ALP-pool/apparmor
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 apparmor revision f47591b8c15fad3cc52a4a9bca9f87af

Browse Source
This commit is contained in:
Adrian Schröter 2024-02-19 18:41:13 +01:00
commit 6ecca88275
20 changed files with 3719 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

4
_multibuild Normal file
View File

@ -0,0 +1,4 @@
<multibuild>
<package>libapparmor</package>
</multibuild>

23
apache-extra-profile-include-if-exists.diff Normal file
View File

@ -0,0 +1,23 @@
Make the <apache2.d> include optional to avoid problems with empty profile dir.
Probably doesn't happen on real systems, but openQA uses an empty profile dir
for some tests.
Note: the patch gets applied before moving the profile to the extra directory
because quilt doesn't run the 'mv' command and therefore fails to patch the
profile at its new location (extra profiles directory)
Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
Index: profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2
===================================================================
--- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100
+++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100
@@ -75,7 +75,7 @@ include <tunables/global>
# This directory contains web application
# package-specific apparmor files.
- include <apache2.d>
+ include if exists <apache2.d>
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.apache2.mpm-prefork.apache2>

BIN
apparmor-3.1.7.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

17
apparmor-3.1.7.tar.gz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmXBWL0aHGFwcGFybW9y
QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuerQ//QCW7GNO++nu3fv4lH7qy
Fz8FRIdbzsZx0jnWcj07xoRBiGhPijdGXzv7SH0PQL2rBhIZqXUZO/nEAzkJzwXd
DUIFyospmNTcd+CXd+Xj6u/oq7lSWu+XxcepWWyw5I9mU+IdpGhIhW5RtgMl/khx
sSfhPgO5mymnQ6CZBazTnxmKlIvyuqO+TAZTupK7ce1ld+dETDM8XzAnbwAYHocl
tELqIoQyGCyicdFHDEJM5aDJGyY8pWVaOblLmlB0xBPuyL1reaUyVv1Ru097E/5n
TRPAEtlFBlMFAQs19sY7lXbM4vTmuZP6nAn2A3sQMqTwBqaJ/DRi2ujrE++hYFmF
ltQQ8UwUKf2PsUfCUp9kvVjyL3orGal3vhbSn+6ohpRVzzmF4I23gLiV8bS1dod9
FUKcMpN+8qffowgCaTo6GwbNW4vD6nqQkfIwJaY+TjVN2TMwskfj/XUulwSiYicT
wycP8rWdKCbZ/HXZlYEOVs/tS3pEDlU3fLIYzEJ9m857rYb1etldN8zR8ws5cuQy
ZBbAqmpB8QRh4tvGbysqLLxQZYfUWDotKI/IStHLZ2MfWFiQNR6lCawpptC/ah4C
T4OruJAByicSiDI1ini41UwD53sgEZ2SOXdaB5DjGfLDzzw36JfFpYNKLRSiJuW2
6fXO9jCqPrweMYfr6ImGBF4=
=C8pg
-----END PGP SIGNATURE-----

43
apparmor-abstractions-openssl-allow-version-specific-en.patch Normal file
View File

@ -0,0 +1,43 @@
From 00efed1f35e2bb3f01c1914a4968e48562612fd4 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Wed, 7 Feb 2024 08:49:58 +0000
Subject: [PATCH] Merge abstractions/openssl: allow version specific engdef &
engines paths
Some openssl distributions use version specific engdef and engines paths
to support multi-version installations.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571
Signed-off-by: David Disseldorp <ddiss@suse.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1147
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Christian Boltz <apparmor@cboltz.de>
(cherry picked from commit 2577fbf0770784e531f9210856208a774ae92af0)
2b8cf1be abstractions/openssl: allow version specific engdef & engines paths
---
profiles/apparmor.d/abstractions/openssl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/openssl b/profiles/apparmor.d/abstractions/openssl
index 65939ae4..e2c5955c 100644
--- a/profiles/apparmor.d/abstractions/openssl
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -12,8 +12,8 @@
/etc/ssl/openssl.cnf r,
/etc/ssl/openssl-*.cnf r,
- /etc/ssl/{engdef,engines}.d/ r,
- /etc/ssl/{engdef,engines}.d/*.cnf r,
+ /etc/ssl/{engdef*,engines*}.d/ r,
+ /etc/ssl/{engdef*,engines*}.d/*.cnf r,
/usr/share/ssl/openssl.cnf r,
# Include additions to the abstraction
--
2.35.3

26
apparmor-enable-precompiled-cache.diff Normal file
View File

@ -0,0 +1,26 @@
Set the cache location to /var/cache/apparmor/ (writeable) and
/usr/share/apparmor/cache/ (packaged precompiled cache).
See boo#1069906 and boo#1074429
Note that Tumbleweed packages don't include precompiled profile cache on
Tumbleweed as long as it's purely validated based on timestamps (boo#1205659)
Signed-off by: Christian Boltz <apparmor@cboltz.de>
Index: parser/parser.conf
===================================================================
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
@@ -31,6 +31,9 @@
## Turn creating/updating of the cache on by default
write-cache
+
+# cache location (cache writes go to the first directory in the list)
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
## Show cache hits
#show-cache

26
apparmor-enable-profile-cache.diff Normal file
View File

@ -0,0 +1,26 @@
Enable caching of profiles.
This speeds up loading the (unchanged) profiles about 20 times.
Upstream doesn't enable caching because the cache directory is not
writeable at the time profiles are loaded in Ubuntu.
See also bnc#689458
Signed-off by: Christian Boltz <apparmor@cboltz.de>
Index: parser/parser.conf
===================================================================
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
@@ -31,7 +31,7 @@
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
## Turn creating/updating of the cache on by default
-#write-cache
+write-cache
## Show cache hits
#show-cache

17
apparmor-lessopen-nfs-workaround.diff Normal file
View File

@ -0,0 +1,17 @@
Index: profiles/apparmor.d/usr.bin.lessopen.sh
===================================================================
--- profiles/apparmor.d/usr.bin.lessopen.sh.orig 2021-09-18 15:15:00.967216031 +0200
+++ profiles/apparmor.d/usr.bin.lessopen.sh 2021-09-18 15:18:35.731065782 +0200
@@ -13,6 +13,12 @@ abi <abi/3.0>,
capability dac_override,
capability dac_read_search,
+ # workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1119937 / http://bugzilla.opensuse.org/show_bug.cgi?id=1190552 / https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+
/** rk,
/{usr/,}bin/bash mrix,
/{usr/,}bin/rpm mrix,

