From 1776b493bab4923c950e73066521259775e4fddb7b87e4758213e08683fbdecb Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Thu, 22 Aug 2024 19:23:03 +0000 Subject: [PATCH] - remove dependency on /usr/bin/python3 using %python3_fix_shebang macro, [bsc#1212476] OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=423 --- .gitattributes | 23 + .gitignore | 1 + _multibuild | 4 + aa-remove-unknown-fix-unconfined.diff | 26 + apache-extra-profile-include-if-exists.diff | 23 + apparmor-enable-precompiled-cache.diff | 26 + apparmor-enable-profile-cache.diff | 26 + apparmor-lessopen-profile.patch | 57 + apparmor-rpmlintrc | 7 + apparmor-v4.0.1.tar.gz | 3 + apparmor-v4.0.1.tar.gz.asc | 18 + apparmor-v4.0.2.tar.gz | 3 + apparmor-v4.0.2.tar.gz.asc | 18 + apparmor.changes | 2461 +++++++++++++++++++ apparmor.keyring | 113 + apparmor.spec | 895 +++++++ baselibs.conf | 5 + libapparmor.spec | 128 + logprof-mount-empty-source.diff | 166 ++ plasmashell.diff | 31 + sampa-rpcd-witness.diff | 48 + sddm-xauth.diff | 22 + teardown-unconfined.diff | 21 + test-aa-notify.diff | 30 + tools-fix-redefinition.diff | 39 + utils-relax-mount-rules-2.diff | 182 ++ utils-relax-mount-rules.diff | 366 +++ 27 files changed, 4742 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _multibuild create mode 100644 aa-remove-unknown-fix-unconfined.diff create mode 100644 apache-extra-profile-include-if-exists.diff create mode 100644 apparmor-enable-precompiled-cache.diff create mode 100644 apparmor-enable-profile-cache.diff create mode 100644 apparmor-lessopen-profile.patch create mode 100644 apparmor-rpmlintrc create mode 100644 apparmor-v4.0.1.tar.gz create mode 100644 apparmor-v4.0.1.tar.gz.asc create mode 100644 apparmor-v4.0.2.tar.gz create mode 100644 apparmor-v4.0.2.tar.gz.asc create mode 100644 apparmor.changes create mode 100644 apparmor.keyring create mode 100644 apparmor.spec create mode 100644 baselibs.conf create mode 100644 libapparmor.spec create mode 100644 logprof-mount-empty-source.diff create mode 100644 plasmashell.diff create mode 100644 sampa-rpcd-witness.diff create mode 100644 sddm-xauth.diff create mode 100644 teardown-unconfined.diff create mode 100644 test-aa-notify.diff create mode 100644 tools-fix-redefinition.diff create mode 100644 utils-relax-mount-rules-2.diff create mode 100644 utils-relax-mount-rules.diff diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/_multibuild b/_multibuild new file mode 100644 index 0000000..e0a6910 --- /dev/null +++ b/_multibuild @@ -0,0 +1,4 @@ + + libapparmor + + diff --git a/aa-remove-unknown-fix-unconfined.diff b/aa-remove-unknown-fix-unconfined.diff new file mode 100644 index 0000000..c2970a2 --- /dev/null +++ b/aa-remove-unknown-fix-unconfined.diff @@ -0,0 +1,26 @@ +commit cabd88a94055d2a7b876758d36fe559a6b728f45 +Author: Christian Boltz +Date: Sat May 25 13:12:49 2024 +0200 + + Fix aa-remove-unknown for 'unconfined' profiles + + Without this patch, aa-remove-unknown uses 'profile_name (unconfined)' + when trying to unload unconfined profiles, which fails for obvious + reasons with (picking a random example) + + Removing 'busybox (unconfined)' + /sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory + +diff --git a/utils/aa-remove-unknown b/utils/aa-remove-unknown +index 0e00d6a03..983d23727 100755 +--- a/utils/aa-remove-unknown ++++ b/utils/aa-remove-unknown +@@ -89,7 +89,7 @@ LOADED_PROFILES=$("$PARSER" -N $PROFILE_DIRS) || { + echo "$LOADED_PROFILES" | awk ' + BEGIN { + while (getline < "'${PROFILES}'" ) { +- str = sub(/ \((enforce|complain)\)$/, "", $0); ++ str = sub(/ \((enforce|complain|unconfined)\)$/, "", $0); + if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0) + arr[$str] = $str + } diff --git a/apache-extra-profile-include-if-exists.diff b/apache-extra-profile-include-if-exists.diff new file mode 100644 index 0000000..b1bb018 --- /dev/null +++ b/apache-extra-profile-include-if-exists.diff @@ -0,0 +1,23 @@ +Make the include optional to avoid problems with empty profile dir. +Probably doesn't happen on real systems, but openQA uses an empty profile dir +for some tests. + +Note: the patch gets applied before moving the profile to the extra directory +because quilt doesn't run the 'mv' command and therefore fails to patch the +profile at its new location (extra profiles directory) + +Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1178527 + +Index: profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 +=================================================================== +--- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100 ++++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100 +@@ -75,7 +75,7 @@ include + # This directory contains web application + # package-specific apparmor files. + +- include ++ include if exists + + # Site-specific additions and overrides. See local/README for details. + include if exists diff --git a/apparmor-enable-precompiled-cache.diff b/apparmor-enable-precompiled-cache.diff new file mode 100644 index 0000000..ceb6b1f --- /dev/null +++ b/apparmor-enable-precompiled-cache.diff @@ -0,0 +1,26 @@ +Set the cache location to /var/cache/apparmor/ (writeable) and +/usr/share/apparmor/cache/ (packaged precompiled cache). + +See boo#1069906 and boo#1074429 + +Note that Tumbleweed packages don't include precompiled profile cache on +Tumbleweed as long as it's purely validated based on timestamps (boo#1205659) + + +Signed-off by: Christian Boltz + +Index: parser/parser.conf +=================================================================== +--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200 ++++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200 +@@ -31,6 +31,9 @@ + + ## Turn creating/updating of the cache on by default + write-cache ++ ++# cache location (cache writes go to the first directory in the list) ++cache-loc /var/cache/apparmor,/usr/share/apparmor/cache + + ## Show cache hits + #show-cache + diff --git a/apparmor-enable-profile-cache.diff b/apparmor-enable-profile-cache.diff new file mode 100644 index 0000000..2b5e162 --- /dev/null +++ b/apparmor-enable-profile-cache.diff @@ -0,0 +1,26 @@ +Enable caching of profiles. + +This speeds up loading the (unchanged) profiles about 20 times. + +Upstream doesn't enable caching because the cache directory is not +writeable at the time profiles are loaded in Ubuntu. + +See also bnc#689458 + + +Signed-off by: Christian Boltz + +Index: parser/parser.conf +=================================================================== +--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200 ++++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200 +@@ -31,7 +31,7 @@ + # match-string "pattern=aadfa audit perms=crwxamlk/ user::other" + + ## Turn creating/updating of the cache on by default +-#write-cache ++write-cache + + ## Show cache hits + #show-cache + diff --git a/apparmor-lessopen-profile.patch b/apparmor-lessopen-profile.patch new file mode 100644 index 0000000..04adb0d --- /dev/null +++ b/apparmor-lessopen-profile.patch @@ -0,0 +1,57 @@ +Index: profiles/apparmor.d/usr.bin.lessopen.sh +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ profiles/apparmor.d/usr.bin.lessopen.sh 2017-10-28 14:15:12.624358664 +0200 +@@ -0,0 +1,52 @@ ++# vim: ft=apparmor ++ ++abi , ++ ++#include ++ ++/usr/bin/lessopen.sh { ++ #include ++ #include ++ #include ++ #include ++ ++ capability dac_override, ++ capability dac_read_search, ++ ++ /** rk, ++ /{usr/,}bin/bash mrix, ++ /{usr/,}bin/rpm mrix, ++ /{usr/,}bin/tar mrix, ++ /tmp/less.* rw, ++ /usr/bin/bzip2 mrix, ++ /usr/bin/cabextract mrix, ++ /usr/bin/cat mrix, ++ /usr/bin/colordiff mrix, ++ /usr/bin/dvi2tty mrix, ++ /usr/bin/eqn mrix, ++ /usr/bin/file mrix, ++ /usr/bin/grep mrix, ++ /usr/bin/groff mrix, ++ /usr/bin/grotty mrix, ++ /usr/bin/gzip mrix, ++ /usr/bin/head mrix, ++ /usr/bin/lynx mrix, ++ /usr/bin/mktemp mrix, ++ /usr/bin/nm mrix, ++ /usr/bin/pic mrix, ++ /usr/bin/pdftotext mrix, ++ /usr/bin/ps2ascii mrix, ++ /usr/bin/rm mrix, ++ /usr/bin/seq mrix, ++ /usr/bin/soelim mrix, ++ /usr/bin/tar mrix, ++ /usr/bin/tbl mrix, ++ /usr/bin/troff mrix, ++ /usr/bin/unzip mrix, ++ /usr/bin/unzip-plain mrix, ++ /usr/bin/w3m mrix, ++ /usr/bin/which mrix, ++ /usr/bin/xz mrix, ++ ++ include if exists ++} diff --git a/apparmor-rpmlintrc b/apparmor-rpmlintrc new file mode 100644 index 0000000..dbff758 --- /dev/null +++ b/apparmor-rpmlintrc @@ -0,0 +1,7 @@ +# .features file for pre-compiled cache +addFilter("hidden-file-or-dir /usr/share/apparmor/cache/[0-9a-f]*.0/.features") + +# warnings for the disabled tomcat_apparmor subpackage +# addFilter("devel-file-in-non-devel-package.*/usr/lib63/libJNIChangeHat.so") +# addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so") +# addFilter("shlib-policy-name-error.*libJNIChangeHat0") diff --git a/apparmor-v4.0.1.tar.gz b/apparmor-v4.0.1.tar.gz new file mode 100644 index 0000000..fa9018b --- /dev/null +++ b/apparmor-v4.0.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b0d72cedc48e533d189ea415bde721ad597101c77fa398fdd2858ec4f58f7e26 +size 6984984 diff --git a/apparmor-v4.0.1.tar.gz.asc b/apparmor-v4.0.1.tar.gz.asc new file mode 100644 index 0000000..4b20033 --- /dev/null +++ b/apparmor-v4.0.1.tar.gz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmYYxToaHGFwcGFybW9y +QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuLfBAA1lpdyEcNhLvw0Ff0rkt7 +Zoj/TgxYal/6FwuJ10eUnHrZhwGjhiX8zin2gbZaM7X8kscsSwelEqquSliu6lqp +O63B8cGa6/eu0CnJ2s5aLteeEDWqt1SjD9CBufGtTjNpCvSKR59Hl4quj2zwGF8P ++XHAxpnXOzdaxZtbi8h18ehtOxz23A2QJvKJYavIpTNwVPIvwnS2ryKrXnF8NjH+ +s89xMc2ZE1JT+bjWA+DwcvjXPGmMBacijbfuKLrV77dYoML2dmPNvDJyuJpnvKQU +5FhfUjUILHmRYZJF5eT9f2KVt6cYzVlIUP9yxjbkrGoaAHGYijcASNZSQeRWvGER +S9T6TW7QO2TzetBT68xstHZBmcSEyKF+uQ9hoJjGAJJo6L1R2SQK8ILg3voyoF48 +Hi+Ud5i9w7vF+UFVphVt+904nmruVzJ57oLlDts+q0jEODM6+YwQODgBR4JeXF6T +PJAXKpUBmYc12GzRSu6zlTDQIGJ0LewKtt/u1NLEDym3hWHs/2P2ISAO+/RLDv0U +klc3MndlgH1Ua9Gu6crLg9YrDxIguCooT1GQKnpOiic80n8VgMMViT3FsnMVGtmK +VQ9XVyotbZrni7ctWRywPpQIwZuKEs3J9A3wbCX/fwuKgTiB5XQvl7EHLypAbWUp +6X11aT86R3L9vOckHjywgLY= +=eji6 +-----END PGP SIGNATURE----- + diff --git a/apparmor-v4.0.2.tar.gz b/apparmor-v4.0.2.tar.gz new file mode 100644 index 0000000..919333f --- /dev/null +++ b/apparmor-v4.0.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b847751b8c0e2344169ec2065cad6251063c5c5ff311953e194bbf25686d981 +size 6987316 diff --git a/apparmor-v4.0.2.tar.gz.asc b/apparmor-v4.0.2.tar.gz.asc new file mode 100644 index 0000000..f9f8b72 --- /dev/null +++ b/apparmor-v4.0.2.tar.gz.asc @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmagRIsaHGFwcGFybW9y +QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLtWbg//brM4s3laj5L+MnsiOeHr +x3V9lC3hM2N1IEMBLuEZLZ6pZg0WKDAyJ93DdBmVrX/xXIw6vPUvWRCW8rGv9JJr +e5KvCI8282gRqvldowc+GX92KuXVTWBafccqlxvfnjLPIjas1/Ft4oubsv5PK97F +ix4wlW6A+/CXNQ3vP2Dbpb/gVsCOwmSLqJUQz3g40PXUdmB6qHaw3XsIBQWUTX91 +AIPQ6WA9OEp4kupqTgw0ih/8XsLVzb8xx8v5AzQILy1jEV4E7IIN01nN5dXrj+25 +s0kZO1iEctNVgsU3Db7BJMJvAolps1R+c5I6grcS01FaOAwx1TuSacZaDkn+rqpn +mX62UOly3OHAV7WW1X5U/Jt0rqwekH1su1TlI66bqu7OATlfdceLXe0S79U8txEd +1T4iZZEPjflk5YjqNYN/C4nDgbNQ9wTDmnY4Q2+ExJKzv/ddD1ulEMiZAE/skNj2 +ztdwB3RZ6aeck0iWuWq/EQsg4c68rnKxwmROzmMuAPtMF3SS1B3CKQDMVib/aJn7 +DY+K4aXBMXrt0RTVa1n86/hDorWaJcB3XoVXGTaEAQhxzArVCF7/p3uVpoK0AM/D +VYCta1j6cFupVQAHRR2m2+Y3fOFiFRWY9TPE62TTNKERjLQpA2MujevkQ7UOGnuC +Q6BkrVpPQyVuhIXsP0GkH/c= +=fBvk +-----END PGP SIGNATURE----- + diff --git a/apparmor.changes b/apparmor.changes new file mode 100644 index 0000000..6ca6025 --- /dev/null +++ b/apparmor.changes @@ -0,0 +1,2461 @@ +------------------------------------------------------------------- +Thu Aug 22 11:52:52 UTC 2024 - pgajdos@suse.com + +- remove dependency on /usr/bin/python3 using + %python3_fix_shebang macro, [bsc#1212476] + +------------------------------------------------------------------- +Wed Jul 24 16:54:18 UTC 2024 - Christian Boltz + +- update to AppArmor 4.0.2 + - bugfix release with lots of fixes in all areas + - add new userns profiles for balena-etcher, chromium and wike + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.2 + for the detailed upstream changelog +- drop upstream(ed) patches: + - aa-remove-unknown-fix-unconfined.diff + - logprof-mount-empty-source.diff + - plasmashell.diff + - sampa-rpcd-witness.diff + - sddm-xauth.diff + - teardown-unconfined.diff + - test-aa-notify.diff + - tools-fix-redefinition.diff + - utils-relax-mount-rules-2.diff + - utils-relax-mount-rules.diff +- refresh GPG key (was expired) + +------------------------------------------------------------------- +Tue Jun 25 19:40:41 UTC 2024 - Christian Boltz + +- add sampa-rpcd-witness.diff: allow samba-dcerpcd to execute + rpcd_witness (boo#1225811) + +------------------------------------------------------------------- +Tue Jun 11 12:05:38 UTC 2024 - Christian Boltz + +- add logprof-mount-empty-source.diff: add support for mount rules + with quoted paths and empty source (boo#1226031) + +------------------------------------------------------------------- +Tue Jun 4 19:48:47 UTC 2024 - Christian Boltz + +- add sddm-xauth.diff - sddm uses a new path for xauth (boo#1223900) +- add plasmashell.diff - fix QtWebEngineProcess path to prevent a + crash in plasmashell (boo#1225961) + +------------------------------------------------------------------- +Thu May 30 10:19:32 UTC 2024 - Guillaume GARDET + +- Also exclude podman profile - boo#1225608 + +------------------------------------------------------------------- +Wed May 29 06:41:36 UTC 2024 - Fabian Vogt + +- Exclude the crun profile in addition to runc + +------------------------------------------------------------------- +Tue May 28 19:34:43 UTC 2024 - Christian Boltz + +- add utils-relax-mount-rules.diff and utils-relax-mount-rules-2.diff: + Relax handling of mount rules in utils to avoid errors when + parsing valid profiles +- add teardown-unconfined.diff to fix aa-teardown for 'unconfined' + profiles (boo#1225457) + +------------------------------------------------------------------- +Tue May 28 12:20:59 UTC 2024 - Christian Boltz + +- exclude runc profile until updated runc packages (including + updated profile with "signal peer=runc") have arrived + +------------------------------------------------------------------- +Sat May 25 11:31:05 UTC 2024 - Christian Boltz + +- add aa-remove-unknown-fix-unconfined.diff to fix + aa-remove-unknown for 'unconfined' profiles (boo#1225457) +- set permissions for %ghost files (boo#1223578) + +------------------------------------------------------------------- +Fri May 24 12:21:18 UTC 2024 - Christian Boltz + +- fix bashism in %post profiles + +------------------------------------------------------------------- +Sun May 5 19:53:21 UTC 2024 - Christian Boltz + +- Update to AppArmor 4.0.1 + Too many changes to list them here. See + https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 + for the detailed upstream release notes +- add tools-fix-redefinition.diff: fix redefinition of _ in tools +- add test-aa-notify.diff: relax test-aa-notify to avoid a mismatch + with argparse on Leap 15.5 +- drop upstreamed patches: + - apparmor-abstractions-openssl-allow-version-specific-en.patch + - dovecot-unix_chkpwd.diff + - smbd-unix_chkpwd.diff +- apparmor-lessopen-profile.patch: update lessopen profile to + abi/4.0 +- mark local/* as %ghost so that these dummy files don't get + installed anymore (changed existing local/files will be kept, + unchanged files will be deleted) +- switch to gitlab tarballs (without pregenerated libapparmor + configure script and prebuilt techdoc.pdf) + - run libapparmor autogen.sh (needs additional BuildRequires + autoconf, autoconf-archive, automake and libtool) + - no longer package techdoc.pdf - old documentation, not worth + the texlive BuildRequires we would need to build it +- drop old (up to 2.12) cache location /var/lib/apparmor/ and the + /etc/apparmor.d/cache symlink pointing to it +- drop apparmor-samba-include-permissions-for-shares.diff - no + longer needed, update-apparmor-samba-profile in Tumbleweed works + without a pre-existing local/usr.sbin.smbd-shares file +- drop ruby-2_0-mkmf-destdir.patch - this ancient patch doesn't + change a single bit in the resulting build (anymore?) +- drop apparmor-lessopen-nfs-workaround.diff - no longer needed + since Kernel 6.0 (see https://bugs.launchpad.net/bugs/1784499) +- drop ancient, unused update-trans.sh + +------------------------------------------------------------------- +Fri Apr 5 15:16:04 UTC 2024 - Atri Bhattacharya + +- Use full URLs for source tarball and signature. + +------------------------------------------------------------------- +Fri Mar 1 20:54:12 UTC 2024 - Christian Boltz + +- Remove workaround for boo#853019 in %postun parser - + apparmor.service contains a more safe workaround. + This also fixes boo#1220708 (missing daemon-reload). + +------------------------------------------------------------------- +Tue Feb 27 14:26:58 UTC 2024 - Noel Power + +- Add smbd-unix_chkpwd.diff to allow smbd to execute + unix_chkpwd and fix other pam related denies; (boo#1220032). + +------------------------------------------------------------------- +Mon Feb 26 17:25:58 UTC 2024 - Ludwig Nussel + +- Fix systemd userdb access in unix-chkpwd + +------------------------------------------------------------------- +Tue Feb 20 10:16:27 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +------------------------------------------------------------------- +Tue Feb 20 02:41:09 UTC 2024 - David Disseldorp + +- Only run utils and profiles make check if kernel LSM is enabled + (bsc#1220084) + +------------------------------------------------------------------- +Thu Feb 8 05:20:26 UTC 2024 - David Disseldorp + +- Add apparmor-abstractions-openssl-allow-version-specific-en.patch to + allow version specific engdef & engines openssl paths (boo#1219571) + +------------------------------------------------------------------- +Mon Feb 5 22:19:27 UTC 2024 - Christian Boltz + +- Update to AppArmor 3.1.7 + - aa-logprof: don't skip exec events in hats + - fix aa-cleanprof to work with named profiles + - add permissions in various abstractions + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.7 + for the full list of changes +- drop upstreamed apparmor-systemd-sessions.patch + +------------------------------------------------------------------- +Mon Jan 29 20:56:13 UTC 2024 - Christian Boltz + +- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute + unix_chkpwd, and add a profile for unix_chkpwd. This is needed + for PAM 1.6 (boo#1219139) +- Refresh apparmor.keyring - the key was renewed + +------------------------------------------------------------------- +Wed Nov 8 18:19:36 UTC 2023 - Christian Boltz + +- Actually apply the previously added patch for bsc#1216878 + +------------------------------------------------------------------- +Wed Nov 8 13:47:35 UTC 2023 - Julio Gonzalez Gil + +- Add apparmor-systemd-sessions.patch to allow read access to + /run/systemd/sessions/ (bsc#1216878) + +------------------------------------------------------------------- +Mon Sep 25 14:07:39 UTC 2023 - David Disseldorp + +- Fix pam_apparmor %post and %postun scripts to handle pam-config errors + (bsc#1215596) + +------------------------------------------------------------------- +Tue Jul 25 09:28:33 UTC 2023 - David Disseldorp + +- Add pam_apparmor README, referenced from online cha-apparmor-pam.html + documentation (bsc#1213472) + +------------------------------------------------------------------- +Thu Jun 22 11:16:52 UTC 2023 - Christian Boltz + +- update to AppArmor 3.1.6 (jsc#PED-5600) + - fix regression in mount rules (boo#1211989) + - some additions to the base and authentification abstractions + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.6 + for the full upstream changelog + +------------------------------------------------------------------- +Sun Jun 11 14:13:18 UTC 2023 - Christian Boltz + +- update to AppArmor 3.1.5 + - fix handling of mount rules in apparmor_parser + - minor additions to abstractions/base and snap_browsers + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.5 + for the full upstream changelog +- remove upstreamed aa-status-fix-json-mr1046.patch +- split off apparmor-enable-precompiled-cache.diff from + apparmor-enable-profile-cache.diff so that the precompiled cache + path doesn't get added in parser.conf for Tumbleweed builds. + This prevents a warning about the non-existing directory when + loading profiles. + +------------------------------------------------------------------- +Tue Jun 6 21:39:15 UTC 2023 - Christian Boltz + +- fix aa-status --json output (aa-status-fix-json-mr1046.patch, + boo#1211980#c12) + +------------------------------------------------------------------- +Mon May 29 16:55:46 UTC 2023 - Christian Boltz + +- update to AppArmor 3.1.4 + - parser: fix mount rules encoding (CVE-2016-1585) + - aa-logprof: fix error when choosing named exec with plain profile names + - aa-status: fix json output + - several fixes for profiles and abstractions + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.4 + for the full upstream changelog + +------------------------------------------------------------------- +Thu May 4 13:44:56 UTC 2023 - Frederic Crozat + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +------------------------------------------------------------------- +Tue Feb 28 19:35:17 UTC 2023 - Christian Boltz + +- update to AppArmor 3.1.3 + - add support for more audit.log formats in libapparmor + - add abstractions/groff (boo#1065388) + - various additions in abstractions and profiles + - several bug fixes in parser and utils + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.3 + for the detailed upstream changelog +- drop upstreamed patches: + - abstractions-openssl-1_1.diff + - dnsmasq-cpu-possible.diff + - nscd-systemd-userdb.diff + +------------------------------------------------------------------- +Mon Feb 6 19:27:40 UTC 2023 - Christian Boltz + +- add abstractions-openssl-1_1.diff: allow to read + /etc/ssl/openssl-1_1.cnf in abstractions/openssl (boo#1207911) + +------------------------------------------------------------------- +Mon Jan 30 11:33:05 UTC 2023 - Christian Boltz + +- add nscd-systemd-userdb.diff: allow nscd to read systemd-userdb + (boo#1207698) + +------------------------------------------------------------------- +Tue Dec 27 10:20:43 UTC 2022 - Ludwig Nussel + +- Replace transitional %usrmerged macro with regular version check (boo#1206798) + +------------------------------------------------------------------- +Fri Dec 23 22:59:24 UTC 2022 - Samuel Cabrero + +- Add samba-4-17.patch to update the samba profiles for samba + version 4.17 (bsc#1206626); + - samba-4-17.patch superseded by upstream merge: + https://gitlab.com/apparmor/apparmor/-/merge_requests/926 + +------------------------------------------------------------------- +Tue Nov 22 18:54:46 UTC 2022 - Christian Boltz + +- update to AppArmor 3.1.2 + - lots of cleanups, improvements and bugfixes in all areas + - rework internal profile storage and handling in the aa-* tools + - support boolean variable definitions in the aa-* tools + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.1 + and https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.2 + for the detailed upstream changelog +- remove upstream(ed) patches: + - apparmor-3.0.7-egrep.patch + - dnsmasq.diff + - profiles-permit-php-fpm-pid-files-directly-under-run.patch + - zgrep-profile-mr870.diff +- no longer ship precompiled profile cache for Tumbleweed (boo#1205659) +- BuildRequire iproute2 (needed for aa-unconfined tests) + +------------------------------------------------------------------- +Sun Sep 4 18:08:28 UTC 2022 - Andreas Stieger + +- aa-decode: use grep -E instead of deprecated egrep (boo#1203092) + add apparmor-3.0.7-egrep.patch + +------------------------------------------------------------------- +Sun Aug 28 10:41:29 UTC 2022 - Christian Boltz + +- update to AppArmor 3.0.7 + - fix setuptools version detection in buildpath.py + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.7 + for the detailed upstream changelog +- add dnsmasq-cpu-possible.diff: allow reading /sys/devices/system/cpu/possible + in dnsmasc//libvirt-leaseshelper profile (boo#1202849) + +------------------------------------------------------------------- +Fri Aug 26 11:37:21 UTC 2022 - David Disseldorp + +- add profiles-permit-php-fpm-pid-files-directly-under-run.patch + https://gitlab.com/apparmor/apparmor/-/merge_requests/914 (bsc#1202344) + +------------------------------------------------------------------- +Fri Aug 19 17:05:37 UTC 2022 - Ben Greiner + +- skip code linting for packaging + * removes pyflakes from the build requirements and thus Ring1 + * see also https://gitlab.com/apparmor/apparmor/-/issues/121 + +------------------------------------------------------------------- +Mon Aug 8 18:51:26 UTC 2022 - Christian Boltz + +- add dnsmasq.diff: missing r permissions for dnsmasq//libvirt-leaseshelper + (boo#1202161) + +------------------------------------------------------------------- +Mon Aug 1 18:42:57 UTC 2022 - Christian Boltz + +- update to AppArmor 3.0.6 + - fix LTO build in the parser + - remove dbus deny rule in abstractions/exo-open + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.6 + for the detailed upstream changelog +- drop upstream patch dirtest-sort-mr900.diff + +------------------------------------------------------------------- +Mon Jul 25 18:18:04 UTC 2022 - Christian Boltz + +- update to AppArmor 3.0.5 + - several additions to profiles and abstractions + - bugfixes in parser and utils + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.5 + for the detailed upstream changelog +- remove upstream(ed) patchs: + - apparmor-setuptools61-mr897.patch + - dovecot-profiles-boo1199535-mr881.diff + - php8-fpm-mr876.patch + - python310-help-mr848.patch + - samba-new-dcerpcd.patch + - samba_deny_net_admin.patch + - update-samba-bgqd.diff + - update-usr-sbin-smbd.diff +- apparmor-samba-include-permissions-for-shares.diff: remove + upstreamed part +- add dirtest-sort-mr900.diff to fix random test failures +- change apache-extra-profile-include-if-exists.diff to the post-mv + path (new quilt executes mv) +- stop disabling lto (fixed upstream) (boo#1133091) +- package profile-load script in -parser + +------------------------------------------------------------------- +Fri Jul 15 23:01:42 UTC 2022 - Ben Greiner + +- Add apparmor-setuptools61-mr897.patch + https://gitlab.com/apparmor/apparmor/-/merge_requests/897 +- Add buildtime dependencies on python-rpm-macros and setuptools + +------------------------------------------------------------------- +Tue Jun 28 21:34:26 UTC 2022 - Christian Boltz + +- update zgrep-profile-mr870.diff: allow zgrep to execute egrep and fgrep + (poo#113108) + +------------------------------------------------------------------- +Sun May 15 18:59:47 UTC 2022 - Christian Boltz + +- add dovecot-profiles-boo1199535-mr881.diff: update dovecot profiles + for latest dovecot (boo#1199535) + +------------------------------------------------------------------- +Wed May 11 14:41:17 UTC 2022 - Noel Power + +- Update samba-new-dcerpcd.patch for aarch64 which needs some + additional rules; (bnc#1198309). + +------------------------------------------------------------------- +Sun May 8 13:25:28 UTC 2022 - Ben Greiner + +- Add python310-help-mr848.patch so that Tumbleweed can switch + python3 to Python 3.10 + (https://gitlab.com/apparmor/apparmor/-/merge_requests/848) + +------------------------------------------------------------------- +Fri Apr 29 11:48:14 UTC 2022 - Christian Boltz + +- add php8-fpm-mr876.patch so that php8 php-fpm can read its config + (boo#1186267#c11) +- parser: add conflict with apparmor-utils < 3.0 to avoid aa-status + file conflict on upgrade (boo#1198958) +- utils: add missing dependency on apparmor-parser (boo#1198958#c4) + +------------------------------------------------------------------- +Wed Apr 27 10:07:47 UTC 2022 - Dominique Leuenberger + +- Enhance zgrep-profile-mr870.diff to also allow/support zstd + (boo#1198922). + +------------------------------------------------------------------- +Sat Apr 16 20:33:13 UTC 2022 - Christian Boltz + +- update zgrep-profile-mr870.diff to allow executing 'expr' (boo#1198531) + +------------------------------------------------------------------- +Wed Apr 13 13:38:29 UTC 2022 - Noel Power + +- Add samba-new-dcerpcd.patch, samba-4.16 has a new dcerpcd daemon + which now will spawn new additional services on demand. We need to + modify the existing smbd/winbind profiles and additionally add a + new set of profiles to cater for the new functionality; + (bnc#1198309); + +------------------------------------------------------------------- +Mon Apr 11 14:34:51 UTC 2022 - Noel Power + +- Add samba_deny_net_admin.patch to add new rule to deny + noisy setsockopt calls from systemd; (bnc#1196850). + +------------------------------------------------------------------- +Sun Apr 10 13:08:56 UTC 2022 - Christian Boltz + +- add profile for zgrep and xzgrep to prevent CVE-2022-1271 + (zgrep-profile-mr870.diff) + +------------------------------------------------------------------- +Tue Mar 29 20:04:22 UTC 2022 - Christian Boltz + +- ensure precompiled cache files are newer than (text) profiles +- reload profiles in %posttrans instead of %post to ensure both + -profiles and -abstractons package are updated before the cache + in /var/cache/apparmor/ gets built (boo#1195463 #c20) + +------------------------------------------------------------------- +Thu Mar 24 14:09:58 UTC 2022 - Noel Power + +- Add update-samba-bgqd.diff to add new rule to fix 'DENIED' open on + /proc/{pid}/fd for samba-bgqd (bnc#1196850). +- Add update-usr-sbin-smbd.diff to add new rule to allow reading of + openssl.cnf (bnc#1195463). + +------------------------------------------------------------------- +Thu Feb 10 16:55:38 UTC 2022 - Christian Boltz + +- update to AppArmor 3.0.4 + - various fixes in profiles, abstractions, apparmor_parser and utils + (some of them were already included as patches) + - add support for mctp address family + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.4 + for the full upstream changelog +- remove upstream(ed) patches: + - aa-notify-more-arch-mr809.diff + - ruby-3.1-build-fix.diff + - add-samba-bgqd.diff + - openssl-engdef-mr818.diff + - profiles-python-3.10-mr783.diff + - update-samba-abstractions-ldb2.diff +- refresh patches: + - apparmor-samba-include-permissions-for-shares.diff + - ruby-2_0-mkmf-destdir.patch + +------------------------------------------------------------------- +Wed Jan 26 17:14:58 UTC 2022 - Christian Boltz + +- add ruby-3.1-build-fix.diff: fix build with ruby 3.1 (boo#1194221, + MR 827) + +------------------------------------------------------------------- +Mon Jan 17 10:27:38 UTC 2022 - Samuel Cabrero + +- add update-samba-abstractions-ldb2.diff: Cater for changes to ldb + packaging to allow parallel installation with libldb (bsc#1192684). + +------------------------------------------------------------------- +Mon Dec 20 11:01:50 UTC 2021 - Noel Power + +- Modify add-samba-bgqd.diff: Add new rule to fix new "DENIED + operation="file_mmap" violation in SLE15-SP4; (bsc#1192336). + +------------------------------------------------------------------- +Sun Dec 19 21:42:54 UTC 2021 - Christian Boltz + +- add openssl-engdef-mr818.diff: Allow reading /etc/ssl/engdef.d/ and + /etc/ssl/engines.d/ in abstractions/openssl which were introduced + with the latest openssl update + +------------------------------------------------------------------- +Tue Nov 9 17:45:22 UTC 2021 - Christian Boltz + +- add aa-notify-more-arch-mr809.diff: Add support for reading s390x + and aarch64 wtmp files (boo#1181155) + +------------------------------------------------------------------- +Fri Oct 15 20:22:11 UTC 2021 - Christian Boltz + +- add add-samba-bgqd.diff: add profile for samba-bgqd (boo#1191532) + +------------------------------------------------------------------- +Sat Sep 18 13:16:35 UTC 2021 - Christian Boltz + +- lessopen.sh profile: allow reading files that live on NFS over UDP + (added to apparmor-lessopen-nfs-workaround.diff) (boo#1190552) + +------------------------------------------------------------------- +Wed Aug 11 19:44:15 UTC 2021 - Christian Boltz + +- add profiles-python-3.10-mr783.diff: update abstractions/python and + profiles for python 3.10 + +------------------------------------------------------------------- +Sat Aug 7 10:46:52 UTC 2021 - Christian Boltz + +- update to AppArmor 3.0.3 + - fix a failure in the parser tests + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.3 + for the detailed upstream changelog + +------------------------------------------------------------------- +Fri Aug 6 10:20:01 UTC 2021 - Christian Boltz + +- update to AppArmor 3.0.2 + - add missing permissions to several profiles and abstractions + (including boo#1188296) + - bugfixes in utils and parser (including boo#1180766 and boo#1184779) + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.2 + for the detailed upstream changelog +- remove upstreamed patches: + - apparmor-dovecot-stats-metrics.diff + - abstractions-php8.diff + - crypto-policies-mr720.diff + +------------------------------------------------------------------- +Thu Jul 15 23:02:25 UTC 2021 - Michael Ströder + +- added apparmor-dovecot-stats-metrics.diff to allow Prometheus metrics end-point + +------------------------------------------------------------------- +Mon Jun 7 19:30:20 UTC 2021 - Christian Boltz + +- move Requires: python3 back to the python3-apparmor subpackage - + readline usage is in the python modules, not in apparmor-utils + +------------------------------------------------------------------- +Tue May 25 07:35:15 UTC 2021 - Matej Cepl + +- Remove python symbols (python means currently python2), work + only with python3 ones (fallout from bsc#1185588). + +------------------------------------------------------------------- +Fri May 21 20:59:49 UTC 2021 - Christian Boltz + +- add abstractions-php8.diff to support PHP8 in abstractions/php (boo#1186267) + +------------------------------------------------------------------- +Tue Apr 27 16:48:25 UTC 2021 - Christian Boltz + +- add crypto-policies-mr720.diff to allow reading crypto policies + in abstractions/ssl_certs (boo#1183597) + +------------------------------------------------------------------- +Sat Mar 27 22:56:06 UTC 2021 - Christian Boltz + +- replace %{?systemd_requires} with %{?systemd_ordering} to avoid dragging in + systemd into containers just because apparmor-parser ships a *.service file + +------------------------------------------------------------------- +Thu Feb 11 18:18:46 UTC 2021 - Christian Boltz + +- merge libapparmor.changes into apparmor.changes + +------------------------------------------------------------------- +Mon Feb 8 17:19:19 UTC 2021 - Ludwig Nussel + +- avoid file listed twice error + +------------------------------------------------------------------- +Tue Feb 2 18:35:17 UTC 2021 - Christian Boltz + +- define %_pamdir for <= 15.x to fix the build on those releases + +------------------------------------------------------------------- +Fri Jan 22 11:23:59 UTC 2021 - Christian Boltz + +- add apache-extra-profile-include-if-exists.diff: make + include in apache extra profile optional to avoid problems with empty + profile directory (boo#1178527) + +------------------------------------------------------------------- +Wed Jan 13 10:45:18 UTC 2021 - Ludwig Nussel + +- prepare usrmerge (boo#1029961) + * use %_pamdir + +------------------------------------------------------------------- +Wed Dec 2 19:29:34 UTC 2020 - Christian Boltz + +- update to AppArmor 3.0.1 + - minor additions to profiles and abstractions + - some bugfixes in libapparmor, apparmor_parser and the aa-* utils + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.1 + for the detailed upstream changelog +- removed upstream(ed) patches: + - changes-since-3.0.0.diff + - extra-profiles-fix-Pux.diff + - utils-fix-hotkey-conflict.diff + +------------------------------------------------------------------- +Wed Dec 2 14:31:18 UTC 2020 - Dominique Leuenberger + +- Use apache provided variables for the module_directry: + + Use %apache_libexecdir + + Add apache-rpm-macros BuildRequires + +------------------------------------------------------------------- +Sat Oct 31 19:05:14 UTC 2020 - Christian Boltz + +- add utils-fix-hotkey-conflict.diff to fix a hotkey conflict in + de, id and sv translations (and fix the test) (MR 675) +- add extra-profiles-fix-Pux.diff to fix an inactive profile - + prevents a crash in aa-logprof and aa-genprof when creating a new + profile (MR 676) + +------------------------------------------------------------------- +Sun Oct 25 11:32:16 UTC 2020 - Christian Boltz + +- update to AppArmor 3.0.0 + - introduce feature abi declaration in profiles to enable use of + new rule types (for openSUSE: dbus and unix rules) + - support xattr attachment conditionals + - experimental support for kill and unconfined profile modes + - rewritten aa-status (in C), including support for new profile modes + - rewritten aa-notify (in python), finally dropping the perl + requirement at runtime + - new tool aa-features-abi for extracting feature abis from the kernel + - update profiles to have profile names and to use 3.0 feature abi + - introduce @{etc_ro} and @{etc_rw} profile variables + - new profile for php-fpm + - several updates to profiles and abstractions (including boo#1166007) + - fully support 'include if exists' in the aa-* tools + - rewrite handling of alias, include, link and variable rules in + the aa-* tools + - rewrite and simplify log handling in the aa-logprof and aa-genprof + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0 + for the detailed upstream changelog +- patches: + - add changes-since-3.0.0.diff with upstream fixes since the 3.0.0 + release up to 3e18c0785abc03ee42a022a67a27a085516a7921 + - drop upstreamed usr-etc-abstractions-base-nameservice.diff + - drop 2.13-only libapparmor-so-number.diff + - refresh apparmor-enable-profile-cache.diff - partially upstreamed + - update apparmor-samba-include-permissions-for-shares.diff and + apparmor-lessopen-profile.patch - switch to "include if exists" + - apparmor-lessopen-profile.patch: add abi rule to lessopen profile + - refresh apparmor-lessopen-nfs-workaround.diff +- move away very loose apache profile that doesn't even match the + apache2 binary path in openSUSE to avoid confusion (boo#872984) +- move rewritten aa-status from utils to parser subpackage +- add aa-features-abi to parser subpackage +- replace perl and libnotify-tools requires with requiring + python3-notify2 and python3-psutil (needed by the rewritten + aa-notify) +- drop ancient cleanup for /etc/init.d/subdomain from parser %pre +- drop (never enabled) conditionals to build with python2 and to + build the python-apparmor subpackage (upstream dropped python2 + support) +- drop setting PYTHON and PYTHON_VERSIONS env variable, no longer needed +- set PYFLAKES path for utils check +- add precompiled_cache build conditional to allow faster local + builds without using kvm +- remove duplicated BuildRequires: swig + +------------------------------------------------------------------- +Sat Oct 17 15:46:01 UTC 2020 - Christian Boltz + +- update to AppArmor 2.13.5 + - add missing permissions to several profiles and abstractions + - bugfixes in parser and tools + - fix two potential build failures in libapparmor + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5 + for the detailed upstream changelog +- remove upstream(ed) patches + - changes-since-2.13.4.diff + - abstractions-X-xauth-mr582.diff + - sevdb-caps-mr589.diff + - libvirt-leaseshelper.patch + - cap_checkpoint_restore.diff +- add libapparmor-so-number.diff to fix libapparmor so version (!658) + +------------------------------------------------------------------- +Wed Oct 14 12:16:52 UTC 2020 - Christian Boltz + +- add CAP_CHECKPOINT_RESTORE to severity.db (MR 656, + cap_checkpoint_restore.diff) + +------------------------------------------------------------------- +Thu Oct 8 20:56:45 UTC 2020 - Christian Boltz + +- %service_del_postun_without_restart only works for Tumbleweed, + keep using DISABLE_RESTART_ON_UPDATE for Leap 15.x + +------------------------------------------------------------------- +Fri Sep 11 15:32:37 UTC 2020 - Franck Bui + +- Make use of %service_del_postun_without_restart + + And stop using DISABLE_RESTART_ON_UPDATE as this interface is + obsolete. + +------------------------------------------------------------------- +Thu Sep 3 19:40:32 UTC 2020 - James Fehlig + +- libvirt-leaseshelper.patch: add /usr/libexec as a path to the + libvirt leaseshelper script (jsc#SLE-14253) + +------------------------------------------------------------------- +Fri Aug 7 21:01:02 UTC 2020 - Christian Boltz + +- sevdb-caps-mr589.diff: add new capabilities CAP_BPF and CAP_PERFMON + to severity.db (lp#1890547) + +------------------------------------------------------------------- +Mon Jul 20 18:42:02 UTC 2020 - Christian Boltz + +- add abstractions-X-xauth-mr582.diff to allow reading the xauth file + from its new sddm location (boo#1174290, boo#1174293) + +------------------------------------------------------------------- +Thu May 21 12:17:15 UTC 2020 - Christian Boltz + +- add changes-since-2.13.4.diff with upstream changes and fixes + since 2.13.4 up to 5f61bd4c: + - add several abstractions related to xdg-open: + dbus-network-manager-strict, exo-open, gio-open, gvfs-open, + kde-open5, xdg-open + - introduce @{run} variable + - update dnsmasq and winbindd profile + - update mdns, mesa and nameservice abstraction + - some bugfixes in the aa-* tools, including a remote bugfix in the + YaST AppArmor module (boo#1171315) +- drop upstream(ed) patches (now part of changes-since-2.13.4.diff): + - make-4.3-capabilities.diff + - make-4.3-capabilities-vim.diff + - make-4.3-fix-utils-network-test.diff + - make-4.3-network.diff + - abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch +- apply usr-etc-abstractions-base-nameservice.diff only for + Tumbleweed, but not for Leap 15.x where it's not needed +- refresh usr-etc-abstractions-base-nameservice.diff + +------------------------------------------------------------------- +Thu Apr 9 18:56:09 UTC 2020 - Goldwyn Rodrigues + +- Add abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch + (bsc#1168306) + +------------------------------------------------------------------- +Sat Mar 28 21:46:48 UTC 2020 - Christian Boltz + +- fix build with make 4.3 by backporting some commits from upstream + master (boo#1167953): + - make-4.3-capabilities.diff + - make-4.3-capabilities-vim.diff + - make-4.3-network.diff + - make-4.3-fix-utils-network-test.diff + +------------------------------------------------------------------- +Thu Mar 12 19:55:06 UTC 2020 - Christian Boltz + +- update to AppArmor 2.13.4 + - several abstraction updates (including boo#1153162) + - disallow writing to fontconfig cache in abstractions/fonts + - some bugfixes in the aa-* tools + - fix log parsing for logs with an embedded newline + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4 + for the detailed upstream changelog +- drop upstreamed patches: + - abstractions-ssl-certbot-paths.diff + - apparmor-krb5-conf-d.diff + - libapparmor-python3.8.diff + - usr-etc-abstractions-authentification.diff +- refresh usr-etc-abstractions-base-nameservice.diff + +------------------------------------------------------------------- +Sat Jan 25 18:51:17 UTC 2020 - Christian Boltz + +- add usr-etc-abstractions-base-nameservice.diff to adjust + abstractions/base and nameservice for /usr/etc/ (boo#1161756) + +------------------------------------------------------------------- +Mon Nov 18 10:39:28 UTC 2019 - Tomáš Chvátal + +- Properly pull in full python3 interpreter + +------------------------------------------------------------------- +Sat Nov 2 23:01:05 UTC 2019 - Christian Boltz + +- add libapparmor-python3.8.diff to fix building the libapparmor python + bindings (deb#943657) + +------------------------------------------------------------------- +Mon Oct 7 19:58:19 UTC 2019 - Christian Boltz + +- add usr-etc-abstractions-authentification.diff to allow reading + /usr/etc/pam.d/* and some other authentification-related files (boo#1153162) + +------------------------------------------------------------------- +Sat Sep 28 15:20:10 UTC 2019 - Christian Boltz + +- add abstractions-ssl-certbot-paths.diff - add certbot paths to + abstractions/ssl_certs and abstractions/ssl_keys + +------------------------------------------------------------------- +Fri Sep 27 21:43:55 UTC 2019 - Luiz Angelo Daros de Luca + +- add apparmor-krb5-conf-d.diff for kerberos client + +------------------------------------------------------------------- +Tue Jun 18 20:51:07 UTC 2019 - Christian Boltz + +- update to 2.13.3 + - profile updates for dnsmasq, dovecot, identd, syslog-ng + - new "lsb_release" profile (only used when using "Px -> lsb_release") + - fix buggy syntax in tunables/share + - several abstraction updates + - parser: fix "Px -> foo-bar" (the "-" was rejected before) + - several bugfixes in aa-genprof and aa-logprof + - some fixes in cache handling + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 + for the detailed upstream changelog +- drop upstream(ed) patches: + - apparmor-nameservice-resolv-conf-link.patch + - profile_filename_cornercase.diff + - dnsmasq-libvirtd.diff + - dnsmasq-revert-alternation.diff + - usrmerge-fixes.diff + - libapparmor-swig-4.diff +- re-number remaining patches + +------------------------------------------------------------------- +Wed Jun 5 11:36:25 UTC 2019 - Christian Boltz + +- add upstream libapparmor-swig-4.diff: fix libapparmor tests with swig + 4.0 (boo#1135751) + +------------------------------------------------------------------- +Tue Apr 23 11:34:08 UTC 2019 - Martin Liška + +- Disable LTO (boo#1133091). + +------------------------------------------------------------------- +Sun Apr 14 13:59:55 UTC 2019 - Christian Boltz + +- update lessopen.sh profile for usrMerge (bash and tar) (boo#1132350) + +------------------------------------------------------------------- +Thu Mar 7 12:34:20 UTC 2019 - Christian Boltz + +- add usrmerge-fixes.diff: fix test failures when /bin/sh is handled by + update-alternatives (boo#1127877) + +------------------------------------------------------------------- +Wed Feb 27 19:28:14 UTC 2019 - Christian Boltz + +- add dnsmasq-revert-alternation.diff: revert path alternation in + dnsmasq profile and re-add peer=/usr/sbin/libvirtd rules to avoid + breaking libvirtd (boo#1127073) + +------------------------------------------------------------------- +Thu Jan 24 21:13:43 UTC 2019 - Christian Boltz + +- add dnsmasq-libvirtd.diff: allow peer=libvirtd in the dnsmasq profile + to match the newly added libvirtd profile name (boo#1118952#c3) + +------------------------------------------------------------------- +Mon Jan 14 14:41:14 CET 2019 - kukuk@suse.de + +- Use %license instead of %doc [bsc#1082318] + +------------------------------------------------------------------- +Sun Jan 6 19:10:58 UTC 2019 - Christian Boltz + +- add apparmor-lessopen-nfs-workaround.diff: allow network access in + lessopen.sh for reading files on NFS (workaround for boo#1119937 / + lp#1784499) + +------------------------------------------------------------------- +Wed Jan 2 19:11:16 UTC 2019 - Christian Boltz + +- add profile_filename_cornercase.diff: drop check that lets aa-logprof + error out in a corner-case (log event for a non-existing profile while + a profile file with the default filename for that non-existing profile + exists) (boo#1120472) + +------------------------------------------------------------------- +Fri Dec 21 13:41:32 UTC 2018 - mt@suse.de + +- netconfig: write resolv.conf to /run with link to /etc (fate#325872, + boo#1097370) [patch apparmor-nameservice-resolv-conf-link.patch] + +------------------------------------------------------------------- +Fri Dec 21 12:59:00 UTC 2018 - Christian Boltz + +- update to AppArmor 2.13.2 + - add profile names to most profiles + - update dnsmasq profile (pid file and logfile path) (boo#1111342) + - add vulkan abstraction + - add letsencrypt certificate path to abstractions/ssl_* + - ignore *.orig and *.rej files when loading profiles + - fix aa-complain etc. to handle named profiles + - several bugfixes and small profile improvements + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.2 + for the detailed upstream changelog +- remove upstreamed fix-syntax-error-in-rc.apparmor.functions.patch + +------------------------------------------------------------------- +Sun Oct 14 11:02:58 UTC 2018 - Christian Boltz + +- update to 2.13.1 + - add qt5 and qt5-compose-cache-write abstractions + - add @{uid} and @{uids} kernel var placeholders + - several profile and abstraction updates + - ignore "abi" rules in parser and tools (instead of erroring out) + - utils: fix overwriting of child profile flags if they differ from + the main profile + - several bugfixes (including boo#1100779) + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.1 + for the detailed upstream changelog +- remove upstream(ed) patches: + - aa-teardown-path.diff + - fix-apparmor-systemd-perms.diff + - logprof-skip-cache-d.diff + - fix-samba-profiles.patch + - make-pyflakes-happy.diff + - dnsmasq-Add-permission-to-open-log-files.patch +- refresh apparmor-samba-include-permissions-for-shares.diff +- add fix-syntax-error-in-rc.apparmor.functions.patch + +------------------------------------------------------------------- +Wed Oct 10 18:01:16 UTC 2018 - Christian Boltz + +- update rpmlintrc: + - whitelist .features file which is part of the pre-compiled cache + - comment out filters for the disabled tomcat_apparmor subpackage + +------------------------------------------------------------------- +Wed Oct 10 09:49:17 UTC 2018 - Petr Vorel + +- Backport dnsmasq fix: + 025c7dc6 - dnsmasq-Add-permission-to-open-log-files.patch + (boo#1111342) + +------------------------------------------------------------------- +Wed Aug 22 11:32:59 UTC 2018 - suse-beta@cboltz.de + +- add make-pyflakes-happy.diff to fix an unused variable (SR 629206) + +------------------------------------------------------------------- +Tue May 8 15:37:32 UTC 2018 - scabrero@suse.de + +- add fix-samba-profiles.patch - smbd loads new shared libraries. + Allow winbindd to access new kerberos credential cache location + (boo#1092099) + +------------------------------------------------------------------- +Sun Apr 29 22:24:33 UTC 2018 - suse-beta@cboltz.de + +- exclude the /etc/apparmor.d/cache.d/ directory from aa-logprof parsing + (logprof-skip-cache-d.diff) + +------------------------------------------------------------------- +Mon Apr 23 15:27:55 UTC 2018 - suse-beta@cboltz.de + +- add fix-apparmor-systemd-perms.diff - fix permissions of + /lib/apparmor/apparmor.systemd (boo#1090545) + +------------------------------------------------------------------- +Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de + +- create and package precompiled cache (/usr/share/apparmor/cache, + read-only) (boo#1069906, boo#1074429) +- change (writeable) cache directory to /var/cache/apparmor/ - with the + new btrfs layout, the only reason for using /var/lib/apparmor/cache/ + (which was "it's part of the / subvolume") is gone, and /var/cache + makes more sense for the cache +- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both + cache locations +- clear cache also in %post of abstractions package + +-------------------------------------------------------------------- +Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de + +- update to AppArmor 2.13 + - add support for multiple cache directories and cache overlays + (boo#1069906, boo#1074429) + - add support for conditional includes in policy + - remove group restrictions from aa-notify (boo#1058787) + - aa-complain etc.: set flags for profiles represented by a glob + - aa-status: split profile from exec name + - several profile and abstraction updates + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13 + for the detailed upstream changelog +- drop upstreamed patches and files: + - aa-teardown + - apparmor.service + - apparmor.systemd + - 32-bit-no-uid.diff + - disable-cache-on-ro-fs.diff + - dovecot-stats.diff + - parser-write-cache-warn-only.diff + - set-flags-for-profiles-represented-by-glob.patch + - fix-regression-in-set-flags.patch +- drop spec code that handled installing aa-teardown, apparmor.service + and apparmor.systemd (now part of upstream Makefile) +- simplify "make -C profiles parser-check" call (upstream Makefile bug + that required to call "cd" was fixed) +- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/ +- move 'exec' symlink to parser package (belongs to aa-exec) + +-------------------------------------------------------------------- +Thu Apr 19 11:23:37 UTC 2018 - rgoldwyn@suse.com + +- Set flags for profiles represented by glob (bsc#1086154) + set-flags-for-profiles-represented-by-glob.patch + fix-regression-in-set-flags.patch + +------------------------------------------------------------------- +Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de + +- add dovecot-stats.diff: + - add dovecot/stats profile and allow dovecot to run it (boo#1088161) + - allow dovecot/auth to write /run/dovecot/old-stats-user (part of boo#1087753) +- update 32-bit-no-uid.diff with upstream fix + +------------------------------------------------------------------- +Fri Mar 2 12:29:06 UTC 2018 - rgoldwyn@suse.com + +- Change of path of rpm in lessopen.sh (boo#1082956) + +------------------------------------------------------------------- +Thu Jan 11 18:14:47 CET 2018 - kukuk@suse.de + +- add disable-cache-on-ro-fs.diff - disable write cache if filesystem is + read-only and don't bail out (bsc#1069906, bsc#1074429) + +------------------------------------------------------------------- +Thu Jan 4 13:20:20 UTC 2018 - suse-beta@cboltz.de + +- add parser-write-cache-warn-only.diff to make cache write failures a + warning instead of an error (boo#1069906, boo#1074429) +- reduce dependeny on libnotify-tools (used by aa-notify -p) to "Suggests" + to avoid pulling in several Gnome packages on servers (boo#1067477) + +------------------------------------------------------------------- +Mon Dec 25 15:27:03 UTC 2017 - suse-beta@cboltz.de + +- update to AppArmor 2.12 + - add support for 'owner' rules in aa-logprof and aa-genprof + - add support for includes with absolute path in aa-logprof etc. (lp#1733700) + - update aa-decode to also decode PROCTITLE (lp#1736841) + - several profile and abstraction updates, including boo#1069470 + - preserve errno across aa_*_unref() functions + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 + for the detailed upstream changelog +- drop upstreamed patches: + - read_inactive_profile-exactly-once.patch + - utils-fix-sorted-save_profiles-regression.diff +- lessopen profile: change all 'rix' rules to 'mrix' +- add 32-bit-no-uid.diff to fix handling of log events without ouid on + 32 bit systems +- no longer package static libapparmor.a + +------------------------------------------------------------------- +Tue Nov 30 10:30:33 UTC 2017 - suse-beta@cboltz.de + +- update to AppArmor 2.11.95 aka 2.12 beta1 + - add JSON interface to aa-logprof and aa-genprof (used by YaST) + - drop old YaST interface code + - update audio, base and nameservice abstractions + - allow @{pid} to match 7-digit pids + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 + for the detailed upstream changelog +- drop upstreamed patches + - apparmor-yast-cleanup.patch + - apparmor-json-support.patch + - nameservice-libtirpc.diff +- drop obsolete perl modules (YaST no longer needs them) +- drop patches that were only needed by the obsolete perl modules: + - apparmor-utils-string-split + - apparmor-abstractions-no-multiline.diff +- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in + apparmor_parser +- refresh utils-fix-sorted-save_profiles-regression.diff +- add aa-teardown (new script to unload all profiles) +- make ExecStop in apparmor.service a no-op (workaround for a systemd + restriction, see boo#996520 and boo#853019 for details) +- lessopen profile: allow capability dac_read_search and dac_override, + allow groff to execute several helpers (boo#1065388) + +------------------------------------------------------------------- +Wed Nov 29 15:26:48 UTC 2017 - rgoldwyn@suse.com + +- read_inactive_profile-exactly-once.patch (bsc#1069346) + Perform reading of inactive profiles exactly once. + +------------------------------------------------------------------- +Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de + +- update to AppArmor 2.11.1 + - add permissions to several profiles and abstractions (including + lp#1650827 and boo#1057900) + - several fixes in the aa-* tools (including lp#1689667, lp#1628286, + lp#1661766 and boo#1062667) + - fix downgrading/converting of 'unix' rules (will be supported in + kernel 4.15) to 'network unix' rules in apparmor_parser (boo#1061195) + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for + upstream changelog +- remove upstream(ed) patches + - upstream-changes-r3616..3628.diff + - upstream-changes-r3629..3648.diff + - parser-tests-dbus-duplicated-conditionals.diff + - apparmor-fix-podsyntax.patch + - sshd-profile-drop-local-include-r3615.diff +- refresh apparmor-yast-cleanup.patch +- add utils-fix-sorted-save_profiles-regression.diff to fix a regression + in displaying the "changed profiles" list in aa-logprof + +------------------------------------------------------------------- +Tue Oct 17 21:42:38 UTC 2017 - suse-beta@cboltz.de + +- add nameservice-libtirpc.diff to fix NIS/YP logins (boo#1062244) + +------------------------------------------------------------------- +Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com + +- profiles-sockets-temporary-fix.patch to cater to nameservices with the + new sockets mediation, until unix rules are upstreamed (boo#1061195) + +------------------------------------------------------------------- +Sun Sep 24 09:14:02 UTC 2017 - coolo@suse.com + +- add apparmor-fix-podsyntax.patch from mailing list to fix + compilation with perl 5.26 + +------------------------------------------------------------------- +Fri Aug 11 14:20:17 UTC 2017 - jmatejek@suse.com + +- do not require exact X.Y version of "python3" +- require also matching python(abi) which is arguably more important + +------------------------------------------------------------------- +Fri Jul 14 18:51:26 UTC 2017 - suse-beta@cboltz.de + +- don't rely on implementation details for reload in %post + +------------------------------------------------------------------- +Wed Jul 12 13:33:20 UTC 2017 - rgoldwyn@suse.com + +- add JSON support. Required for FATE#323380. + (apparmor-yast-cleanup.patch, apparmor-json-support.patch) + +------------------------------------------------------------------- +Sat Mar 25 21:42:10 UTC 2017 - suse-beta@cboltz.de + +- add upstream-changes-r3629..3648.diff: + - preserve unknown profiles when reloading apparmor.service + (CVE-2017-6507, lp#1668892, boo#1029696) + - add aa-remove-unknown utility to unload unknown profiles (lp#1668892) + - update nvidia abstraction for newer nvidia drivers + - don't enforce ordering of dbus rule attributes in utils (lp#1628286) + - add --parser, --base and --Include option to aa-easyprof to allow + non-standard paths (useful for tests) (lp#1521031) + - move initialization code in apparmor.aa to init_aa(). This allows to + run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser + don't exist. + - several improvements in the utils tests +- drop upstreamed python3-drop-re-locale.patch +- no longer delete/skip some of the utils tests (to allow this, add + parser-tests-dbus-duplicated-conditionals.diff) +- add var.mount dependeny to apparmor.service (boo#1016259#c34) + +------------------------------------------------------------------- +Thu Mar 16 20:13:00 UTC 2017 - kukuk@suse.com + +- Cleanup spec file: + - don't use insserv if we afterwards call systemd, this can + have bad side effects + - remove dead code + - remove now obsolete 'distro' checks +- Replace init.d script with new wrapper working with systemd + +------------------------------------------------------------------- +Thu Feb 16 14:08:55 UTC 2017 - jmatejek@suse.com + +- add python3-drop-re-locale.patch: remove deprecated re.LOCALE + flag in Python UI as it was dropped from Python 3.6 (lp#1661766) + +------------------------------------------------------------------- +Sat Feb 11 11:33:16 UTC 2017 - jengelh@inai.de + +- Fix RPM groups + +------------------------------------------------------------------- +Mon Jan 30 21:37:48 UTC 2017 - suse-beta@cboltz.de + +- add upstream-changes-r3616..3628.diff: + - update abstractions/base, abstractions/apache2-common and dovecot profiles + - merge ask_the_questions() of aa-logprof and aa-mergeprof + - pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor +- adjust deleting the cache in profiles %post to the new cache location +- silence errors when deleting the cache (boo#976914) + +------------------------------------------------------------------- +Sat Jan 28 21:40:11 UTC 2017 - suse-beta@cboltz.de + +- split libapparmor into separate spec to get rid of build loop + involving mariadb, systemd, apparmor, libapr and mariadb again + (see the discussion in SR 448871 for details) +- libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but + with minimum BuildRequires + +------------------------------------------------------------------- +Fri Jan 27 20:08:03 UTC 2017 - suse-beta@cboltz.de + +- update to AppArmor 2.11.0 + - apparmor_parser now supports parallel compiles and loads + - add full support for dbus, ptrace and signal rules and events to the + utils + - full rewrite of the file rule handling in the utils + - lots of improvements and fixes + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the + detailed changelog +- patches: + - add sshd-profile-drop-local-include-r3615.diff to fix 'make check' + - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed + - refresh apparmor-abstractions-no-multiline.diff + - refresh apparmor-samba-include-permissions-for-shares.diff +- spec changes: + - aa-unconfined switched to using ss (from iproute2), adjust Recommends: + - move libapparmor to /usr/lib*/ + - drop %if %suse_version checks for 12.x + - change several Obsoletes from %version to < 2.9. Those package names + weren't used since years, and 2.9 is still a careful choice + - include apparmor.service independent of %suse_version + - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires + - drop latex2html, texlive-* and w3m BuildRequires + - techdoc.txt and techdoc.html not included, drop them from the package + - run most of utils/ make check (some tests expect /etc/apparmor.d/ and + /sbin/apparmor_parser to exist, skip them) + - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests) + - drop sed'ing python3 into aa-* shebang (upstreamed) + - build binutils + - aa-exec is now written in C and lives in /usr/bin/, move it to the + apparmor_parser package and create a compability symlink in /usr/sbin/ + - aa-exec manpage moved to section 1 + - aa-enabled is a small new tool to find out if AppArmor is enabled + - package new aa_stack_profile(2) manpage + +------------------------------------------------------------------- +Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de + +- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/. + This is part of the root partition (at least with default partitioning) + and should be available earlier than /var/cache/apparmor/ + (boo#1015249, boo#980081, bsc#1016259) +- add dependency on var-lib.mount to apparmor.service as safety net + +------------------------------------------------------------------- +Tue Jan 10 22:15:56 UTC 2017 - suse-beta@cboltz.de + +- update to AppArmor 2.10.2 maintenance release + - lots of bugfixes and profile updates (including boo#1000201, + boo#1009964, boo#1014463) + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details +- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression + in aa-unconfined +- drop upstream(ed) patches: + - changes-since-2.10.1--r3326..3346.diff + - changes-since-2.10.1--r3347..3353.diff + - libapparmor-fix-import-path.diff (upstream fix is slightly different) + - nscd-var-lib.diff +- refresh apparmor-abstractions-no-multiline.diff + +------------------------------------------------------------------- +Sun Oct 23 13:18:43 UTC 2016 - suse-beta@cboltz.de + +- add nscd-var-lib.diff to allow /var/lib/nscd/ in the nscd profile and + abstractions/nameservice (path changed in latest nscd in Tumbleweed) + +------------------------------------------------------------------- +Thu Oct 13 18:35:52 UTC 2016 - suse-beta@cboltz.de + +- add changes-since-2.10.1--r3347..3353.diff with upstream changes and + fixes in the 2.10 branch, including + - allow writing *.qf files (for disk-based buffering) in syslog-ng profile + - add several permissions to the dovecot profiles (deb#835826) + - add a missing path in the traceroute profile + +------------------------------------------------------------------- +Fri Aug 26 20:21:37 UTC 2016 - suse-beta@cboltz.de + +- add changes-since-2.10.1--r3326..3346.diff with upstream changes and + fixes since the 2.10.1 release, including + - allow dac_override in winbindd profile (boo#990006#c5) + - allow mr for /usr/lib*/ldb/*.so in samba abstractions (needed since + Samba 4.4.x, boo#990006) + - abstractions/nameservice: also support ConnMan-managed resolv.conf + - let aa-genprof ask about profiles in extra dir (again) + - fix aa-logprof "add hat" endless loop (lp#1538306) + - honor 'chown' file events in logparser.py + - ignore log file events with a request mask of 'send' or 'receive' + because they are actually network events (lp#1577051, lp#1582374) + - accept hostname with dots when parsing logs (lp#1453300 comments #1 and #2) +- fix python LibAppArmor import failures with swig > 3.0.8 (boo#987607) + (libapparmor-fix-import-path.diff) +- refresh apparmor-abstractions-no-multiline.diff +- drop upstreamed profiles-ping-inet6-r3449.diff +- add %check section - runs libapparmor (including swig bindings), + parser and profiles tests +- add BuildRequires: perl(Locale::gettext) - needed for parser tests + +------------------------------------------------------------------- +Tue May 24 12:15:19 UTC 2016 - suse-beta@cboltz.de + +- add profiles-ping-inet6-r3449.diff - latest ping also does IPv6 (boo#980596) + +------------------------------------------------------------------- +Fri Apr 22 20:49:24 UTC 2016 - suse-beta@cboltz.de + +- update to AppArmor 2.10.1 (2.10 branch r3326): + - fix incorrect output of child profile names (apparmor_parser -N) which + caused 'rcapparmor reload' to remove child profiles and hats (lp#1551950) + - fix a crash in aa-logprof / logparser.py for change_hat log events + (lp#1523297) and log events that look like file events, but aren't + (lp#1540562, lp#1525119, lp#1466812) + - write unix rules when saving a profile (lp#1522938, boo#954104#c3) + - several fixes for variable handling in aa-logprof + - map c (create) log events to w instead of a + - add python to the "no Px rule" list in logprof.conf + - let aa-logprof check for duplicate profiles + - let aa-status work without the apparmor.fail python module (boo#971917, + lp#1480492) + - add permissions in several profiles (including boo#948584, boo#948753, + boo#954959, boo#954958, boo#971790, boo#964971, boo#921098, boo#923201 and + boo#921098#c15). + - and many more fixes, see the full changelog at + http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_1 +- drop upstream(ed) patches: + - fix-initscript-aa_log_end_msg.diff + - syslog-ng-profile-boo948584.diff + - upstream-profile-updates-r3205-3241.diff +- refresh patches: + - apparmor-abstractions-no-multiline.diff + - apparmor-samba-include-permissions-for-shares.diff +- drop libapparmor autogen.sh call (broke the build) and remove libtool BR + +------------------------------------------------------------------- +Wed Oct 7 16:12:24 UTC 2015 - opensuse@cboltz.de + +- add syslog-ng-profile-boo948584.diff - add several permissions needed + by latest syslog-ng (boo#948584, boo#948753) +- add upstream-profile-updates-r3205-3241.diff with several profile updates: + - add /usr/share/locale-bundle/** to abstractions/base + - allow dnsmask to use /bin/sh (boo#940749) and /bin/dash + - allow dovecot imap to read /run/dovecot/mounts + - allow avahi-daemon to write to /run/systemd/notify + - allow ntpd to read $PATH directory listings (boo#945592, boo#948752) + - update dhclient profile + - allow skype to read @{PROC}/@{pid}/net/dev (boo#939568) + - and some other small updates +- drop upstreamed apparmor-winbindd-r3213.diff (included in the + upstream-profile-updates patch) + +------------------------------------------------------------------- +Sun Sep 13 20:16:57 UTC 2015 - opensuse@cboltz.de + +- netstat moved to net-tools-deprecated in Tumbleweed (boo#944904) + +------------------------------------------------------------------- +Thu Jul 30 20:08:20 UTC 2015 - opensuse@cboltz.de + +- add apparmor-winbindd-r3213.diff - add missing k permissions for + /etc/samba/smbd.tmp/msg/* in winbindd profile (boo#921098 #c15..19) + +------------------------------------------------------------------- +Thu Jul 23 22:16:35 UTC 2015 - opensuse@cboltz.de + +- add fix-initscript-aa_log_end_msg.diff - fixes ugly initscript + output (boo#862170) + +------------------------------------------------------------------- +Thu Jul 16 20:51:00 UTC 2015 - opensuse@cboltz.de + +- update to AppArmor 2.10 (trunk r3205) + - profile names can now contain variables + - improved profile compile time in apparmor_parser + - lots of improvements, refactoring and bugfixes in the aa-* tools + - new apis for managing and loading profile caches into the kernel in + libapparmor + - lots of profile updates + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10 for the + complete changelog with more details +- add new apparmor_private.h and the aa_query_label(2), aa_features(3), + aa_kernel_interface(3), aa_policy_cache(3), aa_splitcon(3) manpages + to libapparmor-devel +- drop apparmor-2.5.1-edirectory-profile patch - it's most probably + no longer needed (see boo#621394 for details) +- drop upstreamed samba-4.2-profiles.diff +- refresh apparmor-samba-include-permissions-for-shares.diff + +------------------------------------------------------------------- +Mon Jun 15 22:13:21 UTC 2015 - opensuse@cboltz.de + +- systemd-rpm-macros and %systemd_requires were at the wrong place, + move them to the parser package (boo#931792) + +------------------------------------------------------------------- +Fri Apr 24 20:21:32 UTC 2015 - opensuse@cboltz.de + +- update to AppArmor 2.9.2 (2.9 branch r2911) + - lots of bugfixes in the parser and the aa-* tools (including + boo#918787) + - update dovecot and dnsmasq profiles and several abstractions + (including boo#911001) + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_2 for the + full changelog +- remove upstream(ed) patches apparmor-changes-since-2.9.1.diff and + apparmor-fix-stl-ostream.diff +- replace GPG key with new AppArmor GPG signing key, see + https://launchpad.net/apparmor/+announcement/13404 + +------------------------------------------------------------------- +Fri Apr 17 18:46:08 UTC 2015 - opensuse@cboltz.de + +- make sure %service_del_postun doesn't call systemctl try-restart + (boo#853019, bare systemd edition) +- add samba-4.2-profiles.diff: update samba (winbindd and nmb) + profiles for samba 4.2 (boo#921098, boo#923201) + +------------------------------------------------------------------- +Sun Apr 12 21:13:23 UTC 2015 - opensuse@cboltz.de + +- only install apparmor.service for openSUSE > 13.2 + +------------------------------------------------------------------- +Wed Apr 1 03:47:44 UTC 2015 - crrodriguez@opensuse.org + +- Add a native systemd unit which *at the moment* only + wraps/masks the early boot script. + +------------------------------------------------------------------- +Tue Feb 24 13:19:10 UTC 2015 - rguenther@suse.com + +- add apparmor-fix-stl-ostream.diff which fixes odd uses of + std::ostream which are not valid. Fixes build with GCC 5 + +------------------------------------------------------------------- +Fri Feb 20 18:15:18 UTC 2015 - opensuse@cboltz.de + +- allow lessopen.sh to run /usr/bin/unzip-plain (boo#906858) + +------------------------------------------------------------------- +Thu Feb 12 18:20:36 UTC 2015 - opensuse@cboltz.de + +- add Requires: python3 to python3-apparmor package - readline isn't + part of python3-base (boo#917577) + +------------------------------------------------------------------- +Tue Jan 20 20:33:55 UTC 2015 - opensuse@cboltz.de + +- add apparmor-changes-since-2.9.1.diff with upstream fixes since the + 2.9.1 release + - update logparser.py to support changed syslog format (lp#1399027) + - update usr.sbin.dovecot and usr.lib.dovecot.imap{, -login} profiles + (lp#1296667) + - update the mysqld profile + - fix network rule description in apparmor.d(5) manpage +- drop upstreamed dnsmasq-profile-fixes.patch +- update expired GPG key + +------------------------------------------------------------------- +Thu Jan 1 16:07:25 UTC 2015 - opensuse@cboltz.de + +- update to AppArmor 2.9.1 (2.9 branch r2831) + - fix log parsing for 3.16 kernels and syslog-style logs (boo#905368) + - several fixes and performance improvements in the aa-* utils + - profile updates for dnsmasq (boo#907870), nscd (boo#904620#c14 and + bnc#908856), useradd, sendmail, man and passwd + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_1 + for full release notes +- refresh dnsmasq-profile-fixes.patch + +------------------------------------------------------------------- +Mon Dec 22 10:26:15 UTC 2014 - cbosdonnat@suse.com + +- Fix dnsmasq profile to allow executing bash to run the --dhcp-script + argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt + leasehealper script to run even on x86_64. + dnsmasq-profile-fixes.patch. boo#911001 + +------------------------------------------------------------------- +Sun Dec 21 16:22:27 UTC 2014 - opensuse@cboltz.de + +- rename lessopen.sh profile file to usr.bin.lessopen.sh to match the + script filename + +------------------------------------------------------------------- +Wed Dec 10 10:15:16 UTC 2014 - meissner@suse.com + +- add apparmor-lessopen-profile.patch: /usr/bin/lessopen.sh needs + confinement. bnc#906858 + +------------------------------------------------------------------- +Sun Nov 16 16:28:14 UTC 2014 - opensuse@cboltz.de + +- delete cache in apparmor-profiles %post (workaround for + bnc#904620#c8 / lp#1392042) + +------------------------------------------------------------------- +Fri Nov 14 09:18:07 UTC 2014 - dimstar@opensuse.org + +- No longer perform gpg validation; osc source_validator does it + implicit: + + Drop gpg-offline BuildRequires. + + No longer execute gpg_verify. + +------------------------------------------------------------------- +Sun Nov 09 01:06:00 UTC 2014 - Led + +- fix bashism in post script + +------------------------------------------------------------------- +Sat Oct 18 09:43:19 UTC 2014 - opensuse@cboltz.de + +- update to AppArmor 2.9.0 (r2759) + - change aa-mergeprof to the final commandline syntax + - lots of bugfixes in the aa-* tools (bnc#900163, lp#1328707 and several + bugs without a formal bugreport) + - small additions to gnome, freedesktop.org, ubuntu-browsers.d/java + and user-mail abstractions + - fix mod_apparmor to not break basic auth + - update perl modules to support signal, unix and ptrace rules (bnc#900013) + - don't warn about rules not supported by the kernel + - fix logging of "audit capability" (lp#1378091) + - add support for the "hat" keyword in apparmor.vim + - build html version of apparmor.vim manpage again (lp#1366572) + - see also http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0 +- update apparmor-abstractions-no-multiline.diff +- remove upstreamed apparmor-profiles-ntpd-pid-location.diff + +------------------------------------------------------------------- +Fri Oct 10 23:22:26 UTC 2014 - opensuse@cboltz.de + +- add apparmor-abstractions-no-multiline.diff: change all multiline + rules into one line. Needed for yast2-apparmor (bnc#900013) + +------------------------------------------------------------------- +Mon Oct 6 18:07:50 UTC 2014 - opensuse@cboltz.de + +- add apparmor-profiles-ntpd-pid-location.diff to cover new ntpd pid + location (bnc#899746) + +------------------------------------------------------------------- +Sun Oct 5 18:53:43 UTC 2014 - opensuse@cboltz.de + +- update to AppArmor 2.8.97 (aka 2.9 beta3 aka r2721) + - several bugfixes in python and C tools + - rename "__unused" to "unused" in apparmor_parser to fix compilation + on openSUSE <= 13.1 x86_64 (bnc#895495) + - usr.lib.dovecot.auth profile: allow access to auth-token-secret.dat + - various small profile improvements + - update and add several testcases +- drop upstreamed patch apparmor-profiles-dnsmasq-iface-mtu.patch +- re-number remaining patches + +------------------------------------------------------------------- +Sun Sep 28 19:25:32 UTC 2014 - opensuse@cboltz.de + +- split apparmor-profiles package into -profiles and -abstractions + +------------------------------------------------------------------- +Sat Sep 6 22:08:57 UTC 2014 - opensuse@cboltz.de + +- update to AppArmor 2.8.96 (aka 2.9 beta2 aka r2652) + - add unix abstract sockets, ptrace, and signal policy generation + - several bugfixes in the python tools and elsewhere + - move program-chunks/postfix-common to abstractions/ + - drop upstreamed patches: + - apparmor-profiles-clustered-samba.diff + - perl-apparmor-fix-bare-network-keyword-handling.diff + - perl-apparmor-handle-bare-capability-keyword.diff + - perl-apparmor-properly-handle-bare-file-keyword.diff +- re-enable installation of perl modules +- move python modules to python3-apparmor package +- create symlinks without aa- prefix only for tools existing in 2.8.x, + but not for new tools added in 2.9 +- make utils filelist explicit to ensure we have the right set of files + without aa- prefix in sbindir +- switch easyprof python module location to python3 +- drop unused defines APPARMOR_DOC_DIR and JNI_SO +- refresh patches: + - apparmor-utils-string-split (file moved) + - apparmor-profiles-dnsmasq-iface-mtu.patch + - apparmor-2.5.1-edirectory-profile + +------------------------------------------------------------------- +Fri Sep 5 12:34:56 UTC 2014 - opensuse@cboltz.de + +(prepared Thu Mar 20 23:35:03 UTC 2014 in home project) +- update to AppArmor 2.8.95 (aka 2.9 beta1) + - complete rewrite of the aa-* tools in python + - new tools: aa-cleanprof, aa-mergeprof + - extra profiles moved to /usr/share/apparmor/extra-profiles/ (bnc#713647) + - and much more, but there's no upstream changelog yet +- drop upstreamed patches and files: + - usr.sbin.winbindd + - usr.lib.dovecot.*, tunables-dovecot, apparmor-profiles-dovecot-bnc851984.diff + - apparmor-init.py-gsoc.diff + - apparmor-2.8.2-nm-dnsmasq-config.patch +- add %bcond_with perl and disable the perl subpackage temporarily (the perl + modules will be back in beta2) +- drop the apparmorapplet-gnome, apparmor-dbus and profile-editor subpackages + (they were disabled since a long time, and upstream no longer ships their code) + and the apparmor-profile-editor.desktop and apparmor-profile-editor.png files +- drop apparmor-utils-subdomain-compat patch (was only included for <= 12.1) +- remove libimmunix Provides/Obsoletes (libimmunix was a compat wrapper + and got finally dropped) +- refresh apparmor-samba-include-permissions-for-shares.diff and + apparmor-2.5.1-edirectory-profile + +------------------------------------------------------------------- +Thu Sep 4 11:39:40 MDT 2014 - jfehlig@suse.com + +- add apparmor-profiles-dnsmasq-iface-mtu.patch to allow dnsmasq + read access to interface mtu in + /proc/sys/net/ipv6/conf//mtu + (bnc#892374) + +------------------------------------------------------------------- +Mon Aug 11 21:18:25 UTC 2014 - opensuse@cboltz.de + +- usr.lib.dovecot.auth: add '/etc/dovecot/* r' to allow reading + plaintext password files (bnc#874094) + +------------------------------------------------------------------- +Thu Jul 31 14:17:30 UTC 2014 - dimstar@opensuse.org + +- Rename rpmlintrc to %{name}-rpmlintrc. + Follow the packaging guidelines. + +------------------------------------------------------------------- +Wed Jul 30 17:35:13 UTC 2014 - jeffm@suse.com + +- add perl-apparmor-fix-bare-network-keyword-handling.diff: + perl-apparmor: Fix handling of network (or network all) (bnc#889650) + +- add perl-apparmor-handle-bare-capability-keyword.diff: + perl-apparmor: Fix handling of capability keyword (bnc#889651) + +- add perl-apparmor-properly-handle-bare-file-keyword.diff: + perl-apparmor: Properly handle bare file keyword (bnc#889652) + +------------------------------------------------------------------- +Thu Jul 3 14:45:14 UTC 2014 - ddiss@suse.com + +- add apparmor-profiles-clustered-samba.diff to permit clustered Samba + access to CTDB socket and databases (bnc#885317) + +------------------------------------------------------------------- +Wed Jul 2 10:30:43 UTC 2014 - chris@computersalat.de + +- fix problems with dovecot and managesieve + * usr.lib.dovecot.managesieve-login: network inet6 stream + * usr.lib.dovecot.managesieve: + +#include + /usr/lib/dovecot/managesieve { + #include + + capability setgid, + + capability setuid, + + network inet stream, + + network inet6 stream, + + @{DOVECOT_MAILSTORE}/ rw, + + @{DOVECOT_MAILSTORE}/** rwkl, + +------------------------------------------------------------------- +Fri Jun 27 17:47:40 UTC 2014 - chris@computersalat.de + +- add #include to usr.lib.dovecot.auth + +------------------------------------------------------------------- +Tue Apr 1 16:06:24 UTC 2014 - lmuelle@suse.com + +- update usr.sbin.winbindd profile (bnc#870607) + - restrict rw access to /var/cache/krb5rcache/ instead /var/tmp/ + +------------------------------------------------------------------- +Fri Mar 28 14:24:19 UTC 2014 - lmuelle@suse.com + +- update usr.sbin.winbindd profile (bnc#870607) + - treat passdb.tdb.tmp as passdb.tdb + - allow rw access to /var/tmp/ + +------------------------------------------------------------------- +Thu Mar 20 19:58:47 UTC 2014 - opensuse@cboltz.de + +- add Recommends: libnotify-tools to apparmor-utils (aa-notify -p + needs notify-send) + +------------------------------------------------------------------- +Mon Feb 17 11:40:36 UTC 2014 - opensuse@cboltz.de + +- update to AppArmor 2.8.3 (r2122) bugfix release + - fix some cache clearing bugs in apparmor_parser + - various fixes in mod_apparmor + - several profile updates, most of them were already included as patches + (except abstractions/winbind (bnc#863226), abstractions/fonts and + abstractions/p11-kit) + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_3 for all details +- update partially upstreamed apparmor-2.8.2-nm-dnsmasq-config.patch +- remove upstream(ed) patches + - apparmor-2.8.2-fix-ntpd-profile.diff + - apparmor-abstractions-r2089-r2090.diff + - apparmor-abstractions-ssl_certs.diff + - apparmor-fix-url-in-manpages-r2093.diff + - apparmor-no-perl-smartmatch-r2088.diff + - apparmor-profiles-dnsmasq.diff + - apparmor-profiles-ntpd-r2103.diff + - apparmor-profiles-samba-create-dirs.diff + - apparmor-profiles-samba4.diff + - apparmor-unconfined-lang-r2094.diff + - apparmor-utils-po-de-r2091.diff + +------------------------------------------------------------------- +Sat Feb 1 11:23:45 UTC 2014 - coolo@suse.com + +- use current ruby macros, the rb_sitearch is obsolete since at least + 12.1 + +------------------------------------------------------------------- +Sun Jan 26 14:46:43 UTC 2014 - opensuse@cboltz.de + +- update apparmor-2.8.2-nm-dnsmasq-config.patch - allow access to pid file + and supplemental config directory (by develop7) +- update apparmor-profiles-dovecot-bnc851984.diff: + - do not add access to @{DOVECOT_MAILSTORE} - not required by the main binary + - add abstractions/mysql + - allow execution of some more /usr/lib/dovecot/* binaries + - better restrict access to /var/spool/postfix/private/ +- update usr.lib.dovecot.auth to allow to read mysql config files +- update usr.lib.dovecot.dict and usr.lib.dovecot.lmtp: + add abstractions/nameservice instead of allowing more and more files + +------------------------------------------------------------------- +Sun Jan 19 14:51:33 UTC 2014 - opensuse@cboltz.de + +- add Recommends: net-tools to apparmor-utils (needed by aa-unconfined) +- update usr.lib.dovecot.lmtp (add /proc/*/mounts, /tmp/dovecot.lmtp.*, + /{var/,}run/dovecot/mounts, deny capability block_suspend) + +------------------------------------------------------------------- +Fri Jan 17 16:29:54 UTC 2014 - develop7@develop7.info + +- add apparmor-2.8.2-nm-dnsmasq-config.patch - allow dnsmasq read config + created by recent NetworkManager (see + http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d82669d3fdaa7ec70ef1b64941c101ac810c394b + for update details) + +------------------------------------------------------------------- +Sat Jan 4 12:04:25 UTC 2014 - opensuse@cboltz.de + +- add apparmor-profiles-samba-create-dirs.diff to allow samba to + mkdir /var/run/samba and /var/cache/samba (bnc#856651) +- add abstractions/samba to usr.sbin.winbindd profile +- add capabilities ipc_lock and setuid to usr.sbin.winbindd profile (bnc#851131) + +- update dovecot profiles to support dovecot 2.x, and add profiles for + the parts of dovecot that were not covered yet (bnc#851984) + NOTE: Please adjust /etc/apparmor.d/tunables/dovecot to your needs. + (apparmor-profiles-dovecot-bnc851984.diff, usr.lib.dovecot.*) + +- %restart_on_update (in parser %postun) is "translated" to stop/start by + the systemd wrapper, which removes AppArmor protection from running + processes. Fixed by using a custom script instead (bnc#853019) + NOTE: The %postun from the previously installed apparmor-parser package + will remove AppArmor protection from running processes a last time. + Run aa-status to get a list of processes you need to restart, or reboot + your computer. +- reload profiles in %post of the apparmor-profiles package + +------------------------------------------------------------------- +Mon Nov 25 23:44:40 UTC 2013 - opensuse@cboltz.de + +- add apparmor-abstractions-ssl_certs.diff to allow access to + certificates in /var/lib/ca-certificates/ (bnc#852018) + +------------------------------------------------------------------- +Thu Nov 14 20:54:23 UTC 2013 - opensuse@cboltz.de + +- add apparmor-profiles-ntpd-r2103.diff with updated driftfile + location for ntpd (bnc#850374) + +------------------------------------------------------------------- +Sat Nov 2 14:15:58 UTC 2013 - opensuse@cboltz.de + +- apparmor-profiles-samba4.diff, usr.sbin.winbindd: some more profile + updates for samba 4.x and kerberos (bnc#846586#c12 and #c15) + +------------------------------------------------------------------- +Wed Oct 30 11:06:39 UTC 2013 - opensuse@cboltz.de + +- add apparmor-profiles-dnsmasq.diff - add missing permissions for + libvirt-generated files to dnsmasq profile (bnc#848215) + +------------------------------------------------------------------- +Sun Oct 20 11:59:28 UTC 2013 - opensuse@cboltz.de + +- apparmor-profiles-samba4.diff, usr.sbin.winbindd: some more profile + updates for samba 4.x (bnc#846054#c5) + +------------------------------------------------------------------- +Tue Oct 15 20:10:49 UTC 2013 - opensuse@cboltz.de + +- add apparmor-profiles-samba4.diff - various profile additions for + samba 4.x (bnc#845867, bnc#846054) +- update usr.sbin.winbindd for samba 4.x (bnc#845867, bnc#846054) + +------------------------------------------------------------------- +Sun Sep 29 15:00:20 UTC 2013 - opensuse@cboltz.de + +- update apparmor-init.py-gsoc.diff to the final GSoC apparmor/__init__.py + +------------------------------------------------------------------- +Fri Sep 20 11:28:20 UTC 2013 - opensuse@cboltz.de + +- add apparmor-fix-url-in-manpages-r2093.diff: fix URL in manpages +- add apparmor-unconfined-lang-r2094.diff: fix aa-unconfined to work + in all languages + +------------------------------------------------------------------- +Mon Sep 16 18:23:46 UTC 2013 - seife+obs@b1-systems.com + +- fix ntp by allowing read access to openssl.cnf + +------------------------------------------------------------------- +Fri Sep 13 22:41:18 UTC 2013 - opensuse@cboltz.de + +- add apparmor-utils-po-de-r2091.diff: fix some (mis)translations + +------------------------------------------------------------------- +Thu Sep 12 20:40:38 UTC 2013 - opensuse@cboltz.de + +- add apparmor-abstractions-r2089-r2090.diff (from upstream 2.8 branch) + - p11-kit needs access to /usr/share/p11-kit/modules + - allow reading /etc/machine-id in the dbus-session abstraction +- add apparmor-init.py-gsoc.diff - make apparmor/__init__.py ready for + the new tools developed in GSoC + +------------------------------------------------------------------- +Fri Aug 23 20:09:59 UTC 2013 - opensuse@cboltz.de + +- add apparmor-no-perl-smartmatch-r2088.diff: ~~ was marked as experimental + in perl 5.18 again - use grep instead (upstream 2.8 branch r2088) +- fix ruby requires + +------------------------------------------------------------------- +Fri Aug 16 18:26:20 UTC 2013 - opensuse@cboltz.de + +- update to AppArmor 2.8.2 + - several fixes for python3 compability + - various profile improvements: + - various additions to abstractions/fonts + - move poppler's cMaps from gnome to fonts; gnome includes fonts + - deny @{HOME}/.gnome2/keyrings/** to abstractions/private-files-strict + - add read access to @{PROC}/sys/vm/overcommit_memory to abstractions/base + (bnc#824577) + - update pulseaudio directory and cookie file paths + - add missing permissions to the nscd profile (bnc#807104) + - deny capability block_suspend to nscd (bnc#807104) + - MariaDB compatability in abstractions/mysql (bnc#798183) + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_2 for all details +- removed upstream(ed) patches + - apparmor-abstractions-mysql-path.diff + - apparmor-profiles-nscd.diff + - apparmor-python3-r2052.diff + +------------------------------------------------------------------- +Thu Aug 15 18:59:41 UTC 2013 - opensuse@cboltz.de + +- swig for python3 is broken on openSUSE 12.2 - build python-apparmor + (for python2) instead on 12.2 + +------------------------------------------------------------------- +Thu Aug 15 00:01:46 UTC 2013 - opensuse@cboltz.de + +- add python3-apparmor subpackage (currently py2 OR py3 package can be + build, but not both at the same time) +- add upstream apparmor-python3-r2052.diff to fix various python3 issues + +------------------------------------------------------------------- +Tue Jun 4 13:06:37 UTC 2013 - kkaempf@suse.com + +- Ruby 2.0 mkmf gets the path to ruby.h wrong (bnc#822277) + +------------------------------------------------------------------- +Mon May 13 12:42:04 UTC 2013 - coolo@suse.com + +- do not package directories as %config - especially not as noreplace + +------------------------------------------------------------------- +Tue Apr 23 20:11:39 UTC 2013 - opensuse@cboltz.de + +- enable python and ruby subpackages (using %bcond_without) +- update/fix paths in %files for python and ruby subpackages + +------------------------------------------------------------------- +Tue Apr 2 18:56:56 UTC 2013 - opensuse@cboltz.de + +- add Requires: insserv to parser package (needed by initscript) + +------------------------------------------------------------------- +Tue Mar 5 17:49:42 UTC 2013 - opensuse@cboltz.de + +- nscd profile: add missing permissions and deny capability block_suspend + (bnc#807104, apparmor-profiles-nscd.diff) + +------------------------------------------------------------------- +Sun Feb 17 09:59:48 UTC 2013 - jengelh@inai.de + +- Add missing files to SRPM (bnc#777471) + +------------------------------------------------------------------- +Sun Jan 13 13:46:01 UTC 2013 - opensuse@cboltz.de + +- update abstractions/mysql with correct paths and add MariaDB paths + (bnc#798183) + +------------------------------------------------------------------- +Thu Jan 10 10:57:40 UTC 2013 - opensuse@cboltz.de + +- update to AppArmor 2.8.1 (=2.8 branch r2069) + Bugfix release, http://wiki.apparmor.net/index.php/ReleaseNotes_2_8_1 + Most important changes are: + - add various missing parts to profiles and abstractions + - fix a possible x conflict with hats or child profiles in + apparmor_parser + - fix and speedup stdin handling in aa-decode + - various other bugfixes + - add pkgconfig support to libapparmor +- remove upstream(ed) patches + +------------------------------------------------------------------- +Mon Dec 3 20:58:04 UTC 2012 - opensuse@cboltz.de + +- verify tarball with gpg-offline + +------------------------------------------------------------------- +Tue Sep 25 13:55:56 UTC 2012 - coolo@suse.com + +- fix directory flags for /etc/apparmor.d to be in sync between + -parser and -profiles subpackage + +------------------------------------------------------------------- +Fri Sep 21 19:58:32 UTC 2012 - opensuse@cboltz.de + +- remove %stop_on_removal for no longer existing aaeventd (bnc#781564) +- don't hide TeX output when building the parser and techdoc + +------------------------------------------------------------------- +Thu Aug 9 23:31:26 UTC 2012 - opensuse@cboltz.de + +- clear and update inconsistent profile cache (bnc#774529) + +------------------------------------------------------------------- +Sun Aug 5 16:05:44 UTC 2012 - opensuse@cboltz.de + +- abstractions/bash: update /bin/ls to also match /usr/bin/ls (usrMerge) + +------------------------------------------------------------------- +Mon Jul 30 08:17:01 UTC 2012 - werner@suse.de + +- Add required fonts for new TeXLive 2012 + +------------------------------------------------------------------- +Fri Jul 6 22:33:39 UTC 2012 - opensuse@cboltz.de + +- update /bin/ping profile to also match /usr/bin/ping (usrMerge) + +------------------------------------------------------------------- +Sat Jun 2 19:55:14 UTC 2012 - opensuse@cboltz.de + +- update to AppArmor 2.8.0 (= r2047) + - new utility aa-easyprof - templated profile generation tool (the resulting + profile may be less strict than profiles generated with genprof/logprof) + - various small bugfixes +- removed upstreamed patches + +------------------------------------------------------------------- +Tue May 8 19:30:23 UTC 2012 - opensuse@cboltz.de + +- add apparmor-techdoc.patch to remove traces of the build time in PDF files + +------------------------------------------------------------------- +Sat May 5 20:25:49 UTC 2012 - opensuse@cboltz.de + +- update to AppArmor 2.8 beta5 (= 2.7.103 / r2031) + - new utility aa-exec to confine a program with the specified AppArmor profile + - add support for mount rules + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_8 for full upstream + changelog +- removed upstreamed and backported patches +- remove outdated autobuild and "disable repo" patches that were disabled since + the AppArmor 2.7 package +- create the Immunix::SubDomain compat perl module only for openSUSE <= 12.1 + (bnc#720617 #c7) + +------------------------------------------------------------------- +Mon Apr 16 21:16:41 UTC 2012 - opensuse@cboltz.de + +- replace patch for dnsmasq profile with upstream patch (bnc#738905) + +------------------------------------------------------------------- +Fri Apr 13 22:22:27 UTC 2012 - opensuse@cboltz.de + +- add apparmor-r2022-log-parser-network-bnc755923.patch - logprof didn't + create network rules because of changed log format (bnc#755923, lp#800826) +- add profile for samba winbindd (bnc#748499) + +------------------------------------------------------------------- +Fri Apr 6 13:38:11 CEST 2012 - mszeredi@suse.cz + +- fix dnsmasq profile (bnc#738905) + +------------------------------------------------------------------- +Thu Feb 9 19:01:07 UTC 2012 - opensuse@cboltz.de + +- add 0001-fix-for-lp929531.patch to allow reading + /sys/devices/system/cpu/online in abstractions/base (lp#929531) + +------------------------------------------------------------------- +Tue Jan 31 09:53:06 UTC 2012 - opensuse@cboltz.de + +- Update to AppArmor 2.7.2 (= 2.7 branch / r1894) + - move various permissions from httpd2-prefork profile to + abstractions/apache2-common. Backward-incompatible change: *.htaccess + files are no longer allowed for ^HANDLING_UNTRUSTED_INPUT + - allow access for more /usr/lib*/samba/ files for smbd (bnc#725967#c5) + - allow various .conf files for dovecot (lp#458922) + - disallow wl for *.so in @{HOME}/.pki/nssdb/ in abstractions/private-files + and abstractions/private-files-strict (lp#911847) + - update abstractions/kde, private-files* and ubuntu-browsers.d/user-files + to use ~/.kde4, not only ~/.kde (bnc#741592) + - block write access to ~/.kde{,4}/env in abstractions/private-files + (lp#914190) + - allow write access for personal dictionary etc. in abstractions/aspell + (lp#917859) + - when using genprof for a script, include read access to the script itsself + - automatically include abstractions/python or abstractions/ruby for + python/ruby scripts + - add profile for smbldap-useradd and allow smbd to call it (bnc#738041) + - allow creation of the .config directory in abstractions/enchant (lp#914184) + - allow TFTP read-only access in dnsmasq profile (lp#905412) + - allow capability dac_read_search for syslog-ng (bnc#731876) + - add p11-kit abstraction and include it in abstractions/authentification + (lp#912754, lp#912752) + - add audacity to abstractions/ubuntu-media-players (lp#899963) + - allow software-center, fireclam plugin, [tT]unar, exo-open, kate and + /dev/nvidia* in abstractons/ubuntu-browsers.d/* (lp#662906, lp#562831, + lp#890894, lp#890894, lp#884748) + - fix typo for multiarch gconf-modules in abstractions/base (lp#904548) + - allow avahi to do dbus introspection (lp#769148) + - allow access to ~/.fonts.conf.d in abstractions/fonts (lp#870992) + - allow transmission in abstractions/ubuntu-bittorrent-clients (lp#852062) + - allow reading ~/.cups/client.conf and ~/.cups/lpoptions in + abstractions/cups-client (lp#887992) + - allow read access of /etc/python{2,3}.