pool/apparmor
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 888862 from home:cboltz

Browse Source 
- add crypto-policies-mr720.diff to allow reading crypto policies
  in abstractions/ssl_certs (boo#1183597)

- replace %{?systemd_requires} with %{?systemd_ordering} to avoid dragging in
  systemd into containers just because apparmor-parser ships a *.service file

OBS-URL: https://build.opensuse.org/request/show/888862
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=296
This commit is contained in:
Christian Boltz 2021-04-27 17:07:13 +00:00 committed by Git OBS Bridge
parent 4710d6ccea
commit 0916435d00
4 changed files with 53 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
apparmor.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Tue Apr 27 16:48:25 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
- add crypto-policies-mr720.diff to allow reading crypto policies
in abstractions/ssl_certs (boo#1183597)
-------------------------------------------------------------------
Sat Mar 27 22:56:06 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
- replace %{?systemd_requires} with %{?systemd_ordering} to avoid dragging in
systemd into containers just because apparmor-parser ships a *.service file
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 11 18:18:46 UTC 2021 - Christian Boltz <suse-beta@cboltz.de> Thu Feb 11 18:18:46 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>

6
apparmor.spec
View File

@ -78,6 +78,9 @@ Patch5: apparmor-lessopen-nfs-workaround.diff
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527) # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff Patch6: apache-extra-profile-include-if-exists.diff
# allow reading crypto policies (submitted upstream 2021-03-08 - https://gitlab.com/apparmor/apparmor/-/merge_requests/720)
Patch7: crypto-policies-mr720.diff
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -132,7 +135,7 @@ Provides: subdomain-parser-demo = %{version}
Provides: subdomain_parser = %{version} Provides: subdomain_parser = %{version}
Provides: apparmor-parser(CAP_SYSLOG) Provides: apparmor-parser(CAP_SYSLOG)
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
%{?systemd_requires} %{?systemd_ordering}
%description parser %description parser
The AppArmor Parser is a userlevel program that is used to load in The AppArmor Parser is a userlevel program that is used to load in
@ -341,6 +344,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%patch3 -p1 %patch3 -p1
%patch4 %patch4
%patch5 %patch5
%patch7 -p1
%build %build
%define _lto_cflags %{nil} %define _lto_cflags %{nil}

36
crypto-policies-mr720.diff Normal file
View File

@ -0,0 +1,36 @@
[current version of https://gitlab.com/apparmor/apparmor/-/merge_requests/720 - might still be changed or extended, but this patch solves the most urgent denials]
From 0aea44f43a1d6cd6b7ebd32bbff803455b3aad44 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Mon, 8 Mar 2021 01:20:24 +0100
Subject: [PATCH] abstractions/ssl_certs: allow reading crypto policies
See https://gitlab.com/redhat-crypto/fedora-crypto-policies for details.
Reported by darix and also my own audit.log - the actual denial was for
/usr/share/crypto-policies/DEFAULT/openssl.txt.
(I'm aware that the crypto policies are not really certificates, but
since they are used by several crypto libraries, ssl_certs is probably
the best place for them even if the filename doesn't match.)
---
profiles/apparmor.d/abstractions/ssl_certs | 3 +++
1 file changed, 3 insertions(+)
diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
index 57d0f41a2..0392c0ccc 100644
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -41,5 +41,8 @@
/etc/certbot/archive/*/chain*.pem r,
/etc/certbot/archive/*/fullchain*.pem r,
+ # crypto policies used by various libraries
+ /usr/share/crypto-policies/*/*.txt r,
+
# Include additions to the abstraction
include if exists <abstractions/ssl_certs.d>
--
GitLab

3
libapparmor.spec
View File

@ -37,7 +37,6 @@ This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages. well as functions to parse AppArmor log messages.
%package -n libapparmor1 %package -n libapparmor1
Summary: Utility library for AppArmor Summary: Utility library for AppArmor
Group: System/Libraries Group: System/Libraries
@ -63,8 +62,6 @@ Provides: libapparmor:/usr/include/sys/apparmor.h
These libraries are needed for developing software that makes use of the These libraries are needed for developing software that makes use of the
AppArmor API. AppArmor API.
%prep %prep
%setup -q -n apparmor-%{version} %setup -q -n apparmor-%{version}