pool/apparmor
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 254060 from security:apparmor

Browse Source 
- update to AppArmor 2.8.97 (aka 2.9 beta3 aka r2721)
  - several bugfixes in python and C tools
  - rename "__unused" to "unused" in apparmor_parser to fix compilation
    on openSUSE <= 13.1 x86_64 (bnc#895495) 
  - usr.lib.dovecot.auth profile: allow access to auth-token-secret.dat
  - various small profile improvements
  - update and add several testcases
- drop upstreamed patch apparmor-profiles-dnsmasq-iface-mtu.patch
- re-number remaining patches

- split apparmor-profiles package into -profiles and -abstractions


Please also forward this SR to 13.2

OBS-URL: https://build.opensuse.org/request/show/254060
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=73
This commit is contained in:
Stephan Kulow 2014-10-06 10:06:16 +00:00 committed by Git OBS Bridge
commit 022c72be07
7 changed files with 76 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apparmor-2.8.96.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5950255fc0a6989a5123a46ec58ba0a7ef03eb0d28731e38aae55d0cd10ed0a1
size 2332645

7
apparmor-2.8.96.tar.gz.asc
View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlQI2pMACgkQgTeYuayTEnEALACgtB68bFa+u0F1KBSarph9lfB7
0V8AnRVmXpaq+dzhKmcspVoR+bzYn4GM
=VwGt
-----END PGP SIGNATURE-----

3
apparmor-2.8.97.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:170a6495dd48246df1c042aa562fb759b287331ceed62c67961c81dc7ce6cba4
size 2360991

7
apparmor-2.8.97.tar.gz.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlQuRy8ACgkQgTeYuayTEnFnyACgyxwM2udlu+OnuaZwyMo0vsNZ
YacAn0lEU5qGxRHoSQv/h7Uo7c9qhhtg
=Bo0m
-----END PGP SIGNATURE-----

30
apparmor-profiles-dnsmasq-iface-mtu.patch
View File

@ -1,30 +0,0 @@
Allow dnsmasq read access to IPv6 config
The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
implementations provide MTU in Router Advertisement (RA)
messages. From section 4.2
MTU SHOULD be sent on links that have a variable MTU
(as specified in the document that describes how to
run IP over the particular link type). MAY be sent
on other links.
dnsmasq supports this option and should have read access
to an interface's MTU.
Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
===================================================================
--- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -44,6 +44,10 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ # access to iface mtu needed for Router Advertisement messages in IPv6
+ # Neighbor Discovery protocol (RFC 2461)
+ @{PROC}/sys/net/ipv6/conf/*/mtu r,
+
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@{TFTP_DIR}/** r,

18
apparmor.changes
View File

@ -1,3 +1,21 @@
-------------------------------------------------------------------
Sun Oct 5 18:53:43 UTC 2014 - opensuse@cboltz.de
- update to AppArmor 2.8.97 (aka 2.9 beta3 aka r2721)
- several bugfixes in python and C tools
- rename "__unused" to "unused" in apparmor_parser to fix compilation
on openSUSE <= 13.1 x86_64 (bnc#895495)
- usr.lib.dovecot.auth profile: allow access to auth-token-secret.dat
- various small profile improvements
- update and add several testcases
- drop upstreamed patch apparmor-profiles-dnsmasq-iface-mtu.patch
- re-number remaining patches
-------------------------------------------------------------------
Sun Sep 28 19:25:32 UTC 2014 - opensuse@cboltz.de
- split apparmor-profiles package into -profiles and -abstractions
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Sep 6 22:08:57 UTC 2014 - opensuse@cboltz.de Sat Sep 6 22:08:57 UTC 2014 - opensuse@cboltz.de