[0-7]*/sitecustomize.py in + abstractions/python (lp#860856) + - various updates to the sshd profile (lp#817956) + - (and some more changes I already included in the apparmor-2.7-branch.diff) + +------------------------------------------------------------------- +Tue Jan 3 23:52:38 UTC 2012 - opensuse@cboltz.de + +- Update to AppArmor 2.7.0 (= r1858) + - make traceroute6 work (bnc#733312) + - allow access to pyconfig.h in abstractions/python (lp#840734) + - fix logprof/genprof for hex-encoded program filenames (= filenames + containing space etc.) +- add apparmor-2.7-branch.diff with some upstreamed fixes: + - usr.sbin.smbd needs read access for /etc/netgroup (bnc#738041) + - create /etc/apparmor.d/tunables/multiarch.d as directory, not as file + - fix syntax error in abstractons/python + +------------------------------------------------------------------- +Tue Nov 29 18:34:54 CET 2011 - meissner@suse.de + +- changed a $ -> % (typo) + +------------------------------------------------------------------- +Sat Nov 26 21:52:31 UTC 2011 - opensuse@cboltz.de + +- package subdomain.conf only in -parser, not in -utils package +- package libapparmor.so and libimmunix.so only in libapparmor-devel, + not in libapparmor1 +- make Provides for perl-libapparmor versioned to avoid self-Obsoletes +- move libapparmor.a and libimmunix.a from libapparmor1 to + libapparmor-devel package + +------------------------------------------------------------------- +Thu Nov 10 20:16:24 UTC 2011 - opensuse@cboltz.de + +- update to AppArmor 2.7.0 rc2 + Most of the changes since rc1 were already included as patches. + Additional changes: + - fix logprof/genprof to recognize "mknod" in audit.log + - fix libapparmor python bindings to compile with python 3 + - fix wrong status message in initscript if apparmor-utils are not installed + - parser/Makefile: fix some warnings, always respect CXX and LDFLAGS + - fix some warnings in utils/Makefile +- remove 4 upstreamed patches +- remove mkdir /etc/apparmor.d/disable - that's done by upstream Makefile now +- update line numbers in 2 patches + +------------------------------------------------------------------- +Tue Nov 1 17:39:29 UTC 2011 - opensuse@cboltz.de + +- make abstractions/winbind working on 64bit systems +- allow loading the libraries for samba "vfs objects" also on 32bit + systems (bnc#725967) + +------------------------------------------------------------------- +Wed Oct 26 20:48:16 UTC 2011 - opensuse@cboltz.de + +- allow loading the libraries for samba "vfs objects" (bnc#725967) + +------------------------------------------------------------------- +Wed Oct 19 09:53:14 UTC 2011 - opensuse@cboltz.de + +- include autogenerated profile sniplet for samba shares (bnc#688040) +- more helpful error message for "aa-notify -p" if the user is not in + the configured group + +------------------------------------------------------------------- +Thu Oct 13 22:52:24 UTC 2011 - opensuse@cboltz.de + +- update to AppArmor 2.7.0 rc1 + - aa-notify: add --display option and warn if $DISPLAY is not set + (important for usage with sudo on openSUSE) + - fix syntax error on "rcapparmor stop" + - allow read access to /proc/*/mounts in the dovecot profile + +------------------------------------------------------------------- +Sun Oct 9 19:42:05 UTC 2011 - opensuse@cboltz.de + +- add patch with upstream changes since 2.7.0 beta2 release + - add example parser.conf + - print warning if profile cache directory doesn't exist + - remove initscript for no longer existing aa-eventd (bnc#720617) + - set correct $HOME in aa-notify +- enable caching of profiles (= massive speedup) (bnc#689458) +- add comments for patches in .spec and comments in some patches +- run spec-cleaner + +------------------------------------------------------------------- +Fri Sep 30 20:07:41 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to make the spec file more reliable + +------------------------------------------------------------------- +Fri Sep 16 15:25:19 UTC 2011 - opensuse@cboltz.de + +- update to AppArmor 2.7.0 beta2 + - includes fixes for bnc#717707, bnc#678749, bnc#685674, bnc#679182, + bnc#691072, bnc#705319, bnc#713728 +- add some missing perl module Requires to perl-apparmor + +------------------------------------------------------------------- +Tue Sep 13 18:47:36 UTC 2011 - opensuse@cboltz.de + +- update to AppArmor 2.7.0 beta1, for details see + http://wiki.apparmor.net/index.php/ReleaseNotes_2_7 +- removed lots of patches I pushed upstream +- disabled apparmor-2.5.1-unified-build (patch to use automake, + does not apply to 2.7 and probably won't be accepted upstream) +- disabled build of tomcat_apparmor (doesn't build, deprecated upstream) +- run spec-cleaner +- remove *.la files +- move usr.sbin.nscd profile back to apparmor-profiles package + +------------------------------------------------------------------- +Wed Sep 7 10:35:12 MDT 2011 - jfehlig@suse.com + +- Update patch apparmor-profiles-usr.sbin.dnsmasq to include + /var/lib/libvirt/dnsmasq/*.leases (bnc#694197). + +------------------------------------------------------------------- +Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de + +- install SubDomain.pm compat module (bnc#713408) + +------------------------------------------------------------------- +Wed Aug 3 02:46:08 CEST 2011 - jeffm@suse.de + +- Update to 2.6.1. + - One patch eliminated + - Lots of minor fixes + - Split out more common abstractions +- Add check_for_apparmor() helper. + +------------------------------------------------------------------- +Tue Aug 2 17:07:43 CEST 2011 - jeffm@suse.de + +- dhcpd: Fix apparmor profile (bnc#692428) + +------------------------------------------------------------------- +Tue Aug 2 09:19:45 UTC 2011 - fcrozat@suse.com + +- Add apparmor-securityfs-systemd.patch: do not mount securityfs + when running under systemd, just access the directory, systemd + will automount it (bnc#704460). + +------------------------------------------------------------------- +Sun Jul 17 20:04:18 UTC 2011 - andrea.turrini@gmail.com + +- Fixed typos in descriptions and summaries of apparmor.spec + +------------------------------------------------------------------- +Fri Jun 24 16:02:21 CEST 2011 - jeffm@suse.de + +- Fixed building of pam_apparmor to properly link libpam (bnc#696553). +- Fixed building of apache2-mod_apparmor to properly link (bnc#701821). + +------------------------------------------------------------------- +Tue Jun 21 09:54:28 UTC 2011 - coolo@novell.com + +- move the requires and prerequires to the right package + +------------------------------------------------------------------- +Wed Apr 27 17:28:58 UTC 2011 - opensuse@cboltz.de + +- make the -doc and -profiles subpackages noarch (again) + +------------------------------------------------------------------- +Thu Mar 24 21:30:15 CET 2011 - jeffm@suse.de + +- Added alias from Immunix::SubDomain to Immunix:AppArmor to allow + older users of perl-apparmor to work properly. + +------------------------------------------------------------------- +Tue Mar 22 21:29:49 CET 2011 - jeffm@suse.de + +- Properly re-created links to old utility names. + +------------------------------------------------------------------- +Mon Mar 14 19:24:02 CET 2011 - jeffm@suse.de + +- Added /etc/ethers and /var/run/dnsmasq-forwarders to + usr.sbin.dnsmasq (bnc#678749) + +------------------------------------------------------------------- +Mon Mar 14 16:48:53 CET 2011 - jeffm@suse.de + +- Update to 2.6.0 + - 19 patches eliminated + - Lots of minor fixes. + - Split out more common abstractions + - Added more local includes + +------------------------------------------------------------------- +Tue Mar 1 09:56:30 UTC 2011 - rhafer@suse.de + +- Additional libvirt related fixes in usr.sbin.dnsmasq (bnc#675867) + +------------------------------------------------------------------- +Thu Feb 24 15:52:15 CET 2011 - jeffm@suse.de + +- Added 'network packet raw' to dhclient profile. + +------------------------------------------------------------------- +Tue Feb 22 12:45:43 UTC 2011 - bwiedemann@novell.com + +- Add Requires for used perl packages (bnc#670650). + +------------------------------------------------------------------- +Tue Jan 25 23:25:28 CET 2011 - jeffm@suse.de + +- Updated dhclient profile and added dhclient-script profile (bnc#561152). + +------------------------------------------------------------------- +Tue Jan 25 18:11:00 CET 2011 - jeffm@suse.de + +- Added ability to completely disable repositories. + +------------------------------------------------------------------- +Mon Jan 24 21:27:45 CET 2011 - jeffm@suse.de + +- Properly indent sub-profiles after genprof completion (bnc#480795). + +------------------------------------------------------------------- +Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de + +- Inherit flags in sub-profiles when generating profiles (bnc#496204). + +------------------------------------------------------------------- +Mon Jan 24 01:02:53 CET 2011 - jeffm@suse.de + +- Stop treating profiles shipped with the package as config files. + - /etc/apparmor.d will still be treated specially. +- Add support for parsing network operation events (bnc#665483) + +------------------------------------------------------------------- +Mon Jan 24 00:23:35 CET 2011 - jeffm@suse.de + +- Fix for sbin.klogd profile using kernel versions >= 2.6.38-rc1. + +------------------------------------------------------------------- +Mon Jan 24 00:11:28 CET 2011 - jeffm@suse.de + +- Update to apparmor-2.5 r1445. + - Includes 3 of the fixes below. + - Several testsuite fixes. + - Update for Thunderbird profile. + +------------------------------------------------------------------- +Fri Jan 21 19:07:15 CET 2011 - jeffm@suse.de + +- Add support for libvirt in usr.sbin.dnsmasq (bnc#666090) + +------------------------------------------------------------------- +Tue Jan 18 10:51:33 UTC 2011 - coolo@novell.com + +- fix rm call for nscd profile to avoid file conflict + +------------------------------------------------------------------- +Tue Jan 11 15:24:16 CET 2011 - jeffm@suse.de + +- profiles: Add openssl abstraction (bnc#623886). + +------------------------------------------------------------------- +Tue Jan 11 15:12:45 CET 2011 - jeffm@suse.de + +- Added support for sys_nice to ntpd profile (bnc#657054). + +------------------------------------------------------------------- +Mon Jan 10 19:27:01 CET 2011 - jeffm@suse.de + +- apparmor-utils: Support newer auditd formatted messages. +- Fix two x transition conflict bugs. (bnc#662928) + +------------------------------------------------------------------- +Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de + +- Splitted ldap related things from nameservice into separate + profile and added some missing paths (bnc#662761) + +------------------------------------------------------------------- +Wed Dec 22 03:41:43 CET 2010 - jeffm@suse.de + +- Fixed pod2man macros with older versions of GNU make + +------------------------------------------------------------------- +Tue Dec 21 00:36:39 CET 2010 - jeffm@suse.de + +- Fixed building of perl and ruby SWIG modules. The former + is required for apparmor-utils to work properly. + +------------------------------------------------------------------- +Tue Dec 7 18:22:55 CET 2010 - jeffm@suse.de + +- Fixed use-after-free issue in apparmor_parser. + +------------------------------------------------------------------- +Tue Dec 7 17:52:59 CET 2010 - jeffm@suse.de + +- Added fixes for logprof issuing uninitialized variable errors + while encountering audit messages for unconfined processes. + +------------------------------------------------------------------- +Wed Dec 1 19:52:58 CET 2010 - jeffm@suse.de + +- Updated cupsd profile (bnc#539401) + +------------------------------------------------------------------- +Wed Dec 1 19:00:56 CET 2010 - jeffm@suse.de + +- Fix {proc} vs {PROC} macro usage in firefox profile (bnc#436262) + +------------------------------------------------------------------- +Wed Dec 1 18:41:31 CET 2010 - jeffm@suse.de + +- Added support for eDirectory nameservice (bnc#621394) + +------------------------------------------------------------------- +Wed Dec 1 18:05:44 CET 2010 - jeffm@suse.de + +- Fixed incorrect /proc/*/sys usage in usr.sbin.ntpd profile (bnc#634801) + +------------------------------------------------------------------- +Wed Dec 1 17:39:08 CET 2010 - jeffm@suse.de + +- Added fix for another case of whitespace affecting profile + removal (bnc#510740) + +------------------------------------------------------------------- +Tue Nov 30 12:00:00 CET 2010 - jeffm@suse.de + +- Added support for unified build, which massively simplified + the packaging. + +------------------------------------------------------------------- +Fri Nov 15 21:22:46 CET 2010 - czanik@balabit.hu + +- Fix for syslog-ng profile to allow upgrade to v3.2 +- add mysql support to syslog-ng profile + +------------------------------------------------------------------- +Thu Oct 21 15:16:38 CEST 2010 - jeffm@suse.de + +- Added support for enabling/disabling the module automatically + during installation/removal (bnc#623246) + +------------------------------------------------------------------- +Tue Oct 5 17:58:31 CEST 2010 - jeffm@suse.de + +- Converted archive to tar.bz2. + +------------------------------------------------------------------- +Tue Oct 5 17:49:16 CEST 2010 - jeffm@suse.de + +- Updated to 2.5.1-final. + - Lots of testcase updates. + +------------------------------------------------------------------- +Fri Aug 27 21:21:38 CEST 2010 - jeffm@suse.de + +- Initial packaging of AppArmor 2.5 + - Now contained in a single archive so built from a single spec file + diff --git a/apparmor.keyring b/apparmor.keyring new file mode 100644 index 0000000..7fa0c37 --- /dev/null +++ b/apparmor.keyring @@ -0,0 +1,113 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFUwHrABEADZVFn6TF2SxrpMiknHVeUHW7l4mOjHcxtULlEOQ3yaxyNxA0iE +GFWnbP7ek2cjzrfNIA1HNiS0FNsKipRAd5EfRUvJO3lrVfPBRBMLExeyA5h8vXtc +fcp9zpmKAlNVkx85LtVHxch6eUZapNPwqxKJFiDCrFM/zGk4vbRODy2KO3C8XWiy +gHQEW4mjPEsJw6xhyNC63LpCRol7qQu8j6rLJur7GWzSaLKgcUpDktsMJhNRPmCd +Dzb4mbEsbSmWUZ0C2e4HqTs6yjkc3HCIPCsxi4Y8e55qVJRvmOvlx0vGqfUrZyXD +cUQb8PX02V7sjA1DvE4PnZ8yHj1bS7/Q9x+R5ZjTMkqQ0cYXFnMb8pJ/oZucwl41 +RM7Nc57J7XLJmLRv/E7OL4v9DrobIPMOLvAU+PPdYzw+mUZx0jElOo84135nR/0K +EC7twaZxXVfF79iCY3OEhbHlPUH+62ucfcIdiV+TBKMhx70XJb4qDn1iDo2XW++N +8LF+7sZNLJnfJ7QfHUwVodWIXNaMsGOfknrZ4mcYbhETk2t6RpfmWUp61nVGeXgo +t1k3DXH93rFyccnEkGI8Y/+zFNN2QuZUx56kq6OF4Z3bhk7tSwA1/RubDRoNEQgF +94eGrKMgCfHhwPcV6KCtigtmXbdzhFQS5hJkvGOBHhVht9KbMrs9zh4RLQARAQAB +tExBcHBBcm1vciBEZXZlbG9wbWVudCBUZWFtIChBcHBBcm1vciBzaWduaW5nIGtl +eSkgPGFwcGFybW9yQGxpc3RzLnVidW50dS5jb20+iQI9BBMBCgAnBQJVMB6wAhsD +BQkPCZwABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEGaJ5k49NmS7Lp4QAIS3 +D070h7N/giZLUsciLedixqLW8bDzDNFLLturd9ng3x3GwEGdEzibh4TASE6fAQAR +x6oW51ndgI5o7ZoNU3I0I/uLPM1B6YscmN9W2SD5oK8uQ7/K5//b8OGLq/cg1ych +O2lAh5jaGAhmfHy1MS4ZPQ9zbuwARddB7ESD81P4XIRvd/XzfsB2xW+k/7IR/P3M +ZQg+GZm6PxgbK6iwlVyWKj1NyTppzxCWu1yljlbq+Noi5LiucbRdG5qCrymnjgwR +kTeFlvBLYP7NDUifP6JsHgxwKbmvrMmFVJTRx2QnsmGv5DA0Evyz8Bof78S4lJQJ +TkfiiBmWUc6VNv3IQ56PqMQ6RlsKdaGUxXlcPekyeWKC5K6r80m8YjJNBQ+RQMlh +OC7AIckqcB/wPk3/iHvuNbJ0oNd/x/BFBgCs1Wlkktah+tc1aYVPvN1MKhChKD++ +RJYZE+BzR3HSgwBE2Oth7s53D+7ZZPtQoQvhxgKBLAlO7rvhlZi1G0id2BaAqris +Bwj/zFztNewOFCplM4cIXN2pRthgTJYSv/lCarnHsenTZ9zqqkWj3OsFPcMeWhtI +p3jyHXbGC9PtzodG51Aefmz0TqUwIvQxXQ6gOTVlGxMK64MweypYLxMOh9bQOMpS +29XKiX1dKB9ThjTJ6cDBKS7tnZ3cRxAHD3ZOGtiIiEYEEBEKAAYFAlUwIioACgkQ +gTeYuayTEnF41wCfVgK6+6dvch7YdkxGYOzkyt2G/EEAoIJq94o9guRD5OWVKS6N +gkjXvKQtiQIcBBABCgAGBQJVMCJMAAoJEC8Jno0AXoH0orQP/Rjx0Mdsorjfir+Y +ahNk5g4y4ZH425usPRMxRARNpZeGu58RLWOmSW5Fv//I95V0GnK8vyl5YuquHBJM +BRN4PR1XqHUqXdzG8zPZLG5elcqyV3cs58QSUyO+6Nbh4OY/VxqcawZYFaL5XE8N +y0qo2zeFcACIgsmuPMGBgkB3LAEJQxYZab6n2uIuMnJVai2DSIO5Ql2XC4mrKZOW +2GG6vlvM/MmrKKD+gFKCoGvoea9wYYb/3Lu/DU7nARGcCYyvX2zRTuasUO95Anm5 +zYxeXMvSJEq36U+xPLliTcT+bZrzf/dK93SSi/B6txYdM1KQhU0/vLQtdtDDQPFO +edvHIVo+UFrve/lNYSmNEcjgd7iAGwFPe7y6dAQs3KQvE70g10KuSVQuYqSVHJ7t +AC0AGHHsBcijFLzsSn9hOve8DSo/Jwjgvb1Rx1wl8RsmegATOik7FnWRsU+2OM9f +/BU3sLXuKWRQFXiVHsEpRO+vKVFVtcdu7BGzuFBnLS26SNP2jKRYIWJ1ea177w82 +vcjX5URSTBSQef0ABuYgzcV3CmTkKmpDmy49X+bpLQjYwX26XVh4Fm8yULTXT+Wc +pyDNf4itO8VSQpzrecBBcNJnyYvKBOuV0ASs4bZ0/ghmfGNHENk18ZQHZQ0pI1vX +eNk5l60Ensk0WWA/sz1732WzhTtRiQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYC +AwEAAh4BAheAFiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmRRDVUFCRECIiUACgkQ +ZonmTj02ZLsLKg/9FOHsQ9aab5nZd3UfHxT3YTC73wkRIkKtoO1Y3Sv4pHzMr3CP +AV9Z+5YA8rUGyaSB14AFyVKjCswv3Rymd3IV+i2UYO9RwUpv3nM+adumIRga/mXp +yMwARcsRhlrrsUQL0H8R868Z/Pmq7yQw60/0jUXC/O+BJwD0xtTe/oIOwc7oyCDL +oOX8R0XcuVcnoDn0Mc27hFV1xK3iz5c0LtqTLLW20I3YqIVPdiF52SAwFo57xNZ7 +ntIvhntEHvhTzSD/BtiTNolhxf3C/pm/tmkgZ1CbkZn/TmXGEibHauP6Q9l1T7y9 +HkrPrq89c6kRVDnl6k3/W8f38ocat6U2xBcRQYtcLPvns3VpLIcLge1E2k0C7pYT +KxhyCo3Oc8WGpNX7ta/i3umUk0JlNl2vKiqjFilDWiu2ygXzzucmcQCkYQElrmUC +qGMBDnZWAi6qR1yMDiOdeIHni6V8GAjRUGVUhrqzMRNF091Szthxn4EQGOoZSBZl +9MkKm02hlj95eE+7UtSk/tAtLNxnIhwsz4OYxQxKh/kmj7AD8D2mD4ImQKaoCIPv +YJOXt6fHSLWZGNOSAn6oOWgAb4yMfausgJsE+USEsYphAyE/gfyPEqM3h7RzWmFi +u6UHYeKGpEzi6r66x/+WBH7VwJDM0Zg3KfDPXznyq3ZSUjpplQQI56UXttGJAlQE +EwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQQ+zcul+zTSVJYcxT9m +ieZOPTZkuwUCZqBB6wUJFxO9uwAKCRBmieZOPTZku9aiEACv1PUxGDIQGJsbLhQE +rDVW7zKReA7tuRB8x2b3oqZmDom0Myf4ARrh7ELDemLU1FwlWxV6UAl0fDiKY7X1 +gAyFuWZzjqj7R79OruE2UoQHgkrmi+EqUhBTDL3Nmx3aStPSZ+Oo8vgbPcEks+Do +9TJUOTLHV5VM7RnHUNtQgIk/MoxsRngCldk8tKua8GYT29JBrtNxuSshbzzfv9c7 +J22PO0D8HTSNJuuWNVZSAwo0GdcyRSagi4xx++55deGwaKIf7Q4tU0SWXiAdVqdr +V+6QfEE1NSqvE6ELLDnVIErez7zHYi4cqmlwnD0CXtIxBV6xugbpKYTKU7CjwYAd +kVreSixvp1mHM+6BP1UBBF1UUzRTpm5gKkhFF/sztJuZdbYrQF7k4eOR5cvsA61i +DVdI78Xx4WDb4XBQy1KilKeQPjjGuDOWt96wBVQ147jiZ7LeOipgZhtKMda7JA/M +1epZo4OYi/272esCrlAiniEyTRwiwzJ0IyVHtUDgpZaYwmBEqsLWysMTqEPqhl28 +XS9JiEBuL2FM9SZCoebncCE0eXduB6jdqxYTLjmSi4d1UgPrkRPoQpqbjKzUWd6H +wkSAaYc4eoavOU5vzY0Pc0J8iuVkeSkLkCv1Ryt9Lw3boeljopzb0ETCtoPwx7TS +4kxiFLSwRVUMp08RVfFRZ1RUTbkCDQRVMB6wARAAs6tnA4eYBh+NfT8CBppMWK2V +slYJZlzyP+LH/3QKsq6/xUZEjVvlWc8P8i1XwOM1vbbWEXibJhSql6UqBfHIuUX2 +X9X22vcb+COceFgRjXGlGc3Spu7zFv63iUQ7DcO3+s7y/VZVFLZS/JUp7Dm2xMgq +yPKDFMCc7vKIxTIlH0X5kNCEK2AvIRYJjJJJ7BuoEE6ykl98Q5hT3gGjddUwNfbY +Zvhq3BGyrwzIkuURhvduC5s/uuwvoZinOh0bwz5Daeqaw5ojIi5Arp+qkEAuW43T +t8ipRLocXjXDQMSiBKb+UssvYBF10/A3i0JrrUhx29UmEjAeps1+2/t8LZGvhLgs +FpN1a7raThw9BwiTDLcWy67ZcqvL/t5vL/bcnzQVWnhckeyBLfXIhoiHuXjcPEdx +NwURhCFuwAbOea5wOO5plTupwRqvFTK4iwnlUjuyPw/vXp0r3E54O/DyvfYgVu3u +oGxrRlFy6b8f27utR6UK5xuA1lSe45Oltm20i3JU/A8CQ0IjfqaGpjbqEI6gFsa8 +bGDzUbHOv0aNCyTFwJHNMUKkobV5dqXQnSa6I/IF6t4tx6UHw2a48zW1tNoDDR0g +keUKZhkuFKy/Hsftw2JxlGYf0sTFVVW0UOHT2zuck28A3WkJAHpwOhWo+JTO0o7+ +E6Ihui3enOlDFNQeQlUAEQEAAYkCJQQYAQoADwUCVTAesAIbDAUJDwmcAAAKCRBm +ieZOPTZkuy38D/9DPpE4eW74suK6+jrQlJ3f6gqG/wwS5Gwmx6xGc//tslEGtSEv +dwYyq1Nrpg/wnDBFNBespbR6+0LRbn1hJHM9R730a7th9Qd66zca9XGm9HpOyvuO +eoDeTrNv4z/9S+AbAIwD4otcLYaR+fc/Jt99y9rg55JHfHFE2iFvkwTxtsDdgjif +j4MnfUgGqqVRZjtAqC4VosciuNjiU25tdksnlKtlZVV/r/ktq6peuEWSSPSnJzf9 ++pFgIDHQ7gqWvFxIST9g8QvEHBcnbj+/2XWCWTVrop8ulT/hym5T+iJp3OsY8x10 +kGrg7KeYVLsc/mi2gCUktcgQNt5X3YX/mH7uK7jBhSAnR1wJEVwbdiRSFbJLd3C/ +7QazRJA4tCRuhc2AEvYCySMr5SZRJYF1xdDmZetJI4dueMUQxB+UPP7KQQ3c8NBZ +B0t4T1ozN7A0kmbl/WAGQ88NMEBjOrJeMvgV/CNiXq4RfUiEutOjQGk/tOpDh+cG +uEudbulzflHV6F2ul0qP36oVR7f+TLtQPdIDJAOuY4tF/l7v2KKN1ItU8efOLarR +yRZw0GuMCW5owe7s6m6ZJO8ShSCNb4C2skvDJBb4PpZ5o74K/73tIaB2Z1Qks5nf +ZGYBpCkH02hhSGUXNuA+OLXCC9SttAfnLJEaoaXnuxBmm2u7Gs3aVZNwNIkCPAQY +AQoAJgIbDBYhBD7Ny6X7NNJUlhzFP2aJ5k49NmS7BQJkUQ2jBQkRAiJzAAoJEGaJ +5k49NmS7jt4QALbK94RIgZOcBzIlbTjqKAgrg1HB18Xz1MM7mslrxmsqFs/DZCTo +I1/nvlwuPj8IyjqglXfO/hrgJfO1nYHw5snzelZfwAStDEDh1l13Yn7CX7ls995c +jVGbsWY6bfYisl8EjmFFIKrz8YFqBoXGdfkFOaedaINEq+Kh1neRv0lWXivU2PgQ +t8LZ5amSn0qwC2s/jy8rsMPvA/a5z9meAJXPNKJZEsU6xTJWyxiOApmUUZhnTDSR +xMmh6gJNdTX9i+50WN5hv28cEIkigNQ1mLhLPHDDpueGB4KV0/sev2urC4+TxF5V +y9tA5OE5G5tjv2gZ0Kn5maagwWoCUMs96S0h2LRmg/Vr+793upZO60t+RIcvbHAh +O2NVC1hjfCy5/0VW5ryySyiFJe5hb50O8/vrLkQdmOK26HKRabVIHvi/LtfDFMmq +HBNSCN2NzozCbjC7Z4YJqt9JM+sSKfdfqgUHtNQV10NzyAAMqY+zL5Da2ztEBnOX +V09ASYcGHBsf2J9e1qFCOWDtcpg3sDoHJ8PFyiejRUcG17mBMciiL2TsLAQgeqOU +emGkI5GfMV6a7naR1I3j2DCuormEZOu6/QF8b8txi7anH07ZvrlBNxHicXVmvTtd +/MvekxQewOq5gFLrsvYWfJfA4R/FGdcQLfgFmnJWS/tB8HkC65AZsh4ViQI8BBgB +CgAmAhsMFiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmagQiYFCRcTvfYACgkQZonm +Tj02ZLt61A//dhIMU1VyuoaIpWbYtKoM4j1iJGl76EynpemY9bvHrU/DkJYCOxwO +XRu2OlRwp5Kf5RNSS4g7Aloqhdk9MTPWgxxvXRYRF0gbTnYSjN4pi1abi3PqrMsB +B/2xHEbmZpDfUu2nvyzkULhmmxYktHCEqUA9Eh3OkWztWq4eH7TwHIxEcE+TnGwo +vP0pxyPhYZP2fA6prVnSwfd5HB9CuJc9bVPPbnvv1FUbxFbbxA3ysU92Y2YqxQxF +2u4+f3D1bKMEOTfNY04AflpEHdeO8wG/em/SgHUsv2V++4kOfa/xW2siM5CW7h2Y +WRbgmg9E7CrR80sCw0/J8O+hCdRKHGZmXT3G0tyvPJOMY0M5eCctzz2RlxPp3W4D +U3GgOjF0s52kE5O2Kv9J3Xse8erYm18DzNfb/H3ALwWBL3lCep8cjk+C8OkTp+ZZ +pxN6UnDHDXRuuFBvD9dZW5/JqHer50BOiFiOlC1W2KbkPGk/s3AU2YLXy7SS29ZD +rrgLpsMKYkOuu1eQQVvLwH8WnwwxFwsKXUmTpl97ScqkqGl7gRIZtQpV8hgG6Y1t +L7323BytkbKejrcBmMEYXSbNhjff8hLfPuBVOrOZ+OrOd3uLPgzZN+9o9R2rn4eW +Xt3r7xAbhQFB0YU+8kIO5M2cSv3QGfu8uzudVmaQedz7lc3wjSrRw9k= +=z6xV +-----END PGP PUBLIC KEY BLOCK----- diff --git a/apparmor.spec b/apparmor.spec new file mode 100644 index 0000000..d87de9a --- /dev/null +++ b/apparmor.spec @@ -0,0 +1,895 @@ +# +# spec file for package apparmor +# +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2011-2024 Christian Boltz +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%if 0%{?suse_version} >= 1550 +%define sbindir %_sbindir +%define apparmor_bin_prefix /usr/lib/apparmor +%else +%define sbindir /sbin +%define apparmor_bin_prefix /lib/apparmor +%endif + +%if 0%{?suse_version} <= 1500 +# _pamdir isn't defined in 15.x +%define _pamdir /%{_lib}/security +%endif + +# warning - confusing syntax ahead ;-) +# bcond_with means "disable" +# bcond_without means "enable" +%bcond_with tomcat +%bcond_without pam +%bcond_without apache +%bcond_without perl +%bcond_without python3 +%bcond_without ruby + +%if 0%{?suse_version} <= 1550 +# enable precompiled profile cache on <= 15.x +%bcond_without precompiled_cache +%else +# don't build precompiled profile cache on Tumbleweed as long as it's purely validated based on timestamps (boo#1205659) +%bcond_with precompiled_cache +%endif + +%define CATALINA_HOME /usr/share/tomcat6 +%define JAR_FILE changeHatValve.jar + +%define tarversion v4.0.2 +%define pyeggversion 4.0.2 + +Name: apparmor +Version: 4.0.2 +Release: 0 +Summary: AppArmor userlevel parser utility +License: GPL-2.0-or-later +Group: Productivity/Networking/Security +URL: https://gitlab.com/apparmor/apparmor/ +Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz +# from https://gitlab.com/apparmor/apparmor/-/wikis/%{version}_Signatures +Source1: apparmor-%{tarversion}.tar.gz.asc +Source2: %{name}.keyring + +Source6: baselibs.conf +Source7: apparmor-rpmlintrc + +# enable caching of profiles (= massive performance speedup when loading profiles) +# and set cache-loc in parser.conf and apparmor.service accordingly +Patch1: apparmor-enable-profile-cache.diff + +# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) +Patch4: apparmor-lessopen-profile.patch + +# make include in apache extra profile optional to make openQA happy (boo#1178527) +Patch6: apache-extra-profile-include-if-exists.diff + +# add path for precompiled cache (only done/applied if precompiled_cache is enabled) +Patch7: apparmor-enable-precompiled-cache.diff + +PreReq: sed +BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildRequires: autoconf +BuildRequires: autoconf-archive +BuildRequires: automake +BuildRequires: bison +BuildRequires: dejagnu +BuildRequires: flex +BuildRequires: gcc-c++ +BuildRequires: iproute2 +BuildRequires: libtool +BuildRequires: pcre-devel +BuildRequires: pkg-config +BuildRequires: python3 +BuildRequires: swig +BuildRequires: perl(Locale::gettext) + +%if %{with python3} +BuildRequires: python-rpm-macros +BuildRequires: python3-devel +BuildRequires: python3-notify2 +BuildRequires: python3-psutil +BuildRequires: python3-setuptools +%endif + +%if %{with ruby} +BuildRequires: ruby-devel +%endif + +%if %{with apache} +BuildRequires: apache-rpm-macros +BuildRequires: apache2-devel +%endif + +%if %{with tomcat} +BuildRequires: ant +BuildRequires: java-devel >= 1.6.0 +BuildRequires: tomcat6 +%endif + +%package parser +Summary: AppArmor userlevel parser utility +License: GPL-2.0-or-later +Group: Productivity/Networking/Security +Conflicts: apparmor-utils < 3.0 +Obsoletes: libimnxcert < 2.9 +Obsoletes: subdomain-leaf-cert < 2.9 +Obsoletes: subdomain-parser < 2.9 +Obsoletes: subdomain-parser-common < 2.9 +Obsoletes: subdomain-parser-demo < 2.9 +Obsoletes: subdomain_parser < 2.9 +Provides: libimnxcert = %{version} +Provides: subdomain-leaf-cert = %{version} +Provides: subdomain-parser = %{version} +Provides: subdomain-parser-common = %{version} +Provides: subdomain-parser-demo = %{version} +Provides: subdomain_parser = %{version} +Provides: apparmor-parser(CAP_SYSLOG) +BuildRequires: systemd-rpm-macros +%{?systemd_ordering} + +%description parser +The AppArmor Parser is a userlevel program that is used to load in +program profiles to the AppArmor Security kernel module. + +This package is part of a suite of tools that used to be named +SubDomain. + +%package docs +Summary: AppArmor Documentation package +License: GPL-2.0-or-later +Group: Documentation/Other +BuildArch: noarch + +%description docs +This package contains documentation for AppArmor. + +This package is part of a suite of tools that used to be named +SubDomain. + +%if %{with apache} + +%package -n apache2-mod_apparmor +Summary: AppArmor module for apache2 +License: GPL-2.0-or-later +Group: Productivity/Security + +%description -n apache2-mod_apparmor +apache2-modapparmor adds support to apache2 to provide AppArmor +confinement to individual cgi scripts handled by apache modules like +mod_php and mod_perl. + +This package is part of a suite of tools that used to be named +SubDomain. + +The documentation is in the apparmor-admin_en package. + +%endif + +%if %{with perl} + +%package -n perl-apparmor +Summary: Perl interface for libapparmor functions +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: Development/Libraries/Perl +Requires: libapparmor1 = %{version} +Requires: perl = %{perl_version} +Provides: perl-libapparmor = %{version} +Obsoletes: perl-libapparmor < 2.5 + +%description -n perl-apparmor +This package provides the perl interface to AppArmor. It is used for perl +applications interfacing with AppArmor. + +%endif + +%if %{with python3} + +%package -n python3-apparmor +Summary: Python 3 interface for libapparmor functions +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: Development/Libraries/Python +Requires: libapparmor1 = %{version} +Requires: python3 +Requires: python(abi) = %{py3_ver} + +%description -n python3-apparmor +This package provides the python interface to AppArmor. It is used for python +applications interfacing with AppArmor. + +%endif + +%if %{with ruby} + +%package -n ruby-apparmor +Summary: Ruby interface for libapparmor functions +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: Development/Languages/Ruby +Requires: libapparmor1 = %{version} +Requires: ruby = %(rpm -q --qf '%%{version}' ruby) +Provides: ruby-libapparmor = %{version} +Obsoletes: ruby-libapparmor < 2.5 + +%description -n ruby-apparmor +This package provides the ruby interface to AppArmor. It is used for ruby +applications interfacing with AppArmor. + +%endif + +%package abstractions +Summary: AppArmor abstractions and directory structure +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: Productivity/Security +Requires: apparmor-parser(CAP_SYSLOG) +BuildArch: noarch + +%description abstractions +AppArmor abstractions (common parts used in various profiles) and +the /etc/apparmor.d/ directory structure. + +AppArmor is a file and network mandatory access control mechanism. +AppArmor confines processes to the resources allowed by the systems +administrator and can constrain the scope of potential security +vulnerabilities. + +This package is part of a suite of tools that used to be named +SubDomain. + +%package profiles +Summary: AppArmor profiles that are loaded into the apparmor kernel module +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: Productivity/Security +Requires: apparmor-abstractions >= %{version} +Requires: apparmor-parser(CAP_SYSLOG) +Obsoletes: subdomain-profiles < 2.9 +Provides: subdomain-profiles = %{version} +BuildArch: noarch + +%description profiles +Base profiles. AppArmor is a file and network mandatory access control +mechanism. AppArmor confines processes to the resources allowed by the +systems administrator and can constrain the scope of potential security +vulnerabilities. + +This package is part of a suite of tools that used to be named +SubDomain. + +%package utils +Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: Productivity/Security +Requires: apparmor-parser +Requires: libapparmor1 = %{version} +Requires: python3-apparmor = %{version} +Requires: python3-base +Requires: python3-notify2 +Requires: python3-psutil +# aa-unconfined needs ss +Recommends: iproute2 +BuildArch: noarch + +%description utils +This package provides the aa-logprof, aa-genprof, aa-autodep, +aa-enforce, and aa-complain tools to assist with profile authoring. +Besides it provides the aa-unconfined server information tool. +It is part of a suite of tools that used to be named SubDomain. + +%if %{with tomcat} + +%package -n tomcat_apparmor +Summary: Tomcat 6 plugin for AppArmor change_hat +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: System/Libraries +Requires: libapparmor1 = %{version} +Requires: tomcat6 + +%description -n tomcat_apparmor +tomcat_apparmor - is a plugin for Apache Tomcat version 6 that +provides support for AppArmor change_hat for creating AppArmor +containers that are bound to discrete elements of processing within the +Tomcat servlet container. The AppArmor containers, or "hats", can be +created for individual URL processing or per servlet. + +%endif + +%if %{with pam} + +%package -n pam_apparmor +Summary: PAM module for AppArmor change_hat +License: GPL-2.0-only AND LGPL-2.1-or-later +Group: Productivity/Security +BuildRequires: pam-devel +PreReq: pam +PreReq: pam-config +Requires: pam +Requires: pam-config + +%description -n pam_apparmor +The pam_apparmor module provides the means for any PAM applications +that call pam_open_session() to automatically perform an AppArmor +change_hat operation in order to switch to a user-specific security +policy. + +%endif + +%description +The AppArmor Parser is a userlevel program that is used to load in +program profiles to the AppArmor Security kernel module. + +This package is part of a suite of tools that used to be named +SubDomain. + +%lang_package -n apparmor-utils +%lang_package -n apparmor-parser + +%prep +%setup -q -n %{name}-%{tarversion} + +# very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984) +mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/ + +%patch -P 1 +%patch -P 4 +%patch -P 6 +%if %{with precompiled_cache} +%patch -P 7 +%endif + +%build +export SUSE_ASNEEDED=0 + +# libapparmor: +( + cd ./libraries/libapparmor + sh ./autogen.sh && \ + %configure \ +%if %{with perl} + --with-perl \ +%endif +%if %{with python3} + --with-python \ +%else + --without-python \ +%endif +%if %{with ruby} + --with-ruby \ +%else + --without-ruby \ +%endif + + make +) + +# Utilities: +make -C utils + +# binutils +make -C binutils + +# parser: +make -C parser V=1 + +# Apache mod_apparmor: +%if %{with apache} + make -C changehat/mod_apparmor +%endif + +# PAM AppArmor: +%if %{with pam} + make -C changehat/pam_apparmor +%endif + +# Profiles: +make -C profiles + +%if %{with tomcat} + make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} +%endif + +# pre-build profile cache +# note that -L only works with an absolute path, therefore prefix it with $(pwd) +%if %{with precompiled_cache} +parser/apparmor_parser --config-file $(pwd)/parser/parser.conf --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/ +%endif + +# create filelist of previously (up to 3.1.x) shipped local/* files +# (adding them as %ghost prevents modified files from being moved to *.rpmsave) +for oldlocal in \ + bin.ping lsb_release nvidia_modprobe php-fpm samba-bgqd samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss sbin.klogd sbin.syslogd sbin.syslog-ng \ + usr.bin.lessopen.sh usr.lib.dovecot.anvil usr.lib.dovecot.auth usr.lib.dovecot.config usr.lib.dovecot.deliver usr.lib.dovecot.dict usr.lib.dovecot.director \ + usr.lib.dovecot.doveadm-server usr.lib.dovecot.dovecot-auth usr.lib.dovecot.dovecot-lda usr.lib.dovecot.imap usr.lib.dovecot.imap-login usr.lib.dovecot.lmtp \ + usr.lib.dovecot.log usr.lib.dovecot.managesieve usr.lib.dovecot.managesieve-login usr.lib.dovecot.pop3 usr.lib.dovecot.pop3-login usr.lib.dovecot.replicator \ + usr.lib.dovecot.script-login usr.lib.dovecot.ssl-params usr.lib.dovecot.stats usr.sbin.apache2 usr.sbin.avahi-daemon usr.sbin.dnsmasq usr.sbin.dovecot \ + usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \ + usr.sbin.winbindd zgrep +do + echo "%ghost %config %attr(0644,root,root) /etc/apparmor.d/local/$oldlocal" +done > oldlocal.files + +%check +make check -C libraries/libapparmor +make check -C parser +make check -C binutils + +# some tests depend on kernel LSM (e.g. access /proc/PID/attr/apparmor/current) +if grep -q apparmor /sys/kernel/security/lsm; then + # profiles make check fails for the utils (they expect + # /sbin/apparmor_parser to exist), therefore only do parser-based check + make -C profiles check-parser + +%if %{with precompiled_cache} + # test for a few files that should exist in the cache + test -f profiles/cache/*/bin.ping + test -f profiles/cache/*/.features +%endif + + # run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121 + make check -o check_lint -C utils +else + # clear grep status to avoid flagging check failure + true +fi + +%install +# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec +%makeinstall -C libraries/libapparmor/swig + +# utilities +%makeinstall -C utils +test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568 +mkdir -p %{buildroot}%{_localstatedir}/log/apparmor + +# binutils +%makeinstall -C binutils +( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec ) + +%makeinstall -C profiles + +%if %{with precompiled_cache} +install -d -m 755 %{buildroot}/usr/share/apparmor/cache +echo -e "\n\n *** WARNING: precompiling cache is known to fail under 'osc build' - use 'osc build --vm-type kvm' instead or skip building the precompiled cache with 'osc build --without precompiled_cache' ***\n\n" +# ensure cache files are newer than (text) profiles by sleeping a few seconds, and using cp -r which updates the timestamps +sleep 2 +cp -r profiles/cache/* %{buildroot}/usr/share/apparmor/cache +test -f %{buildroot}/usr/share/apparmor/cache/*/.features +test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping +%endif + +%makeinstall SBINDIR="%{buildroot}%{sbindir}" APPARMOR_BIN_PREFIX="%{buildroot}%{apparmor_bin_prefix}" -C parser +# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location +# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it +mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor +( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d ) + +%if %{with apache} + %makeinstall -C changehat/mod_apparmor +%endif + +%if %{with pam} + %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_pamdir} +%endif + +%if %{with tomcat} + mkdir -p %{buildroot}/%{CATALINA_HOME} + %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME} +%endif + +find %{buildroot} -name .packlist -exec rm -vf {} \; +find %{buildroot} -name perllocal.pod -exec rm -vf {} \; + +# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm]. +# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix +for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do + d=$(dirname $file) + f=$(basename $file) + case "${f#aa-}" in + audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \ + audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) + if [ "${f#aa-}" != "$f" ]; then + ln -s $f $d/${f#aa-} + fi + ;; + esac +done + +mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8} +mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8} +rm -f %{buildroot}%{_mandir}/man8/decode.8 + +for pkg in apparmor-utils apparmor-parser aa-binutils; do + %find_lang $pkg +done + +# remove *.la files +rm -fv %{buildroot}%{_libdir}/libapparmor.la + +# bsc#1212476 +%python3_fix_shebang + +%files docs +%defattr(-,root,root) +%doc parser/*.[1-9].html +%doc utils/vim/apparmor.vim.5.html +%doc common/apparmor.css +#doc parser/techdoc.pdf +# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file +%dir %{_datadir}/apparmor +%{_datadir}/apparmor/apparmor.vim + +%files parser +%defattr(-,root,root) +%license parser/COPYING.GPL +%doc parser/README +%{sbindir}/apparmor_parser +%{_bindir}/aa-enabled +%{_bindir}/aa-exec +%{_bindir}/aa-features-abi +%{_sbindir}/aa-load +%{_sbindir}/aa-status +%{_sbindir}/apparmor_status +%{_sbindir}/status +%{_sbindir}/aa-teardown +%{_sbindir}/exec +%dir %attr(-, root, root) %{_sysconfdir}/apparmor +%dir %{_sysconfdir}/apparmor.d +%{_sysconfdir}/apparmor.d/cache.d +%{sbindir}/rcapparmor +%{_unitdir}/apparmor.service +%config(noreplace) %{_sysconfdir}/apparmor/parser.conf +%{_localstatedir}/cache/apparmor +%dir %attr(-, root, root) %{apparmor_bin_prefix} +%{apparmor_bin_prefix}/rc.apparmor.functions +%{apparmor_bin_prefix}/apparmor.systemd +%{apparmor_bin_prefix}/profile-load +%doc %{_mandir}/man1/aa-enabled.1.gz +%doc %{_mandir}/man1/aa-exec.1.gz +%doc %{_mandir}/man1/aa-features-abi.1.gz +%doc %{_mandir}/man1/exec.1.gz +%doc %{_mandir}/man5/apparmor.d.5.gz +%doc %{_mandir}/man5/apparmor.vim.5.gz +%doc %{_mandir}/man7/apparmor.7.gz +%doc %{_mandir}/man7/apparmor_xattrs.7.gz +%doc %{_mandir}/man8/aa-status.8.gz +%doc %{_mandir}/man8/aa-teardown.8.gz +%doc %{_mandir}/man8/apparmor_parser.8.gz +%doc %{_mandir}/man8/apparmor_status.8.gz + +%pre parser +%service_add_pre apparmor.service + +%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang +%defattr(-,root,root) + +%files abstractions +%defattr(644,root,root,755) +%dir %{_sysconfdir}/apparmor.d/ +%dir %{_sysconfdir}/apparmor.d/abi +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0 +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/4.0 +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla +%dir %{_sysconfdir}/apparmor.d/abstractions +%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/* +%dir %{_sysconfdir}/apparmor.d/disable +%dir %{_sysconfdir}/apparmor.d/local +%dir %{_sysconfdir}/apparmor.d/tunables +%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/* + +%files profiles -f oldlocal.files +%defattr(644,root,root,755) +%dir %{_sysconfdir}/apparmor.d/apache2.d +%config(noreplace) %{_sysconfdir}/apparmor.d/bin.* +%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* +%config(noreplace) %{_sysconfdir}/apparmor.d/usr.* + +%config(noreplace) %{_sysconfdir}/apparmor.d/1password +%config(noreplace) %{_sysconfdir}/apparmor.d/Discord +%config(noreplace) %{_sysconfdir}/apparmor.d/MongoDB_Compass +%config(noreplace) %{_sysconfdir}/apparmor.d/QtWebEngineProcess +%config(noreplace) %{_sysconfdir}/apparmor.d/balena-etcher +%config(noreplace) %{_sysconfdir}/apparmor.d/brave +%config(noreplace) %{_sysconfdir}/apparmor.d/buildah +%config(noreplace) %{_sysconfdir}/apparmor.d/busybox +%config(noreplace) %{_sysconfdir}/apparmor.d/cam +%config(noreplace) %{_sysconfdir}/apparmor.d/ch-checkns +%config(noreplace) %{_sysconfdir}/apparmor.d/ch-run +%config(noreplace) %{_sysconfdir}/apparmor.d/chrome +%config(noreplace) %{_sysconfdir}/apparmor.d/chromium +%config(noreplace) %{_sysconfdir}/apparmor.d/code +# exclude crun, podman and runc profiles until the updated container engines (including updated profile with "signal peer=runc") has arrived +#config(noreplace) %{_sysconfdir}/apparmor.d/crun +%exclude %{_sysconfdir}/apparmor.d/crun +%exclude %{_sysconfdir}/apparmor.d/podman +%exclude %{_sysconfdir}/apparmor.d/runc +%config(noreplace) %{_sysconfdir}/apparmor.d/devhelp +%config(noreplace) %{_sysconfdir}/apparmor.d/element-desktop +%config(noreplace) %{_sysconfdir}/apparmor.d/epiphany +%config(noreplace) %{_sysconfdir}/apparmor.d/evolution +%config(noreplace) %{_sysconfdir}/apparmor.d/firefox +%config(noreplace) %{_sysconfdir}/apparmor.d/flatpak +%config(noreplace) %{_sysconfdir}/apparmor.d/foliate +%config(noreplace) %{_sysconfdir}/apparmor.d/geary +%config(noreplace) %{_sysconfdir}/apparmor.d/github-desktop +%config(noreplace) %{_sysconfdir}/apparmor.d/goldendict +%config(noreplace) %{_sysconfdir}/apparmor.d/ipa_verify +%config(noreplace) %{_sysconfdir}/apparmor.d/kchmviewer +%config(noreplace) %{_sysconfdir}/apparmor.d/keybase +%config(noreplace) %{_sysconfdir}/apparmor.d/lc-compliance +%config(noreplace) %{_sysconfdir}/apparmor.d/libcamerify +%config(noreplace) %{_sysconfdir}/apparmor.d/linux-sandbox +%config(noreplace) %{_sysconfdir}/apparmor.d/loupe +%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release +%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-attach +%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-create +%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-destroy +%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-execute +%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-stop +%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-unshare +%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-usernsexec +%config(noreplace) %{_sysconfdir}/apparmor.d/mmdebstrap +%config(noreplace) %{_sysconfdir}/apparmor.d/msedge +%config(noreplace) %{_sysconfdir}/apparmor.d/nautilus +%config(noreplace) %{_sysconfdir}/apparmor.d/notepadqq +%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe +%config(noreplace) %{_sysconfdir}/apparmor.d/obsidian +%config(noreplace) %{_sysconfdir}/apparmor.d/opam +%config(noreplace) %{_sysconfdir}/apparmor.d/opera +%config(noreplace) %{_sysconfdir}/apparmor.d/pageedit +%config(noreplace) %{_sysconfdir}/apparmor.d/plasmashell +%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm +%config(noreplace) %{_sysconfdir}/apparmor.d/polypane +%config(noreplace) %{_sysconfdir}/apparmor.d/privacybrowser +%config(noreplace) %{_sysconfdir}/apparmor.d/qcam +%config(noreplace) %{_sysconfdir}/apparmor.d/qmapshack +%config(noreplace) %{_sysconfdir}/apparmor.d/qutebrowser +%config(noreplace) %{_sysconfdir}/apparmor.d/rootlesskit +%config(noreplace) %{_sysconfdir}/apparmor.d/rpm +%config(noreplace) %{_sysconfdir}/apparmor.d/rssguard +#config(noreplace) %{_sysconfdir}/apparmor.d/runc +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-* +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-abort +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-adduser +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-apt +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-checkpackages +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-clean +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-createchroot +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-destroychroot +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-distupgrade +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-hold +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-shell +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-unhold +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-update +%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-upgrade +%config(noreplace) %{_sysconfdir}/apparmor.d/scide +%config(noreplace) %{_sysconfdir}/apparmor.d/signal-desktop +%config(noreplace) %{_sysconfdir}/apparmor.d/slack +%config(noreplace) %{_sysconfdir}/apparmor.d/slirp4netns +%config(noreplace) %{_sysconfdir}/apparmor.d/steam +%config(noreplace) %{_sysconfdir}/apparmor.d/stress-ng +%config(noreplace) %{_sysconfdir}/apparmor.d/surfshark +%config(noreplace) %{_sysconfdir}/apparmor.d/systemd-coredump +%config(noreplace) %{_sysconfdir}/apparmor.d/thunderbird +%config(noreplace) %{_sysconfdir}/apparmor.d/toybox +%config(noreplace) %{_sysconfdir}/apparmor.d/transmission +%config(noreplace) %{_sysconfdir}/apparmor.d/trinity +%config(noreplace) %{_sysconfdir}/apparmor.d/tup +%config(noreplace) %{_sysconfdir}/apparmor.d/tuxedo-control-center +%config(noreplace) %{_sysconfdir}/apparmor.d/unix-chkpwd +%config(noreplace) %{_sysconfdir}/apparmor.d/unprivileged_userns +%config(noreplace) %{_sysconfdir}/apparmor.d/userbindmount +%config(noreplace) %{_sysconfdir}/apparmor.d/uwsgi-core +%config(noreplace) %{_sysconfdir}/apparmor.d/vdens +%config(noreplace) %{_sysconfdir}/apparmor.d/virtiofsd +%config(noreplace) %{_sysconfdir}/apparmor.d/vivaldi-bin +%config(noreplace) %{_sysconfdir}/apparmor.d/vpnns +%config(noreplace) %{_sysconfdir}/apparmor.d/wike +%config(noreplace) %{_sysconfdir}/apparmor.d/wpcom +%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep + +%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo +%config(noreplace) %{_sysconfdir}/apparmor.d/local/README +%dir /usr/share/apparmor/ +%if %{with precompiled_cache} +/usr/share/apparmor/cache/ +%endif +/usr/share/apparmor/extra-profiles/ + +%files utils +%defattr(-,root,root) +%dir %{_sysconfdir}/apparmor +%config(noreplace) %{_sysconfdir}/apparmor/easyprof.conf +%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf +%config(noreplace) %{_sysconfdir}/apparmor/notify.conf +%config(noreplace) %{_sysconfdir}/apparmor/severity.db +%{_sbindir}/aa-audit +%{_sbindir}/aa-autodep +%{_sbindir}/aa-cleanprof +%{_sbindir}/aa-complain +%{_sbindir}/aa-decode +%{_sbindir}/aa-disable +%{_sbindir}/aa-enforce +%{_sbindir}/aa-genprof +%{_sbindir}/aa-logprof +%{_sbindir}/aa-mergeprof +%{_sbindir}/aa-notify +%{_sbindir}/aa-remove-unknown +%{_sbindir}/aa-unconfined +%{_sbindir}/audit +%{_sbindir}/autodep +%{_sbindir}/complain +%{_sbindir}/decode +%{_sbindir}/disable +%{_sbindir}/enforce +%{_sbindir}/genprof +%{_sbindir}/logprof +%{_sbindir}/notify +%{_sbindir}/unconfined +%{_bindir}/aa-easyprof +%dir %{_datadir}/apparmor +%{_datadir}/apparmor/easyprof/ +%dir %{_localstatedir}/log/apparmor +%doc %{_mandir}/man5/logprof.conf.5.gz +%doc %{_mandir}/man8/apparmor_notify.8.gz +%doc %{_mandir}/man8/aa-audit.8.gz +%doc %{_mandir}/man8/aa-autodep.8.gz +%doc %{_mandir}/man8/aa-cleanprof.8.gz +%doc %{_mandir}/man8/aa-complain.8.gz +%doc %{_mandir}/man8/aa-decode.8.gz +%doc %{_mandir}/man8/aa-disable.8.gz +%doc %{_mandir}/man8/aa-easyprof.8.gz +%doc %{_mandir}/man8/aa-enforce.8.gz +%doc %{_mandir}/man8/aa-genprof.8.gz +%doc %{_mandir}/man8/aa-logprof.8.gz +%doc %{_mandir}/man8/aa-mergeprof.8.gz +%doc %{_mandir}/man8/aa-notify.8.gz +%doc %{_mandir}/man8/aa-remove-unknown.8.gz +%doc %{_mandir}/man8/aa-unconfined.8.gz +%doc %{_mandir}/man8/audit.8.gz +%doc %{_mandir}/man8/autodep.8.gz +%doc %{_mandir}/man8/complain.8.gz +%doc %{_mandir}/man8/disable.8.gz +%doc %{_mandir}/man8/easyprof.8.gz +%doc %{_mandir}/man8/enforce.8.gz +%doc %{_mandir}/man8/genprof.8.gz +%doc %{_mandir}/man8/logprof.8.gz +%doc %{_mandir}/man8/unconfined.8.gz +%doc utils/*.