Accepting request 243065 from home:jeff_mahoney:branches:security:apparmor

- add perl-apparmor-fix-bare-network-keyword-handling.diff:
  perl-apparmor: Fix handling of network (or network all) (bnc#889650)
- add perl-apparmor-handle-bare-capability-keyword.diff:
  perl-apparmor: Fix handling of capability keyword (bnc#889651)
- add perl-apparmor-properly-handle-bare-file-keyword.diff:
  perl-apparmor: Properly handle bare file keyword (bnc#889652)

OBS-URL: https://build.opensuse.org/request/show/243065
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=90

apparmor.changes

@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Jul 30 17:35:13 UTC 2014 - jeffm@suse.com
+
+- add perl-apparmor-fix-bare-network-keyword-handling.diff:
+  perl-apparmor: Fix handling of network (or network all) (bnc#889650)
+
+- add perl-apparmor-handle-bare-capability-keyword.diff:
+  perl-apparmor: Fix handling of capability keyword (bnc#889651)
+
+- add perl-apparmor-properly-handle-bare-file-keyword.diff:
+  perl-apparmor: Properly handle bare file keyword (bnc#889652)
+
 -------------------------------------------------------------------
 Thu Jul  3 14:45:14 UTC 2014 - ddiss@suse.com
 

apparmor.spec

@@ -123,6 +123,15 @@ Patch23:        apparmor-2.8.2-nm-dnsmasq-config.patch
 # Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch)
 Patch24:        apparmor-profiles-clustered-samba.diff
 
+# perl-apparmor: Fix handling of network (or network all) (bnc#889650)
+Patch25:        perl-apparmor-fix-bare-network-keyword-handling.diff
+
+# perl-apparmor: Fix handling of capability keyword (bnc#889651)
+Patch26:        perl-apparmor-handle-bare-capability-keyword.diff
+
+# perl-apparmor: Properly handle bare file keyword (bnc#889652)
+Patch27:        perl-apparmor-properly-handle-bare-file-keyword.diff
+
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -507,6 +516,9 @@ SubDomain.
 %endif
 
 %patch24
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
 
 # profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328)
 test ! -e profiles/apparmor.d/usr.sbin.winbindd

perl-apparmor-fix-bare-network-keyword-handling.diff

@@ -0,0 +1,34 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: perl-apparmor: Fix bare 'network' keyword handling
+References: bnc#889650
+
+The 'network' bare keyword was being printed as "audit network all" due to
+two different bugs:
+
+1) {audit}{all} was always being set to 1, regardless of whether the audit
+   keyword was used
+2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
+
+With these fixed, 'network' is properly handled.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+--- a/utils/Immunix/AppArmor.pm
++++ b/utils/Immunix/AppArmor.pm
+@@ -5353,7 +5368,7 @@
+ 		$profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
+             } else {
+                 $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1;
+-                $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1;
++                $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit;
+             }
+         } elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) {
+ # just ignore and drop old style network
+@@ -5708,7 +5729,7 @@
+     # dump out the netdomain entries...
+     if (exists $profile_data->{$allow}{netdomain}) {
+         if ( $profile_data->{$allow}{netdomain}{rule} &&
+-             $profile_data->{$allow}{netdomain}{rule} eq 'all') {
++             $profile_data->{$allow}{netdomain}{rule}{all}) {
+ 	    $audit = "audit " if $profile_data->{$allow}{netdomain}{audit}{all};
+             push @data, "${pre}${audit}network,";
+         } else {

perl-apparmor-handle-bare-capability-keyword.diff

@@ -0,0 +1,43 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: perl-apparmor: Handle bare 'capability' keyword
+References: bnc#889651
+
+Specifying 'capability' implies all capabilities, but the perl code didn't
+recognize it.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+--- a/utils/Immunix/AppArmor.pm
++++ b/utils/Immunix/AppArmor.pm
+@@ -5151,7 +5151,7 @@
+ 
+             $initial_comment = "";
+ 
+-        } elsif (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) {  # capability entry
++        } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) {  # capability entry
+             if (not $profile) {
+                 die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
+             }
+@@ -5159,7 +5159,7 @@
+ 	    my $audit = $1 ? 1 : 0;
+ 	    my $allow = $2 ? 'deny' : 'allow';
+ 	    $allow = 'deny' if ($2);
+-            my $capability = $3;
++            my $capability = $3 ? $3 : 'all';
+             $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1;
+             $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = $audit;
+         } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) {  # capability entry
+@@ -5675,7 +5690,13 @@
+ 
+     my @data;
+     if (exists $profile_data->{$allow}{capability}) {
+-        for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
++	my $audit;
++	if (exists $profile_data->{$allow}{capability}{all}) {
++	    $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? 'audit ' : '';
++	    push @data, "${pre}${audit}${allowstr}capability,";
++	}
++	for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
++	    next if ($cap eq "all");
+ 	    my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? 'audit ' : '';
+ 	    if ($profile_data->{$allow}{capability}{$cap}{set}) {
+ 		push @data, "${pre}${audit}${allowstr}capability ${cap},";

perl-apparmor-properly-handle-bare-file-keyword.diff

@@ -0,0 +1,73 @@
+From: Jeff Mahoney <jeffm@suse.com>
+Subject: perl-apparmor: Properly handle bare 'file' keyword
+References: bnc#889652
+
+The bare file keyword is a shortcut for /{**,}. There are also implied
+permissions that go with it.
+
+This patch accepts the file keyword as well as allowing for missing mode
+specifiers.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+---
+
+ utils/Immunix/AppArmor.pm |   27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+--- a/utils/Immunix/AppArmor.pm
++++ b/utils/Immunix/AppArmor.pm
+@@ -5252,7 +5252,7 @@
+         } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
+         } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
+         } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
+-        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
++        } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) {     # path entry
+             if (not $profile) {
+                 die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
+             }
+@@ -5260,7 +5260,19 @@
+ 	    my $audit = $1 ? 1 : 0;
+ 	    my $allow = $2 ? 'deny' : 'allow';
+ 	    my $user = $3 ? 1 : 0;
+-            my ($path, $mode, $nt_name) = ($4, $5, $7);
++            my ($path, $mode, $nt_name) = ($5, $6, $8);
++            my $file_keyword = 0;
++            my $use_mode = 1;
++
++            if ($4 eq "file") {
++                $path = "/{**,}";
++                $file_keyword = 1;
++                if (!$mode) {
++                    # what the parser uses, but we don't care
++                    $mode = "rwixlka";
++                    $use_mode = 0;
++                }
++            }
+ 
+             # strip off any trailing spaces.
+             $path =~ s/\s+$//;
+@@ -5281,6 +5293,9 @@
+                 fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
+             }
+ 
++	    $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
++	    $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
++
+ 	    my $tmpmode;
+ 	    if ($user) {
+ 		$tmpmode = str_to_mode("${mode}::");
+@@ -5838,7 +5859,13 @@
+ 		    }
+ 		    $tmpmode &= ~$tmpaudit;
+ 		}
+-		if ($tmpmode) {
++		my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
++		my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
++		if ($kw) {
++		    my $modestr = "";
++		    $modestr = " " . mode_to_str($tmpmode) if $use_mode;
++		    push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
++		} elsif ($tmpmode) {
+ 		    my $modestr = mode_to_str($tmpmode);
+ 		    if ($path =~ /\s/) {
+ 			push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";