Accepting request 116784 from home:cboltz

- add apparmor-techdoc.patch to remove traces of the build time in PDF files - update to AppArmor 2.8 beta5 (= 2.7.103 / r2031) - new utility aa-exec to confine a program with the specified AppArmor profile - add support for mount rules - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8 for full upstream changelog - removed upstreamed and backported patches - remove outdated autobuild and "disable repo" patches that were disabled since the AppArmor 2.7 package - create the Immunix::SubDomain compat perl module only for openSUSE <= 12.1 (bnc#720617 #c7) OBS-URL: https://build.opensuse.org/request/show/116784 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=10
2012-05-08 20:39:34 +00:00 · 2012-05-08 20:39:34 +00:00 · 0237c25017
commit 0237c25017
parent 2550ecdff9
11 changed files with 126 additions and 13551 deletions
--- a/0001-fix-for-lp929531.patch
+++ b/0001-fix-for-lp929531.patch
@ -1,19 +0,0 @@
-Author: Jamie Strandboge <jamie@canonical.com>
-Description: glibc's __get_nprocs() now checks /sys/devices/system/cpu/online
- in addition to /proc/stat for the number of processors. This is used in the
- _SC_NPROCESSORS_ONLN implementation, a part of sysconf. This was introduced in
- upstream glibc commit:
- http://repo.or.cz/w/glibc.git/patch/84e2a551a72c79b020694bb327e33b6d71b09b63
-Bug-Ubuntu: https://launchpad.net/bugs/929531
-Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/base
-===================================================================
--- apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/base	2012-02-09 07:57:35.000000000 -0600
-+++ apparmor-2.7.0/profiles/apparmor.d/abstractions/base	2012-02-09 08:01:13.000000000 -0600
-@@ -86,6 +86,7 @@
-   @{PROC}/meminfo                r,
-   @{PROC}/stat                   r,
-   @{PROC}/cpuinfo                r,
-+  /sys/devices/system/cpu/online r,
- 
-   # glibc's *printf protections read the maps file
-   @{PROC}/*/maps                 r,
--- a/apparmor-2.5.1-rpmlint-asprintf
+++ b/apparmor-2.5.1-rpmlint-asprintf
@ -1,82 +0,0 @@
-From: Jeff Mahoney <jeffm@suse.com>
-Subject: apparmor: Use _GNU_SOURCE when asprintf is used
-
- There are a few places in the parser that use asprintf but don't actually
- get the prototype from stdio.h. _GNU_SOURCE is needed for that.
-
- It works as-is but rpmlint in the openSUSE Build Service complains about it.
-
-Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
- parser/Makefile.am        |    1 +
- parser/parser_include.c   |    2 ++
- parser/parser_interface.c |    1 +
- parser/parser_lex.l       |    4 ++++
- parser/parser_main.c      |    1 +
- parser/parser_variable.c  |    1 +
- 6 files changed, 10 insertions(+)
-
--- a/parser/Makefile.am
-+++ b/parser/Makefile.am
-@@ -14,6 +14,7 @@ dist_man_MANS = apparmor.d.5 apparmor.7
- BUILT_SOURCES = parser_lex.c parser_yacc.c af_names.h cap_names.h
- AM_YFLAGS = -d
- AM_CFLAGS = -DLOCALEDIR=\"$(localedir)\"
-+AM_LFLAGS = -D_GNU_SOURCE
- apparmor_parser_SOURCES = parser_yacc.y parser_lex.l parser_include.c \
- 			  parser_interface.c parser_main.c parser_misc.c \
- 			  parser_merge.c parser_symtab.c parser_regex.c \
--- a/parser/parser_include.c
-+++ b/parser/parser_include.c
-@@ -35,6 +35,8 @@
- 
- */
- 
-+#define _GNU_SOURCE /* for asprintf in stdio.h */
-+
- #include <assert.h>
- #include <ctype.h>
- #include <stdio.h>
--- a/parser/parser_interface.c
-+++ b/parser/parser_interface.c
-@@ -15,6 +15,7 @@
-  *   along with this program; if not, contact Novell, Inc.
