pool/apparmor
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 807998 from home:cboltz

Browse Source 
- add changes-since-2.13.4.diff with upstream changes and fixes
  since 2.13.4 up to 5f61bd4c:
  - add several abstractions related to xdg-open:
    dbus-network-manager-strict, exo-open, gio-open, gvfs-open,
    kde-open5, xdg-open
  - introduce @{run} variable
  - update dnsmasq and winbindd profile
  - update mdns, mesa and nameservice abstraction
  - some bugfixes in the aa-* tools, including a remote bugfix in the
    YaST AppArmor module (boo#1171315)
- drop upstream(ed) patches (now part of changes-since-2.13.4.diff):
  - make-4.3-capabilities.diff
  - make-4.3-capabilities-vim.diff
  - make-4.3-fix-utils-network-test.diff
  - make-4.3-network.diff
  - abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
- apply usr-etc-abstractions-base-nameservice.diff only for
  Tumbleweed, but not for Leap 15.x where it's not needed
- refresh usr-etc-abstractions-base-nameservice.diff

OBS-URL: https://build.opensuse.org/request/show/807998
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=266
This commit is contained in:
Christian Boltz 2020-05-21 13:33:21 +00:00 committed by Git OBS Bridge
parent 3d58d48604
commit 15e585724c
9 changed files with 1635 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
View File

@ -1,31 +0,0 @@
From eeac8c11c935edf9eea2bed825af6c57e9fb52e3 Mon Sep 17 00:00:00 2001
From: Rich McAllister <Nopublic@address.provided>
Date: Tue, 31 Mar 2020 21:01:21 -0700
Subject: [PATCH] abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
References: bsc#1168306
In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns"
by default.
---
profiles/apparmor.d/abstractions/mdns | 1 +
1 file changed, 1 insertion(+)
--- a/profiles/apparmor.d/abstractions/mdns
+++ b/profiles/apparmor.d/abstractions/mdns
@@ -9,5 +9,6 @@
# ------------------------------------------------------------------
# mdnsd
+ /etc/mdns.allow r,
/etc/nss_mdns.conf r,
/{,var/}run/mdnsd w,

23
apparmor.changes
View File

@ -1,3 +1,26 @@
-------------------------------------------------------------------
Thu May 21 12:17:15 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
- add changes-since-2.13.4.diff with upstream changes and fixes
since 2.13.4 up to 5f61bd4c:
- add several abstractions related to xdg-open:
dbus-network-manager-strict, exo-open, gio-open, gvfs-open,
kde-open5, xdg-open
- introduce @{run} variable
- update dnsmasq and winbindd profile
- update mdns, mesa and nameservice abstraction
- some bugfixes in the aa-* tools, including a remote bugfix in the
YaST AppArmor module (boo#1171315)
- drop upstream(ed) patches (now part of changes-since-2.13.4.diff):
- make-4.3-capabilities.diff
- make-4.3-capabilities-vim.diff
- make-4.3-fix-utils-network-test.diff
- make-4.3-network.diff
- abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
- apply usr-etc-abstractions-base-nameservice.diff only for
Tumbleweed, but not for Leap 15.x where it's not needed
- refresh usr-etc-abstractions-base-nameservice.diff
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Apr 9 18:56:09 UTC 2020 - Goldwyn Rodrigues <rgoldwyn@suse.com> Thu Apr 9 18:56:09 UTC 2020 - Goldwyn Rodrigues <rgoldwyn@suse.com>

28
apparmor.spec
View File

@ -65,24 +65,12 @@ Patch4: apparmor-lessopen-profile.patch
# workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix) # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
Patch5: apparmor-lessopen-nfs-workaround.diff Patch5: apparmor-lessopen-nfs-workaround.diff
# changes and fixes since the 2.13.4 Release (v2.13.4 (= df0ac742)..5f61bd4c
Patch9: changes-since-2.13.4.diff
# update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x) # update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x)
Patch10: ./usr-etc-abstractions-base-nameservice.diff Patch10: ./usr-etc-abstractions-base-nameservice.diff
# fix build with make 4.3 - network rules (taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/307, not in 2.13.x, boo#1167953)
Patch11: make-4.3-network.diff
# fix build with make 4.3 - fix utils network tests (taken from upstream 9144e39d2, not in 2.13.x, boo#1167953)
Patch12: make-4.3-fix-utils-network-test.diff
# fix build with make 4.3 - capability rules (taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/461, not in 2.13.x, boo#1167953)
Patch13: make-4.3-capabilities.diff
# fix build with make 4.3 - fix apparmor.vim capability rules (submitted upstream 2020-03-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/463, not in 2.13.x, boo#1167953)
Patch14: make-4.3-capabilities-vim.diff
#Bug 1168306 - apparmor prevents the resolver from reading /etc/mdns.allow, and therefore forbids using any custom domain name
Patch15: abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix /lib/apparmor %define apparmor_bin_prefix /lib/apparmor
@ -371,12 +359,12 @@ SubDomain.
%patch3 -p1 %patch3 -p1
%patch4 %patch4
%patch5 %patch5
%patch9 -p1
%if 0%{?suse_version} > 1500
# /usr/etc/ changes in abstractions, apply only to Tumbleweed, but not to Leap 15.x
%patch10 -p1 %patch10 -p1
%patch11 -p1 %endif
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%build %build
%define _lto_cflags %{nil} %define _lto_cflags %{nil}

