diff --git a/apparmor.changes b/apparmor.changes
index e0c183f..5a10d9f 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Oct 13 18:35:52 UTC 2016 - suse-beta@cboltz.de
+
+- add changes-since-2.10.1--r3347..3353.diff with upstream changes and
+ fixes in the 2.10 branch, including
+ - allow writing *.qf files (for disk-based buffering) in syslog-ng profile
+ - add several permissions to the dovecot profiles (deb#835826)
+ - add a missing path in the traceroute profile
+
 -------------------------------------------------------------------
 Fri Aug 26 20:21:37 UTC 2016 - suse-beta@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index 9a9d35c..94e340a 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -98,6 +98,9 @@ Patch7: apparmor-lessopen-profile.patch
 # fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet)
 Patch8: libapparmor-fix-import-path.diff
+# upstream changes/fixes from 2.10 branch r3347..3353
+Patch9: changes-since-2.10.1--r3347..3353.diff
+
 Url: https://launchpad.net/apparmor
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -448,6 +451,7 @@ SubDomain.
 %patch6
 %patch7 -p1
 %patch8
+%patch9
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
diff --git a/changes-since-2.10.1--r3347..3353.diff b/changes-since-2.10.1--r3347..3353.diff
new file mode 100644
index 0000000..8b85e8f
--- /dev/null
+++ b/changes-since-2.10.1--r3347..3353.diff
@@ -0,0 +1,324 @@
+------------------------------------------------------------
+revno: 3353
+committer: Christian Boltz
+branch nick: 2.10
+timestamp: Thu 2016-10-13 20:29:59 +0200
+message:
+ syslog-ng profile: allow writing *.qf files
+
+ These files are needed for disk-based buffering (added in syslog-ng 3.8).
+ This was reported to me by Peter Czanik, one of the syslog-ng developers.
+
+ Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now
+ I prefer not to do it - adding it later is easy, but finding out if it
+ could be removed is hard ;-)
+
+
+ Acked-by: John Johansen for trunk, 2.10 and 2.9.
+------------------------------------------------------------
+revno: 3352
+committer: Christian Boltz
+branch nick: 2.10
+timestamp: Wed 2016-10-05 20:53:37 +0200
+message:
+ Add missing permissions to dovecot profiles
+
+ - dovecot/auth: allow to read stats-user
+ - dovecot/config: allow to read /usr/share/dovecot/**
+ - dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and
+ /usr/share/dovecot/**
+
+ These things were reported by FĂ©lix Sipma in Debian Bug#835826
+ (with some help from sarnold on IRC)
+
+ References: https://bugs.debian.org/835826
+
+
+ Acked-by: Seth Arnold for trunk, 2.10 and 2.9.
+
+
+
+ Also allow reading ~/.dovecot.svbin (that's the default filename in the
+ dovecot config) in dovecot/lmtp profile.
+ (*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but
+ that's already covered by the existing rules.)
+
+ References: https://bugs.debian.org/835826 (again)
+
+
+ Acked-by: John Johansen for trunk, 2.10 and 2.9
+------------------------------------------------------------
+revno: 3351
+committer: Christian Boltz
+branch nick: 2.10
+timestamp: Mon 2016-10-03 21:02:15 +0200
+message:
+ Drop CMD_CONTINUE from ui.py (twice)
+
+ The latest version of pyflakes (1.3.0 / python 3.5) complains that
+ CMD_CONTINUE is defined twice in ui.py (with different texts).
+
+ Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both.
+
+
+ Acked-by: Seth Arnold for trunk, 2.10 and 2.9
+------------------------------------------------------------
+revno: 3350
+behebt den Fehler: https://launchpad.net/bugs/1379874
+committer: Christian Boltz
+branch nick: 2.10
+timestamp: Sat 2016-10-01 20:25:51 +0200
+message:
+ [39/38] Ignore exec events for non-existing profiles
+
+ The switch to FileRule made some bugs visible that survived unnoticed
+ with hasher for years.
+
+ If aa-logprof sees an exec event for a non-existing profile _and_ a
+ profile file matching the expected profile filename exists in
+ /etc/apparmor.d/, it asks for the exec mode nevertheless (instead of
+ being silent). In the old code, this created a superfluous entry
+ somewhere in the aa hasher, and caused the existing profile to be
+ rewritten (without changes).
+
+ However, with FileRule it causes a crash saying
+
+ File ".../utils/apparmor/aa.py", line 1335, in handle_children
+ aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True))
+ AttributeError: 'collections.defaultdict' object has no attribute 'add'
+
+ This patch makes sure exec events for unknown profiles get ignored.
+
+
+
+ Reproducer:
+
+ python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"')
+
+ This causes a crash without this patch because
+ /etc/apparmor.d/sbin.klogd exists, but has
+ profile klogd /{usr/,}sbin/klogd {
+
+
+
+ References: https://bugs.launchpad.net/bugs/1379874
+
+
+
+ Acked-by: Steve Beattie for trunk, 2.10 and 2.9
+
+
+ *** *** *** backport
+ *** *** *** --fixes lp:1379874
+------------------------------------------------------------
+revno: 3349
+committer: Christian Boltz
+branch nick: 2.10
+timestamp: Fri 2016-09-30 00:08:08 +0200
+message:
+ Allow both paths in traceroute profile
+
+ In 2011 (r1803), the traceroute profile was changed to also match
+ /usr/bin/traceroute.db:
+ /usr/{sbin/traceroute,bin/traceroute.db} {
+
+ However, permissions for /usr/bin/traceroute.db were never added.
+ This patch fixes this.
+
+
+ While on it, also change the /usr/sbin/traceroute permissions from
+ rmix to the less confusing mrix.
+
+
+ Acked-by: Seth Arnold for trunk, 2.10 and 2.9.
+------------------------------------------------------------
+revno: 3348
+committer: Tyler Hicks
+branch nick: apparmor-2.10
+timestamp: Wed 2016-09-14 12:50:43 -0500
+message:
+ libapparmor: Force libtoolize to replace existing files
+
+ Fixes build error when attempting to build and test the 2.10.95 release
+ on Ubuntu 14.04:
+
+ $ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \
+ make && make check) > /dev/null
+ ...
+ libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the
+ libtool: definition of this LT_INIT comes from libtool 2.4.2.
+ libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1
+ libtool: and run autoconf again.
+ make[2]: *** [grammar.lo] Error 63
+ make[1]: *** [all] Error 2
+ make: *** [all-recursive] Error 1
+
+ The --force option is needed to regenerate the libtool file in
+ libraries/libapparmor/.
+
+ Signed-off-by: Tyler Hicks
+ Acked-by: Steve Beattie
+------------------------------------------------------------
+revno: 3347
+committer: Christian Boltz
+branch nick: 2.10
+timestamp: Mon 2016-09-12 23:35:00 +0200
+message:
+ Allow 'kcm' in network rules
+
+ This is probably
+ https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/networking/kcm.txt
+
+
+ Acked-by: Seth Arnold for trunk and 2.10.
+
+
+
+
+
+
+
+=== modified file 'libraries/libapparmor/autogen.sh'
+--- libraries/libapparmor/autogen.sh 2014-01-03 23:13:26 +0000
++++ libraries/libapparmor/autogen.sh 2016-09-14 17:50:43 +0000
+@@ -38,6 +38,6 @@
+ echo "Running autoconf"
+ autoconf --force
+ echo "Running libtoolize"
+-libtoolize --automake -c
++libtoolize --automake -c --force
+ echo "Running automake"
+ automake -ac
+
+=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
+--- profiles/apparmor.d/sbin.syslog-ng 2015-11-11 15:44:47 +0000
++++ profiles/apparmor.d/sbin.syslog-ng 2016-10-13 18:29:59 +0000
+@@ -48,6 +48,7 @@
+ /{usr/,}sbin/syslog-ng mr,
+ /sys/devices/system/cpu/online r,
+ /usr/share/syslog-ng/** r,
++ /var/lib/syslog-ng/syslog-ng-?????.qf rw,
+ # chrooted applications
+ @{CHROOT_BASE}/var/lib/*/dev/log w,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
+
+=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
+--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:30 +0000
++++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-05 18:53:37 +0000
+@@ -38,7 +38,7 @@
+ /var/tmp/smtp_* rw,
+
+ /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+- /{var/,}run/dovecot/stats-user w,
++ /{var/,}run/dovecot/stats-user rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+=== modified file 'profiles/apparmor.d/usr.lib.dovecot.config'
+--- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000
++++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-05 18:53:37 +0000
+@@ -23,6 +23,7 @@
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/config mr,
+ /usr/lib/dovecot/managesieve Px,
++ /usr/share/dovecot/** r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
+--- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000
++++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000
+@@ -25,7 +25,14 @@
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
+- /usr/lib/dovecot/imap mr,
++
++ /etc/dovecot/dovecot.conf r,
++ /etc/dovecot/conf.d/ r,
++ /etc/dovecot/conf.d/** r,
++
++ /usr/bin/doveconf rix,
++ /usr/lib/dovecot/imap mrix,
++ /usr/share/dovecot/** r,
+ /{,var/}run/dovecot/auth-master rw,
+ /{,var/}run/dovecot/mounts r,
+
+
+=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp'
+--- profiles/apparmor.d/usr.lib.dovecot.lmtp 2015-04-27 19:33:06 +0000
++++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2016-10-05 18:53:37 +0000
+@@ -25,6 +25,8 @@
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
++ @{HOME}/.dovecot.svbin r,
++
+ /proc/*/mounts r,
+ /tmp/dovecot.lmtp.* rw,
+ /usr/lib/dovecot/lmtp mr,
+
+=== modified file 'profiles/apparmor.d/usr.sbin.traceroute'
+--- profiles/apparmor.d/usr.sbin.traceroute 2011-11-30 12:15:21 +0000
++++ profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:08:08 +0000
+@@ -20,7 +20,8 @@
+ network inet raw,
+ network inet6 raw,
+
+- /usr/sbin/traceroute rmix,
++ /usr/sbin/traceroute mrix,
++ /usr/bin/traceroute.db mrix,
+ @{PROC}/net/route r,
+
+ # Site-specific additions and overrides. See local/README for details.
+
+=== modified file 'utils/apparmor/aa.py'
+--- utils/apparmor/aa.py 2016-08-15 20:06:47 +0000
++++ utils/apparmor/aa.py 2016-10-01 18:25:51 +0000
+@@ -1168,6 +1168,9 @@
+ prelog[aamode][profile][hat]['path'][path] = mode
+
+ if do_execute:
++ if not aa[profile][hat]:
++ continue # ignore log entries for non-existing profiles
++
+ if profile_known_exec(aa[profile][hat], 'exec', exec_target):
+ continue
+
+
+=== modified file 'utils/apparmor/rule/network.py'
+--- utils/apparmor/rule/network.py 2016-02-18 22:31:56 +0000
++++ utils/apparmor/rule/network.py 2016-09-12 21:35:00 +0000
+@@ -27,7 +27,7 @@
+ network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
+ 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
+ 'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
+- 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ]
++ 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ]
+
+ network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
+ network_protocol_keywords = ['tcp', 'udp', 'icmp']
+
+=== modified file 'utils/apparmor/ui.py'
+--- utils/apparmor/ui.py 2014-11-17 12:30:04 +0000
++++ utils/apparmor/ui.py 2016-10-03 19:02:15 +0000
+@@ -249,7 +249,6 @@
+ 'CMD_EXEC_IX_ON': _('(X) ix On'),
+ 'CMD_EXEC_IX_OFF': _('(X) ix Off'),
+ 'CMD_SAVE': _('(S)ave Changes'),
+- 'CMD_CONTINUE': _('(C)ontinue Profiling'),
+ 'CMD_NEW': _('(N)ew'),
+ 'CMD_GLOB': _('(G)lob'),
+ 'CMD_GLOBEXT': _('Glob with (E)xtension'),
+@@ -278,7 +277,6 @@
+ 'CMD_NET_FAMILY': _('Allow Network Fa(m)ily'),
+ 'CMD_OVERWRITE': _('(O)verwrite Profile'),
+ 'CMD_KEEP': _('(K)eep Profile'),
+- 'CMD_CONTINUE': _('(C)ontinue'),
+ 'CMD_IGNORE_ENTRY': _('(I)gnore')
+ }
+
+
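Review bot: The new guard `if not aa[profile][hat]:` in the utils/apparmor/aa.py part of this patch still autovivifies the entry it is testing, if `aa` is the defaultdict-based hasher the r3350 message and its traceback describe, so the lookup itself creates empty `aa[profile]` and `aa[profile][hat]` entries for the unknown profile — the same "superfluous entry" the message says caused an existing profile to be rewritten without changes — before the `continue` skips the event. A membership test avoids the side effect: `if profile not in aa or hat not in aa[profile]:` followed by the same `continue # ignore log entries for non-existing profiles`. The enclosing function (handle_children, per the traceback) starts and ends outside the hunk, so whether `aa` is guaranteed to be a hasher at this point should be confirmed against the surrounding code. On the profile side, the dovecot/imap hunk grants `/etc/dovecot/conf.d/** r`, which covers any credential-bearing `*.ext` files placed under conf.d; since imap processes normally run as the mail user this is presumably acceptable, but a comment noting that DAC is the only remaining barrier would help a later reviewer.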