Accepting request 435008 from home:cboltz
- add changes-since-2.10.1--r3347..3353.diff with upstream changes and fixes in the 2.10 branch, including - allow writing *.qf files (for disk-based buffering) in syslog-ng profile - add several permissions to the dovecot profiles (deb#835826) - add a missing path in the traceroute profile OBS-URL: https://build.opensuse.org/request/show/435008 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=155
parent
4bdce4a3da
commit
041a6f7868
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 13 18:35:52 UTC 2016 - suse-beta@cboltz.de
|
||||
|
||||
- add changes-since-2.10.1--r3347..3353.diff with upstream changes and
|
||||
fixes in the 2.10 branch, including
|
||||
- allow writing *.qf files (for disk-based buffering) in syslog-ng profile
|
||||
- add several permissions to the dovecot profiles (deb#835826)
|
||||
- add a missing path in the traceroute profile
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 26 20:21:37 UTC 2016 - suse-beta@cboltz.de
|
||||
|
||||
|
@ -98,6 +98,9 @@ Patch7: apparmor-lessopen-profile.patch
|
||||
# fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet)
|
||||
Patch8: libapparmor-fix-import-path.diff
|
||||
|
||||
# upstream changes/fixes from 2.10 branch r3347..3353
|
||||
Patch9: changes-since-2.10.1--r3347..3353.diff
|
||||
|
||||
Url: https://launchpad.net/apparmor
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -448,6 +451,7 @@ SubDomain.
|
||||
%patch6
|
||||
%patch7 -p1
|
||||
%patch8
|
||||
%patch9
|
||||
|
||||
# search for left-over multiline rules
|
||||
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
||||
|
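Review bot: `%patch9` is applied with rpm's default strip level while `%patch7` three lines above needs `-p1`, and nothing on the line or in the Patch9 comment explains the difference. The headers inside the new file (`--- libraries/libapparmor/autogen.sh …`) carry no `a/`/`b/` prefix, so the bare form is what matches, but the file also opens with well over a hundred lines of `revno:`/`committer:` preamble (apparently bzr log output) before its first `=== modified file` header, which a future maintainer refreshing the patch will have to reproduce. A comment next to Patch9 such as `# bzr log+diff output: paths are unprefixed, apply with the default strip level` would make the choice explicit.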
324
changes-since-2.10.1--r3347..3353.diff
Normal file
324
changes-since-2.10.1--r3347..3353.diff
Normal file
@ -0,0 +1,324 @@
|
||||
------------------------------------------------------------
|
||||
revno: 3353
|
||||
committer: Christian Boltz <apparmor@cboltz.de>
|
||||
branch nick: 2.10
|
||||
timestamp: Thu 2016-10-13 20:29:59 +0200
|
||||
message:
|
||||
syslog-ng profile: allow writing *.qf files
|
||||
|
||||
These files are needed for disk-based buffering (added in syslog-ng 3.8).
|
||||
This was reported to me by Peter Czanik, one of the syslog-ng developers.
|
||||
|
||||
Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
|
||||
I prefer not to do it - adding it later is easy, but finding out if it
|
||||
could be removed is hard ;-)
|
||||
|
||||
|
||||
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9.
|
||||
------------------------------------------------------------
|
||||
revno: 3352
|
||||
committer: Christian Boltz <apparmor@cboltz.de>
|
||||
branch nick: 2.10
|
||||
timestamp: Wed 2016-10-05 20:53:37 +0200
|
||||
message:
|
||||
Add missing permissions to dovecot profiles
|
||||
|
||||
- dovecot/auth: allow to read stats-user
|
||||
- dovecot/config: allow to read /usr/share/dovecot/**
|
||||
- dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
|
||||
/usr/share/dovecot/**
|
||||
|
||||
These things were reported by Félix Sipma in Debian Bug#835826
|
||||
(with some help from sarnold on IRC)
|
||||
|
||||
References: https://bugs.debian.org/835826
|
||||
|
||||
|
||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
||||
|
||||
|
||||
|
||||
Also allow reading ~/.dovecot.svbin (that's the default filename in the
|
||||
dovecot config) in dovecot/lmtp profile.
|
||||
(*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
|
||||
that's already covered by the existing rules.)
|
||||
|
||||
References: https://bugs.debian.org/835826 (again)
|
||||
|
||||
|
||||
Acked-by: John Johansen <john.johansen@canonical.com> for trunk, 2.10 and 2.9
|
||||
------------------------------------------------------------
|
||||
revno: 3351
|
||||
committer: Christian Boltz <apparmor@cboltz.de>
|
||||
branch nick: 2.10
|
||||
timestamp: Mon 2016-10-03 21:02:15 +0200
|
||||
message:
|
||||
Drop CMD_CONTINUE from ui.py (twice)
|
||||
|
||||
The latest version of pyflakes (1.3.0 / python 3.5) complains that
|
||||
CMD_CONTINUE is defined twice in ui.py (with different texts).
|
||||
|
||||
Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both.
|
||||
|
||||
|
||||
|
||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9
|
||||
------------------------------------------------------------
|
||||
revno: 3350
|
||||
behebt den Fehler: https://launchpad.net/bugs/1379874
|
||||
committer: Christian Boltz <apparmor@cboltz.de>
|
||||
branch nick: 2.10
|
||||
timestamp: Sat 2016-10-01 20:25:51 +0200
|
||||
message:
|
||||
[39/38] Ignore exec events for non-existing profiles
|
||||
|
||||
The switch to FileRule made some bugs visible that survived unnoticed
|
||||
with hasher for years.
|
||||
|
||||
If aa-logprof sees an exec event for a non-existing profile _and_ a
|
||||
profile file matching the expected profile filename exists in
|
||||
/etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
|
||||
being silent). In the old code, this created a superfluous entry
|
||||
somewhere in the aa hasher, and caused the existing profile to be
|
||||
rewritten (without changes).
|
||||
|
||||
However, with FileRule it causes a crash saying
|
||||
|
||||
File ".../utils/apparmor/aa.py", line 1335, in handle_children
|
||||
aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
|
||||
AttributeError: 'collections.defaultdict' object has no attribute 'add'
|
||||
|
||||
This patch makes sure exec events for unknown profiles get ignored.
|
||||
|
||||
|
||||
|
||||
Reproducer:
|
||||
|
||||
python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
|
||||
|
||||
This causes a crash without this patch because
|
||||
/etc/apparmor.d/sbin.klogd exists, but has
|
||||
profile klogd /{usr/,}sbin/klogd {
|
||||
|
||||
|
||||
|
||||
References: https://bugs.launchpad.net/bugs/1379874
|
||||
|
||||
|
||||
|
||||
Acked-by: Steve Beattie <steve@nxnw.org> for trunk, 2.10 and 2.9
|
||||
|
||||
|
||||
*** *** *** backport
|
||||
*** *** *** --fixes lp:1379874
|
||||
------------------------------------------------------------
|
||||
revno: 3349
|
||||
committer: Christian Boltz <apparmor@cboltz.de>
|
||||
branch nick: 2.10
|
||||
timestamp: Fri 2016-09-30 00:08:08 +0200
|
||||
message:
|
||||
Allow both paths in traceroute profile
|
||||
|
||||
In 2011 (r1803), the traceroute profile was changed to also match
|
||||
/usr/bin/traceroute.db:
|
||||
/usr/{sbin/traceroute,bin/traceroute.db} {
|
||||
|
||||
However, permissions for /usr/bin/traceroute.db were never added.
|
||||
This patch fixes this.
|
||||
|
||||
|
||||
While on it, also change the /usr/sbin/traceroute permissions from
|
||||
rmix to the less confusing mrix.
|
||||
|
||||
|
||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk, 2.10 and 2.9.
|
||||
------------------------------------------------------------
|
||||
revno: 3348
|
||||
committer: Tyler Hicks <tyhicks@canonical.com>
|
||||
branch nick: apparmor-2.10
|
||||
timestamp: Wed 2016-09-14 12:50:43 -0500
|
||||
message:
|
||||
libapparmor: Force libtoolize to replace existing files
|
||||
|
||||
Fixes build error when attempting to build and test the 2.10.95 release
|
||||
on Ubuntu 14.04:
|
||||
|
||||
$ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \
|
||||
make && make check) > /dev/null
|
||||
...
|
||||
libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the
|
||||
libtool: definition of this LT_INIT comes from libtool 2.4.2.
|
||||
libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1
|
||||
libtool: and run autoconf again.
|
||||
make[2]: *** [grammar.lo] Error 63
|
||||
make[1]: *** [all] Error 2
|
||||
make: *** [all-recursive] Error 1
|
||||
|
||||
The --force option is needed to regenerate the libtool file in
|
||||
libraries/libapparmor/.
|
||||
|
||||
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
|
||||
Acked-by: Steve Beattie <steve@nxnw.org>
|
||||
------------------------------------------------------------
|
||||
revno: 3347
|
||||
committer: Christian Boltz <apparmor@cboltz.de>
|
||||
branch nick: 2.10
|
||||
timestamp: Mon 2016-09-12 23:35:00 +0200
|
||||
message:
|
||||
Allow 'kcm' in network rules
|
||||
|
||||
This is probably
|
||||
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/networking/kcm.txt
|
||||
|
||||
|
||||
Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.10.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
=== modified file 'libraries/libapparmor/autogen.sh'
|
||||
--- libraries/libapparmor/autogen.sh 2014-01-03 23:13:26 +0000
|
||||
+++ libraries/libapparmor/autogen.sh 2016-09-14 17:50:43 +0000
|
||||
@@ -38,6 +38,6 @@
|
||||
echo "Running autoconf"
|
||||
autoconf --force
|
||||
echo "Running libtoolize"
|
||||
-libtoolize --automake -c
|
||||
+libtoolize --automake -c --force
|
||||
echo "Running automake"
|
||||
automake -ac
|
||||
|
||||
=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
|
||||
--- profiles/apparmor.d/sbin.syslog-ng 2015-11-11 15:44:47 +0000
|
||||
+++ profiles/apparmor.d/sbin.syslog-ng 2016-10-13 18:29:59 +0000
|
||||
@@ -48,6 +48,7 @@
|
||||
/{usr/,}sbin/syslog-ng mr,
|
||||
/sys/devices/system/cpu/online r,
|
||||
/usr/share/syslog-ng/** r,
|
||||
+ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
|
||||
# chrooted applications
|
||||
@{CHROOT_BASE}/var/lib/*/dev/log w,
|
||||
@{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
|
||||
|
||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
|
||||
--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:30 +0000
|
||||
+++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-05 18:53:37 +0000
|
||||
@@ -38,7 +38,7 @@
|
||||
/var/tmp/smtp_* rw,
|
||||
|
||||
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
|
||||
- /{var/,}run/dovecot/stats-user w,
|
||||
+ /{var/,}run/dovecot/stats-user rw,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.lib.dovecot.auth>
|
||||
|
||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
|
||||
--- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000
|
||||
+++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-05 18:53:37 +0000
|
||||
@@ -23,6 +23,7 @@
|
||||
/usr/bin/doveconf rix,
|
||||
/usr/lib/dovecot/config mr,
|
||||
/usr/lib/dovecot/managesieve Px,
|
||||
+ /usr/share/dovecot/** r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.lib.dovecot.config>
|
||||
|
||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
|
||||
--- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
|
||||
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000
|
||||
@@ -25,7 +25,14 @@
|
||||
@{DOVECOT_MAILSTORE}/** rwkl,
|
||||
|
||||
@{HOME} r, # ???
|
||||
- /usr/lib/dovecot/imap mr,
|
||||
+
|
||||
+ /etc/dovecot/dovecot.conf r,
|
||||
+ /etc/dovecot/conf.d/ r,
|
||||
+ /etc/dovecot/conf.d/** r,
|
||||
+
|
||||
+ /usr/bin/doveconf rix,
|
||||
+ /usr/lib/dovecot/imap mrix,
|
||||
+ /usr/share/dovecot/** r,
|
||||
/{,var/}run/dovecot/auth-master rw,
|
||||
/{,var/}run/dovecot/mounts r,
|
||||
|
||||
|
||||
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
|
||||
--- profiles/apparmor.d/usr.lib.dovecot.lmtp 2015-04-27 19:33:06 +0000
|
||||
+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2016-10-05 18:53:37 +0000
|
||||
@@ -25,6 +25,8 @@
|
||||
@{DOVECOT_MAILSTORE}/ rw,
|
||||
@{DOVECOT_MAILSTORE}/** rwkl,
|
||||
|
||||
+ @{HOME}/.dovecot.svbin r,
|
||||
+
|
||||
/proc/*/mounts r,
|
||||
/tmp/dovecot.lmtp.* rw,
|
||||
/usr/lib/dovecot/lmtp mr,
|
||||
|
||||
=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
|
||||
--- profiles/apparmor.d/usr.sbin.traceroute 2011-11-30 12:15:21 +0000
|
||||
+++ profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:08:08 +0000
|
||||
@@ -20,7 +20,8 @@
|
||||
network inet raw,
|
||||
network inet6 raw,
|
||||
|
||||
- /usr/sbin/traceroute rmix,
|
||||
+ /usr/sbin/traceroute mrix,
|
||||
+ /usr/bin/traceroute.db mrix,
|
||||
@{PROC}/net/route r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
|
||||
=== modified file 'utils/apparmor/aa.py'
|
||||
--- utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
|
||||
+++ utils/apparmor/aa.py 2016-10-01 18:25:51 +0000
|
||||
@@ -1168,6 +1168,9 @@
|
||||
prelog[aamode][profile][hat]['path'][path] = mode
|
||||
|
||||
if do_execute:
|
||||
+ if not aa[profile][hat]:
|
||||
+ continue # ignore log entries for non-existing profiles
|
||||
+
|
||||
if profile_known_exec(aa[profile][hat], 'exec', exec_target):
|
||||
continue
|
||||
|
||||
|
||||
=== modified file 'utils/apparmor/rule/network.py'
|
||||
--- utils/apparmor/rule/network.py 2016-02-18 22:31:56 +0000
|
||||
+++ utils/apparmor/rule/network.py 2016-09-12 21:35:00 +0000
|
||||
@@ -27,7 +27,7 @@
|
||||
network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
|
||||
'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
|
||||
'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
|
||||
- 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
|
||||
+ 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
|
||||
|
||||
network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
|
||||
network_protocol_keywords = ['tcp', 'udp', 'icmp']
|
||||
|
||||
=== modified file 'utils/apparmor/ui.py'
|
||||
--- utils/apparmor/ui.py 2014-11-17 12:30:04 +0000
|
||||
+++ utils/apparmor/ui.py 2016-10-03 19:02:15 +0000
|
||||
@@ -249,7 +249,6 @@
|
||||
'CMD_EXEC_IX_ON': _('(X) ix On'),
|
||||
'CMD_EXEC_IX_OFF': _('(X) ix Off'),
|
||||
'CMD_SAVE': _('(S)ave Changes'),
|
||||
- 'CMD_CONTINUE': _('(C)ontinue Profiling'),
|
||||
'CMD_NEW': _('(N)ew'),
|
||||
'CMD_GLOB': _('(G)lob'),
|
||||
'CMD_GLOBEXT': _('Glob with (E)xtension'),
|
||||
@@ -278,7 +277,6 @@
|
||||
'CMD_NET_FAMILY': _('Allow Network Fa(m)ily'),
|
||||
'CMD_OVERWRITE': _('(O)verwrite Profile'),
|
||||
'CMD_KEEP': _('(K)eep Profile'),
|
||||
- 'CMD_CONTINUE': _('(C)ontinue'),
|
||||
'CMD_IGNORE_ENTRY': _('(I)gnore')
|
||||
}
|
||||
|
||||
|
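Review bot: In the `utils/apparmor/aa.py` hunk, `if not aa[profile][hat]:` subscripts a structure that the commit message's own traceback shows to be `collections.defaultdict`-based, so the lookup inserts an empty `aa[profile][hat]` entry before the truthiness test runs; the check therefore detects the unknown profile but does not avoid the superfluous hasher entry the message blames for rewriting an existing profile, it only reaches it one line earlier than the `profile_known_exec(aa[profile][hat], …)` call did. A membership test has no side effect: `if profile not in aa or hat not in aa[profile]:` followed by the existing `continue`. The enclosing function (`handle_children` per the traceback) starts and ends outside the hunk, so whether later code relies on that entry existing cannot be confirmed from here. The `network.py` hunk adds `'kcm'` to the keyword list only; if the profile parser has a separate keyword table, it presumably needs the same entry for `network kcm` rules accepted by the tools to load.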