Accepting request 964827 from home:npower:branches:security:apparmor

- Add new rule to fix 'DENIED' open on /proc/{pid}/fd for
  samba-bgqd; (bnc#1196850).
- Add new rule to allow reading of openssl.cnf; (bnc#1195463).

OBS-URL: https://build.opensuse.org/request/show/964827
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=317
Goldwyn Rodrigues 2022-03-25 12:18:52 +00:00 committed by Git OBS Bridge
parent 7ae734d682
commit 153645aade
4 changed files with 48 additions and 0 deletions


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Mar 24 14:09:58 UTC 2022 - Noel Power <nopower@suse.com>
- Add new rule to fix 'DENIED' open on /proc/{pid}/fd for
samba-bgqd; (bnc#1196850).
- Add new rule to allow reading of openssl.cnf; (bnc#1195463).
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 10 16:55:38 UTC 2022 - Christian Boltz <suse-beta@cboltz.de> Thu Feb 10 16:55:38 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>


@ -77,6 +77,14 @@ Patch5: apparmor-lessopen-nfs-workaround.diff
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527) # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff Patch6: apache-extra-profile-include-if-exists.diff
# bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd
# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/860)
# bsc#1195463 add rule to allow reading of openssl.cnf
# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
Patch7: update-samba-bgqd.diff
# bsc#1195463 add rule to allow reading of openssl.cnf
# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
Patch8: update-usr-sbin-smbd.diff
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -340,6 +348,8 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%patch3 -p1 %patch3 -p1
%patch4 %patch4
%patch5 %patch5
%patch7 -p1
%patch8 -p1
%build %build
%define _lto_cflags %{nil} %define _lto_cflags %{nil}
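Review bot: The comment block above `Patch7:` does not make clear which reference belongs to which patch, because the bsc#1195463 / merge request 862 lines appear there and again above `Patch8:`. Since update-samba-bgqd.diff does carry both changes (the /proc fd rule and the openssl include), I would state that in one line, e.g. `# bsc#1196850 + bsc#1195463: samba-bgqd needs /proc/<pid>/fd listing and openssl.cnf (upstream MRs 860, 862)`. Neither comment says when the patches can be dropped; adding `# drop once the packaged apparmor release contains these merge requests` would keep these profile-widening patches from outliving their upstream equivalents. The `%prep` block continues outside the hunk, so whether the patch order matters relative to other `%patch` lines cannot be judged from here.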

19
update-samba-bgqd.diff Normal file

@ -0,0 +1,19 @@
Index: apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/samba-bgqd
+++ apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
@@ -6,11 +6,14 @@ profile samba-bgqd /usr/lib*/samba/samba
include <abstractions/base>
include <abstractions/cups-client>
include <abstractions/nameservice>
+ include <abstractions/openssl>
include <abstractions/samba>
signal receive set=term peer=smbd,
@{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/fd/ r,
+
@{run}/samba/samba-bgqd.pid wk,
/usr/lib*/samba/samba-bgqd m,
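Review bot: The added rule `owner @{PROC}/@{pid}/fd/ r,` grants more than the changelog's "/proc/{pid}/fd" wording suggests. As far as I know, `@{pid}` in the stock tunables expands to a pattern matching any numeric pid rather than the confined process's own pid. If so, the rule permits listing the fd directory of every process whose /proc entry is owned by the daemon's uid. The `owner` qualifier and the trailing slash (directory listing only, no rule for the entries beneath it) keep the grant narrow, but the profile should record that reasoning, e.g. `# bsc#1196850: open of /proc/<pid>/fd/; @{pid} matches any pid, so 'owner' is the effective limit`. The profile body continues outside the hunk, so other /proc rules that might already overlap are not visible here.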

12
update-usr-sbin-smbd.diff Normal file

@ -0,0 +1,12 @@
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd {
include <abstractions/consoles>
include <abstractions/cups-client>
include <abstractions/nameservice>
+ include <abstractions/openssl>
include <abstractions/samba>
include <abstractions/user-tmp>
include <abstractions/wutmp>