57
apparmor-lessopen-profile.patch Normal file
View File

@ -0,0 +1,57 @@
Index: profiles/apparmor.d/usr.bin.lessopen.sh
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ profiles/apparmor.d/usr.bin.lessopen.sh 2017-10-28 14:15:12.624358664 +0200
@@ -0,0 +1,52 @@
+# vim: ft=apparmor
+
+abi <abi/3.0>,
+
+#include <tunables/global>
+
+/usr/bin/lessopen.sh {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/consoles>
+ #include <abstractions/perl>
+
+ capability dac_override,
+ capability dac_read_search,
+
+ /** rk,
+ /{usr/,}bin/bash mrix,
+ /{usr/,}bin/rpm mrix,
+ /{usr/,}bin/tar mrix,
+ /tmp/less.* rw,
+ /usr/bin/bzip2 mrix,
+ /usr/bin/cabextract mrix,
+ /usr/bin/cat mrix,
+ /usr/bin/colordiff mrix,
+ /usr/bin/dvi2tty mrix,
+ /usr/bin/eqn mrix,
+ /usr/bin/file mrix,
+ /usr/bin/grep mrix,
+ /usr/bin/groff mrix,
+ /usr/bin/grotty mrix,
+ /usr/bin/gzip mrix,
+ /usr/bin/head mrix,
+ /usr/bin/lynx mrix,
+ /usr/bin/mktemp mrix,
+ /usr/bin/nm mrix,
+ /usr/bin/pic mrix,
+ /usr/bin/pdftotext mrix,
+ /usr/bin/ps2ascii mrix,
+ /usr/bin/rm mrix,
+ /usr/bin/seq mrix,
+ /usr/bin/soelim mrix,
+ /usr/bin/tar mrix,
+ /usr/bin/tbl mrix,
+ /usr/bin/troff mrix,
+ /usr/bin/unzip mrix,
+ /usr/bin/unzip-plain mrix,
+ /usr/bin/w3m mrix,
+ /usr/bin/which mrix,
+ /usr/bin/xz mrix,
+
+ include if exists <local/usr.bin.lessopen.sh>
+}

7
apparmor-rpmlintrc Normal file
View File

@ -0,0 +1,7 @@
# .features file for pre-compiled cache
addFilter("hidden-file-or-dir /usr/share/apparmor/cache/[0-9a-f]*.0/.features")
# warnings for the disabled tomcat_apparmor subpackage
# addFilter("devel-file-in-non-devel-package.*/usr/lib63/libJNIChangeHat.so")
# addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so")
# addFilter("shlib-policy-name-error.*libJNIChangeHat0")

26
apparmor-samba-include-permissions-for-shares.diff Normal file
View File

@ -0,0 +1,26 @@
Samba generates a profile sniplet with permissions for all shares at
start using the update-apparmor-samba-profile script.
After the include rules were upstreamed in AppArmor 3.0.5 (MR 838), this
patch was shortened. Now it "only" creates a dummy profile sniplet
because update-apparmor-samba-profiles on Leap 15.3 and 15.4 aborts if
the local/ sniplet doesn't exist.
Tumbleweed does not rely on a pre-existing local/usr.sbin.smbd-shares
anymore, therefore the patch gets skipped there in the spec.
References: https://bugzilla.novell.com/show_bug.cgi?id=688040
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== added file 'profiles/apparmor.d/local/usr.sbin.smbd-shares'
--- profiles/apparmor.d/local/usr.sbin.smbd-shares 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/local/usr.sbin.smbd-shares 2011-10-19 09:40:05 +0000
@@ -0,0 +1,2 @@
+# This file will be replaced by rules for all samba shares at samba start.
+# Do not edit!

