Accepting request 435008 from home:cboltz

- add changes-since-2.10.1--r3347..3353.diff with upstream changes and
  fixes in the 2.10 branch, including
  - allow writing *.qf files (for disk-based buffering) in syslog-ng profile
  - add several permissions to the dovecot profiles (deb#835826)
  - add a missing path in the traceroute profile

OBS-URL: https://build.opensuse.org/request/show/435008
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=155
This commit is contained in:
Christian Boltz 2016-10-13 19:45:07 +00:00 committed by Git OBS Bridge
parent 4bdce4a3da
commit 041a6f7868
3 changed files with 337 additions and 0 deletions

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Thu Oct 13 18:35:52 UTC 2016 - suse-beta@cboltz.de
- add changes-since-2.10.1--r3347..3353.diff with upstream changes and
fixes in the 2.10 branch, including
- allow writing *.qf files (for disk-based buffering) in syslog-ng profile
- add several permissions to the dovecot profiles (deb#835826)
- add a missing path in the traceroute profile
-------------------------------------------------------------------
Fri Aug 26 20:21:37 UTC 2016 - suse-beta@cboltz.de

View File

@ -98,6 +98,9 @@ Patch7: apparmor-lessopen-profile.patch
# fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet)
Patch8: libapparmor-fix-import-path.diff
# upstream changes/fixes from 2.10 branch r3347..3353
Patch9: changes-since-2.10.1--r3347..3353.diff
Url: https://launchpad.net/apparmor
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -448,6 +451,7 @@ SubDomain.
%patch6
%patch7 -p1
%patch8
%patch9
# search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