-  */
- 
-+#define _GNU_SOURCE	/* for asprintf in stdio.h */
- #include <assert.h>
- #include <stdio.h>
- #include <string.h>
--- a/parser/parser_lex.l
-+++ b/parser/parser_lex.l
-@@ -20,6 +20,10 @@
- /* Definitions section */
- /* %option main */
- 
-+%{
-+#define _GNU_SOURCE	/* for asprintf in stdio.h */
-+%}
-+
- /* eliminates need to link with libfl */
- %option noyywrap
- %option nounput
--- a/parser/parser_main.c
-+++ b/parser/parser_main.c
-@@ -19,6 +19,7 @@
-  *   Ltd.
-  */
- 
-+#define _GNU_SOURCE	/* for asprintf in stdio.h */
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
--- a/parser/parser_variable.c
-+++ b/parser/parser_variable.c
-@@ -15,6 +15,7 @@
-  *   along with this program; if not, contact Novell, Inc.
-  */
- 
-+#define _GNU_SOURCE	/* for asprintf in stdio.h */
- #include <ctype.h>
- #include <stdlib.h>
- #include <stdio.h>
--- a/apparmor-2.5.1-unified-build
+++ b/apparmor-2.5.1-unified-build
--- a/apparmor-2.7.103.tar.gz
+++ b/apparmor-2.7.103.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8157ed9aed68db66318e424aa95644b28294876df2672d6c450600b84bafe315
+size 1452366
--- a/apparmor-2.7.2.tar.gz
+++ b/apparmor-2.7.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:42deb8cbf4937fac07a48ec8427b90131e92ed2f83b606beee092bdb4fc2a41f
-size 1403151
--- a/apparmor-r2022-log-parser-network-bnc755923.patch
+++ b/apparmor-r2022-log-parser-network-bnc755923.patch
@ -1,308 +0,0 @@
------------------------------------------------------------
-revno: 2022
-fixes bug: https://launchpad.net/bugs/800826
-committer: Steve Beattie <sbeattie@ubuntu.com>
-branch nick: apparmor
-timestamp: Fri 2012-04-06 15:59:04 -0700
-message:
-  libapparmor: add support for ip addresses and ports
-  
-  Bugs: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/800826
-    https://bugzilla.novell.com/show_bug.cgi?id=755923
-  
-  This patch modifies the libapparmor log parsing code to add support
-  for the additional ip address and port keywords that can occur in
-  network rejection rules. The laddr and faddr keywords stand for local
-  address and foreign address respectively.
-  
-  The regex used to match an ip address is not very strict, to hopefully
-  catch the formats that the kernel emits for ipv6 addresses; however,
-  because this is in a context triggered by the addr keywords, it should
-  not over-eagerly consume non-ip addresses. Said addresses are returned
-  as strings in the struct to be processed by the calling application.
-
-
-=== modified file 'libraries/libapparmor/src/aalogparse.h'
--- libraries/libapparmor/src/aalogparse.h	2011-02-23 22:02:45 +0000
-+++ libraries/libapparmor/src/aalogparse.h	2012-04-06 22:59:04 +0000
-@@ -141,6 +141,10 @@
- 	char *net_family;
- 	char *net_protocol;
- 	char *net_sock_type;
-+	char *net_local_addr;
-+	unsigned long net_local_port;
-+	char *net_foreign_addr;
-+	unsigned long net_foreign_port;
- } aa_log_record;
- 
- /**
-
-=== modified file 'libraries/libapparmor/src/grammar.y'
--- libraries/libapparmor/src/grammar.y	2011-11-30 19:07:48 +0000
-+++ libraries/libapparmor/src/grammar.y	2012-04-06 22:59:04 +0000
-@@ -83,6 +83,7 @@
- %token <t_str> TOK_QUOTED_STRING TOK_ID TOK_MODE TOK_DMESG_STAMP
- %token <t_str> TOK_AUDIT_DIGITS TOK_DATE_MONTH TOK_DATE_TIME
- %token <t_str> TOK_HEXSTRING TOK_TYPE_OTHER TOK_MSG_REST
-+%token <t_str> TOK_IP_ADDR
- 
- %token TOK_EQUALS
- %token TOK_COLON
-@@ -133,6 +134,10 @@
- %token TOK_KEY_CAPNAME
- %token TOK_KEY_OFFSET
- %token TOK_KEY_TARGET
-+%token TOK_KEY_LADDR
-+%token TOK_KEY_FADDR
-+%token TOK_KEY_LPORT
-+%token TOK_KEY_FPORT
- 
- %token TOK_SYSLOG_KERNEL
- 
-@@ -268,6 +273,14 @@
- 	{ /* target was always name2 in the past */
- 	  ret_record->name2 = $3;
- 	}
-+	| TOK_KEY_LADDR TOK_EQUALS TOK_IP_ADDR
-+	{ ret_record->net_local_addr = $3;}