[0-9].html +%doc common/apparmor.css + +%files utils-lang -f apparmor-utils.lang + +%if %{with perl} +%files -n perl-apparmor +%defattr(-,root,root) +%{perl_vendorarch}/auto/LibAppArmor/ +%{perl_vendorarch}/LibAppArmor.pm +%endif + +%if %{with python3} + +%files -n python3-apparmor +%defattr(-,root,root) +%{python3_sitearch}/LibAppArmor-%{pyeggversion}-py*.egg-info +%dir %{python3_sitearch}/LibAppArmor +%dir %{python3_sitearch}/LibAppArmor/__pycache__ +%{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so +%{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc +%{python3_sitearch}/LibAppArmor/__pycache__/LibAppArmor.cpython-*.pyc +%{python3_sitearch}/LibAppArmor/__init__.py +%{python3_sitearch}/LibAppArmor/LibAppArmor.py +%{python3_sitelib}/apparmor/ +%{python3_sitelib}/apparmor-%{pyeggversion}-py*.egg-info +%endif + +%if %{with ruby} + +%files -n ruby-apparmor +%defattr(-,root,root) +%{rb_sitearchdir}/LibAppArmor.so +%endif + +%if %{with pam} + +%files -n pam_apparmor +%defattr(444,root,root,755) +%attr(555,root,root) %{_pamdir}/pam_apparmor.so +%doc changehat/pam_apparmor/README +%endif + +%if %{with tomcat} + +%files -n tomcat_apparmor +%defattr(-,root,root) +%{CATALINA_HOME}/lib/%{JAR_FILE} +%{_libdir}/libJNI* +%doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor +%endif + +%if %{with apache} + +%files -n apache2-mod_apparmor +%defattr(-,root,root) +%{apache_libexecdir}/mod_apparmor.so +%doc %{_mandir}/man8/mod_apparmor.8.gz +%endif + +%post parser +%service_add_post apparmor.service + +%preun parser +%service_del_preun apparmor.service + +%postun parser +# bnc#853019 aka boo#853019 is still a thing, but in the meantime apparmor.service has ExecStop=/bin/true (= do nothing), +# which means that 'systemctl restart apparmor' is safe now +%service_del_postun apparmor.service + +%posttrans abstractions +# workaround for bnc#904620#c8 / lp#1392042 +rm -f /var/cache/apparmor/* 2>/dev/null +#restart_on_update apparmor - but non-broken (bnc#853019) +systemctl is-active -q apparmor && systemctl reload apparmor ||: + +%post profiles +# delete old cache (location up to 2.12) +rm -f /var/lib/apparmor/cache/* 2>/dev/null + +# cleanup old, unchanged local/* files +for oldlocal in \ + bin.ping lsb_release nvidia_modprobe php-fpm samba-bgqd samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss sbin.klogd sbin.syslogd sbin.syslog-ng \ + usr.bin.lessopen.sh usr.lib.dovecot.anvil usr.lib.dovecot.auth usr.lib.dovecot.config usr.lib.dovecot.deliver usr.lib.dovecot.dict usr.lib.dovecot.director \ + usr.lib.dovecot.doveadm-server usr.lib.dovecot.dovecot-auth usr.lib.dovecot.dovecot-lda usr.lib.dovecot.imap usr.lib.dovecot.imap-login usr.lib.dovecot.lmtp \ + usr.lib.dovecot.log usr.lib.dovecot.managesieve usr.lib.dovecot.managesieve-login usr.lib.dovecot.pop3 usr.lib.dovecot.pop3-login usr.lib.dovecot.replicator \ + usr.lib.dovecot.script-login usr.lib.dovecot.ssl-params usr.lib.dovecot.stats usr.sbin.apache2 usr.sbin.avahi-daemon usr.sbin.dnsmasq usr.sbin.dovecot \ + usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \ + usr.sbin.winbindd zgrep +do + if [ -f "/etc/apparmor.d/local/$oldlocal" ] && [ "$(cat /etc/apparmor.d/local/$oldlocal)" = "# Site-specific additions and overrides for '$oldlocal'" ] ; then + rm "/etc/apparmor.d/local/$oldlocal" || : + fi +done + +%posttrans profiles +# workaround for bnc#904620#c8 / lp#1392042 +rm -f /var/cache/apparmor/* 2>/dev/null +#restart_on_update apparmor - but non-broken (bnc#853019) +systemctl is-active -q apparmor && systemctl reload apparmor ||: + +%if %{with tomcat} +%post -n tomcat_apparmor -p /sbin/ldconfig + +%postun -n tomcat_apparmor -p /sbin/ldconfig +%endif + +%if %{with pam} +%post -n pam_apparmor +if [ $1 -eq 1 ]; then + pam-config --add --apparmor || : +fi + +%postun -n pam_apparmor +if [ $1 -eq 0 ]; then + pam-config --delete --apparmor || : +fi +%endif + +%changelog diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..35d2885 --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,5 @@ +pam_apparmor + supplements "packageand(pam_apparmor:pam-)" +libapparmor1 + obsoletes "libapparmor- <= " + provides "libapparmor- = " diff --git a/libapparmor.spec b/libapparmor.spec new file mode 100644 index 0000000..30d6adb --- /dev/null +++ b/libapparmor.spec @@ -0,0 +1,128 @@ +# +# spec file for package libapparmor +# +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2011-2024 Christian Boltz +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define tarversion v4.0.2 + +Name: libapparmor +Version: 4.0.2 +Release: 0 +Summary: Utility library for AppArmor +License: LGPL-2.1-or-later +Group: Development/Libraries/C and C++ +URL: https://gitlab.com/apparmor/apparmor/ +Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz +# from https://gitlab.com/apparmor/apparmor/-/wikis/%{version}_Signatures +Source1: apparmor-%{tarversion}.tar.gz.asc +Source2: apparmor.keyring +BuildRequires: autoconf +BuildRequires: autoconf-archive +BuildRequires: automake +BuildRequires: bison +BuildRequires: dejagnu +BuildRequires: flex +BuildRequires: libtool +BuildRequires: pkg-config +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +This package provides the libapparmor library, which contains the +change_hat(2) symbol, used for sub-process confinement by AppArmor, as +well as functions to parse AppArmor log messages. + +%package -n libapparmor1 +Summary: Utility library for AppArmor +Group: System/Libraries +%ifarch ppc64 +Obsoletes: libapparmor-64bit < 2.9 +Provides: libapparmor-64bit = %{version} +%endif +Provides: libapparmor = %{version} +Obsoletes: libapparmor < 2.9 + +%description -n libapparmor1 +This package provides the libapparmor library, which contains the +change_hat(2) symbol, used for sub-process confinement by AppArmor, as +well as functions to parse AppArmor log messages. + +%package -n libapparmor-devel +Summary: Development headers and libraries for libapparmor +Group: Development/Libraries/C and C++ +Requires: libapparmor1 = %{version} +Provides: libapparmor:/usr/include/sys/apparmor.h + +%description -n libapparmor-devel +These libraries are needed for developing software that makes use of the +AppArmor API. + +%prep +%setup -q -n apparmor-%{tarversion} + +%build +( + cd ./libraries/libapparmor + sh ./autogen.sh && + %configure \ + --without-perl \ + --without-python \ + --without-ruby \ + + make +) + +%check +make check -C libraries/libapparmor + +%install +%makeinstall -C libraries/libapparmor +# create symlink for old change_hat(2) manpage +( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) + +# remove *.la and *.a files +rm -fv %{buildroot}%{_libdir}/libapparmor.la +rm -fv %{buildroot}%{_libdir}/libapparmor.a + +%post -n libapparmor1 -p /sbin/ldconfig + +%postun -n libapparmor1 -p /sbin/ldconfig + +%files -n libapparmor1 +%defattr(-,root,root) +%{_libdir}/libapparmor.so.* + +%files -n libapparmor-devel +%defattr(-,root,root) +%{_libdir}/libapparmor.so +%{_libdir}/pkgconfig/libapparmor.pc +%doc %{_mandir}/man2/aa_change_hat.2.gz +%doc %{_mandir}/man2/aa_change_profile.2.gz +%doc %{_mandir}/man2/aa_stack_profile.2.gz +%doc %{_mandir}/man2/change_hat.2.gz +%doc %{_mandir}/man2/aa_find_mountpoint.2.gz +%doc %{_mandir}/man2/aa_getcon.2.gz +%doc %{_mandir}/man2/aa_query_label.2.gz +%doc %{_mandir}/man3/aa_features.3.gz +%doc %{_mandir}/man3/aa_kernel_interface.3.gz +%doc %{_mandir}/man3/aa_policy_cache.3.gz +%doc %{_mandir}/man3/aa_splitcon.3.gz +%dir %{_includedir}/aalogparse +%{_includedir}/sys/apparmor.h +%{_includedir}/sys/apparmor_private.h +%{_includedir}/aalogparse/* + +%changelog diff --git a/logprof-mount-empty-source.diff b/logprof-mount-empty-source.diff new file mode 100644 index 0000000..9dc6a9b --- /dev/null +++ b/logprof-mount-empty-source.diff @@ -0,0 +1,166 @@ +From aada708bc1c1787d190529aeafce66e3ce52fb7e Mon Sep 17 00:00:00 2001 +From: Christian Boltz +Date: Sun, 9 Jun 2024 21:51:01 +0200 +Subject: [PATCH 1/2] MountRule: add support for quoted paths + +While on it, make the output for failing tests more verbose for easier +debugging. + +(cherry picked from commit 900f233101553182cffb29aab53e014d25138489, +test-mount.py adjusted for 4.0 branch) +--- + utils/apparmor/rule/mount.py | 6 +++--- + utils/test/test-mount.py | 4 +++- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py +index b2d73a27b..992c29142 100644 +--- a/utils/apparmor/rule/mount.py ++++ b/utils/apparmor/rule/mount.py +@@ -15,7 +15,7 @@ import re + + from apparmor.common import AppArmorBug, AppArmorException + +-from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis ++from apparmor.regex import RE_PROFILE_MOUNT, strip_parenthesis, strip_quotes + from apparmor.rule import AARE + from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers, logprof_value_or_all, check_and_split_list + +@@ -171,12 +171,12 @@ class MountRule(BaseRule): + options = cls.ALL + + if operation == 'mount' and r['source_file'] is not None: # Umount cannot have a source +- source = r['source_file'] ++ source = strip_quotes(r['source_file']) + else: + source = cls.ALL + + if r['dest_file'] is not None: +- dest = r['dest_file'] ++ dest = strip_quotes(r['dest_file']) + else: + dest = cls.ALL + +diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py +index cb1a89630..6dfe1ac85 100644 +--- a/utils/test/test-mount.py ++++ b/utils/test/test-mount.py +@@ -42,7 +42,9 @@ class MountTestParse(AATest): + ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )), + ('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )), + ('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )), ++ ('mount "/a space",', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a space', MountRule.ALL, False, False, False, '')), + ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )), ++ ('mount fstype=(ext3, ext4) /a -> "/bar space",', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/bar space', False, False, False, '')), + ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), + ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), + ('mount fstype=({ext3,ext4}) options in (ro, sync) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), +@@ -66,7 +68,7 @@ class MountTestParse(AATest): + self.assertTrue(MountRule.match(rawrule)) + obj = MountRule.create_instance(rawrule) + expected.raw_rule = rawrule.strip() +- self.assertTrue(obj.is_equal(expected, True)) ++ self.assertTrue(obj.is_equal(expected, True), f'\n {rawrule} expected,\n {obj.get_clean()} returned by obj.get_clean()\n {expected.get_clean()} returned by expected.get_clean()') + + def test_valid_mount_changing_propagation(self): + # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both. +-- +GitLab + + +From 98a0a2fee92b86155de258711c554f068ead8f6c Mon Sep 17 00:00:00 2001 +From: Christian Boltz +Date: Sun, 9 Jun 2024 23:03:13 +0200 +Subject: [PATCH 2/2] MountRule: Add support for empty ("") source + +This needs adding of an empty_ok flag in _aare_or_all(). + +Also add a few tests from boo#1226031 to utils and parser tests. + +Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1226031 + +(cherry picked from commit 1f33fc9b29c174698fdf0116a4a9f50680ec4fdb, +test-mount.py changes adjusted for 4.0 branch) +--- + parser/tst/simple_tests/mount/ok_quoted_1.sd | 9 +++++++++ + utils/apparmor/rule/__init__.py | 4 ++-- + utils/apparmor/rule/mount.py | 4 ++-- + utils/test/test-mount.py | 2 ++ + 4 files changed, 15 insertions(+), 4 deletions(-) + create mode 100644 parser/tst/simple_tests/mount/ok_quoted_1.sd + +diff --git a/parser/tst/simple_tests/mount/ok_quoted_1.sd b/parser/tst/simple_tests/mount/ok_quoted_1.sd +new file mode 100644 +index 000000000..c819caea3 +--- /dev/null ++++ b/parser/tst/simple_tests/mount/ok_quoted_1.sd +@@ -0,0 +1,9 @@ ++# ++#=Description basic mount rules with quoted paths ++#=EXRESULT PASS ++# ++/usr/bin/foo { ++ mount "" -> "/", ++ mount "" -> "/tmp/", ++ umount "/", ++} +diff --git a/utils/apparmor/rule/__init__.py b/utils/apparmor/rule/__init__.py +index ede7909ca..11e2f1f17 100644 +--- a/utils/apparmor/rule/__init__.py ++++ b/utils/apparmor/rule/__init__.py +@@ -51,7 +51,7 @@ class BaseRule(metaclass=ABCMeta): + # Set only in the parse() class method + self.raw_rule = None + +- def _aare_or_all(self, rulepart, partname, is_path, log_event): ++ def _aare_or_all(self, rulepart, partname, is_path, log_event, empty_ok=False): + """checks rulepart and returns + - (AARE, False) if rulepart is a (non-empty) string + - (None, True) if rulepart is all_obj (typically *Rule.ALL) +@@ -67,7 +67,7 @@ class BaseRule(metaclass=ABCMeta): + if rulepart == self.ALL: + return None, True + elif isinstance(rulepart, str): +- if not rulepart.strip(): ++ if not rulepart.strip() and not empty_ok: + raise AppArmorBug( + 'Passed empty %(partname)s to %(classname)s: %(rulepart)s' + % {'partname': partname, 'classname': self.__class__.__name__, 'rulepart': str(rulepart)}) +diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py +index 992c29142..d20522971 100644 +--- a/utils/apparmor/rule/mount.py ++++ b/utils/apparmor/rule/mount.py +@@ -66,7 +66,7 @@ mount_condition_pattern = rf'({fs_type_pattern})?\s*({option_pattern})?' + # - A path : /foo + # - A globbed Path : ** + +-glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*")|\w+))' ++glob_pattern = r'(\s*(?P<%s>(([/{]|\*\*)\S*|"([/{]|\*\*)[^"]*"|@{\S+}\S*|"@{\S+}[^"]*"|"")|\w+))' + source_fileglob_pattern = glob_pattern % 'source_file' + dest_fileglob_pattern = glob_pattern % 'dest_file' + +@@ -114,7 +114,7 @@ class MountRule(BaseRule): + raise AppArmorException(_('Passed unknown options keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items))) + self.is_options_equal = options[0] if not self.all_options else None + +- self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event) ++ self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event, empty_ok=True) + self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event) + + if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'): +diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py +index 6dfe1ac85..7af46a5d8 100644 +--- a/utils/test/test-mount.py ++++ b/utils/test/test-mount.py +@@ -55,6 +55,8 @@ class MountTestParse(AATest): + MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', + '/tmp/snap.rootfs_*{,/usr}/lib/modules/', + False, False, False, '' )), ++ ('mount options=(runbindable, rw) -> /,', MountRule('mount', MountRule.ALL, ('=', ['runbindable', 'rw']), MountRule.ALL, '/', False, False, False, '')), ++ ('mount "" -> /,', MountRule('mount', MountRule.ALL, MountRule.ALL, '', '/', False, False, False, '')), + ('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), + ('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), + ('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )), +-- +GitLab + diff --git a/plasmashell.diff b/plasmashell.diff new file mode 100644 index 0000000..bf6d1de --- /dev/null +++ b/plasmashell.diff @@ -0,0 +1,31 @@ +commit 64469afa2c65eb8a90a19d2b658a9559fb3964b0 +Author: Christian Boltz +Date: Tue Jun 4 21:14:50 2024 +0200 + + Add openSUSE path to plasmashell profile + + While on it, + - add some comments explaining what the profile does + - adjust the rule with the Debian/Ubuntu path to work with Qt6 + + Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961 + +diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell +index d743ff7a3..51c50a689 100644 +--- a/profiles/apparmor.d/plasmashell ++++ b/profiles/apparmor.d/plasmashell +@@ -17,8 +17,13 @@ profile plasmashell /usr/bin/plasmashell { + unix, + ptrace, + +- /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, ++ # allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues) ++ /usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, ++ /usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, ++ ++ # allow to execute all other programs under their own profile, or to run unconfined + /** pux, ++ + /{,**} mrwlk, + + profile QtWebEngineProcess { diff --git a/sampa-rpcd-witness.diff b/sampa-rpcd-witness.diff new file mode 100644 index 0000000..2f9aa4a --- /dev/null +++ b/sampa-rpcd-witness.diff @@ -0,0 +1,48 @@ +From https://gitlab.com/apparmor/apparmor/-/merge_requests/1256 +(adjusted to currently packaged samba-rpcd profile) + + +From 94ccd111deac35d7deadb07e66d25e045633e221 Mon Sep 17 00:00:00 2001 +From: Christian Boltz +Date: Sat, 8 Jun 2024 22:46:53 +0200 +Subject: [PATCH] samba-dcerpcd: allow to execute rpcd_witness + +... and extend the samba-rpcd profile to also include rpcd_witness. + +Patch by Noel Power + +Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225811 +--- + profiles/apparmor.d/samba-dcerpcd | 2 +- + profiles/apparmor.d/samba-rpcd | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +Index: apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd +=================================================================== +--- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-dcerpcd 2024-04-12 05:59:30.000000000 +0200 ++++ apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd 2024-06-25 21:49:49.017901846 +0200 +@@ -21,7 +21,7 @@ profile samba-dcerpcd /usr/lib*/samba/{, + /usr/lib*/samba/{,samba/}samba-dcerpcd mr, + + /usr/lib*/samba/ r, +- /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd, ++ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd, + /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic, + /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss, + +Index: apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd +=================================================================== +--- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-rpcd 2024-04-12 05:59:30.000000000 +0200 ++++ apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd 2024-06-25 21:49:49.017901846 +0200 +@@ -13,9 +13,9 @@ abi , + + include + +-profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} { ++profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} { + include +- /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr, ++ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr, + + @{run}/samba/ncalrpc/np/winreg wr, + diff --git a/sddm-xauth.diff b/sddm-xauth.diff new file mode 100644 index 0000000..701adc5 --- /dev/null +++ b/sddm-xauth.diff @@ -0,0 +1,22 @@ +commit 0c6e031c02fb18affd3bb7f15e269d9dd5c3317a +Author: Christian Boltz +Date: Tue Jun 4 21:45:06 2024 +0200 + + abstractions/X: add another xauth path + + This time it's /tmp/xauth_?????? r, which gets used by latest sddm. + + Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1223900 + +diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X +index 6f0272d64..6df891185 100644 +--- a/profiles/apparmor.d/abstractions/X ++++ b/profiles/apparmor.d/abstractions/X +@@ -28,6 +28,7 @@ + owner @{run}/user/*/gdm/Xauthority r, + owner @{run}/user/*/X11/Xauthority r, + owner @{run}/user/*/xauth_* r, ++ owner /tmp/xauth_?????? r, + + # the unix socket to use to connect to the display + /tmp/.X11-unix/* rw, diff --git a/teardown-unconfined.diff b/teardown-unconfined.diff new file mode 100644 index 0000000..5708bd9 --- /dev/null +++ b/teardown-unconfined.diff @@ -0,0 +1,21 @@ +commit f497afbe1364b45540a6582870e5a76f1ada7a2b +Author: Christian Boltz +Date: Tue May 28 21:13:47 2024 +0200 + + Fix aa-teardown for `unconfined` profiles + + Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225457 + +diff --git a/parser/rc.apparmor.functions b/parser/rc.apparmor.functions +index f66fea422..099ab67d3 100644 +--- a/parser/rc.apparmor.functions ++++ b/parser/rc.apparmor.functions +@@ -253,7 +253,7 @@ remove_profiles() { + retval=0 + # We filter child profiles as removing the parent will remove + # the children +- sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \ ++ sed -e "s/ (\(enforce\|complain\|unconfined\))$//" "$SFS_MOUNTPOINT/profiles" | \ + LC_COLLATE=C sort | grep -v // | { + while read -r profile ; do + printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove" diff --git a/test-aa-notify.diff b/test-aa-notify.diff new file mode 100644 index 0000000..3ed0c0c --- /dev/null +++ b/test-aa-notify.diff @@ -0,0 +1,30 @@ +https://gitlab.com/apparmor/apparmor/-/merge_requests/1226 + +From 715cb711ba26d3ccff490f35f80721cf3678abb6 Mon Sep 17 00:00:00 2001 +From: Christian Boltz +Date: Sun, 5 May 2024 22:05:43 +0200 +Subject: [PATCH] Don't rely on argparse saying "options:" + +Some argparse versions (for example on openSUSE Leap 15.5) instead say +"optional arguments:" + +Don't rely on the "options:" line to allow both wordings. +--- + utils/test/test-aa-notify.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py +index 4f3e540e9..abffd0631 100644 +--- a/utils/test/test-aa-notify.py ++++ b/utils/test/test-aa-notify.py +@@ -194,7 +194,6 @@ Display AppArmor notifications or messages for DENIED entries. + + expected_output_2 = \ + ''' +-options: + -h, --help show this help message and exit + -p, --poll poll AppArmor logs and display notifications + --display DISPLAY set the DISPLAY environment variable (might be needed if +-- +GitLab + diff --git a/tools-fix-redefinition.diff b/tools-fix-redefinition.diff new file mode 100644 index 0000000..365686d --- /dev/null +++ b/tools-fix-redefinition.diff @@ -0,0 +1,39 @@ +From 553acd22324ed013d9f468aa8585518cf68b34f7 Mon Sep 17 00:00:00 2001 +From: Christian Boltz +Date: Sun, 21 Apr 2024 17:32:24 +0200 +Subject: [PATCH] Fix redefinition of _ + +... which unsurprisingly broke using the translations. + +This was a regression introduced in 4f51c93f9dc2516a32bfccc79b4dcf4985e61f47 + +Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387 +--- + utils/apparmor/tools.