View File

@ -0,0 +1,324 @@
------------------------------------------------------------
revno: 3353
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Thu 2016-10-13 20:29:59 +0200
message:
syslog-ng profile: allow writing *.qf files
These files are needed for disk-based buffering (added in syslog-ng 3.8).
This was reported to me by Peter Czanik, one of the syslog-ng developers.
Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
I prefer not to do it - adding it later is easy, but finding out if it
could be removed is hard ;-)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3352
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Wed 2016-10-05 20:53:37 +0200
message:
Add missing permissions to dovecot profiles
- dovecot/auth: allow to read stats-user
- dovecot/config: allow to read /usr/share/dovecot/**
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
/usr/share/dovecot/**
These things were reported by Félix Sipma in Debian Bug#835826
(with some help from sarnold on IRC)
References: https://bugs.debian.org/835826
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
Also allow reading ~/.dovecot.svbin (that's the default filename in the
dovecot config) in dovecot/lmtp profile.
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
that's already covered by the existing rules.)
References: https://bugs.debian.org/835826 (again)
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3351
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-10-03 21:02:15 +0200
message:
Drop CMD_CONTINUE from ui.py (twice)
The latest version of pyflakes (1.3.0 / python 3.5) complains that
CMD_CONTINUE is defined twice in ui.py (with different texts).
Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
------------------------------------------------------------
revno: 3350
behebt den Fehler: https://launchpad.net/bugs/1379874
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Sat 2016-10-01 20:25:51 +0200
message:
[39/38] Ignore exec events for non-existing profiles
The switch to FileRule made some bugs visible that survived unnoticed
with hasher for years.
If aa-logprof sees an exec event for a non-existing profile _and_ a
profile file matching the expected profile filename exists in
/etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
being silent). In the old code, this created a superfluous entry
somewhere in the aa hasher, and caused the existing profile to be
rewritten (without changes).
However, with FileRule it causes a crash saying
File ".../utils/apparmor/aa.py", line 1335, in handle_children
aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
AttributeError: 'collections.defaultdict' object has no attribute 'add'
This patch makes sure exec events for unknown profiles get ignored.
Reproducer:
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
This causes a crash without this patch because
/etc/apparmor.d/sbin.klogd exists, but has
profile klogd /{usr/,}sbin/klogd {
References: https://bugs.launchpad.net/bugs/1379874
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
*** *** *** backport
*** *** *** --fixes lp:1379874
------------------------------------------------------------
revno: 3349
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Fri 2016-09-30 00:08:08 +0200
message:
Allow both paths in traceroute profile
In 2011 (r1803), the traceroute profile was changed to also match
/usr/bin/traceroute.db:
/usr/{sbin/traceroute,bin/traceroute.db} {
However, permissions for /usr/bin/traceroute.db were never added.
This patch fixes this.
While on it, also change the /usr/sbin/traceroute permissions from
rmix to the less confusing mrix.
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
------------------------------------------------------------
revno: 3348
committer: Tyler Hicks <tyhicks@canonical.com>
branch nick: apparmor-2.10
timestamp: Wed 2016-09-14 12:50:43 -0500
message:
libapparmor: Force libtoolize to replace existing files
Fixes build error when attempting to build and test the 2.10.95 release
on Ubuntu 14.04:
$ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \
make && make check) > /dev/null
...
libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the
libtool: definition of this LT_INIT comes from libtool 2.4.2.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1
libtool: and run autoconf again.
make[2]: *** [grammar.lo] Error 63
make[1]: *** [all] Error 2
make: *** [all-recursive] Error 1
The --force option is needed to regenerate the libtool file in
libraries/libapparmor/.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
------------------------------------------------------------
revno: 3347
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.10
timestamp: Mon 2016-09-12 23:35:00 +0200
message:
Allow 'kcm' in network rules
This is probably
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/networking/kcm.txt
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
=== modified file 'libraries/libapparmor/autogen.sh'
--- libraries/libapparmor/autogen.sh 2014-01-03 23:13:26 +0000
+++ libraries/libapparmor/autogen.sh 2016-09-14 17:50:43 +0000
@@ -38,6 +38,6 @@
echo "Running autoconf"
autoconf --force
echo "Running libtoolize"
-libtoolize --automake -c
+libtoolize --automake -c --force
echo "Running automake"
automake -ac
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
--- profiles/apparmor.d/sbin.syslog-ng 2015-11-11 15:44:47 +0000
+++ profiles/apparmor.d/sbin.syslog-ng 2016-10-13 18:29:59 +0000
@@ -48,6 +48,7 @@
/{usr/,}sbin/syslog-ng mr,
/sys/devices/system/cpu/online r,
/usr/share/syslog-ng/** r,
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
@{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:30 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-05 18:53:37 +0000
@@ -38,7 +38,7 @@
/var/tmp/smtp_* rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
- /{var/,}run/dovecot/stats-user w,
+ /{var/,}run/dovecot/stats-user rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth>
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
--- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-05 18:53:37 +0000
@@ -23,6 +23,7 @@
/usr/bin/doveconf rix,
/usr/lib/dovecot/config mr,
/usr/lib/dovecot/managesieve Px,
+ /usr/share/dovecot/** r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.config>
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000
@@ -25,7 +25,14 @@
@{DOVECOT_MAILSTORE}/** rwkl,
@{HOME} r, # ???
- /usr/lib/dovecot/imap mr,
+
+ /etc/dovecot/dovecot.conf r,
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/imap mrix,
+ /usr/share/dovecot/** r,
/{,var/}run/dovecot/auth-master rw,
/{,var/}run/dovecot/mounts r,
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 2015-04-27 19:33:06 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2016-10-05 18:53:37 +0000
@@ -25,6 +25,8 @@
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
+ @{HOME}/.dovecot.svbin r,
+
/proc/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
--- profiles/apparmor.d/usr.sbin.traceroute 2011-11-30 12:15:21 +0000
+++ profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:08:08 +0000
@@ -20,7 +20,8 @@
network inet raw,
network inet6 raw,
- /usr/sbin/traceroute rmix,
+ /usr/sbin/traceroute mrix,
+ /usr/bin/traceroute.db mrix,
@{PROC}/net/route r,
# Site-specific additions and overrides. See local/README for details.
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
+++ utils/apparmor/aa.py 2016-10-01 18:25:51 +0000
@@ -1168,6 +1168,9 @@
prelog[aamode][profile][hat]['path'][path] = mode
if do_execute:
+ if not aa[profile][hat]:
+ continue # ignore log entries for non-existing profiles
+
if profile_known_exec(aa[profile][hat], 'exec', exec_target):
continue
=== modified file 'utils/apparmor/rule/network.py'
--- utils/apparmor/rule/network.py 2016-02-18 22:31:56 +0000
+++ utils/apparmor/rule/network.py 2016-09-12 21:35:00 +0000
@@ -27,7 +27,7 @@
network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
- 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
+ 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
network_protocol_keywords = ['tcp', 'udp', 'icmp']
=== modified file 'utils/apparmor/ui.py'
--- utils/apparmor/ui.py 2014-11-17 12:30:04 +0000
+++ utils/apparmor/ui.py 2016-10-03 19:02:15 +0000
@@ -249,7 +249,6 @@
'CMD_EXEC_IX_ON': _('(X) ix On'),
'CMD_EXEC_IX_OFF': _('(X) ix Off'),
'CMD_SAVE': _('(S)ave Changes'),
- 'CMD_CONTINUE': _('(C)ontinue Profiling'),
'CMD_NEW': _('(N)ew'),
'CMD_GLOB': _('(G)lob'),
'CMD_GLOBEXT': _('Glob with (E)xtension'),
@@ -278,7 +277,6 @@
'CMD_NET_FAMILY': _('Allow Network Fa(m)ily'),
'CMD_OVERWRITE': _('(O)verwrite Profile'),
'CMD_KEEP': _('(K)eep Profile'),
- 'CMD_CONTINUE': _('(C)ontinue'),
'CMD_IGNORE_ENTRY': _('(I)gnore')
}