From 153645aade1a1626b1251eb461a82fcf9bee24bb8899cd95a28e8b3c82b44057 Mon Sep 17 00:00:00 2001 From: Goldwyn Rodrigues Date: Fri, 25 Mar 2022 12:18:52 +0000 Subject: [PATCH] Accepting request 964827 from home:npower:branches:security:apparmor - Add new rule to fix 'DENIED' open on /proc/{pid}/fd for samba-bgqd; (bnc#1196850). - Add new rule to allow reading of openssl.cnf; (bnc#1195463). OBS-URL: https://build.opensuse.org/request/show/964827 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=317 --- apparmor.changes | 7 +++++++ apparmor.spec | 10 ++++++++++ update-samba-bgqd.diff | 19 +++++++++++++++++++ update-usr-sbin-smbd.diff | 12 ++++++++++++ 4 files changed, 48 insertions(+) create mode 100644 update-samba-bgqd.diff create mode 100644 update-usr-sbin-smbd.diff diff --git a/apparmor.changes b/apparmor.changes index 7600954..d3c028f 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Mar 24 14:09:58 UTC 2022 - Noel Power + +- Add new rule to fix 'DENIED' open on /proc/{pid}/fd for + samba-bgqd; (bnc#1196850). +- Add new rule to allow reading of openssl.cnf; (bnc#1195463). + ------------------------------------------------------------------- Thu Feb 10 16:55:38 UTC 2022 - Christian Boltz diff --git a/apparmor.spec b/apparmor.spec index 3efc383..174364d 100644 --- a/apparmor.spec +++ b/apparmor.spec 
@@ -77,6 +77,14 @@ Patch5: apparmor-lessopen-nfs-workaround.diff # make include in apache extra profile optional to make openQA happy (boo#1178527) Patch6: apache-extra-profile-include-if-exists.diff +# bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd +# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/860) +# bsc#1195463 add rule to allow reading of openssl.cnf +# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) +Patch7: update-samba-bgqd.diff +# bsc#1195463 add rule to allow reading of openssl.cnf +# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) +Patch8: update-usr-sbin-smbd.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -340,6 +348,8 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/ %patch3 -p1 %patch4 %patch5 +%patch7 -p1 +%patch8 -p1 %build %define _lto_cflags %{nil} diff --git a/update-samba-bgqd.diff b/update-samba-bgqd.diff new file mode 100644 index 0000000..dfb26e9 --- /dev/null +++ b/update-samba-bgqd.diff @@ -0,0 +1,19 @@ +Index: apparmor-3.0.4/profiles/apparmor.d/samba-bgqd +=================================================================== +--- apparmor-3.0.4.orig/profiles/apparmor.d/samba-bgqd ++++ apparmor-3.0.4/profiles/apparmor.d/samba-bgqd +@@ -6,11 +6,14 @@ profile samba-bgqd /usr/lib*/samba/samba + include + include + include ++ include + include + + signal receive set=term peer=smbd, + + @{PROC}/sys/kernel/core_pattern r, ++ owner @{PROC}/@{pid}/fd/ r, ++ + @{run}/samba/samba-bgqd.pid wk, + + /usr/lib*/samba/samba-bgqd m, diff --git a/update-usr-sbin-smbd.diff b/update-usr-sbin-smbd.diff new file mode 100644 index 0000000..f21ab05 --- /dev/null +++ b/update-usr-sbin-smbd.diff 
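Review bot: The added rule `owner @{PROC}/@{pid}/fd/ r,` in update-samba-bgqd.diff is wider than the changelog wording suggests. In AppArmor policy `@{pid}` is a tunable that matches any numeric PID, not the confined task's own, so samba-bgqd may list the fd directory of every process whose /proc entry is owned by the same user; the daemon's uid is not shown here, but for a root daemon that would include other root processes. The trailing slash limits this to the directory listing, so the exposure is small, but the profile gives no reason for the rule. I would add a comment above it, e.g. `# bgqd lists its own /proc/<pid>/fd/; @{pid} matches any PID, so 'owner' is the only limit here`, after confirming that this is what the daemon actually does. The target of the added `include` line is not visible in this rendering of the patch.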
@@ -0,0 +1,12 @@
+Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
+===================================================================
+--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
++++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
+@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd {
+ include
+ include
+ include
++ include
+ include
+ include
+ include
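Review bot: Neither new patch file says why it exists: update-usr-sbin-smbd.diff starts straight at `Index:`, and update-samba-bgqd.diff does the same, so the bug reference and upstream merge request live only in the apparmor.spec comments. A short header above `Index:` would keep each patch self-describing when it is read or rebased outside the spec, for example `bsc#1195463: allow smbd to read openssl.cnf` followed by `Upstream: https://gitlab.com/apparmor/apparmor/-/merge_requests/862`. The include target itself is not visible in this rendering, so it is worth confirming that the added line pulls in only the narrow abstraction the changelog implies (reading openssl.cnf) and not a broader one.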