2308
apparmor.changes Normal file
View File

File diff suppressed because it is too large Load Diff

89
apparmor.keyring Normal file
View File

@ -0,0 +1,89 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFUwHrABEADZVFn6TF2SxrpMiknHVeUHW7l4mOjHcxtULlEOQ3yaxyNxA0iE
GFWnbP7ek2cjzrfNIA1HNiS0FNsKipRAd5EfRUvJO3lrVfPBRBMLExeyA5h8vXtc
fcp9zpmKAlNVkx85LtVHxch6eUZapNPwqxKJFiDCrFM/zGk4vbRODy2KO3C8XWiy
gHQEW4mjPEsJw6xhyNC63LpCRol7qQu8j6rLJur7GWzSaLKgcUpDktsMJhNRPmCd
Dzb4mbEsbSmWUZ0C2e4HqTs6yjkc3HCIPCsxi4Y8e55qVJRvmOvlx0vGqfUrZyXD
cUQb8PX02V7sjA1DvE4PnZ8yHj1bS7/Q9x+R5ZjTMkqQ0cYXFnMb8pJ/oZucwl41
RM7Nc57J7XLJmLRv/E7OL4v9DrobIPMOLvAU+PPdYzw+mUZx0jElOo84135nR/0K
EC7twaZxXVfF79iCY3OEhbHlPUH+62ucfcIdiV+TBKMhx70XJb4qDn1iDo2XW++N
8LF+7sZNLJnfJ7QfHUwVodWIXNaMsGOfknrZ4mcYbhETk2t6RpfmWUp61nVGeXgo
t1k3DXH93rFyccnEkGI8Y/+zFNN2QuZUx56kq6OF4Z3bhk7tSwA1/RubDRoNEQgF
94eGrKMgCfHhwPcV6KCtigtmXbdzhFQS5hJkvGOBHhVht9KbMrs9zh4RLQARAQAB
tExBcHBBcm1vciBEZXZlbG9wbWVudCBUZWFtIChBcHBBcm1vciBzaWduaW5nIGtl
eSkgPGFwcGFybW9yQGxpc3RzLnVidW50dS5jb20+iQI9BBMBCgAnBQJVMB6wAhsD
BQkPCZwABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEGaJ5k49NmS7Lp4QAIS3
D070h7N/giZLUsciLedixqLW8bDzDNFLLturd9ng3x3GwEGdEzibh4TASE6fAQAR
x6oW51ndgI5o7ZoNU3I0I/uLPM1B6YscmN9W2SD5oK8uQ7/K5//b8OGLq/cg1ych
O2lAh5jaGAhmfHy1MS4ZPQ9zbuwARddB7ESD81P4XIRvd/XzfsB2xW+k/7IR/P3M
ZQg+GZm6PxgbK6iwlVyWKj1NyTppzxCWu1yljlbq+Noi5LiucbRdG5qCrymnjgwR
kTeFlvBLYP7NDUifP6JsHgxwKbmvrMmFVJTRx2QnsmGv5DA0Evyz8Bof78S4lJQJ
TkfiiBmWUc6VNv3IQ56PqMQ6RlsKdaGUxXlcPekyeWKC5K6r80m8YjJNBQ+RQMlh
OC7AIckqcB/wPk3/iHvuNbJ0oNd/x/BFBgCs1Wlkktah+tc1aYVPvN1MKhChKD++
RJYZE+BzR3HSgwBE2Oth7s53D+7ZZPtQoQvhxgKBLAlO7rvhlZi1G0id2BaAqris
Bwj/zFztNewOFCplM4cIXN2pRthgTJYSv/lCarnHsenTZ9zqqkWj3OsFPcMeWhtI
p3jyHXbGC9PtzodG51Aefmz0TqUwIvQxXQ6gOTVlGxMK64MweypYLxMOh9bQOMpS
29XKiX1dKB9ThjTJ6cDBKS7tnZ3cRxAHD3ZOGtiIiEYEEBEKAAYFAlUwIioACgkQ
gTeYuayTEnF41wCfVgK6+6dvch7YdkxGYOzkyt2G/EEAoIJq94o9guRD5OWVKS6N
gkjXvKQtiQIcBBABCgAGBQJVMCJMAAoJEC8Jno0AXoH0orQP/Rjx0Mdsorjfir+Y
ahNk5g4y4ZH425usPRMxRARNpZeGu58RLWOmSW5Fv//I95V0GnK8vyl5YuquHBJM
BRN4PR1XqHUqXdzG8zPZLG5elcqyV3cs58QSUyO+6Nbh4OY/VxqcawZYFaL5XE8N
y0qo2zeFcACIgsmuPMGBgkB3LAEJQxYZab6n2uIuMnJVai2DSIO5Ql2XC4mrKZOW
2GG6vlvM/MmrKKD+gFKCoGvoea9wYYb/3Lu/DU7nARGcCYyvX2zRTuasUO95Anm5
zYxeXMvSJEq36U+xPLliTcT+bZrzf/dK93SSi/B6txYdM1KQhU0/vLQtdtDDQPFO
edvHIVo+UFrve/lNYSmNEcjgd7iAGwFPe7y6dAQs3KQvE70g10KuSVQuYqSVHJ7t
AC0AGHHsBcijFLzsSn9hOve8DSo/Jwjgvb1Rx1wl8RsmegATOik7FnWRsU+2OM9f
/BU3sLXuKWRQFXiVHsEpRO+vKVFVtcdu7BGzuFBnLS26SNP2jKRYIWJ1ea177w82
vcjX5URSTBSQef0ABuYgzcV3CmTkKmpDmy49X+bpLQjYwX26XVh4Fm8yULTXT+Wc
pyDNf4itO8VSQpzrecBBcNJnyYvKBOuV0ASs4bZ0/ghmfGNHENk18ZQHZQ0pI1vX
eNk5l60Ensk0WWA/sz1732WzhTtRiQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYC
AwEAAh4BAheAFiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmRRDVUFCRECIiUACgkQ
ZonmTj02ZLsLKg/9FOHsQ9aab5nZd3UfHxT3YTC73wkRIkKtoO1Y3Sv4pHzMr3CP