-+	| TOK_KEY_FADDR TOK_EQUALS TOK_IP_ADDR
-+	{ ret_record->net_foreign_addr = $3;}
-+	| TOK_KEY_LPORT TOK_EQUALS TOK_DIGITS
-+	{ ret_record->net_local_port = $3;}
-+	| TOK_KEY_FPORT TOK_EQUALS TOK_DIGITS
-+	{ ret_record->net_foreign_port = $3;}
- 	| TOK_MSG_REST
- 	{
- 		ret_record->event = AA_RECORD_INVALID;
-
-=== modified file 'libraries/libapparmor/src/scanner.l'
--- libraries/libapparmor/src/scanner.l	2011-11-30 19:07:48 +0000
-+++ libraries/libapparmor/src/scanner.l	2012-04-06 22:59:04 +0000
-@@ -133,8 +133,15 @@
- key_capname		"capname"
- key_offset		"offset"
- key_target		"target"
-+key_laddr		"laddr"
-+key_faddr		"faddr"
-+key_lport		"lport"
-+key_fport		"fport"
- audit			"audit"
- 
-+/* network addrs */
-+ip_addr			[a-f[:digit:].:]{3,}
-+
- /* syslog tokens */
- syslog_kernel		kernel{colon}
- syslog_month 		Jan(uary)?|Feb(ruary)?|Mar(ch)?|Apr(il)?|May|Jun(e)?|Jul(y)?|Aug(ust)?|Sep(tember)?|Oct(ober)?|Nov(ember)?|Dec(ember)?
-@@ -149,6 +156,7 @@
- %x dmesg_timestamp
- %x safe_string
- %x audit_types
-+%x ip_addr
- %x other_audit
- %x unknown_message
- 
-@@ -201,6 +209,12 @@
- 	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
- 	}
- 
-+<ip_addr>{
-+	{ip_addr}	{ yylval->t_str = strdup(yytext); yy_pop_state(yyscanner); return(TOK_IP_ADDR); }
-+	{equals}	{ return(TOK_EQUALS); }
-+	.		{ /* eek, error! try another state */ BEGIN(INITIAL); yyless(0); }
-+	}
-+
- <audit_types>{
- 	{equals}	{ return(TOK_EQUALS); }
- 	{digits}	{ yylval->t_long = atol(yytext); BEGIN(INITIAL); return(TOK_DIGITS); }
-@@ -270,6 +284,10 @@
- {key_capname}		{ return(TOK_KEY_CAPNAME); }
- {key_offset}		{ return(TOK_KEY_OFFSET); }
- {key_target}		{ return(TOK_KEY_TARGET); }
-+{key_laddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_LADDR); }
-+{key_faddr}		{ yy_push_state(ip_addr, yyscanner); return(TOK_KEY_FADDR); }
-+{key_lport}		{ return(TOK_KEY_LPORT); }
-+{key_fport}		{ return(TOK_KEY_FPORT); }
- 
- {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
- {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
-
-=== modified file 'libraries/libapparmor/testsuite/test_multi.c'
--- libraries/libapparmor/testsuite/test_multi.c	2010-07-26 16:20:02 +0000
-+++ libraries/libapparmor/testsuite/test_multi.c	2012-04-06 22:59:04 +0000
-@@ -51,6 +51,18 @@
- 	return ret;
- }
- 
-+#define print_string(description, var) \
-+	if ((var) != NULL) { \
-+		printf("%s: %s\n", (description), (var)); \
-+	}
-+
-+/* unset is the value that the library sets to the var to indicate
-+   that it is unset */
-+#define print_long(description, var, unset) \
-+	if ((var) != (unsigned long) (unset)) { \
-+		printf("%s: %ld\n", (description), (var)); \
-+	}
-+
- int print_results(aa_log_record *record)
- {
- 		printf("Event type: ");
-@@ -185,6 +197,11 @@
- 		{
- 			printf("Protocol: %s\n", record->net_protocol);
- 		}
-+		print_string("Local addr", record->net_local_addr);
-+		print_string("Foreign addr", record->net_foreign_addr);
-+		print_long("Local port", record->net_local_port, 0);
-+		print_long("Foreign port", record->net_foreign_port, 0);
-+
- 		printf("Epoch: %lu\n", record->epoch);
- 		printf("Audit subid: %u\n", record->audit_sub_id);
- 	return(0);
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_01.err'
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_01.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_01.in	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_01.in	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,1 @@
-+Apr  5 19:30:56 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" laddr=192.168.66.150 lport=765 faddr=192.168.66.200 fport=2049 family="inet" sock_type="stream" protocol=6
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_01.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_01.out	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_01.out	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,18 @@