1602
changes-since-2.13.4.diff Normal file
View File

File diff suppressed because it is too large Load Diff

26
make-4.3-capabilities-vim.diff
View File

@ -1,26 +0,0 @@
commit 60b005788e79c1be7276349242e0cc97b99f7118
Author: Christian Boltz <apparmor@cboltz.de>
Date: Sun Mar 29 00:07:11 2020 +0100
fix capabilities in apparmor.vim
https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
capabilities to use a script.
A side effect is that the list is now separated by \n instead of
spaces. Adjust create-apparmor.vim.py to the new output.
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 6a5f02a2..b5df957a 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -50,7 +50,7 @@ if rc != 0:
sys.stderr.write("make list_capabilities failed: " + output)
exit(rc)
-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
+capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
benign_caps = []
for cap in capabilities:
if cap not in danger_caps:

94
make-4.3-capabilities.diff
View File

@ -1,94 +0,0 @@
commit e92da079ca12e776991bd36524430bd67c1cb72a
Author: allgdante <allan.garret@gmail.com>
Date: Mon Mar 23 15:09:15 2020 +0000
Generate CAPABILITIES in a script due to make 4.3
This way we could generate the capabilities in a way that works with
every version of make.
Changes to list_capabilities are intended to exactly replicate the old
behavior.
diff --git a/common/Make.rules b/common/Make.rules
index 357bdec8..ecc6181a 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -74,19 +74,6 @@ endif
pod_clean:
-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
-# =====================
-# generate list of capabilities based on
-# /usr/include/linux/capabilities.h for use in multiple locations in
-# the source tree
-# =====================
-
-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
-
-.PHONY: list_capabilities
-list_capabilities: /usr/include/linux/capability.h
- @echo "$(CAPABILITIES)"
-
# =====================
# manpages
# =====================
diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
new file mode 100755
index 00000000..4e37cda7
--- /dev/null
+++ b/common/list_capabilities.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+echo "#include <linux/capability.h>" | \
+ cpp -dM | \
+ LC_ALL=C sed -n \
+ -e '/CAP_EMPTY_SET/d' \
+ -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+ LC_ALL=C sort
diff --git a/parser/Makefile b/parser/Makefile
index 2d40b06f..a71b5788 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -284,7 +284,7 @@ af_names.h: ../common/list_af_names.sh
# cat $@
cap_names.h: /usr/include/linux/capability.h
- echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+ ../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
diff --git a/utils/Makefile b/utils/Makefile
index 8fae738d..80990004 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -79,7 +79,7 @@ clean: pod_clean
.SILENT: check_severity_db
check_severity_db: /usr/include/linux/capability.h severity.db
# The sed statement is based on the one in the parser's makefile
- RC=0 ; for cap in ${CAPABILITIES} ; do \
+ RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
if ! grep -q -w $${cap} severity.db ; then \
echo "Warning! capability $${cap} not found in severity.db" ; \
RC=1 ; \
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index fea134f6..6a5f02a2 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
return [sp.returncode, out + outerr]
# get capabilities list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+(rc, output) = cmd(['../../common/list_capabilities.sh'])
if rc != 0:
sys.stderr.write("make list_capabilities failed: " + output)
exit(rc)

24
make-4.3-fix-utils-network-test.diff
View File

@ -1,24 +0,0 @@
commit 9144e39d252cd75dd2d6941154e014f7d46147ca
Author: John Johansen <john.johansen@canonical.com>
Date: Fri Jun 14 01:04:22 2019 -0700
Revert "utils/test-network.py: fix failing testcase"
This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
this commit was meant for the 2.13 branch not master
Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/utils/test/test-network.py b/utils/test/test-network.py
index 6088327a..ee325abe 100644
--- a/utils/test/test-network.py
+++ b/utils/test/test-network.py
@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
class NetworkKeywordsTest(AATest):
def test_network_keyword_list(self):
- rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+ rc, output = cmd('../../common/list_af_names.sh')
self.assertEqual(rc, 0)
af_names = []