AV9Z+5YA8rUGyaSB14AFyVKjCswv3Rymd3IV+i2UYO9RwUpv3nM+adumIRga/mXp
yMwARcsRhlrrsUQL0H8R868Z/Pmq7yQw60/0jUXC/O+BJwD0xtTe/oIOwc7oyCDL
oOX8R0XcuVcnoDn0Mc27hFV1xK3iz5c0LtqTLLW20I3YqIVPdiF52SAwFo57xNZ7
ntIvhntEHvhTzSD/BtiTNolhxf3C/pm/tmkgZ1CbkZn/TmXGEibHauP6Q9l1T7y9
HkrPrq89c6kRVDnl6k3/W8f38ocat6U2xBcRQYtcLPvns3VpLIcLge1E2k0C7pYT
KxhyCo3Oc8WGpNX7ta/i3umUk0JlNl2vKiqjFilDWiu2ygXzzucmcQCkYQElrmUC
qGMBDnZWAi6qR1yMDiOdeIHni6V8GAjRUGVUhrqzMRNF091Szthxn4EQGOoZSBZl
9MkKm02hlj95eE+7UtSk/tAtLNxnIhwsz4OYxQxKh/kmj7AD8D2mD4ImQKaoCIPv
YJOXt6fHSLWZGNOSAn6oOWgAb4yMfausgJsE+USEsYphAyE/gfyPEqM3h7RzWmFi
u6UHYeKGpEzi6r66x/+WBH7VwJDM0Zg3KfDPXznyq3ZSUjpplQQI56UXttG5Ag0E
VTAesAEQALOrZwOHmAYfjX0/AgaaTFitlbJWCWZc8j/ix/90CrKuv8VGRI1b5VnP
D/ItV8DjNb221hF4myYUqpelKgXxyLlF9l/V9tr3G/gjnHhYEY1xpRnN0qbu8xb+
t4lEOw3Dt/rO8v1WVRS2UvyVKew5tsTIKsjygxTAnO7yiMUyJR9F+ZDQhCtgLyEW
CYySSewbqBBOspJffEOYU94Bo3XVMDX22Gb4atwRsq8MyJLlEYb3bgubP7rsL6GY
pzodG8M+Q2nqmsOaIyIuQK6fqpBALluN07fIqUS6HF41w0DEogSm/lLLL2ARddPw
N4tCa61IcdvVJhIwHqbNftv7fC2Rr4S4LBaTdWu62k4cPQcIkwy3Fsuu2XKry/7e
by/23J80FVp4XJHsgS31yIaIh7l43DxHcTcFEYQhbsAGznmucDjuaZU7qcEarxUy
uIsJ5VI7sj8P716dK9xOeDvw8r32IFbt7qBsa0ZRcum/H9u7rUelCucbgNZUnuOT
pbZttItyVPwPAkNCI36mhqY26hCOoBbGvGxg81Gxzr9GjQskxcCRzTFCpKG1eXal
0J0muiPyBereLcelB8NmuPM1tbTaAw0dIJHlCmYZLhSsvx7H7cNicZRmH9LExVVV
tFDh09s7nJNvAN1pCQB6cDoVqPiUztKO/hOiIbot3pzpQxTUHkJVABEBAAGJAiUE
GAEKAA8FAlUwHrACGwwFCQ8JnAAACgkQZonmTj02ZLst/A//Qz6ROHlu+LLiuvo6
0JSd3+oKhv8MEuRsJsesRnP/7bJRBrUhL3cGMqtTa6YP8JwwRTQXrKW0evtC0W59
YSRzPUe99Gu7YfUHeus3GvVxpvR6Tsr7jnqA3k6zb+M//UvgGwCMA+KLXC2Gkfn3
Pybffcva4OeSR3xxRNohb5ME8bbA3YI4n4+DJ31IBqqlUWY7QKguFaLHIrjY4lNu
bXZLJ5SrZWVVf6/5LauqXrhFkkj0pyc3/fqRYCAx0O4KlrxcSEk/YPELxBwXJ24/
v9l1glk1a6KfLpU/4cpuU/oiadzrGPMddJBq4OynmFS7HP5otoAlJLXIEDbeV92F
/5h+7iu4wYUgJ0dcCRFcG3YkUhWyS3dwv+0Gs0SQOLQkboXNgBL2AskjK+UmUSWB
dcXQ5mXrSSOHbnjFEMQflDz+ykEN3PDQWQdLeE9aMzewNJJm5f1gBkPPDTBAYzqy
XjL4FfwjYl6uEX1IhLrTo0BpP7TqQ4fnBrhLnW7pc35R1ehdrpdKj9+qFUe3/ky7
UD3SAyQDrmOLRf5e79iijdSLVPHnzi2q0ckWcNBrjAluaMHu7OpumSTvEoUgjW+A
trJLwyQW+D6WeaO+Cv+97SGgdmdUJLOZ32RmAaQpB9NoYUhlFzbgPji1wgvUrbQH
5yyRGqGl57sQZptruxrN2lWTcDSJAjwEGAEKACYCGwwWIQQ+zcul+zTSVJYcxT9m
ieZOPTZkuwUCZFENowUJEQIicwAKCRBmieZOPTZku47eEAC2yveESIGTnAcyJW04
6igIK4NRwdfF89TDO5rJa8ZrKhbPw2Qk6CNf575cLj4/CMo6oJV3zv4a4CXztZ2B
8ObJ83pWX8AErQxA4dZdd2J+wl+5bPfeXI1Rm7FmOm32IrJfBI5hRSCq8/GBagaF
xnX5BTmnnWiDRKviodZ3kb9JVl4r1Nj4ELfC2eWpkp9KsAtrP48vK7DD7wP2uc/Z
ngCVzzSiWRLFOsUyVssYjgKZlFGYZ0w0kcTJoeoCTXU1/YvudFjeYb9vHBCJIoDU
NZi4Szxww6bnhgeCldP7Hr9rqwuPk8ReVcvbQOThORubY79oGdCp+ZmmoMFqAlDL
PektIdi0ZoP1a/u/d7qWTutLfkSHL2xwITtjVQtYY3wsuf9FVua8sksohSXuYW+d
DvP76y5EHZjituhykWm1SB74vy7XwxTJqhwTUgjdjc6Mwm4wu2eGCarfSTPrEin3
X6oFB7TUFddDc8gADKmPsy+Q2ts7RAZzl1dPQEmHBhwbH9ifXtahQjlg7XKYN7A6
ByfDxcono0VHBte5gTHIoi9k7CwEIHqjlHphpCORnzFemu52kdSN49gwrqK5hGTr
uv0BfG/LcYu2px9O2b65QTcR4nF1Zr07XfzL3pMUHsDquYBS67L2FnyXwOEfxRnX
EC34BZpyVkv7QfB5AuuQGbIeFQ==
=QOb0
-----END PGP PUBLIC KEY BLOCK-----

