Accepting request 910590 from home:cboltz

- update to AppArmor 3.0.3
  - fix a failure in the parser tests
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.3
    for the detailed upstream changelog

- update to AppArmor 3.0.2
  - add missing permissions to several profiles and abstractions
    (including boo#1188296)
  - bugfixes in utils and parser (including boo#1180766 and boo#1184779)
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.2
    for the detailed upstream changelog
- remove upstreamed patches:
  - apparmor-dovecot-stats-metrics.diff
  - abstractions-php8.diff
  - crypto-policies-mr720.diff

OBS-URL: https://build.opensuse.org/request/show/910590
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=305
Christian Boltz 2021-08-07 11:29:35 +00:00 committed by Git OBS Bridge
parent 5607b21278
commit 07f7b7b8e2
10 changed files with 44 additions and 131 deletions


@ -1,47 +0,0 @@
commit 5853f52233d9d86754096e4b64415226b943b502
Author: Christian Boltz <apparmor@cboltz.de>
Date: Fri May 21 22:50:54 2021 +0200
abstractions/php: support PHP 8
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267
diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php
index cd3172d4..ddafb077 100644
--- a/profiles/apparmor.d/abstractions/php
+++ b/profiles/apparmor.d/abstractions/php
@@ -13,26 +13,26 @@
abi <abi/3.0>,
# shared snippets for config files
- /etc/php{,5,7}/**/ r,
- /etc/php{,5,7}/**.ini r,
+ /etc/php{,5,7,8}/**/ r,
+ /etc/php{,5,7,8}/**.ini r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
# php extensions
- /usr/lib{64,}/php{,5,7}/*/*.so mr,
+ /usr/lib{64,}/php{,5,7,8}/*/*.so mr,
# ICU (unicode support) data tables
/usr/share/icu/*/*.dat r,
# php session mmap socket
- /var/lib/php{,5,7}/session_mm_* rwlk,
+ /var/lib/php{,5,7,8}/session_mm_* rwlk,
# file based session handler
- /var/lib/php{,5,7}/sess_* rwlk,
- /var/lib/php{,5,7}/sessions/* rwlk,
+ /var/lib/php{,5,7,8}/sess_* rwlk,
+ /var/lib/php{,5,7,8}/sessions/* rwlk,
# php libraries
- /usr/share/php{,5,7}/ r,
- /usr/share/php{,5,7}/** mr,
+ /usr/share/php{,5,7,8}/ r,
+ /usr/share/php{,5,7,8}/** mr,
# MySQL extension
/usr/share/mysql/** r,
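Review bot: The last changed rule in this hunk keeps `mr` on `/usr/share/php{,5,7,8}/**`, so mmap-with-exec permission is extended to everything under /usr/share/php8, not only to `*.so` files as in the "php extensions" rule. If the PHP 8 library tree does not need `m`, `r` would be the tighter grant; otherwise a short comment saying why `m` is required would help. As a style point, the version list `{,5,7,8}` is now repeated in eight rules, so the next PHP major needs the same eight edits.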


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8fada772d9a60989525594346d9aa22af938daafc1781adce9a1acb3c75bdf24
size 7785713


@ -1,17 +0,0 @@

3
apparmor-3.0.3.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:153db05d8f491e0596022663c19fb1166806cb473b3c6f0a7279feda2ec25a59
size 7790012

17
apparmor-3.0.3.tar.gz.asc Normal file

@ -0,0 +1,17 @@


@ -1,14 +0,0 @@
diff -ur apparmor-3.0.1.orig/profiles/apparmor.d/usr.lib.dovecot.stats apparmor-3.0.1/profiles/apparmor.d/usr.lib.dovecot.stats
--- apparmor-3.0.1.orig/profiles/apparmor.d/usr.lib.dovecot.stats 2020-12-02 12:01:37.000000000 +0100
+++ apparmor-3.0.1/profiles/apparmor.d/usr.lib.dovecot.stats 2021-07-16 01:00:53.266471947 +0200
@@ -20,6 +20,10 @@
capability setuid,
capability sys_chroot,
+ # for metrics end-point (Prometheus)
+ network inet stream,
+ network inet6 stream,
+
/usr/lib/dovecot/stats mr,
# Site-specific additions and overrides. See local/README for details.
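Review bot: The added `network inet stream,` and `network inet6 stream,` rules apply to every system that loads this profile, although the comment ties them only to the Prometheus metrics end-point. Please say in the comment that the rules are needed only when that end-point is in use, or consider leaving them to the `local/` override mentioned in the last context line, so that installations without the metrics end-point do not gain TCP socket access for a process that also holds `capability setuid` and `capability sys_chroot`.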


@ -1,3 +1,25 @@
-------------------------------------------------------------------
Sat Aug 7 10:46:52 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
- update to AppArmor 3.0.3
- fix a failure in the parser tests
- see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.3
for the detailed upstream changelog
-------------------------------------------------------------------
Fri Aug 6 10:20:01 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
- update to AppArmor 3.0.2
- add missing permissions to several profiles and abstractions
(including boo#1188296)
- bugfixes in utils and parser (including boo#1180766 and boo#1184779)
- see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.2
for the detailed upstream changelog
- remove upstreamed patches:
- apparmor-dovecot-stats-metrics.diff
- abstractions-php8.diff
- crypto-policies-mr720.diff
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 15 23:02:25 UTC 2021 - Michael Ströder <michael@stroeder.com> Thu Jul 15 23:02:25 UTC 2021 - Michael Ströder <michael@stroeder.com>


@ -45,7 +45,7 @@
%define JAR_FILE changeHatValve.jar %define JAR_FILE changeHatValve.jar
Name: apparmor Name: apparmor
Version: 3.0.1 Version: 3.0.3
Release: 0 Release: 0
Summary: AppArmor userlevel parser utility Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later License: GPL-2.0-or-later
@ -78,15 +78,6 @@ Patch5: apparmor-lessopen-nfs-workaround.diff
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527) # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff Patch6: apache-extra-profile-include-if-exists.diff
# allow reading crypto policies (submitted upstream 2021-03-08 - https://gitlab.com/apparmor/apparmor/-/merge_requests/720)
Patch7: crypto-policies-mr720.diff
# extend abstractions/php for PHP 8 (accepted upstream 2021-05-24 - https://gitlab.com/apparmor/apparmor/-/merge_requests/755)
Patch8: abstractions-php8.diff
# allow Prometheus metrics end-point (submitted upstream 2021-07-19 - https://gitlab.com/apparmor/apparmor/-/merge_requests/776)
Patch9: apparmor-dovecot-stats-metrics.diff
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
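Review bot: Patch7 and Patch9 are dropped here as upstreamed, but their comments in this hunk only say "submitted upstream" (merge requests 720 and 776), while only Patch8 says "accepted upstream". Please confirm that both merge requests are contained in the 3.0.3 tarball before removing the patches, and mention the merge status in the changelog entry, so that a reader can tell the permissions were not lost with the update.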
@ -349,9 +340,6 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%patch3 -p1 %patch3 -p1
%patch4 %patch4
%patch5 %patch5
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build %build
%define _lto_cflags %{nil} %define _lto_cflags %{nil}


@ -1,36 +0,0 @@
[current version of https://gitlab.com/apparmor/apparmor/-/merge_requests/720 - might still be changed or extended, but this patch solves the most urgent denials]
From 0aea44f43a1d6cd6b7ebd32bbff803455b3aad44 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Mon, 8 Mar 2021 01:20:24 +0100
Subject: [PATCH] abstractions/ssl_certs: allow reading crypto policies
See https://gitlab.com/redhat-crypto/fedora-crypto-policies for details.
Reported by darix and also my own audit.log - the actual denial was for
/usr/share/crypto-policies/DEFAULT/openssl.txt.
(I'm aware that the crypto policies are not really certificates, but
since they are used by several crypto libraries, ssl_certs is probably
the best place for them even if the filename doesn't match.)
---
profiles/apparmor.d/abstractions/ssl_certs | 3 +++
1 file changed, 3 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
index 57d0f41a2..0392c0ccc 100644
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -41,5 +41,8 @@
/etc/certbot/archive/*/chain*.pem r,
/etc/certbot/archive/*/fullchain*.pem r,
+ # crypto policies used by various libraries
+ /usr/share/crypto-policies/*/*.txt r,
+
# Include additions to the abstraction
include if exists <abstractions/ssl_certs.d>
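Review bot: The added rule `/usr/share/crypto-policies/*/*.txt r,` matches only `.txt` files exactly one directory below /usr/share/crypto-policies, which covers the reported denial for DEFAULT/openssl.txt but nothing nested deeper or named differently. Since the header says the patch solves only "the most urgent denials", the in-profile comment should state that the coverage is deliberately partial, so later denials under that tree are read as expected follow-up work and not as a regression.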
--
GitLab


@ -18,7 +18,7 @@
Name: libapparmor Name: libapparmor
Version: 3.0.1 Version: 3.0.3
Release: 0 Release: 0
Summary: Utility library for AppArmor Summary: Utility library for AppArmor
License: LGPL-2.1-or-later License: LGPL-2.1-or-later