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py +index e8a99bbe6..f7d4a0d36 100644 +--- a/utils/apparmor/tools.py ++++ b/utils/apparmor/tools.py +@@ -90,7 +90,7 @@ class aa_tools: + def get_next_for_modechange(self): + """common code for mode/flags changes""" + +- for (program, _, prof_filename) in self.get_next_to_profile(): ++ for (program, ignored, prof_filename) in self.get_next_to_profile(): + output_name = prof_filename if program is None else program + + if not os.path.isfile(prof_filename) or is_skippable_file(prof_filename): +@@ -162,7 +162,7 @@ class aa_tools: + def cmd_autodep(self): + apparmor.loadincludes() + +- for (program, _, prof_filename) in self.get_next_to_profile(): ++ for (program, ignored, prof_filename) in self.get_next_to_profile(): + if not program: + aaui.UI_Info(_('Please pass an application to generate a profile for, not a profile itself - skipping %s.') % prof_filename) + continue +-- +GitLab + diff --git a/utils-relax-mount-rules-2.diff b/utils-relax-mount-rules-2.diff new file mode 100644 index 0000000..94b34c9 --- /dev/null +++ b/utils-relax-mount-rules-2.diff @@ -0,0 +1,182 @@ +commit 1f4bba0448563b7d1fe4d86c230556ebf8d3805b +Author: Maxime Bélair +Date: Mon May 20 11:09:04 2024 +0200 + + Cherry-pick: MountRule: Aligning behavior with apparmor_parser + + Mount Rules with options in { remount, [make-] { [r]unbindable, [r]shared, [r]private, and [r]slave }} do not support specifying a source. This commit aligns utils implementation to apparmor_parser's, which prohibits having a both source and a destination simultaneously, instad of just prohibiting source. + + Therefore, both `mount options=(unbindable) /a,` and `mount options=(unbindable) -> /a,` are now supported (and equivalent for apparmor_parser). However, `mount options=(unbindable) /a -> /b,` is invalid. + + For the same reason, specifying a fstype in these cases is also prohibited. + + Similarly, we prohibit to specify a fstype for bind mount rules. + + Fixes: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2065685 + + (cherry picked from commit 60acc4a4053ddb3718b9a2f5ceb1ef02fea3a226) + + Signed-off-by: Maxime Bélair + +diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py +index abfa2b75e..b2d73a27b 100644 +--- a/utils/apparmor/rule/mount.py ++++ b/utils/apparmor/rule/mount.py +@@ -25,15 +25,18 @@ _ = init_translation() + + # TODO : Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules. + +-flags_keywords = [ +- # keep in sync with parser/mount.cc mnt_opts_table! +- 'ro', 'r', 'read-only', 'rw', 'w', 'suid', 'nosuid', 'dev', 'nodev', 'exec', 'noexec', 'sync', 'async', 'remount', +- 'mand', 'nomand', 'dirsync', 'symfollow', 'nosymfollow', 'atime', 'noatime', 'diratime', 'nodiratime', 'bind', 'B', +- 'move', 'M', 'rbind', 'R', 'verbose', 'silent', 'loud', 'acl', 'noacl', 'unbindable', 'make-unbindable', 'runbindable', +- 'make-runbindable', 'private', 'make-private', 'rprivate', 'make-rprivate', 'slave', 'make-slave', 'rslave', 'make-rslave', +- 'shared', 'make-shared', 'rshared', 'make-rshared', 'relatime', 'norelatime', 'iversion', 'noiversion', 'strictatime', +- 'nostrictatime', 'lazytime', 'nolazytime', 'user', 'nouser', +- '([A-Za-z0-9])', ++flags_bind_mount = {'B', 'bind', 'R', 'rbind'} ++flags_change_propagation = { ++ 'remount', 'unbindable', 'shared', 'private', 'slave', 'runbindable', 'rshared', 'rprivate', 'rslave', ++ 'make-unbindable', 'make-shared', 'make-private', 'make-slave', 'make-runbindable', 'make-rshared', 'make-rprivate', ++ 'make-rslave' ++} ++# keep in sync with parser/mount.cc mnt_opts_table! ++flags_keywords = list(flags_bind_mount) + list(flags_change_propagation) + [ ++ 'ro', 'r', 'read-only', 'rw', 'w', 'suid', 'nosuid', 'dev', 'nodev', 'exec', 'noexec', 'sync', 'async', 'mand', ++ 'nomand', 'dirsync', 'symfollow', 'nosymfollow', 'atime', 'noatime', 'diratime', 'nodiratime', 'move', 'M', ++ 'verbose', 'silent', 'loud', 'acl', 'noacl', 'relatime', 'norelatime', 'iversion', 'noiversion', 'strictatime', ++ 'nostrictatime', 'lazytime', 'nolazytime', 'user', 'nouser', '([A-Za-z0-9])', + ] + join_valid_flags = '|'.join(flags_keywords) + +@@ -112,6 +115,7 @@ class MountRule(BaseRule): + self.is_options_equal = options[0] if not self.all_options else None + + self.source, self.all_source = self._aare_or_all(source, 'source', is_path=False, log_event=log_event) ++ self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event) + + if not self.all_fstype and self.is_fstype_equal not in ('=', 'in'): + raise AppArmorBug(f'Invalid is_fstype_equal : {self.is_fstype_equal}') +@@ -120,11 +124,14 @@ class MountRule(BaseRule): + if self.operation != 'mount' and not self.all_source: + raise AppArmorException(f'Operation {self.operation} cannot have a source') + +- flags_forbidden_with_source = {'remount', 'unbindable', 'shared', 'private', 'slave', 'runbindable', 'rshared', 'rprivate', 'rslave'} +- if self.operation == 'mount' and not self.all_source and not self.all_options and flags_forbidden_with_source & self.options != set(): +- raise AppArmorException(f'Operation {flags_forbidden_with_source & self.options} cannot have a source. Source = {self.source}') ++ if self.operation == 'mount' and not self.all_options and flags_change_propagation & self.options != set(): ++ if not (self.all_source or self.all_dest): ++ raise AppArmorException(f'Operation {flags_change_propagation & self.options} cannot specify a source. Source = {self.source}') ++ elif not self.all_fstype: ++ raise AppArmorException(f'Operation {flags_change_propagation & self.options} cannot specify a fstype. Fstype = {self.fstype}') + +- self.dest, self.all_dest = self._aare_or_all(dest, 'dest', is_path=False, log_event=log_event) ++ if self.operation == 'mount' and not self.all_options and flags_bind_mount & self.options != set() and not self.all_fstype: ++ raise AppArmorException(f'Bind mount rules cannot specify a fstype. Fstype = {self.fstype}') + + self.can_glob = not self.all_source and not self.all_dest and not self.all_options + +diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py +index 7f88ff7db..cb1a89630 100644 +--- a/utils/test/test-mount.py ++++ b/utils/test/test-mount.py +@@ -43,12 +43,12 @@ class MountTestParse(AATest): + ('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )), + ('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )), + ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )), +- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), +- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), +- ('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), +- ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), +- ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')), +- ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), ++ ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), ++ ('mount fstype=(ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), ++ ('mount fstype=({ext3,ext4}) options in (ro, sync) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'sync')), '/a', '/b', False, False, False, '' )), ++ ('mount fstype in (ext3, ext4) options=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), ++ ('mount fstype in (ext3, ext4) option in (ro, sync) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'sync')), '/a', MountRule.ALL, False, False, False, ' #cmt')), ++ ('mount fstype=(ext3, ext4) option=(ro, sync) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'sync')), '/a', '/b', False, False, False, ' #cmt')), + ('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,', + MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', + '/tmp/snap.rootfs_*{,/usr}/lib/modules/', +@@ -68,6 +68,17 @@ class MountTestParse(AATest): + expected.raw_rule = rawrule.strip() + self.assertTrue(obj.is_equal(expected, True)) + ++ def test_valid_mount_changing_propagation(self): ++ # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both. ++ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), '/foo', MountRule.ALL) ++ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), MountRule.ALL, '/foo') ++ ++ def test_valid_bind_mount(self): ++ # Fstype must remain empty in bind rules ++ MountRule('mount', MountRule.ALL, ('=', ('bind')), '/foo', MountRule.ALL) ++ MountRule('mount', MountRule.ALL, ('=', ('bind')), MountRule.ALL, '/bar') ++ MountRule('mount', MountRule.ALL, ('=', ('bind')), '/foo', '/bar') ++ + + class MountTestParseInvalid(AATest): + tests = ( +@@ -143,6 +154,20 @@ class MountTestParseInvalid(AATest): + with self.assertRaises(AppArmorException): + MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL) + ++ def test_invalid_mount_changing_propagation(self): ++ # Rules changing propagation type can either specify a source or a dest (these are equivalent for apparmor_parser in this specific case) but not both. ++ with self.assertRaises(AppArmorException): ++ MountRule('mount', MountRule.ALL, ('=', ('runbindable')), '/foo', '/bar') ++ ++ # Rules changing propagation type cannot specify a fstype. ++ with self.assertRaises(AppArmorException): ++ MountRule('mount', ('=', ('ext4')), ('=', ('runbindable')), MountRule.ALL, '/foo') ++ ++ def test_invalid_bind_mount(self): ++ # Bind mount rules cannot specify a fstype. ++ with self.assertRaises(AppArmorException): ++ MountRule('mount', ('=', ('ext4')), ('=', ('bind')), MountRule.ALL, '/foo') ++ + + class MountTestGlob(AATest): + def test_glob(self): +diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py +index 451af7d22..60a738aed 100644 +--- a/utils/test/test-parser-simple-tests.py ++++ b/utils/test/test-parser-simple-tests.py +@@ -85,16 +85,6 @@ exception_not_raised = ( + 'mount/bad_1.sd', + 'mount/bad_2.sd', + +- # not checked/detected: "make-*" mount opt and an invalid src +- 'mount/bad_opt_17.sd', +- 'mount/bad_opt_18.sd', +- 'mount/bad_opt_19.sd', +- 'mount/bad_opt_20.sd', +- 'mount/bad_opt_21.sd', +- 'mount/bad_opt_22.sd', +- 'mount/bad_opt_23.sd', +- 'mount/bad_opt_24.sd', +- + 'profile/flags/flags_bad10.sd', + 'profile/flags/flags_bad11.sd', + 'profile/flags/flags_bad12.sd', +@@ -324,19 +314,6 @@ unknown_line = ( + 'bare_include_tests/ok_85.sd', + 'bare_include_tests/ok_86.sd', + +- # Mount with flags in {remount, [r]unbindable, [r]shared, [r]private, [r]slave} does not support a source +- 'mount/ok_opt_68.sd', +- 'mount/ok_opt_69.sd', +- 'mount/ok_opt_70.sd', +- 'mount/ok_opt_71.sd', +- 'mount/ok_opt_72.sd', +- 'mount/ok_opt_73.sd', +- 'mount/ok_opt_74.sd', +- 'mount/ok_opt_75.sd', +- +- # options=slave with /** src (first rule in the test causes exception) +- 'mount/ok_opt_84.sd', +- + # According to spec mount should be in the form fstype=... options=... and NOT in the form options=... fstype=... + 'mount/ok_opt_combo_3.sd', + 'mount/ok_opt_combo_2.sd', diff --git a/utils-relax-mount-rules.diff b/utils-relax-mount-rules.diff new file mode 100644 index 0000000..dbcf2a7 --- /dev/null +++ b/utils-relax-mount-rules.diff @@ -0,0 +1,366 @@ +commit eee50538da9a240bc151f26c6cff309808d33590 +Author: Georgia Garcia +Date: Wed May 8 12:58:42 2024 +0000 + + Merge MountRule: Relaxing constraints on fstype and completing AARE support + + - Before this commit, fstype had to match a known fs. However, having and maintaining the exhaustive list of fstypes proved challenging (see !1195 and !1176). Therefore, we add support for any filesystem name. + - Completing AARE support for fstype (brace expressions like ext{3,4} are now supported). + + MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1198 + Approved-by: Christian Boltz + Merged-by: Christian Boltz + + + (cherry picked from commit baa8b67248f3467cde40683600d7a945b05f9a3b) + + dad5ee28 MountRule: Relaxing constraints on fstype and completing AARE support + + Co-authored-by: Christian Boltz + +diff --git a/utils/apparmor/rule/mount.py b/utils/apparmor/rule/mount.py +index f62c08e4b..abfa2b75e 100644 +--- a/utils/apparmor/rule/mount.py ++++ b/utils/apparmor/rule/mount.py +@@ -23,19 +23,7 @@ from apparmor.translations import init_translation + + _ = init_translation() + +-# TODO : +-# - match correctly AARE on every field +-# - Find the actual list of supported filesystems. This one comes from /proc/filesystems. We also blindly accept fuse.* +-# - Support path that begin by { (e.g. {,/usr}/lib/...) This syntax is not a valid AARE but is used by usr.lib.snapd.snap-confine.real in Ubuntu and will currently raise an error in genprof if these lines are not modified. +-# - Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules. +- +-valid_fs = [ +- 'sysfs', 'tmpfs', 'bdevfs', 'procfs', 'cgroup', 'cgroup2', 'cpuset', 'devtmpfs', 'configfs', 'debugfs', 'tracefs', +- 'securityfs', 'sockfs', 'bpf', 'npipefs', 'ramfs', 'hugetlbfs', 'devpts', 'ext3', 'ext2', 'ext4', 'squashfs', +- 'vfat', 'ecryptfs', 'fuseblk', 'fuse', 'fusectl', 'efivarfs', 'mqueue', 'store', 'autofs', 'binfmt_misc', 'overlay', +- 'none', 'bdev', 'proc', 'pipefs', 'pstore', 'btrfs', 'xfs', '9p', 'resctrl', 'zfs', 'iso9660', 'udf', 'ntfs3', +- 'nfs', 'cifs', 'overlayfs', 'aufs', 'rpc_pipefs', 'msdos', 'nfs4', +-] ++# TODO : Apparmor remount logs are displayed as mount (with remount flag). Profiles generated with aa-genprof are therefore mount rules. It could be interesting to make them remount rules. + + flags_keywords = [ + # keep in sync with parser/mount.cc mnt_opts_table! +@@ -48,7 +36,6 @@ flags_keywords = [ + '([A-Za-z0-9])', + ] + join_valid_flags = '|'.join(flags_keywords) +-join_valid_fs = '|'.join(valid_fs) + + sep = r'\s*[\s,]\s*' + +@@ -106,27 +93,18 @@ class MountRule(BaseRule): + + self.operation = operation + +- self.fstype, self.all_fstype, unknown_items = check_and_split_list(fstype[1] if fstype != self.ALL else fstype, valid_fs, self.ALL, type(self).__name__, 'fstype') +- +- if unknown_items: +- for it in unknown_items: +- +- # Several filesystems use fuse internally and are referred as fuse. (e.g. fuse.jmtpfs, fuse.s3fs, fuse.obexfs). +- # Since this list seems to evolve too fast for a fixed list to work in practice, we just accept fuse.* +- # See https://github.com/libfuse/libfuse/wiki/Filesystems and, https://doc.ubuntu-fr.org/fuse +- if it.startswith('fuse.') and len(it) > 5: +- continue +- +- it = AARE(it, is_path=False) +- found = False +- for fs in valid_fs: +- if self._is_covered_aare(it, self.all_fstype, AARE(fs, False), self.all_fstype, 'fstype'): +- found = True +- break +- if not found: +- raise AppArmorException(_('Passed unknown fstype keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items))) +- +- self.is_fstype_equal = fstype[0] if not self.all_fstype else None ++ if fstype == self.ALL or fstype[1] == self.ALL: ++ self.all_fstype = True ++ self.fstype = None ++ self.is_fstype_equal = None ++ else: ++ self.all_fstype = False ++ for it in fstype[1]: ++ l, unused = parse_aare(it, 0, 'fstype') ++ if l != len(it): ++ raise AppArmorException(f'Invalid aare : {it}') ++ self.fstype = fstype[1] ++ self.is_fstype_equal = fstype[0] + + self.options, self.all_options, unknown_items = check_and_split_list(options[1] if options != self.ALL else options, flags_keywords, self.ALL, type(self).__name__, 'options') + if unknown_items: +@@ -173,7 +151,7 @@ class MountRule(BaseRule): + + if r['fstype'] is not None: + is_fstype_equal = r['fstype_equals_or_in'] +- fstype = strip_parenthesis(r['fstype']).replace(',', ' ').split() ++ fstype = parse_aare_list(strip_parenthesis(r['fstype']), 'fstype') + else: + is_fstype_equal = None + fstype = cls.ALL +@@ -316,6 +294,38 @@ class MountRuleset(BaseRuleset): + '''Class to handle and store a collection of Mount rules''' + + ++ ++def parse_aare(s, offset, param): ++ parsed = '' ++ brace_count = 0 ++ for i, c in enumerate(s[offset:], start=offset): ++ if c in [' ', ',', '\t'] and brace_count == 0: ++ break ++ parsed += c ++ if c == '{': ++ brace_count += 1 ++ elif c == '}': ++ brace_count -= 1 ++ if brace_count < 0: ++ raise AppArmorException(f"Unmatched closing brace in {param}: {s[offset:]}") ++ offset = i ++ ++ if brace_count != 0: ++ raise AppArmorException(f"Unmatched opening brace in {param}: {s[offset:]}") ++ ++ return offset + 1, parsed ++ ++ ++def parse_aare_list(s, param): ++ res = [] ++ offset = 0 ++ while offset <= len(s): ++ offset, part = parse_aare(s, offset, param) ++ if part.translate(' ,\t') != '': ++ res.append(part) ++ return res ++ ++ + def wrap_in_with_spaces(value): + ''' wrap 'in' keyword in spaces, and leave everything else unchanged ''' + +diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py +index e37c287c7..7f88ff7db 100644 +--- a/utils/test/test-mount.py ++++ b/utils/test/test-mount.py +@@ -20,7 +20,7 @@ from common_test import AATest, setup_all_loops + from apparmor.common import AppArmorException, AppArmorBug + from apparmor.translations import init_translation + +-from apparmor.rule.mount import MountRule, valid_fs ++from apparmor.rule.mount import MountRule + + _ = init_translation() + +@@ -31,34 +31,34 @@ class MountTestParse(AATest): + # Rule Operation Filesystem Options Source Destination Audit Deny Allow Comment + ('mount -> **,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '**', False, False, False, '' )), + ('mount options=(rw, shared) -> **,', MountRule('mount', MountRule.ALL, ('=', ('rw', 'shared')), MountRule.ALL, '**', False, False, False, '' )), +- ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('bpf')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), +- ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.obex*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), +- ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), +- ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ("bpf")), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )), ++ ('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), ++ ('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.obex*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), ++ ('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )), ++ ('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )), + ('mount,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), +- ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), ++ ('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), + ('mount bpf,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'bpf', MountRule.ALL, False, False, False, '' )), + ('mount none,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'none', MountRule.ALL, False, False, False, '' )), +- ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )), ++ ('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )), + ('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )), + ('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )), +- ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/a', '/b', False, False, False, '' )), +- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), +- ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), +- ('mount fstype=(ext3, ext4) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), +- ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), +- ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')), +- ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), ++ ('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )), ++ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), ++ ('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), ++ ('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )), ++ ('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), ++ ('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')), ++ ('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')), + ('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,', + MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', + '/tmp/snap.rootfs_*{,/usr}/lib/modules/', + False, False, False, '' )), + ('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), +- ('umount fstype=ext3,', MountRule('umount', ('=', ('ext3')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), ++ ('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), + ('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )), + + ('remount,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), +- ('remount fstype=ext4,', MountRule('remount', ('=', ('ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), ++ ('remount fstype=ext4,', MountRule('remount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )), + ('remount /b,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/b', False, False, False, '' )), + ) + +@@ -72,7 +72,6 @@ class MountTestParse(AATest): + class MountTestParseInvalid(AATest): + tests = ( + ('mount fstype=,', AppArmorException), +- ('mount fstype=(foo),', AppArmorException), + ('mount fstype=(),', AppArmorException), + ('mount options=(),', AppArmorException), + ('mount option=(invalid),', AppArmorException), +@@ -90,7 +89,7 @@ class MountTestParseInvalid(AATest): + + def test_diff_non_mountrule(self): + exp = namedtuple('exp', ('audit', 'deny')) +- obj = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) ++ obj = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL) + with self.assertRaises(AppArmorBug): + obj.is_equal(exp(False, False), False) + +@@ -98,9 +97,25 @@ class MountTestParseInvalid(AATest): + with self.assertRaises(AppArmorBug): + MountRule('mount', ('ext3', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in' + +- def test_diff_invalid_fstype_keyword(self): +- with self.assertRaises(AppArmorException): +- MountRule('mount', ('=', 'invalidfs'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in' ++ def test_diff_invalid_fstype_aare(self): ++ tests = [ ++ 'mount fstype=({unclosed_regex),', ++ 'mount fstype=({closed}twice}),', ++ ] ++ ++ for t in tests: ++ with self.assertRaises(AppArmorException): ++ MountRule.create_instance(t) ++ ++ def test_diff_invalid_fstype_aare_2(self): ++ fslists = [ ++ ['invalid_{_regex'], ++ ['ext4', 'invalid_}_regex'], ++ ['ext4', '{invalid} {regex}'] ++ ] ++ for fslist in fslists: ++ with self.assertRaises(AppArmorException): ++ MountRule('mount', ('=', fslist), MountRule.ALL, MountRule.ALL, MountRule.ALL) + + def test_diff_invalid_options_equals_or_in(self): + with self.assertRaises(AppArmorBug): +@@ -111,7 +126,7 @@ class MountTestParseInvalid(AATest): + MountRule('mount', MountRule.ALL, ('=', 'invalid'), MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in' + + def test_diff_fstype(self): +- obj1 = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) ++ obj1 = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL) + obj2 = MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL) + self.assertFalse(obj1.is_equal(obj2, False)) + +@@ -129,14 +144,6 @@ class MountTestParseInvalid(AATest): + MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL) + + +-class MountTestFilesystems(AATest): +- def test_fs(self): +- with open('/proc/filesystems') as f: +- for line in f: +- fs_name = line.split()[-1] +- self.assertTrue(fs_name in valid_fs, '/proc/filesystems contains %s which is not listed in MountRule valid_fs' % fs_name) +- +- + class MountTestGlob(AATest): + def test_glob(self): + globList = [( +@@ -199,49 +206,58 @@ class MountIsCoveredTest(AATest): + def test_is_covered(self): + obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*') + tests = [ +- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b', '/bar'), +- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/b') ++ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b', '/bar'), ++ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/b') + ] + for test in tests: + self.assertTrue(obj.is_covered(MountRule(*test))) + self.assertFalse(obj.is_equal(MountRule(*test))) + + def test_is_covered_fs_source(self): +- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL) +- self.assertTrue(obj.is_covered(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL))) +- self.assertFalse(obj.is_equal(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL))) ++ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL) ++ self.assertTrue(obj.is_covered(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL))) ++ self.assertFalse(obj.is_equal(MountRule('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL))) + +- def test_is_covered_regex(self): +- obj = MountRule('mount', ('=', ('sys*', 'fuse.*')), ('=', ('ro')), 'tmpfs', MountRule.ALL) ++ def test_is_covered_aare_1(self): ++ obj = MountRule('mount', ('=', ['sys*', 'fuse.*']), ('=', ('ro')), 'tmpfs', MountRule.ALL) + tests = [ +- ('mount', ('=', ('sysfs', 'fuse.s3fs')), ('=', ('ro')), 'tmpfs', MountRule.ALL), +- ('mount', ('=', ('sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso')), ('=', ('ro')), 'tmpfs', MountRule.ALL) ++ ('mount', ('=', ['sysfs', 'fuse.s3fs']), ('=', ('ro')), 'tmpfs', MountRule.ALL), ++ ('mount', ('=', ['sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL) ++ ] ++ for test in tests: ++ self.assertTrue(obj.is_covered(MountRule(*test))) ++ self.assertFalse(obj.is_equal(MountRule(*test))) ++ def test_is_covered_aare_2(self): ++ obj = MountRule('mount', ('=', ['ext{3,4}', '{cgroup*,fuse.*}']), ('=', ('ro')), 'tmpfs', MountRule.ALL) ++ tests = [ ++ ('mount', ('=', ['ext3']), ('=', ('ro')), 'tmpfs', MountRule.ALL), ++ ('mount', ('=', ['ext3', 'ext4', 'cgroup', 'cgroup2', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso']), ('=', ('ro')), 'tmpfs', MountRule.ALL) + ] + for test in tests: + self.assertTrue(obj.is_covered(MountRule(*test))) + self.assertFalse(obj.is_equal(MountRule(*test))) + + def test_is_notcovered(self): +- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*') ++ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/b*') + tests = [ +- ('mount', ('in', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ), +- ('mount', ('=', ('procfs', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ), +- ('mount', ('=', ('ext3')), ('=', ('rw')), '/foo/bar', '/bar' ), +- ('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/foo/b*', '/bar' ), ++ ('mount', ('in', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ), ++ ('mount', ('=', ['procfs', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ), ++ ('mount', ('=', ['ext3']), ('=', ('rw')), '/foo/bar', '/bar' ), ++ ('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/foo/b*', '/bar' ), + ('mount', MountRule.ALL, ('=', ('ro')), '/foo/b*', '/bar' ), +- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/invalid/bar', '/bar' ), ++ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/invalid/bar', '/bar' ), + ('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ), + ('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ), +- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', '/bar' ), +- ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/invalid'), ++ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', '/bar' ), ++ ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/invalid'), + ] + for test in tests: + self.assertFalse(obj.is_covered(MountRule(*test))) + self.assertFalse(obj.is_equal(MountRule(*test))) + + def test_is_not_covered_fs_source(self): +- obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL) +- test = ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'procfs', MountRule.ALL) ++ obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', MountRule.ALL) ++ test = ('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'procfs', MountRule.ALL) + self.assertFalse(obj.is_covered(MountRule(*test))) + self.assertFalse(obj.is_equal(MountRule(*test))) + +diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py +index 40f61ef85..451af7d22 100644 +--- a/utils/test/test-parser-simple-tests.py ++++ b/utils/test/test-parser-simple-tests.py +@@ -324,9 +324,6 @@ unknown_line = ( + 'bare_include_tests/ok_85.sd', + 'bare_include_tests/ok_86.sd', + +- # mount with fstype using AARE +- 'mount/ok_12.sd', +- + # Mount with flags in {remount, [r]unbindable, [r]shared, [r]private, [r]slave} does not support a source + 'mount/ok_opt_68.sd', + 'mount/ok_opt_69.sd',