66
apparmor.spec
View File

@ -60,7 +60,7 @@ Name: apparmor
%if ! %{?distro:1}0 %if ! %{?distro:1}0
%define distro suse %define distro suse
%endif %endif
Version: 2.8.96 Version: 2.8.97
Release: 0 Release: 0
Summary: AppArmor userlevel parser utility Summary: AppArmor userlevel parser utility
License: GPL-2.0+ License: GPL-2.0+
@ -80,16 +80,13 @@ Patch1: apparmor-enable-profile-cache.diff
Patch2: apparmor-samba-include-permissions-for-shares.diff Patch2: apparmor-samba-include-permissions-for-shares.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch5: apparmor-utils-string-split Patch3: apparmor-utils-string-split
# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
Patch12: apparmor-2.5.1-edirectory-profile Patch4: apparmor-2.5.1-edirectory-profile
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch22: ruby-2_0-mkmf-destdir.patch Patch5: ruby-2_0-mkmf-destdir.patch
# allow dnsmasq to read access to IPv6 config (bnc#892374) (commited upstream trunk r2657, 2.8 branch r2140)
Patch28: apparmor-profiles-dnsmasq-iface-mtu.patch
Url: https://launchpad.net/apparmor Url: https://launchpad.net/apparmor
PreReq: sed PreReq: sed
@ -304,10 +301,30 @@ applications interfacing with AppArmor.
%endif %endif
%package abstractions
Summary: AppArmor abstractions and directory structure
License: GPL-2.0 and LGPL-2.1+
Group: Productivity/Security
Requires: apparmor-parser(CAP_SYSLOG)
BuildArch: noarch
%description abstractions
AppArmor abstractions (common parts used in various profiles) and
the /etc/apparmor.d/ directory structure.
AppArmor is a file and network mandatory access control mechanism.
AppArmor confines processes to the resources allowed by the systems
administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
%package profiles %package profiles
Summary: AppArmor profiles that are loaded into the apparmor kernel module Summary: AppArmor profiles that are loaded into the apparmor kernel module
License: GPL-2.0 and LGPL-2.1+ License: GPL-2.0 and LGPL-2.1+
Group: Productivity/Security Group: Productivity/Security
Requires: apparmor-abstractions >= %{version}
Requires: apparmor-parser(CAP_SYSLOG) Requires: apparmor-parser(CAP_SYSLOG)
Obsoletes: subdomain-profiles < %{version} Obsoletes: subdomain-profiles < %{version}
Provides: subdomain-profiles = %{version} Provides: subdomain-profiles = %{version}
@ -402,16 +419,14 @@ SubDomain.
%setup -q %setup -q
%patch1 -p1 %patch1 -p1
%patch2 %patch2
%patch5 -p1 %patch3 -p1
%patch12 %patch4
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR) # Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
%if 0%{?suse_version} > 1230 %if 0%{?suse_version} > 1230
%patch22 -p1 %patch5 -p1
%endif %endif
%patch28 -p1
%build %build
echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
@ -628,22 +643,24 @@ fi
%{_includedir}/sys/apparmor.h %{_includedir}/sys/apparmor.h
%{_includedir}/aalogparse/* %{_includedir}/aalogparse/*
%files profiles %files abstractions
%defattr(644,root,root,755) %defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/ %dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor.d/abstractions %dir %{_sysconfdir}/apparmor.d/abstractions
%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/* %config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/*
%dir %{_sysconfdir}/apparmor.d/apache2.d
%dir %{_sysconfdir}/apparmor.d/disable %dir %{_sysconfdir}/apparmor.d/disable
%dir %{_sysconfdir}/apparmor.d/local
%dir %{_sysconfdir}/apparmor.d/tunables
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
%files profiles
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/apache2.d
%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo %config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
%config(noreplace) %{_sysconfdir}/apparmor.d/bin.* %config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.* %config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%dir %{_sysconfdir}/apparmor.d/local
%config(noreplace) %{_sysconfdir}/apparmor.d/local/* %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir %{_sysconfdir}/apparmor.d/tunables
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
%dir %{_sysconfdir}/apparmor/
/usr/share/apparmor/extra-profiles/ /usr/share/apparmor/extra-profiles/
%files utils %files utils
@ -814,6 +831,19 @@ fi
%{insserv_cleanup} || true %{insserv_cleanup} || true
%endif %endif
%post abstractions
%if %{distro} == "suse"
#restart_on_update boot.apparmor - but non-broken (bnc#853019)
# (copy&paste from parser postun script)
test -n "$FIRST_ARG" || FIRST_ARG=$1
if test "$FIRST_ARG" -ge 1 ; then
if test "$YAST_IS_RUNNING" != "instsys" -a "$DISABLE_RESTART_ON_UPDATE" != yes ; then
test -x /bin/systemctl && /bin/systemctl daemon-reload >/dev/null 2>&1 || :
/etc/init.d/boot.apparmor status >/dev/null && /etc/init.d/boot.apparmor reload || :
fi
fi
%endif
%post profiles %post profiles
%if %{distro} == "suse" %if %{distro} == "suse"
#restart_on_update boot.apparmor - but non-broken (bnc#853019) #restart_on_update boot.apparmor - but non-broken (bnc#853019)