From b8ac1d49802dbadecb1805baf4d6ca0ac7735ef0 Mon Sep 17 00:00:00 2001 From: Gerald Turner Date: Thu, 11 May 2017 17:15:09 -0700 Subject: Install AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd. The AppArmor profile for charon-systemd was copied from the existing profile for /usr/lib/ipsec/charon without much scrutiny other than testing basic IPsec tunnels (no fancy plugin options were tested). It appears that the team at Canonical that had written the /usr/lib/ipsec/charon policy had done extensive testing with several plugins, and it seems likely that applying the same profile to charon-systemd will allow those plugins to continue to work. The AppArmor profile for swanctl was written from scratch and well tested. It turns out that swanctl unnecessarily loads plugins by default, so a bit of frivolous access has been granted. --- debian/changelog | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 885fa760a..0161c00ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,7 +14,9 @@ strongswan (5.5.3-3) UNRELEASED; urgency=medium upstream to install configuration to output logging information to the journal. * debian/charon-systemd.install: - - install charon-systemd.conf files, thanks Gerald Tuner. closes: #866325 + - install charon-systemd.conf files, thanks Gerald Turner. closes: #866325 + * Add AppArmor profiles for swanctl and charon-system, thanks Gerald Turner. + closes: #866327 -- Yves-Alexis Perez Wed, 28 Jun 2017 22:57:48 +0200 -- cgit v1.2.3
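Review bot: The added changelog line names the daemon "charon-system", but the commit subject and the debian/charon-systemd.install entry directly above it both say charon-systemd; the entry should read "Add AppArmor profiles for swanctl and charon-systemd". The commit message also says the charon-systemd profile was copied from the /usr/lib/ipsec/charon profile with only basic IPsec tunnel testing, and that the swanctl profile grants some unnecessary access because swanctl loads plugins by default. Neither caveat appears in the changelog entry, so consider a short note there, or a follow-up bug, so the profiles get tightened later. The diffstat shown is limited to debian/changelog, so the profiles themselves cannot be reviewed from this view.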