782
apparmor.spec Normal file
View File

@ -0,0 +1,782 @@
#
# spec file for package apparmor
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2011-2024 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?suse_version} >= 1550
%define sbindir %_sbindir
%define apparmor_bin_prefix /usr/lib/apparmor
%else
%define sbindir /sbin
%define apparmor_bin_prefix /lib/apparmor
%endif
%if 0%{?suse_version} <= 1500
# _pamdir isn't defined in 15.x
%define _pamdir /%{_lib}/security
%endif
# warning - confusing syntax ahead ;-)
# bcond_with means "disable"
# bcond_without means "enable"
%bcond_with tomcat
%bcond_without pam
%bcond_without apache
%bcond_without perl
%bcond_without python3
%bcond_without ruby
%if 0%{?suse_version} <= 1550
# enable precompiled profile cache on <= 15.x
%bcond_without precompiled_cache
%else
# don't build precompiled profile cache on Tumbleweed as long as it's purely validated based on timestamps (boo#1205659)
%bcond_with precompiled_cache
%endif
%define CATALINA_HOME /usr/share/tomcat6
#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
#define JNI_SO libJNIChangeHat.so
%define JAR_FILE changeHatValve.jar
Name: apparmor
Version: 3.1.7
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
URL: https://launchpad.net/apparmor
Source0: apparmor-%{version}.tar.gz
Source1: apparmor-%{version}.tar.gz.asc
Source2: %{name}.keyring
Source5: update-trans.sh
Source6: baselibs.conf
Source7: apparmor-rpmlintrc
# enable caching of profiles (= massive performance speedup when loading profiles)
# and set cache-loc in parser.conf and apparmor.service accordingly
Patch1: apparmor-enable-profile-cache.diff
# include autogenerated profile sniplet for samba shares (bnc#688040) - include rule upstreamed in 3.0.5 (MR 838), now "just" creates the local/ sniplet
# (technically only needed in Leap 15.x, the samba script in Tumbleweed also works if the local/ sniplet doesn't exist - but dropping the local/ sniplet will move existing autogenerated sniplets to *.rpmsave)
Patch2: apparmor-samba-include-permissions-for-shares.diff
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch3: ruby-2_0-mkmf-destdir.patch
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch4: apparmor-lessopen-profile.patch
# workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
# fixed in Kernel 6.0 and later (see comment in https://bugs.launchpad.net/bugs/1784499)
Patch5: apparmor-lessopen-nfs-workaround.diff
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff
# add path for precompiled cache (only done/applied if precompiled_cache is enabled)
Patch7: apparmor-enable-precompiled-cache.diff
# allow dovecot-auth to execute unix_chkpwd, and add a profile for unix_chkpwd. This is needed for PAM 1.6 (boo#1219139)
Patch9: dovecot-unix_chkpwd.diff
# abstractions/openssl: allow version specific engdef & engines paths (boo#1219571)
Patch10: apparmor-abstractions-openssl-allow-version-specific-en.patch
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: bison
BuildRequires: dejagnu
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: iproute2
BuildRequires: pcre-devel
BuildRequires: pkg-config
BuildRequires: python3
BuildRequires: perl(Locale::gettext)
BuildRequires: swig
%if %{with python3}
BuildRequires: python-rpm-macros
BuildRequires: python3-devel
BuildRequires: python3-notify2
BuildRequires: python3-psutil
BuildRequires: python3-setuptools
%endif
%if %{with ruby}
BuildRequires: ruby-devel
%endif
%if %{with apache}
BuildRequires: apache-rpm-macros
BuildRequires: apache2-devel
%endif
%if %{with tomcat}
BuildRequires: ant
BuildRequires: java-devel >= 1.6.0
BuildRequires: tomcat6
%endif
%package parser
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
Group: Productivity/Networking/Security
Conflicts: apparmor-utils < 3.0
Obsoletes: libimnxcert < 2.9
Obsoletes: subdomain-leaf-cert < 2.9
Obsoletes: subdomain-parser < 2.9
Obsoletes: subdomain-parser-common < 2.9
Obsoletes: subdomain-parser-demo < 2.9
Obsoletes: subdomain_parser < 2.9
Provides: libimnxcert = %{version}
Provides: subdomain-leaf-cert = %{version}
Provides: subdomain-parser = %{version}
Provides: subdomain-parser-common = %{version}
Provides: subdomain-parser-demo = %{version}
Provides: subdomain_parser = %{version}
Provides: apparmor-parser(CAP_SYSLOG)
BuildRequires: systemd-rpm-macros
%{?systemd_ordering}
%description parser
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%package docs
Summary: AppArmor Documentation package
License: GPL-2.0-or-later
Group: Documentation/Other
BuildArch: noarch
%description docs
This package contains documentation for AppArmor.
This package is part of a suite of tools that used to be named
SubDomain.
%if %{with apache}
%package -n apache2-mod_apparmor
Summary: AppArmor module for apache2
License: GPL-2.0-or-later
Group: Productivity/Security
%description -n apache2-mod_apparmor
apache2-modapparmor adds support to apache2 to provide AppArmor
confinement to individual cgi scripts handled by apache modules like
mod_php and mod_perl.
This package is part of a suite of tools that used to be named
SubDomain.
The documentation is in the apparmor-admin_en package.
%endif
%if %{with perl}
%package -n perl-apparmor
Summary: Perl interface for libapparmor functions
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Development/Libraries/Perl
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
Provides: perl-libapparmor = %{version}
Obsoletes: perl-libapparmor < 2.5
%description -n perl-apparmor
This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor.
%endif
%if %{with python3}
%package -n python3-apparmor
Summary: Python 3 interface for libapparmor functions
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Development/Libraries/Python
Requires: libapparmor1 = %{version}
Requires: python3
Requires: python(abi) = %{py3_ver}
%description -n python3-apparmor
This package provides the python interface to AppArmor. It is used for python
applications interfacing with AppArmor.
%endif
%if %{with ruby}
%package -n ruby-apparmor
Summary: Ruby interface for libapparmor functions
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Development/Languages/Ruby
Requires: libapparmor1 = %{version}
Requires: ruby = %(rpm -q --qf '%%{version}' ruby)
Provides: ruby-libapparmor = %{version}
Obsoletes: ruby-libapparmor < 2.5
%description -n ruby-apparmor
This package provides the ruby interface to AppArmor. It is used for ruby
applications interfacing with AppArmor.
%endif
%package abstractions
Summary: AppArmor abstractions and directory structure
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
Requires: apparmor-parser(CAP_SYSLOG)
BuildArch: noarch
%description abstractions
AppArmor abstractions (common parts used in various profiles) and
the /etc/apparmor.d/ directory structure.
AppArmor is a file and network mandatory access control mechanism.
AppArmor confines processes to the resources allowed by the systems
administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
%package profiles
Summary: AppArmor profiles that are loaded into the apparmor kernel module
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
Requires: apparmor-abstractions >= %{version}
Requires: apparmor-parser(CAP_SYSLOG)
Obsoletes: subdomain-profiles < 2.9
Provides: subdomain-profiles = %{version}
BuildArch: noarch
%description profiles
Base profiles. AppArmor is a file and network mandatory access control
mechanism. AppArmor confines processes to the resources allowed by the
systems administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
%package utils
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
Requires: apparmor-parser
Requires: libapparmor1 = %{version}
Requires: python3-apparmor = %{version}
Requires: python3-base
Requires: python3-notify2
Requires: python3-psutil
# aa-unconfined needs ss
Recommends: iproute2
BuildArch: noarch
%description utils
This package provides the aa-logprof, aa-genprof, aa-autodep,
aa-enforce, and aa-complain tools to assist with profile authoring.
Besides it provides the aa-unconfined server information tool.
It is part of a suite of tools that used to be named SubDomain.
%if %{with tomcat}
%package -n tomcat_apparmor
Summary: Tomcat 6 plugin for AppArmor change_hat
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: System/Libraries
Requires: libapparmor1 = %{version}
Requires: tomcat6
%description -n tomcat_apparmor
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
provides support for AppArmor change_hat for creating AppArmor
containers that are bound to discrete elements of processing within the
Tomcat servlet container. The AppArmor containers, or "hats", can be
created for individual URL processing or per servlet.
%endif
%if %{with pam}
%package -n pam_apparmor
Summary: PAM module for AppArmor change_hat
License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security
BuildRequires: pam-devel
PreReq: pam
PreReq: pam-config
Requires: pam
Requires: pam-config
%description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications
that call pam_open_session() to automatically perform an AppArmor
change_hat operation in order to switch to a user-specific security
policy.
%endif
%description
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%lang_package -n apparmor-utils
%lang_package -n apparmor-parser
%prep
%setup -q
# very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984)
mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/
%patch1
%patch2
%patch3 -p1
%patch4
%patch5
%patch6
