Accepting request 595789 from home:cboltz
- add dovecot-stats.diff:
  - add dovecot/stats profile and allow dovecot to run it (boo#1088161)
  - allow dovecot/auth to write /run/dovecot/old-stats-user (part of boo#1087753)
- update 32-bit-no-uid.diff with upstream fix
OBS-URL: https://build.opensuse.org/request/show/595789
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=204
parent
392c25f2eb
commit
01604b0fc7
@ -2,12 +2,20 @@ diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
|
||||
index 0e74c3f5..5738bb10 100644
|
||||
--- a/utils/apparmor/logparser.py
|
||||
+++ b/utils/apparmor/logparser.py
|
||||
@@ -12,6 +12,7 @@
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# ----------------------------------------------------------------------
|
||||
+import ctypes
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
@@ -118,7 +118,7 @@ class ReadLog:
|
||||
ev['protocol'] = event.net_protocol
|
||||
ev['sock_type'] = event.net_sock_type
|
||||
|
||||
- if event.ouid != 18446744073709551615: # 2^64 - 1
|
||||
+ if event.ouid != 18446744073709551615 and event.ouid != 4294967295: # 2^64 - 1 and 2^32 - 1
|
||||
+ if event.ouid != ctypes.c_ulong(-1).value: # ULONG_MAX
|
||||
ev['fsuid'] = event.fsuid
|
||||
ev['ouid'] = event.ouid
|
||||
|
||||
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de
|
||||
|
||||
- add dovecot-stats.diff:
|
||||
- add dovecot/stats profile and allow dovecot to run it (boo#1088161)
|
||||
- allow dovecot/auth to write /run/dovecot/old-stats-user (part of boo#1087753)
|
||||
- update 32-bit-no-uid.diff with upstream fix
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 2 12:29:06 UTC 2018 - rgoldwyn@suse.com
|
||||
|
||||
|
@ -64,15 +64,18 @@ Patch5: ruby-2_0-mkmf-destdir.patch
|
||||
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
||||
Patch7: apparmor-lessopen-profile.patch
|
||||
|
||||
# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (submitted upstream 2017-12-26)
|
||||
# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (fixed upstream 2018-03-07)
|
||||
Patch8: 32-bit-no-uid.diff
|
||||
|
||||
# make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
|
||||
Patch9: parser-write-cache-warn-only.diff
|
||||
|
||||
# Disable write cache if filesystem is read-only, don't abort
|
||||
# Disable write cache if filesystem is read-only, don't abort (merged upstream 2018-01-16 to 2.10..trunk)
|
||||
Patch10: disable-cache-on-ro-fs.diff
|
||||
|
||||
# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
|
||||
Patch11: dovecot-stats.diff
|
||||
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%define apparmor_bin_prefix /lib/apparmor
|
||||
@ -363,6 +366,7 @@ SubDomain.
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p0
|
||||
%patch11 -p1
|
||||
|
||||
%build
|
||||
export SUSE_ASNEEDED=0
|
||||
@ -429,6 +433,7 @@ make check -C parser
|
||||
make check -C binutils
|
||||
|
||||
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
|
||||
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to switch to make -C
|
||||
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
|
||||
(cd profiles && make check-parser)
|
||||
|
||||
@ -509,6 +514,7 @@ test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
|
||||
install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
|
||||
test ! -f %{buildroot}%{_sbindir}/aa-teardown
|
||||
install -m0755 %{S:10} %{buildroot}%{_sbindir}
|
||||
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the next 3 lines
|
||||
rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
|
||||
rm %{buildroot}/sbin/rcsubdomain
|
||||
ln -sf service %{buildroot}/sbin/rcapparmor
|
||||
|
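Review bot: The comment above the `Patch11:` line describes only the new dovecot/stats profile and the transition to it, while the changes entry and the patch itself also loosen usr.lib.dovecot.auth by adding a write rule for /run/dovecot/old-stats-user. That spec comment is the inventory a packager reads when rebasing patches, so the auth-profile change belongs in it as well: `# allow dovecot to run dovecot/stats, add that profile, and let dovecot/auth write /run/dovecot/old-stats-user (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)`. The `%patch11 -p1` line and the later hunks raise nothing on their own.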
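--- /dev/null
+++ b/dovecot-stats.diff
@@ -0,0 +1,79 @@
+commit d7cb151eb0da3ce6ac152b37ca84435266d34c88
+Author: Christian Boltz <apparmor@cboltz.de>
+Date: Wed Apr 11 22:17:29 2018 +0200
+
+allow dovecot/auth to write /run/dovecot/old-stats-user
+
+References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
+(3rd bullet point)
+
+commit 3521edc41c3f01ebdd7681b107b5c5daa40fe896
+Author: Christian Boltz <apparmor@cboltz.de>
+Date: Wed Apr 11 21:34:51 2018 +0200
+
+add dovecot/stats profile, and allow dovecot to run it
+
+References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
+diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
+index fcb54364..b44441e2 100644
+--- a/profiles/apparmor.d/usr.lib.dovecot.auth
++++ b/profiles/apparmor.d/usr.lib.dovecot.auth
+@@ -1,6 +1,6 @@
+ # ------------------------------------------------------------------
+ #
+-# Copyright (C) 2013 Christian Boltz
++# Copyright (C) 2013-2018 Christian Boltz
+ # Copyright (C) 2014 Christian Wittmer
+ #
+ # This program is free software; you can redistribute it and/or
+@@ -43,6 +43,7 @@
+ /run/dovecot/auth-worker rw,
+ /run/dovecot/login/login rw,
+ /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
++ /{var/,}run/dovecot/old-stats-user w,
+ /{var/,}run/dovecot/stats-user rw,
+ /{var/,}run/dovecot/anvil-auth-penalty rw,
+
+diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats b/profiles/apparmor.d/usr.lib.dovecot.stats
+new file mode 100644
+index 00000000..151e4ed6
+--- /dev/null
++++ b/profiles/apparmor.d/usr.lib.dovecot.stats
+@@ -0,0 +1,25 @@
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2018 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++# vim: ft=apparmor
++
++#include <tunables/global>
++
++/usr/lib/dovecot/stats {
++ #include <abstractions/base>
++ #include <abstractions/dovecot-common>
++
++ capability setuid,
++ capability sys_chroot,
++
++ /usr/lib/dovecot/stats mr,
++
++ # Site-specific additions and overrides. See local/README for details.
++ #include <local/usr.lib.dovecot.stats>
++}
+diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
+index c0b180b4..e3a85fa0 100644
+--- a/profiles/apparmor.d/usr.sbin.dovecot
++++ b/profiles/apparmor.d/usr.sbin.dovecot
+@@ -54,6 +54,7 @@
+ /usr/lib/dovecot/pop3-login Pxmr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params mrPx,
++ /usr/lib/dovecot/stats Px,
+ /usr/sbin/dovecot mrix,
+ /usr/share/dovecot/protocols.d/ r,
+ /usr/share/dovecot/protocols.d/** r,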
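Review bot: The new usr.lib.dovecot.stats profile grants `capability setuid,` and `capability sys_chroot,` with no comment on why the stats process needs them, whereas the site-override include two rules below is annotated. A one-line why-comment above the two capability rules would let a later reviewer judge whether they can be narrowed; presumably the stats process drops privileges and chroots itself after start-up, but the patch does not say so, so that should be confirmed before it is written down. The other two hunks are as tight as they can be: the new old-stats-user rule in usr.lib.dovecot.auth is `w` only, and the transition added to usr.sbin.dovecot uses `Px`, consistent with the neighbouring `ssl-params mrPx`.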