126
make-4.3-network.diff
View File

@ -1,126 +0,0 @@
commit cb8c3377babfed4600446d1f60d53d8e2a581578
Author: Eric Chiang <ericchiang@google.com>
Date: Thu Jan 17 11:02:57 2019 -0800
*: ensure make apparmor_parser is cached
This change updates parser/Makefile to respect target dependencies and
not rebuild apparmor_parser if nothing's changed. The goal is to allow
cross-compiled tests #17 to run on a target system without the tests
attempting to rebuild the parser.
Two changes were made:
* Generate af_names.h in a script so the script timestamp is compared.
* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
Changes to list_af_names are intended to exactly replicate the old
behavior.
Signed-off-by: Eric Chiang <ericchiang@google.com>
diff --git a/common/Make.rules b/common/Make.rules
index d2149fcd..357bdec8 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C
list_capabilities: /usr/include/linux/capability.h
@echo "$(CAPABILITIES)"
-# =====================
-# generate list of network protocols based on
-# sys/socket.h for use in multiple locations in
-# the source tree
-# =====================
-
-# These are the families that it doesn't make sense for apparmor
-# to mediate. We use PF_ here since that is what is required in
-# bits/socket.h, but we will rewrite these as AF_.
-
-FILTER_FAMILIES=PF_UNIX
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
-
-# emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
-
-.PHONY: list_af_names
-list_af_names:
- @echo "$(AF_NAMES)"
-
# =====================
# manpages
# =====================
diff --git a/common/list_af_names.sh b/common/list_af_names.sh
new file mode 100755
index 00000000..d7987537
--- /dev/null
+++ b/common/list_af_names.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
+# for "PF_" constants since that is what is required in bits/socket.h, but
+# rewrite as "AF_".
+
+echo "#include <sys/socket.h>" | \
+ cpp -dM | \
+ LC_ALL=C sed -n \
+ -e '/PF_UNIX/d' \
+ -e 's/PF_LOCAL/PF_UNIX/' \
+ -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
+ sort -n -k2
diff --git a/parser/Makefile b/parser/Makefile
index 558d9616..9a18f4da 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -278,10 +278,9 @@ parser_version.h: Makefile
# as well as the filtering that occurs for network protocols that
# apparmor should not mediate.
-.PHONY: af_names.h
-af_names.h:
- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
- echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
+af_names.h: ../common/list_af_names.sh
+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g' -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n# define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
+ ../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
# cat $@
cap_names.h: /usr/include/linux/capability.h
@@ -301,10 +300,7 @@ tests: apparmor_parser ${TESTS}
sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
$(Q)$(MAKE) -s -C tst tests
-# always need to rebuild.
-.SILENT: $(AAREOBJECT)
-.PHONY: $(AAREOBJECT)
-$(AAREOBJECT):
+$(AAREOBJECT): FORCE
$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
.PHONY: install-rhel4
@@ -404,3 +400,4 @@ clean: pod_clean
$(MAKE) -s -C po clean
$(MAKE) -s -C tst clean
+FORCE:
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 1ea8191d..ca14df5c 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -57,7 +57,7 @@ for cap in capabilities:
benign_caps.append(cap)
# get network protos list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+(rc, output) = cmd(['../../common/list_af_names.sh'])
if rc != 0:
sys.stderr.write("make list_af_names failed: " + output)
exit(rc)

4
usr-etc-abstractions-base-nameservice.diff
View File

@ -72,7 +72,7 @@ index ec639cda..4024ba1e 100644
# When using libnss-extrausers, the passwd and group files are merged from # When using libnss-extrausers, the passwd and group files are merged from
# an alternate path # an alternate path
@@ -36,15 +36,15 @@ @@ -41,15 +41,15 @@
/var/lib/sss/mc/passwd r, /var/lib/sss/mc/passwd r,
/var/lib/sss/pipes/nss rw, /var/lib/sss/pipes/nss rw,
@ -92,7 +92,7 @@ index ec639cda..4024ba1e 100644
# db backend # db backend
/var/lib/misc/*.db r, /var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading # The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -60,14 +60,14 @@ @@ -65,14 +65,14 @@
# they are available # they are available
/{usr/,}lib{,32,64}/libnss_*.so* mr, /{usr/,}lib{,32,64}/libnss_*.so* mr,
/{usr/,}lib/@{multiarch}/libnss_*.so* mr, /{usr/,}lib/@{multiarch}/libnss_*.so* mr,