-+START
-+File: test_multi/testcase_network_01.in
-+Event type: AA_RECORD_DENIED
-+Audit ID: 1308766940.698:3704
-+Operation: sendmsg
-+Profile: /usr/bin/evince-thumbnailer
-+Command: evince-thumbnai
-+Parent: 24737
-+PID: 24743
-+Network family: inet
-+Socket type: stream
-+Protocol: tcp
-+Local addr: 192.168.66.150
-+Foreign addr: 192.168.66.200
-+Local port: 765
-+Foreign port: 2049
-+Epoch: 1308766940
-+Audit subid: 3704
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_02.err'
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_02.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_02.in	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_02.in	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,1 @@
-+Apr  5 19:31:04 precise-amd64 kernel: [153073.826757] type=1400 audit(1308766940.698:3704): apparmor="DENIED" operation="sendmsg" parent=24737 profile="/usr/bin/evince-thumbnailer" pid=24743 comm="evince-thumbnai" lport=765 fport=2049 family="inet" sock_type="stream" protocol=6
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_02.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_02.out	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_02.out	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,16 @@
-+START
-+File: test_multi/testcase_network_02.in
-+Event type: AA_RECORD_DENIED
-+Audit ID: 1308766940.698:3704
-+Operation: sendmsg
-+Profile: /usr/bin/evince-thumbnailer
-+Command: evince-thumbnai
-+Parent: 24737
-+PID: 24743
-+Network family: inet
-+Socket type: stream
-+Protocol: tcp
-+Local port: 765
-+Foreign port: 2049
-+Epoch: 1308766940
-+Audit subid: 3704
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_03.err'
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_03.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_03.in	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_03.in	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,1 @@
-+type=AVC msg=audit(1333648169.009:11707146): apparmor="ALLOWED" operation="accept" parent=25932 profile="/usr/lib/dovecot/imap-login" pid=5049 comm="imap-login" lport=143 family="inet6" sock_type="stream" protocol=6
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_03.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_03.out	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_03.out	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,15 @@
-+START
-+File: test_multi/testcase_network_03.in
-+Event type: AA_RECORD_ALLOWED
-+Audit ID: 1333648169.009:11707146
-+Operation: accept
-+Profile: /usr/lib/dovecot/imap-login
-+Command: imap-login
-+Parent: 25932
-+PID: 5049
-+Network family: inet6
-+Socket type: stream
-+Protocol: tcp
-+Local port: 143
-+Epoch: 1333648169
-+Audit subid: 11707146
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_04.err'
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_04.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_04.in	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_04.in	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,1 @@
-+type=AVC msg=audit(1333697181.284:273901): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1056 comm="nc" laddr=::1 lport=2048 faddr=::1 fport=33986 family="inet6" sock_type="stream" protocol=6
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_04.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_04.out	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_04.out	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,18 @@
-+START
-+File: test_multi/testcase_network_04.in
-+Event type: AA_RECORD_DENIED
-+Audit ID: 1333697181.284:273901
-+Operation: recvmsg
-+Profile: /home/ubuntu/tmp/nc
-+Command: nc
-+Parent: 1596
-+PID: 1056
-+Network family: inet6
-+Socket type: stream