%if %{with precompiled_cache}
%patch7
%endif
%patch9 -p1
%patch10 -p1
%build
export SUSE_ASNEEDED=0
# libapparmor:
(
cd ./libraries/libapparmor
%configure \
%if %{with perl}
--with-perl \
%endif
%if %{with python3}
--with-python \
%else
--without-python \
%endif
%if %{with ruby}
--with-ruby \
%else
--without-ruby \
%endif
make
)
# Utilities:
make -C utils
# binutils
make -C binutils
# parser:
make -C parser V=1
# Apache mod_apparmor:
%if %{with apache}
make -C changehat/mod_apparmor
%endif
# PAM AppArmor:
%if %{with pam}
make -C changehat/pam_apparmor
%endif
# Profiles:
make -C profiles
%if %{with tomcat}
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
# pre-build profile cache
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
%if %{with precompiled_cache}
parser/apparmor_parser --config-file $(pwd)/parser/parser.conf --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
%endif
%check
make check -C libraries/libapparmor
make check -C parser
make check -C binutils
# profiles make check fails for the utils (they expect /sbin/apparmor_parser to exist), therefore only do parser-based check
make -C profiles check-parser
# test for a few files that should exist in the cache
%if %{with precompiled_cache}
test -f profiles/cache/*/bin.ping
test -f profiles/cache/*/.features
%endif
# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
make check -o check_lint -C utils
%install
# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
%makeinstall -C libraries/libapparmor/swig
# utilities
%makeinstall -C utils
test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
# binutils
%makeinstall -C binutils
( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )
%makeinstall -C profiles
%if %{with precompiled_cache}
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
echo -e "\n\n *** WARNING: precompiling cache is known to fail under 'osc build' - use 'osc build --vm-type kvm' instead or skip building the precompiled cache with 'osc build --without precompiled_cache' ***\n\n"
# ensure cache files are newer than (text) profiles by sleeping a few seconds, and using cp -r which updates the timestamps
sleep 2
cp -r profiles/cache/* %{buildroot}/usr/share/apparmor/cache
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
%endif
%makeinstall SBINDIR="%{buildroot}%{sbindir}" APPARMOR_BIN_PREFIX="%{buildroot}%{apparmor_bin_prefix}" -C parser
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
%endif
%if %{with pam}
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_pamdir}
%endif
%if %{with tomcat}
mkdir -p %{buildroot}/%{CATALINA_HOME}
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
%endif
find %{buildroot} -name .packlist -exec rm -vf {} \;
find %{buildroot} -name perllocal.pod -exec rm -vf {} \;
# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
d=$(dirname $file)
f=$(basename $file)
case "${f#aa-}" in
audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \
audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
if [ "${f#aa-}" != "$f" ]; then
ln -s $f $d/${f#aa-}
fi
;;
esac
done
mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
rm -f %{buildroot}%{_mandir}/man8/decode.8
for pkg in apparmor-utils apparmor-parser aa-binutils; do
%find_lang $pkg
done
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
%files docs
%defattr(-,root,root)
%doc parser/*.[1-9].html
%doc utils/vim/apparmor.vim.5.html
%doc common/apparmor.css
%doc parser/techdoc.pdf
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/apparmor.vim
%files parser
%defattr(-,root,root)
%license parser/COPYING.GPL
%doc parser/README
%{sbindir}/apparmor_parser
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
%{_bindir}/aa-features-abi
%{_sbindir}/aa-status
%{_sbindir}/apparmor_status
%{_sbindir}/status
%{_sbindir}/aa-teardown
%{_sbindir}/exec
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
%{_sysconfdir}/apparmor.d/cache.d
%{sbindir}/rcapparmor
%{_unitdir}/apparmor.service
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor
%{_localstatedir}/cache/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%{apparmor_bin_prefix}/apparmor.systemd
%{apparmor_bin_prefix}/profile-load
%doc %{_mandir}/man1/aa-enabled.1.gz
%doc %{_mandir}/man1/aa-exec.1.gz
%doc %{_mandir}/man1/aa-features-abi.1.gz
%doc %{_mandir}/man1/exec.1.gz
%doc %{_mandir}/man5/apparmor.d.5.gz
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man7/apparmor_xattrs.7.gz
%doc %{_mandir}/man8/aa-status.8.gz
%doc %{_mandir}/man8/aa-teardown.8.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz
%doc %{_mandir}/man8/apparmor_status.8.gz
%pre parser
%service_add_pre apparmor.service
%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang
%defattr(-,root,root)
%files abstractions
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor.d/abi
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla
%dir %{_sysconfdir}/apparmor.d/abstractions
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/*
%dir %{_sysconfdir}/apparmor.d/disable
%dir %{_sysconfdir}/apparmor.d/local
%dir %{_sysconfdir}/apparmor.d/tunables
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
%files profiles
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/apache2.d
%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
%config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
%config(noreplace) %{_sysconfdir}/apparmor.d/unix-chkpwd
%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir /usr/share/apparmor/
%if %{with precompiled_cache}
/usr/share/apparmor/cache/
%endif
/usr/share/apparmor/extra-profiles/
%files utils
%defattr(-,root,root)
%dir %{_sysconfdir}/apparmor
%config(noreplace) %{_sysconfdir}/apparmor/easyprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
%{_sbindir}/aa-audit
%{_sbindir}/aa-autodep
%{_sbindir}/aa-cleanprof
%{_sbindir}/aa-complain
%{_sbindir}/aa-decode
%{_sbindir}/aa-disable
%{_sbindir}/aa-enforce
%{_sbindir}/aa-genprof
%{_sbindir}/aa-logprof
%{_sbindir}/aa-mergeprof
%{_sbindir}/aa-notify
%{_sbindir}/aa-remove-unknown
%{_sbindir}/aa-unconfined
%{_sbindir}/audit
%{_sbindir}/autodep
%{_sbindir}/complain
%{_sbindir}/decode
%{_sbindir}/disable
%{_sbindir}/enforce
%{_sbindir}/genprof
%{_sbindir}/logprof
%{_sbindir}/notify
%{_sbindir}/unconfined
%{_bindir}/aa-easyprof
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/easyprof/
%dir %{_localstatedir}/log/apparmor
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-audit.8.gz
%doc %{_mandir}/man8/aa-autodep.8.gz
%doc %{_mandir}/man8/aa-cleanprof.8.gz
%doc %{_mandir}/man8/aa-complain.8.gz
%doc %{_mandir}/man8/aa-decode.8.gz
%doc %{_mandir}/man8/aa-disable.8.gz
%doc %{_mandir}/man8/aa-easyprof.8.gz
%doc %{_mandir}/man8/aa-enforce.8.gz
%doc %{_mandir}/man8/aa-genprof.8.gz
%doc %{_mandir}/man8/aa-logprof.8.gz
%doc %{_mandir}/man8/aa-mergeprof.8.gz
%doc %{_mandir}/man8/aa-notify.8.gz
%doc %{_mandir}/man8/aa-remove-unknown.8.gz
%doc %{_mandir}/man8/aa-unconfined.8.gz
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
%doc %{_mandir}/man8/complain.8.gz
%doc %{_mandir}/man8/disable.8.gz
%doc %{_mandir}/man8/easyprof.8.gz
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
%doc %{_mandir}/man8/unconfined.8.gz
%doc utils/*.[0-9].html
%doc common/apparmor.css
%files utils-lang -f apparmor-utils.lang
%if %{with perl}
%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorarch}/auto/LibAppArmor/
%{perl_vendorarch}/LibAppArmor.pm
%endif
%if %{with python3}
%files -n python3-apparmor
%defattr(-,root,root)
%{python3_sitearch}/LibAppArmor-%{version}-py*.egg-info
%dir %{python3_sitearch}/LibAppArmor
%dir %{python3_sitearch}/LibAppArmor/__pycache__
%{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so
%{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc
%{python3_sitearch}/LibAppArmor/__pycache__/LibAppArmor.cpython-*.pyc
%{python3_sitearch}/LibAppArmor/__init__.py
%{python3_sitearch}/LibAppArmor/LibAppArmor.py
%{python3_sitelib}/apparmor/
%{python3_sitelib}/apparmor-%{version}-py*.egg-info
%endif
%if %{with ruby}
%files -n ruby-apparmor
%defattr(-,root,root)
%{rb_sitearchdir}/LibAppArmor.so
%endif
%if %{with pam}
%files -n pam_apparmor
%defattr(444,root,root,755)
%attr(555,root,root) %{_pamdir}/pam_apparmor.so
%doc changehat/pam_apparmor/README
%endif
%if %{with tomcat}
%files -n tomcat_apparmor
%defattr(-,root,root)
%{CATALINA_HOME}/lib/%{JAR_FILE}
%{_libdir}/libJNI*
%doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor
%endif
%if %{with apache}
%files -n apache2-mod_apparmor
%defattr(-,root,root)
%{apache_libexecdir}/mod_apparmor.so
%doc %{_mandir}/man8/mod_apparmor.8.gz
%endif
%post parser
%service_add_post apparmor.service
%preun parser
%service_del_preun apparmor.service
%postun parser
# don't call try-restart, see bnc#853019
%if 0%{?suse_version} <= 1500
export DISABLE_RESTART_ON_UPDATE="yes"
%service_del_postun apparmor.service
%else
%service_del_postun_without_restart apparmor.service
%endif
%posttrans abstractions
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
%posttrans profiles
# workaround for bnc#904620#c8 / lp#1392042
# old cache location up to 2.12
rm -f /var/lib/apparmor/cache/* 2>/dev/null
# cache location starting with 2.13
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
%if %{with tomcat}
%post -n tomcat_apparmor -p /sbin/ldconfig
%postun -n tomcat_apparmor -p /sbin/ldconfig
%endif
%if %{with pam}
%post -n pam_apparmor
if [ $1 -eq 1 ]; then
pam-config --add --apparmor || :
fi
%postun -n pam_apparmor
if [ $1 -eq 0 ]; then
pam-config --delete --apparmor || :
fi
%endif
%changelog

