check.patch --- dbus-1.6.12/debian/patches/aa-kernel-compat-check.patch 2013-08-12 15:16:31.000000000 -0700 +++ dbus-1.6.12/debian/patches/aa-kernel-compat-check.patch 1969-12-31 16:00:00.000000000 -0800 
@@ -1,46 +0,0 @@ -Description: Ensure that D-Bus, libapparmor, and AppArmor kernel are in sync - Do a test query during initialization to make sure that there are no - compatibility issues. - . - This patch should be dropped before Saucy is released. It is only needed - during the Saucy development cycle because there are some combinations of - D-Bus, libapparmor and AppArmor kernel code that could cause breakage. -Author: Tyler Hicks -Forwarded: not-needed - -Index: dbus-1.6.12/bus/apparmor.c -=================================================================== ---- dbus-1.6.12.orig/bus/apparmor.c 2013-08-09 19:35:51.660209646 -0700 -+++ dbus-1.6.12/bus/apparmor.c 2013-08-09 19:39:23.684214685 -0700 -@@ -204,6 +204,22 @@ _dbus_append_mask(DBusString *auxdata, u - return FALSE; - } - -+#define AA_TEST_QUERY "unconfined\0 \0\0\0\0\0" -+#define AA_TEST_QUERY_SIZE (sizeof(AA_TEST_QUERY) - 1) -+ -+static dbus_bool_t -+aa_query_string_supported (void) -+{ -+ char aa_query[AA_QUERY_CMD_LABEL_SIZE + AA_TEST_QUERY_SIZE]; -+ int res, allow, audit; -+ -+ memcpy(aa_query + AA_QUERY_CMD_LABEL_SIZE, AA_TEST_QUERY, AA_TEST_QUERY_SIZE); -+ res = aa_query_label(AA_DBUS_SEND, aa_query, -+ AA_QUERY_CMD_LABEL_SIZE + AA_TEST_QUERY_SIZE, -+ &allow, &audit); -+ return (res == -1 && errno != ENOENT) ? FALSE : TRUE; -+} -+ - static dbus_bool_t - aa_supports_dbus (void) - { -@@ -220,7 +236,7 @@ aa_supports_dbus (void) - if (stat (aa_dbus, &statbuf) != 0) - return FALSE; - -- return TRUE; -+ return aa_query_string_supported (); - } - #endif /* HAVE_APPARMOR */ - diff -Nru dbus-1.6.12/debian/patches/aa-mediate-eavesdropping.patch dbus-1.6.12/debian/patches/aa-mediate-eavesdropping.patch --- dbus-1.6.12/debian/patches/aa-mediate-eavesdropping.patch 1969-12-31 16:00:00.000000000 -0800 +++ dbus-1.6.12/debian/patches/aa-mediate-eavesdropping.patch 2013-10-04 09:57:10.000000000 -0700 
@@ -0,0 +1,142 @@ +Description: Deny eavesdropping privileges to confined applications + Hook into the AddMatch backend to mediate eavesdropping. For now, the + mediation cannot be configured with AppArmor policy. If the application is + confined, then it cannot eavesdrop. In the future, the AppArmor profile parser + will support eavesdropping rules and this mediation point will rely on + AppArmor policy when the application wanting to eavesdrop is confined. +Author: Tyler Hicks +Bug-Ubuntu: https://launchpad.net/bugs/1229280 + +Index: dbus-1.6.12/bus/apparmor.c +=================================================================== +--- dbus-1.6.12.orig/bus/apparmor.c 2013-10-01 19:57:26.011632766 -0700 ++++ dbus-1.6.12/bus/apparmor.c 2013-10-01 20:36:43.499725723 -0700 +@@ -846,3 +846,82 @@ bus_apparmor_allows_send (DBusConnection + #endif /* HAVE_APPARMOR */ + } + ++/** ++ * Check if Apparmor security controls allow the connection to eavesdrop on ++ * other connections. ++ * ++ * @param connection the connection attempting to eavesdrop. ++ * @returns whether to allow the eavesdropping ++ */ ++dbus_bool_t ++bus_apparmor_allows_eavesdropping (DBusConnection *connection, ++ DBusError *error) ++{ ++#ifdef HAVE_APPARMOR ++ BusAppArmorConfinement *con = NULL; ++ DBusString auxdata; ++ dbus_bool_t allow = FALSE, audit = TRUE; ++ dbus_bool_t string_alloced = FALSE; ++ unsigned long pid; ++ int serrno = 0; ++ ++ con = bus_connection_get_apparmor_confinement (connection); ++ ++ if (is_unconfined(con->context, con->mode)) ++ { ++ allow = TRUE; ++ audit = FALSE; ++ } ++ else ++ { ++ /* FIXME: Query AppArmor policy after eavesdrop permission is supported. ++ * For now, don't let any confined process eavesdrop. 
++ */ ++ allow = FALSE; ++ audit = TRUE; ++ } ++ ++ /* Don't fail operations on profiles in complain mode */ ++ if (modestr_to_complain(con->mode)) ++ allow = TRUE; ++ ++ if (!audit) ++ goto out; ++ ++ if (!_dbus_string_init (&auxdata)) ++ goto oom; ++ string_alloced = TRUE; ++ ++ if (serrno && !_dbus_append_pair_str(&auxdata, "info", strerror(serrno))) ++ goto oom; ++ ++ if (!_dbus_append_pair_str(&auxdata, "mask", "eavesdrop")) ++ goto oom; ++ ++ if (connection && dbus_connection_get_unix_process_id (connection, &pid) && ++ !_dbus_append_pair_uint(&auxdata, "pid", pid)) ++ goto oom; ++ ++ if (con->context && !_dbus_append_pair_str(&auxdata, "profile", con->context)) ++ goto oom; ++ ++ log_message(allow, "eavesdrop", &auxdata); ++ ++ out: ++ if (con != NULL) ++ bus_apparmor_confinement_unref (con); ++ if (string_alloced) ++ _dbus_string_free (&auxdata); ++ ++ return allow; ++ ++ oom: ++ BUS_SET_OOM (error); ++ allow = FALSE; ++ goto out; ++ ++#else ++ return TRUE; ++#endif /* HAVE_APPARMOR */ ++} ++ +Index: dbus-1.6.12/bus/apparmor.h +=================================================================== +--- dbus-1.6.12.orig/bus/apparmor.h 2013-10-01 19:57:26.011632766 -0700 ++++ dbus-1.6.12/bus/apparmor.h 2013-10-01 19:57:25.999632766 -0700 +@@ -61,5 +61,9 @@ bus_apparmor_allows_send (DBusConnection + const char *source, + DBusError *error); + ++dbus_bool_t ++bus_apparmor_allows_eavesdropping (DBusConnection *connection, ++ DBusError *error); ++ + + #endif /* BUS_APPARMOR_H */ +Index: dbus-1.6.12/bus/signals.c +=================================================================== +--- dbus-1.6.12.orig/bus/signals.c 2013-10-01 19:57:26.011632766 -0700 ++++ dbus-1.6.12/bus/signals.c 2013-10-01 20:18:20.583682234 -0700 +@@ -27,6 +27,8 @@ + #include "utils.h" + #include + ++#include "apparmor.h" ++ + struct BusMatchRule + { + int refcount; /**< reference count */ +@@ -1094,7 +1096,17 @@ bus_match_rule_parse (DBusConnection * + + ++i; + } +- ++ ++ if (rule->flags & 
BUS_MATCH_CLIENT_IS_EAVESDROPPING && ++ !bus_apparmor_allows_eavesdropping (matches_go_to, error)) ++ { ++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, ++ "Connection \"%s\" is not allowed to eavesdrop due to " ++ "AppArmor policy", ++ bus_connection_is_active (matches_go_to) ? ++ bus_connection_get_name (matches_go_to) : "(inactive)"); ++ goto failed; ++ } + + goto out; + diff -Nru dbus-1.6.12/debian/patches/aa-mediation.patch dbus-1.6.12/debian/patches/aa-mediation.patch --- dbus-1.6.12/debian/patches/aa-mediation.patch 2013-08-28 13:40:13.000000000 -0700 +++ dbus-1.6.12/debian/patches/aa-mediation.patch 2013-10-04 09:57:10.000000000 -0700 @@ -15,8 +15,8 @@ Index: dbus-1.6.12/bus/Makefile.am =================================================================== ---- dbus-1.6.12.orig/bus/Makefile.am 2013-08-27 23:10:31.000000000 -0700 -+++ dbus-1.6.12/bus/Makefile.am 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/Makefile.am 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/Makefile.am 2013-09-26 17:53:53.567293954 -0500 @@ -68,6 +68,8 @@ BUS_SOURCES= \ activation.c \ activation.h \ @@ -29,8 +29,8 @@ Index: dbus-1.6.12/bus/apparmor.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ dbus-1.6.12/bus/apparmor.c 2013-08-28 02:51:28.830204536 -0700 -@@ -0,0 +1,829 @@ ++++ dbus-1.6.12/bus/apparmor.c 2013-09-27 11:18:31.763278020 -0500 +@@ -0,0 +1,834 @@ +/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- + * apparmor.c AppArmor security checks for D-Bus + * @@ -586,7 +586,7 @@ + if (modestr_to_complain(con->mode)) + allow = TRUE; + -+ if (allow && !audit) ++ if (!audit) + goto out; + + audit: @@ -653,6 +653,7 @@ + const char *method, + const char *error_name, + const char *destination, ++ const char *source, + DBusError *error) +{ +#ifdef HAVE_APPARMOR 
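Review bot: In the bus/signals.c part of this hunk every FALSE from bus_apparmor_allows_eavesdropping is turned into DBUS_ERROR_ACCESS_DENIED, but the function's `oom:` label has already stored an OOM error in `error` before returning FALSE, so an out-of-memory result is reported a second time as a policy denial, and dbus_set_error is not meant to be called on an already-set DBusError. The bus.c hunk of aa-mediation.patch already guards the same situation with `if (error != NULL && !dbus_error_is_set (error))`; the new check in bus_match_rule_parse should do likewise, e.g. `if (!dbus_error_is_set (error)) dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED, ...);`, so that OOM stays OOM (and is retried) instead of being logged as a denial. Separately, in bus_apparmor_allows_eavesdropping `con->context` is dereferenced right after bus_connection_get_apparmor_confinement while the `out:` label tests `con != NULL`, and `connection` is used unconditionally at the top but guarded with `connection &&` before the pid lookup, so either the early uses need the same guards or the later checks are dead. `serrno` is never assigned a non-zero value, so the `info` pair can never be appended and the variable could be dropped. The new doc comment's @param list omits `error`; add `@param error location to store an error on out-of-memory`, and note that bus_match_rule_parse is only partially shown in the nested patch.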
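Review bot: The new `source` parameter of bus_apparmor_allows_send is added to the signature with no accompanying documentation in this hunk; the function's doc comment, if it carries a @param list, is above the hunk and not shown. Add `@param source the message's sender name, used as the peer name in the receiving connection's query` there, and the matching line to the apparmor.h prototype comment if one exists. Only the parameter list is visible here; the function body continues beyond the hunk.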
@@ -727,7 +728,7 @@ + } + else + { -+ qsize = build_query (&qstr, tcon->context, bustype, destination, ++ qsize = build_query (&qstr, tcon->context, bustype, source, + scon->context, path, interface, method); + if (qsize == -1) + goto oom; @@ -747,7 +748,7 @@ + if (modestr_to_complain(tcon->mode)) + tallow = TRUE; + -+ if ((sallow && tallow) && (!saudit && !taudit)) ++ if (!saudit && !taudit) + goto out; + + audit: @@ -758,9 +759,6 @@ + if (bustype && !_dbus_append_pair_str(&auxdata, "bus", bustype ? bustype : "unknown")) + goto oom; + -+ if (destination && !_dbus_append_pair_str(&auxdata, "name", destination)) -+ goto oom; -+ + if (path && !_dbus_append_pair_str(&auxdata, "path", path)) + goto oom; + @@ -775,11 +773,14 @@ + + len = _dbus_string_get_length(&auxdata); + -+ if (!sallow || saudit) ++ if (saudit) + { + if (!_dbus_append_mask(&auxdata, sperm)) + goto oom; + ++ if (destination && !_dbus_append_pair_str(&auxdata, "name", destination)) ++ goto oom; ++ + if (sender && dbus_connection_get_unix_process_id (sender, &pid) && + !_dbus_append_pair_uint(&auxdata, "pid", pid)) + goto oom; @@ -806,9 +807,13 @@ + + log_message(sallow, msgtype, &auxdata); + } -+ if (!tallow || taudit) ++ if (taudit) + { + _dbus_string_set_length(&auxdata, len); ++ ++ if (source && !_dbus_append_pair_str(&auxdata, "name", source)) ++ goto oom; ++ + if (!_dbus_append_mask(&auxdata, tperm)) + goto oom; + @@ -863,8 +868,8 @@ Index: dbus-1.6.12/bus/apparmor.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ dbus-1.6.12/bus/apparmor.h 2013-08-28 01:04:34.000000000 -0700 -@@ -0,0 +1,62 @@ ++++ dbus-1.6.12/bus/apparmor.h 2013-09-27 11:18:31.763278020 -0500 +@@ -0,0 +1,63 @@ +/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- + * apparmor.c AppArmor security checks for D-Bus + * 
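Review bot: In the `@@ -806,9 +807,13 @@` hunk the receiver audit record appends `name`=source before the mask, whereas the sender record in `@@ -775,11 +773,14 @@` appends the mask first and then `name`=destination, so the two records come out with different field orders for what is the same "peer" field. Moving the `if (source && !_dbus_append_pair_str(&auxdata, "name", source)) goto oom;` pair to just after `if (!_dbus_append_mask(&auxdata, tperm)) goto oom;` would make the layouts identical and easier to parse in logs. Since `name` now means the audited connection's peer in both blocks (destination for the sender, source for the receiver), a one-line comment such as `/* "name" is the peer of the connection being audited */` above the first block would spare the next reader a re-derivation. Both blocks belong to bus_apparmor_allows_send, whose start and end lie outside these hunks.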
@@ -923,14 +928,15 @@ + const char *member, + const char *error_name, + const char *destination, ++ const char *source, + DBusError *error); + + +#endif /* BUS_APPARMOR_H */ Index: dbus-1.6.12/bus/bus.c =================================================================== ---- dbus-1.6.12.orig/bus/bus.c 2012-06-06 03:45:55.000000000 -0700 -+++ dbus-1.6.12/bus/bus.c 2013-08-28 02:56:02.910211050 -0700 +--- dbus-1.6.12.orig/bus/bus.c 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/bus.c 2013-09-27 11:18:31.763278020 -0500 @@ -34,6 +34,7 @@ #include "config-parser.h" #include "signals.h" @@ -971,7 +977,24 @@ } dbus_server_free_data_slot (&server_data_slot); -@@ -1470,6 +1489,30 @@ bus_context_check_security_policy (BusCo +@@ -1407,7 +1426,7 @@ bus_context_check_security_policy (BusCo + DBusMessage *message, + DBusError *error) + { +- const char *dest; ++ const char *src, *dest; + BusClientPolicy *sender_policy; + BusClientPolicy *recipient_policy; + dbus_int32_t toggles; +@@ -1416,6 +1435,7 @@ bus_context_check_security_policy (BusCo + dbus_bool_t requested_reply; + + type = dbus_message_get_type (message); ++ src = dbus_message_get_sender (message); + dest = dbus_message_get_destination (message); + + /* dispatch.c was supposed to ensure these invariants */ +@@ -1470,6 +1490,32 @@ bus_context_check_security_policy (BusCo } return FALSE; @@ -986,7 +1009,9 @@ + dbus_message_get_interface (message), + dbus_message_get_member (message), + dbus_message_get_error_name (message), -+ dest ? dest : DBUS_SERVICE_DBUS, error)) ++ dest ? dest : DBUS_SERVICE_DBUS, ++ src ? src : DBUS_SERVICE_DBUS, ++ error)) + { + if (error != NULL && !dbus_error_is_set (error)) + { 
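Review bot: In the bus.c hunk `src ? src : DBUS_SERVICE_DBUS` makes any message whose sender header is unset look, in the receiving side's AppArmor query, as though it came from the bus driver itself. Whether a client message can reach bus_context_check_security_policy without dispatch having called dbus_message_set_sender first is outside this hunk; if it can, a receiver's rule naming org.freedesktop.DBus as peer would also match such messages. The assumption deserves a comment at the fallback, e.g. `/* sender is unset only for messages originating from the bus; dispatch sets it for client messages */`, or the fallback could be replaced by treating a NULL sender as an error if that invariant holds. bus_context_check_security_policy continues beyond the hunk.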
@@ -1004,8 +1029,8 @@ if (bus_connection_is_active (sender)) Index: dbus-1.6.12/bus/main.c =================================================================== ---- dbus-1.6.12.orig/bus/main.c 2013-06-05 09:40:34.000000000 -0700 -+++ dbus-1.6.12/bus/main.c 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/main.c 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/main.c 2013-09-26 17:53:53.575293954 -0500 @@ -39,6 +39,7 @@ #include /* for write() and STDERR_FILENO */ #endif @@ -1037,8 +1062,8 @@ } Index: dbus-1.6.12/bus/services.c =================================================================== ---- dbus-1.6.12.orig/bus/services.c 2012-08-13 11:08:25.000000000 -0700 -+++ dbus-1.6.12/bus/services.c 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/services.c 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/services.c 2013-09-26 17:53:53.575293954 -0500 @@ -36,6 +36,7 @@ #include "policy.h" #include "bus.h" @@ -1078,8 +1103,8 @@ } Index: dbus-1.6.12/bus/connection.c =================================================================== ---- dbus-1.6.12.orig/bus/connection.c 2012-08-13 11:08:25.000000000 -0700 -+++ dbus-1.6.12/bus/connection.c 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/connection.c 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/connection.c 2013-09-26 17:53:53.579293954 -0500 @@ -30,6 +30,7 @@ #include "signals.h" #include "expirelist.h" @@ -1159,8 +1184,8 @@ * Index: dbus-1.6.12/bus/bus.h =================================================================== ---- dbus-1.6.12.orig/bus/bus.h 2012-06-06 03:45:55.000000000 -0700 -+++ dbus-1.6.12/bus/bus.h 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/bus.h 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/bus.h 2013-09-26 17:53:53.579293954 -0500 @@ -38,6 +38,7 @@ typedef struct BusClientPolicy BusClien typedef struct BusPolicyRule BusPolicyRule; typedef struct BusRegistry BusRegistry; 
@@ -1171,8 +1196,8 @@ typedef struct BusTransaction BusTransaction; Index: dbus-1.6.12/bus/connection.h =================================================================== ---- dbus-1.6.12.orig/bus/connection.h 2012-06-06 03:45:55.000000000 -0700 -+++ dbus-1.6.12/bus/connection.h 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/connection.h 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/connection.h 2013-09-26 17:53:53.579293954 -0500 @@ -52,6 +52,7 @@ BusActivation* bus_connection_get_activ BusMatchmaker* bus_connection_get_matchmaker (DBusConnection *connection); const char * bus_connection_get_loginfo (DBusConnection *connection); @@ -1183,8 +1208,8 @@ DBusError *error); Index: dbus-1.6.12/cmake/bus/CMakeLists.txt =================================================================== ---- dbus-1.6.12.orig/cmake/bus/CMakeLists.txt 2013-02-05 06:37:48.000000000 -0800 -+++ dbus-1.6.12/cmake/bus/CMakeLists.txt 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/cmake/bus/CMakeLists.txt 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/cmake/bus/CMakeLists.txt 2013-09-26 17:53:53.579293954 -0500 @@ -42,6 +42,8 @@ set (DIR_WATCH_SOURCE ) set (BUS_SOURCES ${BUS_DIR}/activation.c @@ -1196,8 +1221,8 @@ ${BUS_DIR}/config-parser.c Index: dbus-1.6.12/bus/config-parser.c =================================================================== ---- dbus-1.6.12.orig/bus/config-parser.c 2013-02-12 03:45:32.000000000 -0800 -+++ dbus-1.6.12/bus/config-parser.c 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/config-parser.c 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/config-parser.c 2013-09-26 17:53:53.579293954 -0500 @@ -28,6 +28,7 @@ #include "utils.h" #include "policy.h" 
@@ -1252,8 +1277,8 @@ else Index: dbus-1.6.12/bus/config-parser-common.c =================================================================== ---- dbus-1.6.12.orig/bus/config-parser-common.c 2012-06-06 03:45:55.000000000 -0700 -+++ dbus-1.6.12/bus/config-parser-common.c 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/config-parser-common.c 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/config-parser-common.c 2013-09-26 17:53:53.579293954 -0500 @@ -127,6 +127,10 @@ bus_config_parser_element_name_to_type ( { return ELEMENT_ALLOW_ANONYMOUS; @@ -1276,8 +1301,8 @@ _dbus_assert_not_reached ("bad element type"); Index: dbus-1.6.12/bus/config-parser-common.h =================================================================== ---- dbus-1.6.12.orig/bus/config-parser-common.h 2012-06-06 03:45:55.000000000 -0700 -+++ dbus-1.6.12/bus/config-parser-common.h 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/config-parser-common.h 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/config-parser-common.h 2013-09-26 17:53:53.579293954 -0500 @@ -49,7 +49,8 @@ typedef enum ELEMENT_STANDARD_SYSTEM_SERVICEDIRS, ELEMENT_KEEP_UMASK, @@ -1290,8 +1315,8 @@ ElementType bus_config_parser_element_name_to_type (const char *element_name); Index: dbus-1.6.12/doc/busconfig.dtd =================================================================== ---- dbus-1.6.12.orig/doc/busconfig.dtd 2012-06-06 03:45:55.000000000 -0700 -+++ dbus-1.6.12/doc/busconfig.dtd 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/doc/busconfig.dtd 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/doc/busconfig.dtd 2013-09-26 17:53:53.579293954 -0500 @@ -11,7 +11,8 @@ include | policy | 
@@ -1312,8 +1337,8 @@ + mode (required|enabled|disabled) "enabled"> Index: dbus-1.6.12/doc/dbus-daemon.1.in =================================================================== ---- dbus-1.6.12.orig/doc/dbus-daemon.1.in 2012-08-13 11:08:25.000000000 -0700 -+++ dbus-1.6.12/doc/dbus-daemon.1.in 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/doc/dbus-daemon.1.in 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/doc/dbus-daemon.1.in 2013-09-26 17:53:53.579293954 -0500 @@ -648,6 +648,20 @@ Right now the default will be the securi If two elements specify the same name, the element appearing later in the configuration file will be used. @@ -1374,8 +1399,8 @@ .PP Index: dbus-1.6.12/bus/test-main.c =================================================================== ---- dbus-1.6.12.orig/bus/test-main.c 2012-06-06 03:45:55.000000000 -0700 -+++ dbus-1.6.12/bus/test-main.c 2013-08-27 23:10:31.000000000 -0700 +--- dbus-1.6.12.orig/bus/test-main.c 2013-09-26 17:53:53.583293954 -0500 ++++ dbus-1.6.12/bus/test-main.c 2013-09-26 17:53:53.579293954 -0500 @@ -30,6 +30,7 @@ #include #include diff -Nru dbus-1.6.12/debian/patches/series dbus-1.6.12/debian/patches/series --- dbus-1.6.12/debian/patches/series 2013-08-12 15:16:31.000000000 -0700 +++ dbus-1.6.12/debian/patches/series 2013-10-04 09:57:10.000000000 -0700 @@ -11,4 +11,4 @@ aa-build-tools.patch aa-mediation.patch aa-get-connection-apparmor-security-context.patch -aa-kernel-compat-check.patch +aa-mediate-eavesdropping.patch