-+Protocol: tcp
-+Local addr: ::1
-+Foreign addr: ::1
-+Local port: 2048
-+Foreign port: 33986
-+Epoch: 1333697181
-+Audit subid: 273901
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_05.err'
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_05.in'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_05.in	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_05.in	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,1 @@
-+type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="/home/ubuntu/tmp/nc" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6
-
-=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_05.out'
--- libraries/libapparmor/testsuite/test_multi/testcase_network_05.out	1970-01-01 00:00:00 +0000
-+++ libraries/libapparmor/testsuite/test_multi/testcase_network_05.out	2012-04-06 22:59:04 +0000
-@@ -0,0 +1,18 @@
-+START
-+File: test_multi/testcase_network_05.in
-+Event type: AA_RECORD_DENIED
-+Audit ID: 1333698107.128:273917
-+Operation: recvmsg
-+Profile: /home/ubuntu/tmp/nc
-+Command: nc
-+Parent: 1596
-+PID: 1875
-+Network family: inet6
-+Socket type: stream
-+Protocol: tcp
-+Local addr: ::ffff:127.0.0.1
-+Foreign addr: ::ffff:127.0.0.1
-+Local port: 2048
-+Foreign port: 59180
-+Epoch: 1333698107
-+Audit subid: 273917
--- a/56
+++ b/56
@ -1,56 +0,0 @@
-From: Jeff Mahoney <jeffm@suse.com>
-Subject: apparmor-utils: Allow repository to be completely disabled
-
- This patch allows the repository to be completely disabled. It's been
- subject to massive bitrot and isn't really maintained.
-
- It will only confuse the user if they are asked for repository information
- and it doesn't work.
-
-Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
- utils/Immunix/AppArmor.pm |    5 +++++
- utils/logprof.conf        |    4 ++++
- 2 files changed, 9 insertions(+)
-
--- a/utils/Immunix/AppArmor.pm
-+++ b/utils/Immunix/AppArmor.pm
-@@ -3153,6 +3153,8 @@ sub UI_repo_signup() {
- sub UI_ask_to_enable_repo() {
- 
-     my $q = { };
-+    return if (defined $cfg->{settings}{allow_repository} &&
-+		       $cfg->{settings}{allow_repository} eq "no");
-     return if ( not defined $cfg->{repository}{url} );
-     $q->{headers} = [
-       gettext("Repository"), $cfg->{repository}{url},
-@@ -3277,6 +3279,8 @@ sub get_preferred_user ($) {
- 
- sub repo_is_enabled () {
-     my $enabled;
-+    return 0 if defined($cfg->{settings}{allow_repository}) &&
-+		        $cfg->{settings}{allow_repository} eq "no";
-     if ($cfg->{repository}{url} &&
-         $repo_cfg &&
-         $repo_cfg->{repository}{enabled} &&
-@@ -3290,6 +3294,7 @@ sub repo_is_enabled () {
- sub update_repo_profile($) {
-     my $profile = shift;
- 
-+    return undef if not repo_is_enabled();
-     return undef if ( not is_repo_profile($profile) );
-     my $distro = $cfg->{repository}{distro};
-     my $url    = $profile->{repo}{url};
--- a/utils/logprof.conf
-+++ b/utils/logprof.conf
-@@ -34,6 +34,10 @@
-   # files.
-   custom_includes =
- 
-+  # whether to prompt to enable repositories (values: yes/no)
-+  # This feature has fallen to bitrot and should not be used.
-+  allow_repository = no
-+
- 
- [repository]
-   distro         = ubuntu-intrepid
--- a/apparmor-techdoc.patch
+++ b/apparmor-techdoc.patch
@ -0,0 +1,80 @@
+Various changes in building techdoc.tex:
+- make table of contents, footnotes etc. clickable hyperlinks
+- use timestamp of techdoc.tex (instead of build time) as creationdate
+  in the PDF metadata
+- don't include build date on first page of the PDF
+- make clean:
+  - delete techdoc.out (created by pdftex)
+  - fix deletion of techdoc.txt (was techdo_r_.txt)
+
+The initial target was to get reproduceable PDF builds (therefore the 
+timestamp-related changes), the other things came up during discussing
+this patch with David Haller.