5
baselibs.conf Normal file
View File

@ -0,0 +1,5 @@
pam_apparmor
supplements "packageand(pam_apparmor:pam-<targettype>)"
libapparmor1
obsoletes "libapparmor-<targettype> <= <version>"
provides "libapparmor-<targettype> = <version>"

53
dovecot-unix_chkpwd.diff Normal file
View File

@ -0,0 +1,53 @@
Index: apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd 2024-01-29 21:53:27.234254724 +0100
@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ # To write records to the kernel auditing log.
+ capability audit_write,
+
+ network netlink raw,
+
+ /{,usr/}{,s}bin/unix_chkpwd mr,
+
+ /etc/shadow r,
+
+ # file_inherit
+ owner /dev/tty[0-9]* rw,
+
+ include if exists <local/unix-chkpwd>
+}
Index: apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth
===================================================================
--- apparmor-3.1.6.orig/profiles/apparmor.d/usr.lib.dovecot.auth 2023-06-21 23:13:41.000000000 +0200
+++ apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth 2024-01-29 21:45:32.528140518 +0100
@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib/dovecot/au
@{run}/dovecot/stats-user rw,
@{run}/dovecot/anvil-auth-penalty rw,
+ owner /proc/@{pid}/loginuid r,
+
/var/spool/postfix/private/auth rw,
+ /usr/sbin/unix_chkpwd Px,
+
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.lib.dovecot.auth>
}

119
libapparmor.spec Normal file
View File

@ -0,0 +1,119 @@
#
# spec file for package libapparmor
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2011-2024 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: libapparmor
Version: 3.1.7
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
URL: https://launchpad.net/apparmor
Source0: apparmor-%{version}.tar.gz
Source1: apparmor-%{version}.tar.gz.asc
BuildRequires: bison
BuildRequires: dejagnu
BuildRequires: flex
BuildRequires: pkg-config
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor1
Summary: Utility library for AppArmor
Group: System/Libraries
%ifarch ppc64
Obsoletes: libapparmor-64bit < 2.9
Provides: libapparmor-64bit = %{version}
%endif
Provides: libapparmor = %{version}
Obsoletes: libapparmor < 2.9
%description -n libapparmor1
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor-devel
Summary: Development headers and libraries for libapparmor
Group: Development/Libraries/C and C++
Requires: libapparmor1 = %{version}
Provides: libapparmor:/usr/include/sys/apparmor.h
%description -n libapparmor-devel
These libraries are needed for developing software that makes use of the
AppArmor API.
%prep
%setup -q -n apparmor-%{version}
%build
(
cd ./libraries/libapparmor
%configure \
--without-perl \
--without-python \
--without-ruby \
make
)
%check
make check -C libraries/libapparmor
%install
%makeinstall -C libraries/libapparmor
# create symlink for old change_hat(2) manpage
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
# remove *.la and *.a files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
rm -fv %{buildroot}%{_libdir}/libapparmor.a
%post -n libapparmor1 -p /sbin/ldconfig
%postun -n libapparmor1 -p /sbin/ldconfig
%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.so.*
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.so
%{_libdir}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/aa_change_profile.2.gz
%doc %{_mandir}/man2/aa_stack_profile.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
%doc %{_mandir}/man2/aa_getcon.2.gz
%doc %{_mandir}/man2/aa_query_label.2.gz
%doc %{_mandir}/man3/aa_features.3.gz
%doc %{_mandir}/man3/aa_kernel_interface.3.gz
%doc %{_mandir}/man3/aa_policy_cache.3.gz
%doc %{_mandir}/man3/aa_splitcon.3.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/sys/apparmor_private.h
%{_includedir}/aalogparse/*
%changelog

20
ruby-2_0-mkmf-destdir.patch Normal file
View File

@ -0,0 +1,20 @@
Index: libraries/libapparmor/swig/ruby/extconf.rb
===================================================================
--- a/libraries/libapparmor/swig/ruby/extconf.rb.orig 2022-02-10 17:54:05.008544807 +0100
+++ b/libraries/libapparmor/swig/ruby/extconf.rb 2022-02-10 17:54:21.792506325 +0100
@@ -20,7 +20,14 @@ if find_library('apparmor', 'parse_recor
# hack 2: strip all rpath references
open('Makefile.ruby', 'w') do |out|
IO.foreach('Makefile') do |line|
- out.puts line.gsub(/-Wl,-R'[^']*'/, '')
+ l = line.gsub(/-Wl,-R'[^']*'/, '')
+ # oldincludedir = $(DESTDIR)/usr/include
+ # -> oldincludedir = /usr/include
+ l = l.gsub(/(oldincludedir)\s+=\s+\$\(DESTDIR\)(.*)/) { |m| "#{$1} = #{$2}" }
+ # hdrdir = $(includedir)/$(RUBY_VERSION_NAME)
+ # -> hdrdir = $(oldincludedir)/$(RUBY_VERSION_NAME)
+ l = l.gsub(/(hdrdir)\s+=\s+\$\(includedir\)(.*)/) { |m| "#{$1} = $(oldincludedir)#{$2}" }
+ out.puts l
end
end
else

71
update-trans.sh Normal file
View File

@ -0,0 +1,71 @@
CFILES="
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
deprecated/management/applets/apparmorapplet-gnome/src/preferences_dialog.c
deprecated/management/applets/apparmorapplet-gnome/src/reject_list.c
parser/parser_alias.c
parser/parser_include.c
parser/parser_interface.c
parser/parser_lex.l
parser/parser_main.c
parser/parser_merge.c
parser/parser_misc.c
parser/parser_policy.c
parser/parser_regex.c
parser/parser_symtab.c
parser/parser_variable.c
parser/parser_yacc.y
"
CPPFILES="
deprecated/management/profile-editor/src/AboutDialog.cpp
deprecated/management/profile-editor/src/AboutDialog.h
deprecated/management/profile-editor/src/Configuration.cpp
deprecated/management/profile-editor/src/Preferences.cpp
deprecated/management/profile-editor/src/Preferences.h
deprecated/management/profile-editor/src/profileeditor.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.h
parser/libapparmor_re/regexp.yy
"
PERLFILES="
utils/aa-repo.pl
utils/audit
utils/autodep
utils/complain
utils/enforce
utils/genprof
utils/logprof
utils/Reports.pm
utils/SubDomain.pm
utils/unconfined
"
ARGS="--keyword=_ --keyword=N_ -n --force-po"
xgettext $ARGS --output=apparmor-C.pot -L C $CFILES
xgettext $ARGS --output=apparmor-CPP.pot -L C++ $CPPFILES
xgettext $ARGS --output=apparmor-PERL.pot -L Perl $PERLFILES
msgcat apparmor-*.pot > apparmor.pot
sed \
-e 's/Project-Id-Version: PACKAGE VERSION/Project-Id-Version: apparmor/g' \
-e 's/PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE/PO-Revision-Date: 2009-02-05 13:38/' \
-e 's/Report-Msgid-Bugs-To: /Report-Msgid-Bugs-To: apparmor-general@forge.novell.com/' \
-e 's/Last-Translator: FULL NAME <EMAIL@ADDRESS>/Last-Translator: Novell Language <language@novell.com>/' \
-e 's/Language-Team: LANGUAGE <LL@li.org>/Language-Team: Novell Language <language@novell.com>/' \
-e 's/Content-Type: text\/plain; charset=CHARSET/Content-Type: text\/plain; charset=UTF-8/' \
< apparmor.pot > apparmor.pot.new
mv apparmor.pot.new apparmor.pot
for file in $(find . -name '*.po'); do
f=$(basename $file)
msgmerge -U apparmor.pot $file
if [ -e "po/$f" ]; then
msgcat $file po/$f > $f
mv $f po/$f
else
cp $file po/$f
fi
done