+
+The only remaining difference in the PDF from build to build is the /ID
+line.  This line can't be controlled in pdflatex and is now filtered 
+out by build-compare in the openSUSE build service (bnc#760867).
+
+Credits go to David Haller for writing large parts of this patch
+(but he didn't notice the techdo_r_.txt ;-)
+
+
+Signed-Off-By: Christian Boltz <apparmor@cboltz.de>
+
+
+
+=== modified file 'parser/Makefile'
+--- parser/Makefile	2012-03-22 20:19:27 +0000
+++ parser/Makefile	2012-05-08 18:40:10 +0000
+@@ -118,7 +118,8 @@
+ 	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+ 
+ techdoc.pdf: techdoc.tex
+-	while pdflatex $< ${BUILD_OUTPUT} || exit 1 ; \
+	timestamp=$(shell date "+%Y%m%d%H%M%S+02'00'" -r $< );\
+	while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
+ 		grep -q "Label(s) may have changed" techdoc.log; \
+ 	do :; done
+ 
+@@ -302,7 +303,7 @@
+ 	rm -f $(NAME)*.tar.gz $(NAME)*.tgz
+ 	rm -f af_names.h
+ 	rm -f cap_names.h
+-	rm -rf techdoc.aux techdoc.log techdoc.pdf techdoc.toc techdor.txt techdoc/
+	rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc techdoc.txt techdoc/
+ 	$(MAKE) -s -C $(AAREDIR) clean
+ 	$(MAKE) -s -C po clean
+ 	$(MAKE) -s -C tst clean
+
+=== modified file 'parser/techdoc.tex'
+--- parser/techdoc.tex	2011-02-09 22:29:05 +0000
+++ parser/techdoc.tex	2012-05-08 18:55:56 +0000
+@@ -5,6 +5,17 @@
+ \usepackage{url}
+ %\usepackage{times}
+ 
+\usepackage[pdftex,
+  pdfauthor={Andreas Gruenbacher and Seth Arnold},
+  pdftitle={AppArmor Technical Documentation},%
+\ifx\fixedpdfdate\@empty\else
+  pdfcreationdate={\fixedpdfdate},
+  pdfmoddate={\fixedpdfdate},
+\fi
+  pdfsubject={AppArmor},
+  pdfkeywords={AppArmor}
+]{hyperref}
+
+ \hyphenation{App-Armor}
+ \hyphenation{name-space}
+ 
+@@ -14,7 +25,8 @@
+ \author{Andreas Gruenbacher and Seth Arnold \\
+ \url{{agruen,seth.arnold}@suse.de} \\
+ SUSE Labs / Novell}
+-%\date{}
+% don't include the (build!) date
+\date{}
+ 
+ \begin{document}
+ 
+
--- a/2
+++ b/2
@ -28,7 +28,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 --- a/utils/Makefile	2011-05-27 21:08:50.000000000 +0200
 +++ b/utils/Makefile	2011-09-10 17:57:55.000000000 +0200
@@ -31,7 +31,7 @@ PERLTOOLS = aa-genprof aa-logprof aa-aut
- 	aa-unconfined aa-notify aa-disable
+ 	aa-unconfined aa-notify aa-disable aa-exec
 TOOLS = ${PERLTOOLS} aa-decode aa-status
 MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
 -	${MODDIR}/Config.pm ${MODDIR}/Severity.pm
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Tue May  8 19:30:23 UTC 2012 - opensuse@cboltz.de
+
+- add apparmor-techdoc.patch to remove traces of the build time in PDF files
+
+-------------------------------------------------------------------
+Sat May  5 20:25:49 UTC 2012 - opensuse@cboltz.de
+
+- update to AppArmor 2.8 beta5 (= 2.7.103 / r2031)
+  - new utility aa-exec to confine a program with the specified AppArmor profile
+  - add support for mount rules
+  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8 for full upstream
+    changelog
+- removed upstreamed and backported patches
+- remove outdated autobuild and "disable repo" patches that were disabled since
+  the AppArmor 2.7 package
+- create the Immunix::SubDomain compat perl module only for openSUSE <= 12.1
+  (bnc#720617 #c7)
+
 -------------------------------------------------------------------
 Mon Apr 16 21:16:41 UTC 2012 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -43,9 +43,8 @@ Name:           apparmor
 %if ! %{?distro:1}0
  %define distro suse
 %endif
-Version:        2.7.2
+Version:        2.7.103
 Release:        0
-%define versiondir        2.7.2
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
@ -57,9 +56,6 @@ Source3:        update-trans.sh
 # profile for winbindd (bnc#748499, not upstreamed yet)
 Source4:        usr.sbin.winbindd

-# add "/sys/devices/system/cpu/online r" to abstractions/base. Will be included in upstream > 2.7.2
-Patch:          0001-fix-for-lp929531.patch
-
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1:         apparmor-enable-profile-cache.diff

@ -69,25 +65,17 @@ Patch2:         apparmor-samba-include-permissions-for-shares.diff
 # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch5:         apparmor-utils-string-split

-# use autobuild everywhere. Patch applies to 2.6.1 only and probably won't be accepted upstream.
-Patch10:        apparmor-2.5.1-unified-build
-# requires Patch10
-Patch11:        apparmor-2.5.1-rpmlint-asprintf
-
 # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
 Patch12:        apparmor-2.5.1-edirectory-profile

-# obsolete, upstream implemented this in another way
-Patch15:        apparmor-remove-repo
-
-# remove after 12.1 release - bnc#720617 #c7
+# create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
 Patch21:        apparmor-utils-subdomain-compat

-# bnc#738905 - commited upstream (after 2.7.2)
+# bnc#738905 - commited upstream (after 2.7.2 / 2.8 beta5)
 Patch22:        apparmor-dnsmasq-profile-fix.patch

-# bnc#755923 / lp#800826 - logprof etc. ignores network log entries because of changed log format. from upstream r2022 (2.8 beta5 will have it)
-Patch23:        apparmor-r2022-log-parser-network-bnc755923.patch
+# use hyperref and use techdoc.tex's file date for the pdf's creation and mod date (avoids useless rebuilds) - patch sent upstream after 2.8 beta5
+Patch30:        apparmor-techdoc.patch

 Url:            https://launchpad.net/apparmor
 PreReq:         sed
@ -104,6 +92,7 @@ BuildRequires:  latex2html
 BuildRequires:  libtool
 BuildRequires:  pcre-devel
 BuildRequires:  pkg-config
+BuildRequires:  python
 BuildRequires:  texlive-latex
 BuildRequires:  w3m

@ -412,18 +401,25 @@ SubDomain.
 %endif

 %prep
-%setup -q -n %{name}-%{versiondir}
-%patch  -p1
+%setup -q
 %patch1 -p1
 %patch2 -p0
 %patch5 -p1
-#%patch10 -p1 # disabled, see above
-#%patch11 -p1 # disabled, see above
 %patch12 -p1
-#%patch15 -p1 # obsolete, see above
+
+# only create Immunix::SubDomain perl module for openSUSE <= 12.1 
+%if 0%{?suse_version}
+%if 0%{?suse_version} <= 1210
 %patch21 -p1
+%endif
+%endif
 %patch22 -p1
-%patch23 -p0
+
+# preserve timestamp of techdoc.tex
+touch -r parser/techdoc.tex parser/techdoc.timestamp 
+%patch30 -p0
+# preserve timestamp of techdoc.tex
+touch -r parser/techdoc.timestamp parser/techdoc.tex

 # profile for winbindd (bnc#748499, not upstreamed yet)
 test ! -e profiles/apparmor.d/usr.sbin.winbindd
@ -571,6 +567,9 @@ echo -------------------------------------------------------------------
 %doc parser/*.[1-9].html
 %doc common/apparmor.css
 %doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt
+# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
+%dir /usr/share/apparmor
+/usr/share/apparmor/apparmor.vim

 %files parser
 %defattr(-,root,root)
@ -656,6 +655,7 @@ fi
 %doc %{_mandir}/man8/complain.8.gz
 %doc %{_mandir}/man8/disable.8.gz
 %doc %{_mandir}/man8/enforce.8.gz
+%doc %{_mandir}/man8/exec.8.gz
 %doc %{_mandir}/man8/genprof.8.gz
 %doc %{_mandir}/man8/logprof.8.gz
 %doc %{_mandir}/man8/unconfined.8.gz