Accepting request 247917 from home:cboltz

- update to AppArmor 2.8.96 (aka 2.9 beta2 aka r2652)
  - add unix abstract sockets, ptrace, and signal policy generation
  - several bugfixes in the python tools and elsewhere
  - move program-chunks/postfix-common to abstractions/
  - drop upstreamed patches:
    - apparmor-profiles-clustered-samba.diff
    - perl-apparmor-fix-bare-network-keyword-handling.diff
    - perl-apparmor-handle-bare-capability-keyword.diff
    - perl-apparmor-properly-handle-bare-file-keyword.diff
- re-enable installation of perl modules
- move python modules to python3-apparmor package
- create symlinks without aa- prefix only for tools existing in 2.8.x,
  but not for new tools added in 2.9
- make utils filelist explicit to ensure we have the right set of files
  without aa- prefix in sbindir
- switch easyprof python module location to python3
- drop unused defines APPARMOR_DOC_DIR and JNI_SO
- refresh patches:
  - apparmor-utils-string-split (file moved)
  - apparmor-profiles-dnsmasq-iface-mtu.patch
  - apparmor-2.5.1-edirectory-profile

(prepared Thu Mar 20 23:35:03 UTC 2014 in home project)
- update to AppArmor 2.8.95 (aka 2.9 beta1)
  - complete rewrite of the aa-* tools in python
  - new tools: aa-cleanprof, aa-mergeprof
  - extra profiles moved to /usr/share/apparmor/extra-profiles/ (bnc#713647)
  - and much more, but there's no upstream changelog yet
- drop upstreamed patches and files:
  - usr.sbin.winbindd
  - usr.lib.dovecot.*, tunables-dovecot, apparmor-profiles-dovecot-bnc851984.diff
  - apparmor-init.py-gsoc.diff
  - apparmor-2.8.2-nm-dnsmasq-config.patch
- add %bcond_with perl and disable the perl subpackage temporarily (the perl
  modules will be back in beta2)
- drop the apparmorapplet-gnome, apparmor-dbus and profile-editor subpackages
  (they have been disabled for a long time, and upstream no longer ships their code)
  and the apparmor-profile-editor.desktop and apparmor-profile-editor.png files
- drop apparmor-utils-subdomain-compat patch (was only included for <= 12.1)
- remove libimmunix Provides/Obsoletes (libimmunix was a compat wrapper
  and was finally dropped)
- refresh apparmor-samba-include-permissions-for-shares.diff and
  apparmor-2.5.1-edirectory-profile

OBS-URL: https://build.opensuse.org/request/show/247917
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=97
Christian Boltz 2014-09-07 19:10:23 +00:00 committed by Git OBS Bridge
parent b652414aa1
commit 2863c2011e
31 changed files with 154 additions and 1166 deletions


@ -15,9 +15,11 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
profiles/apparmor.d/abstractions/novell-edirectory | 13 +++++++++++++
2 files changed, 16 insertions(+)
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -70,6 +70,9 @@
Index: profiles/apparmor.d/abstractions/nameservice
===================================================================
--- profiles/apparmor.d/abstractions/nameservice.orig 2014-09-03 21:21:31.000000000 +0200
+++ profiles/apparmor.d/abstractions/nameservice 2014-09-07 17:53:18.412834868 +0200
@@ -81,6 +81,9 @@
# kerberos
#include <abstractions/kerberosclient>
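Review bot: the refreshed `--- profiles/apparmor.d/abstractions/nameservice.orig 2014-09-03 ...` / `+++ profiles/apparmor.d/abstractions/nameservice 2014-09-07 17:53:18.412834868 +0200` headers embed build-host timestamps, so every future refresh will churn these lines even when the hunks themselves are unchanged; strip the dates so the next refresh stays minimal. The header paths also changed from `a/profiles/...` to bare `profiles/...`, which is why the spec now has to apply this patch with `%patch12` instead of `%patch12 -p1`; keep the two in sync when refreshing again.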
@ -27,8 +29,10 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
# TCP/UDP network access
network inet stream,
network inet6 stream,
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/novell-edirectory
Index: profiles/apparmor.d/abstractions/novell-edirectory
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ profiles/apparmor.d/abstractions/novell-edirectory 2014-09-07 17:53:18.412834868 +0200
@@ -0,0 +1,13 @@
+# $Id$
+# ------------------------------------------------------------------
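Review bot: the new abstractions/novell-edirectory file opens with `# $Id$`, a Subversion keyword that nothing in a bzr- or git-hosted tree expands, so it ships as literal text; drop the line. Since the spec records that upstream has not accepted this patch because of open questions, the abstraction should at least state in its header comment which eDirectory calls it covers and why they belong in abstractions/nameservice, so the questions can be answered rather than carried from refresh to refresh.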


@ -1,16 +0,0 @@
Index: profiles/apparmor.d/usr.sbin.dnsmasq
===================================================================
--- profiles/apparmor.d/usr.sbin.dnsmasq.orig
+++ profiles/apparmor.d/usr.sbin.dnsmasq
@@ -55,6 +55,11 @@
/{,var/}run/nm-dns-dnsmasq.conf r,
/{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
/{,var/}run/NetworkManager/dnsmasq.conf r,
+ # new dnsmasq config path (as of 2012-11-05)
+ /{,var/}run/NetworkManager/dnsmasq.pid w,
+ # dnsmasq supplemental config directory
+ /etc/NetworkManager/dnsmasq.d/ r,
+ /etc/NetworkManager/dnsmasq.d/* r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.dnsmasq>
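Review bot: deleting the whole patch assumes the 2.8.96 usr.sbin.dnsmasq already carries `/{,var/}run/NetworkManager/dnsmasq.pid w,` and the two `/etc/NetworkManager/dnsmasq.d/` read rules; the removed spec comment only records trunk/2.8 revision numbers, so a `grep dnsmasq.d profiles/apparmor.d/usr.sbin.dnsmasq` on the unpacked tarball before merging would confirm it, otherwise dnsmasq started by NetworkManager on 13.1 and later regresses to denials. Minor: the deleted comment `# new dnsmasq config path` sat above a pid-file write rule, not a config path.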


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:84c2ca7fb6d170e5bb56270f01c9b78e78a991b9eee7fa53a9e6409ef0845c7e
size 1534245


@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
iEYEABECAAYFAlMBmasACgkQgTeYuayTEnEGUgCffqcl+7dchiLlbXj75UnVwayv
qcwAnjsArLD0+9UwU4f/VKgWTo1pJSMo
=SGfh
-----END PGP SIGNATURE-----

apparmor-2.8.96.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5950255fc0a6989a5123a46ec58ba0a7ef03eb0d28731e38aae55d0cd10ed0a1
size 2332645


@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlQI2pMACgkQgTeYuayTEnEALACgtB68bFa+u0F1KBSarph9lfB7
0V8AnRVmXpaq+dzhKmcspVoR+bzYn4GM
=VwGt
-----END PGP SIGNATURE-----
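Review bot: the new detached signature is only checked by `%{?gpg_verify: %gpg_verify %{S:1} }` in %prep, i.e. when the gpg_verify macro is defined on the build host, and it can only pass if the signing key is in Source2 (`%{name}.keyring`), which this commit does not touch; confirm the 2.8.96 tarball was signed with a key the keyring already contains. The sha256 in the LFS pointer (`5950255f...`) is what OBS stores for the uploaded blob, not a value published by upstream, so it is no substitute for the signature check.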


@ -1,37 +0,0 @@
to make testing Kshitij's new tools easier, merge his code in
utils/apparmor/__init__.py - that's the only filename conflict (at
least in the 2.8 branch). If we do this, we can ship his new tools
in a testing package that can be installed on top of the 2.8.x packages
without problems
=== modified file 'utils/apparmor/__init__.py'
--- utils/apparmor/__init__.py 2012-05-08 05:37:48 +0000
+++ utils/apparmor/__init__.py 2013-09-12 15:10:50 +0000
@@ -1,9 +1,25 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2011-2012 Canonical Ltd.
+# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
+
+import gettext
+import locale
+
+def init_localisation():
+ locale.setlocale(locale.LC_ALL, '')
+ #If a correct locale has been provided set filename else let an IOError be raised
+ filename = '/usr/share/locale/%s/LC_MESSAGES/apparmor-utils.mo' % locale.getlocale()[0]
+ try:
+ trans = gettext.GNUTranslations(open(filename, 'rb'))
+ except IOError:
+ trans = gettext.NullTranslations()
+ trans.install()
+
+init_localisation()
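Review bot: dropping this patch is fine only if the 2.8.96 utils/apparmor/__init__.py carries equivalent initialisation; the deleted version catches only IOError, so a `locale.Error` raised by `locale.setlocale(locale.LC_ALL, '')` under an unknown LANG would still abort every aa-* tool at import time, and `locale.getlocale()[0]` can be None, producing a `/usr/share/locale/None/...` path. Both are worth checking in the upstream replacement before closing the item, since the module-level `init_localisation()` call runs on every import.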


@ -1,10 +0,0 @@
[Desktop Entry]
Encoding=UTF-8
Name=AppArmor Profile Editor
Comment=Edit AppArmor profiles
Exec=profileeditor %f
Terminal=false
Type=Application
Icon=apparmor-profile-editor
Categories=Utility;TextEditor;
X-KDE-SubstituteUID=true


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:99e35156e4b59d83f418dc348626ea88651e548d9d734c7316d89b500adcce41
size 3754


@ -1,10 +0,0 @@
=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2013-12-23 21:15:47 +0000
+++ profiles/apparmor.d/abstractions/samba 2014-07-04 10:03:10 +0000
@@ -20,3 +20,5 @@
/{,var/}run/samba/ w,
/{,var/}run/samba/*.tdb rw,
+ # required for clustering
+ /var/lib/ctdb/** rwk,
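Review bot: the spec listed this patch as committed to trunk r2556 with a TODO to merge it into the 2.8 branch; since 2.8.96 is trunk r2652 per the commit message, `/var/lib/ctdb/** rwk,` should already be in the tarball's abstractions/samba and the drop is correct. Keep in mind that the rule grants write and lock on the whole CTDB database directory to every profile that includes abstractions/samba, not only to smbd, which matters if the abstraction is reused for smaller helpers.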


@ -17,7 +17,7 @@ Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
===================================================================
--- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -38,6 +38,10 @@
@@ -44,6 +44,10 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage


@ -1,313 +0,0 @@
Index: profiles/apparmor.d/usr.lib.dovecot.deliver
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.deliver.orig 2012-01-06 17:34:44.000000000 +0100
+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,19 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2012 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/deliver {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,20 +21,16 @@
capability setgid,
capability setuid,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
# http://www.postfix.org/SASL_README.html#server_dovecot
/etc/dovecot/dovecot.conf r,
/etc/dovecot/{auth,conf}.d/*.conf r,
- /etc/dovecot/dovecot-postfix.conf r,
+ /etc/dovecot/dovecot-postfix.conf r, # ???
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{HOME} r, # ???
/usr/lib/dovecot/deliver mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.deliver>
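Review bot: the deleted patch still carried `# ???` markers on `/etc/dovecot/dovecot-postfix.conf r, # ???` and `@{HOME} r, # ???`, i.e. rules whose necessity was never settled; if upstream r2549 took them verbatim, the open question moved into the tarball instead of being answered. After the update, check the shipped usr.lib.dovecot.deliver (and the imap and pop3 profiles, which carry the same `@{HOME} r, # ???`) for those markers and either justify the rules or test deliveries without them.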
Index: profiles/apparmor.d/usr.lib.dovecot.dovecot-auth
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth.orig 2011-08-27 03:51:03.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/dovecot-auth {
#include <abstractions/authentication>
#include <abstractions/base>
Index: profiles/apparmor.d/usr.lib.dovecot.imap
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.imap.orig 2011-08-27 01:12:10.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-26 15:48:52.227261272 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/imap {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,18 +20,11 @@
capability setgid,
capability setuid,
- @{HOME} r,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
- @{HOME}/Mail/ rw,
- @{HOME}/Mail/* klrw,
- @{HOME}/Mail/.imap/** klrw,
- @{HOME}/mail/ rw,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/imap mr,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.imap>
Index: profiles/apparmor.d/usr.lib.dovecot.imap-login
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.imap-login.orig 2012-04-05 23:51:17.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-26 15:48:52.228261212 +0100
@@ -1,4 +1,14 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/imap-login {
Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig 2011-07-14 14:57:57.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-26 15:48:52.228261212 +0100
@@ -1,6 +1,19 @@
-# Author: Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# ------------------------------------------------------------------
+#
+# Copyright (c) 2009 Dulmandakh Sukhbaatar <dulmandakh@gmail.com>
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2014 Christian Wittmer
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/managesieve-login {
#include <abstractions/base>
#include <abstractions/ssl_certs>
@@ -11,6 +24,7 @@
capability sys_chroot,
network inet stream,
+ network inet6 stream,
/usr/lib/dovecot/managesieve-login mr,
/{,var/}run/dovecot/login/ r,
Index: profiles/apparmor.d/usr.lib.dovecot.pop3
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.pop3.orig 2011-08-27 01:12:10.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-26 15:48:52.228261212 +0100
@@ -1,6 +1,18 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+#include <tunables/dovecot>
+
/usr/lib/dovecot/pop3 {
#include <abstractions/base>
#include <abstractions/nameservice>
@@ -8,13 +20,10 @@
capability setgid,
capability setuid,
- /var/mail/* klrw,
- /var/spool/mail/* klrw,
- @{HOME} r,
- @{HOME}/mail/* klrw,
- @{HOME}/mail/.imap/** klrw,
- @{HOME}/Maildir/ rw,
- @{HOME}/Maildir/** klrw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwkl,
+
+ @{HOME} r, # ???
/usr/lib/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
Index: profiles/apparmor.d/usr.lib.dovecot.pop3-login
===================================================================
--- profiles/apparmor.d/usr.lib.dovecot.pop3-login.orig 2011-07-14 14:57:57.000000000 +0200
+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-26 15:48:52.228261212 +0100
@@ -1,6 +1,17 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/lib/dovecot/pop3-login {
#include <abstractions/base>
#include <abstractions/nameservice>
Index: profiles/apparmor.d/usr.sbin.dovecot
===================================================================
--- profiles/apparmor.d/usr.sbin.dovecot.orig 2011-10-12 13:05:00.000000000 +0200
+++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 16:09:40.262068251 +0100
@@ -1,37 +1,61 @@
-# Author: Kees Cook <kees@ubuntu.com>
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2009-2013 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
#include <tunables/global>
+
/usr/sbin/dovecot {
#include <abstractions/authentication>
#include <abstractions/base>
+ #include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/ssl_keys>
capability chown,
+ capability dac_override,
+ capability fsetid,
+ capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
- capability fsetid,
/etc/dovecot/** r,
/etc/mtab r,
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/[0-9]*/mounts r,
+ @{PROC}/filesystems r,
+ /usr/bin/doveconf rix,
+ /usr/lib/dovecot/anvil Px,
+ /usr/lib/dovecot/auth Px,
+ /usr/lib/dovecot/config Px,
+ /usr/lib/dovecot/dict Px,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
+ /usr/lib/dovecot/lmtp Px,
+ /usr/lib/dovecot/log Px,
+ /usr/lib/dovecot/managesieve Px,
+ /usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 Px,
/usr/lib/dovecot/pop3-login Pxmr,
- # temporarily commented out while testing
- #/usr/lib/dovecot/managesieve Px,
- /usr/lib/dovecot/managesieve-login Pxmr,
- /usr/lib/dovecot/ssl-build-param ixr,
- /usr/sbin/dovecot mr,
+ /usr/lib/dovecot/ssl-build-param rix,
+ /usr/lib/dovecot/ssl-params Px,
+ /usr/sbin/dovecot mrix,
/var/lib/dovecot/ w,
- /var/lib/dovecot/* krw,
+ /var/lib/dovecot/* rwkl,
+ /var/spool/postfix/private/auth w,
+ /var/spool/postfix/private/dovecot-lmtp w,
/{,var/}run/dovecot/ rw,
/{,var/}run/dovecot/** rw,
link /{,var/}run/dovecot/** -> /var/lib/dovecot/**,
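Review bot: the dropped hunk for usr.sbin.dovecot added `capability dac_override,` and `capability kill,` to the master process and changed `/usr/sbin/dovecot mr,` to `/usr/sbin/dovecot mrix,`; dac_override in particular lets the master bypass file permission checks on everything its file rules already allow. Now that these rules come from the upstream profile the review burden moves there: confirm the 2.8.96 profile carries the same capability set and, if it does, that the reason for each capability is documented in the profile rather than only in this now-deleted patch.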


@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
@@ -51,6 +51,10 @@
@@ -47,6 +47,10 @@
@{HOMEDIRS}/** lrwk,


@ -6,8 +6,8 @@ Subject: AppArmor.pm: Split long string
utils/Immunix/AppArmor.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
--- a/deprecated/utils/Immunix/AppArmor.pm
+++ b/deprecated/utils/Immunix/AppArmor.pm
@@ -6335,7 +6335,12 @@ sub check_qualifiers($) {
if ($cfg->{qualifiers}{$program}) {
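Review bot: the refresh only moves the file headers to `deprecated/utils/Immunix/AppArmor.pm`, but the diffstat line above them (`utils/Immunix/AppArmor.pm | 7 ++++++-`) still names the old path; update it so the patch description matches what it touches. Since this code now lives under deprecated/ and is only built `%if %{with perl}` for YaST, the spec's note that upstream wants a solution without a hardcoded width is unlikely to ever be acted on; decide whether the patch is still worth carrying.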


@ -1,38 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Add Immunix::SubDomain alias
This patch adds an alias so that 'use Immunix::SubDomain;' works with older
code.
Acked-by: Jeff Mahoney <jeffm@suse.com>
Also patch utils/Makefile to actually install SubDomain.pm
The SubDomain compat module is only needed by openSUSE, therefore this patch
will not be upstreamed.
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
---
utils/Immunix/SubDomain.pm | 5 +++++
1 file changed, 5 insertions(+)
--- /dev/null
+++ b/utils/Immunix/SubDomain.pm
@@ -0,0 +1,5 @@
+# Use of Immunix::SubDomain is deprecated.
+# Use Immunix::AppArmor directly instead.
+use Immunix::AppArmor;
+*Immunix::SubDomain:: = *Immunix::AppArmor::;
+1;
--- a/utils/Makefile 2011-05-27 21:08:50.000000000 +0200
+++ b/utils/Makefile 2011-09-10 17:57:55.000000000 +0200
@@ -31,7 +31,7 @@ PERLTOOLS = aa-genprof aa-logprof aa-aut
aa-unconfined aa-notify aa-disable aa-exec
TOOLS = ${PERLTOOLS} aa-decode aa-status
MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \
- ${MODDIR}/Config.pm ${MODDIR}/Severity.pm
+ ${MODDIR}/Config.pm ${MODDIR}/Severity.pm ${MODDIR}/SubDomain.pm
PYTOOLS = aa-easyprof
PYSETUP = python-tools-setup.py
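Review bot: the deleted patch added `${MODDIR}/SubDomain.pm` to the utils/Makefile MODULES list; with the perl modules now built from deprecated/utils that Makefile hunk would no longer apply anyway, so dropping it together with `%patch21` and its `suse_version <= 1210` guard in %prep is the right call. Anything still doing `use Immunix::SubDomain;` on newer releases now fails at compile time, which is the intended outcome but is worth a sentence in the changelog beyond "was only included for <= 12.1".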


@ -1,3 +1,53 @@
-------------------------------------------------------------------
Sat Sep 6 22:08:57 UTC 2014 - opensuse@cboltz.de
- update to AppArmor 2.8.96 (aka 2.9 beta2 aka r2652)
- add unix abstract sockets, ptrace, and signal policy generation
- several bugfixes in the python tools and elsewhere
- move program-chunks/postfix-common to abstractions/
- drop upstreamed patches:
- apparmor-profiles-clustered-samba.diff
- perl-apparmor-fix-bare-network-keyword-handling.diff
- perl-apparmor-handle-bare-capability-keyword.diff
- perl-apparmor-properly-handle-bare-file-keyword.diff
- re-enable installation of perl modules
- move python modules to python3-apparmor package
- create symlinks without aa- prefix only for tools existing in 2.8.x,
but not for new tools added in 2.9
- make utils filelist explicit to ensure we have the right set of files
without aa- prefix in sbindir
- switch easyprof python module location to python3
- drop unused defines APPARMOR_DOC_DIR and JNI_SO
- refresh patches:
- apparmor-utils-string-split (file moved)
- apparmor-profiles-dnsmasq-iface-mtu.patch
- apparmor-2.5.1-edirectory-profile
-------------------------------------------------------------------
Fri Sep 5 12:34:56 UTC 2014 - opensuse@cboltz.de
(prepared Thu Mar 20 23:35:03 UTC 2014 in home project)
- update to AppArmor 2.8.95 (aka 2.9 beta1)
- complete rewrite of the aa-* tools in python
- new tools: aa-cleanprof, aa-mergeprof
- extra profiles moved to /usr/share/apparmor/extra-profiles/ (bnc#713647)
- and much more, but there's no upstream changelog yet
- drop upstreamed patches and files:
- usr.sbin.winbindd
- usr.lib.dovecot.*, tunables-dovecot, apparmor-profiles-dovecot-bnc851984.diff
- apparmor-init.py-gsoc.diff
- apparmor-2.8.2-nm-dnsmasq-config.patch
- add %bcond_with perl and disable the perl subpackage temporarily (the perl
modules will be back in beta2)
- drop the apparmorapplet-gnome, apparmor-dbus and profile-editor subpackages
(they were disabled since a long time, and upstream no longer ships their code)
and the apparmor-profile-editor.desktop and apparmor-profile-editor.png files
- drop apparmor-utils-subdomain-compat patch (was only included for <= 12.1)
- remove libimmunix Provides/Obsoletes (libimmunix was a compat wrapper
and got finally dropped)
- refresh apparmor-samba-include-permissions-for-shares.diff and
apparmor-2.5.1-edirectory-profile
-------------------------------------------------------------------
Thu Sep 4 11:39:40 MDT 2014 - jfehlig@suse.com


@ -23,6 +23,7 @@
%bcond_with tomcat
%bcond_without pam
%bcond_without apache
%bcond_without perl
%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210
# disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch
%bcond_with python
@ -40,13 +41,10 @@
%bcond_without ruby
%endif
%endif
%bcond_with gnome
%bcond_with dbus
%bcond_with editor
%define CATALINA_HOME /usr/share/tomcat6
%define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
%define JNI_SO libJNIChangeHat.so
#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
#define JNI_SO libJNIChangeHat.so
%define JAR_FILE changeHatValve.jar
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
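Review bot: the two `%define` lines became `#define APPARMOR_DOC_DIR ...` and `#define JNI_SO ...` rather than being removed, which contradicts "drop unused defines" in the changelog and leaves dead text to maintain; delete them outright. The dropped gnome/dbus/editor bconds match the subpackages removed further down, so that part is consistent.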
@ -62,7 +60,7 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.8.3
Version: 2.8.96
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
@ -71,27 +69,10 @@ Source0: apparmor-%{version}.tar.gz
Source1: apparmor-%{version}.tar.gz.asc
Source2: %{name}.keyring
Source3: %{name}-profile-editor.png
Source4: %{name}-profile-editor.desktop
Source5: update-trans.sh
Source6: baselibs.conf
Source7: apparmor-rpmlintrc
# profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078)
Source10: usr.sbin.winbindd
# profiles for dovecot 2.x (bnc#851984) - commited upstream trunk r2354, r2355, r2356, updated version commited trunk r2360, r2370
Source20: usr.lib.dovecot.anvil
Source21: usr.lib.dovecot.auth
Source22: usr.lib.dovecot.config
Source23: usr.lib.dovecot.dict
Source24: usr.lib.dovecot.dovecot-lda
Source25: usr.lib.dovecot.lmtp
Source26: usr.lib.dovecot.log
Source27: usr.lib.dovecot.managesieve
Source28: usr.lib.dovecot.ssl-params
Source29: tunables-dovecot
# enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff
@ -101,37 +82,12 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch5: apparmor-utils-string-split
# make apparmor/__init__.py ready for the new tools developed in GSoC. Submitted upstream 2013-09-12
Patch6: apparmor-init.py-gsoc.diff
# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
Patch12: apparmor-2.5.1-edirectory-profile
# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359, [updated patch] r2549)
Patch17: apparmor-profiles-dovecot-bnc851984.diff
# create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7
Patch21: apparmor-utils-subdomain-compat
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch22: ruby-2_0-mkmf-destdir.patch
# dnsmasq - allow to read config created by recent NetworkManager
# commited upstream trunk r2323, 2.8 branch r2110 - updated version commited trunk r2385, 2.8 r2123
Patch23: apparmor-2.8.2-nm-dnsmasq-config.patch
# Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch)
Patch24: apparmor-profiles-clustered-samba.diff
# perl-apparmor: Fix handling of network (or network all) (bnc#889650) (commited upstream trunk r2571, 2.8 r2135)
Patch25: perl-apparmor-fix-bare-network-keyword-handling.diff
# perl-apparmor: Fix handling of capability keyword (bnc#889651) (commited upstream trunk r2572, 2.8 r2136)
Patch26: perl-apparmor-handle-bare-capability-keyword.diff
# perl-apparmor: Properly handle bare file keyword (bnc#889652) (commited upstream trunk r2573, 2.8 r2137)
Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff
# allow dnsmasq to read access to IPv6 config (bnc#892374) (commited upstream trunk r2657, 2.8 branch r2140)
Patch28: apparmor-profiles-dnsmasq-iface-mtu.patch
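Review bot: the drop list checks out against the revisions recorded in the comments: Patch17 (trunk r2549), Patch23 (r2385), Patch24 (r2556) and Patch25-27 (r2571-r2573) are all below the r2652 snapshot the commit message names for 2.8.96, while Patch28 (r2657) is above it and is correctly kept. Patch22 (ruby-2_0-mkmf-destdir.patch) has no upstream status recorded at all; note one so the next update can make the same check mechanically.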
@ -186,27 +142,6 @@ BuildRequires: java-devel >= 1.6.0
BuildRequires: tomcat6
%endif
%if %{with editor}
BuildRequires: gcc-c++
BuildRequires: update-desktop-files
BuildRequires: wxGTK-devel
%endif
%if %{with gnome}
BuildRequires: gnome-common
BuildRequires: pkgconfig(dbus-1)
BuildRequires: pkgconfig(gtk+-2.0)
BuildRequires: pkgconfig(libgnome-2.0)
BuildRequires: pkgconfig(libpanelapplet-2.0)
%endif
%if %{with dbus}
BuildRequires: audit-devel
BuildRequires: libapparmor-devel
BuildRequires: pkg-config
BuildRequires: pkgconfig(dbus-1)
%endif
%package parser
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
@ -275,9 +210,9 @@ Obsoletes: libapparmor-64bit < %{version}
Provides: libapparmor-64bit = %{version}
%endif
Provides: libapparmor = %{version}
Provides: libimmunix = %{version}
#Provides: libimmunix = %{version}
Obsoletes: libapparmor < %{version}
Obsoletes: libimmunix < %{version}
#Obsoletes: libimmunix < %{version}
%description -n libapparmor1
This package provides the libapparmor library, which contains the
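Review bot: rpm expands macros inside comments, so `#Provides: libimmunix = %{version}` and `#Obsoletes: libimmunix < %{version}` are still macro-expanded at parse time (harmless for %{version}, but rpmlint flags it and it bites with multi-line macros). Since the changelog says libimmunix was finally dropped, delete the two lines instead of commenting them out, or write `%%{version}` if they must stay as a reminder.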
@ -295,6 +230,8 @@ Provides: libapparmor:/usr/include/sys/apparmor.h
These libraries are needed for developing software that makes use of the
AppArmor API.
%if %{with perl}
%package -n perl-apparmor
Summary: Perl interface for libapparmor functions
License: GPL-2.0 and LGPL-2.1+
@ -314,6 +251,8 @@ Obsoletes: perl-libapparmor < 2.5
This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor, including the AppArmor utilities.
%endif
%if %{with python}
%package -n python-apparmor
@ -388,8 +327,16 @@ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profi
License: GPL-2.0 and LGPL-2.1+
Group: Productivity/Security
Requires: libapparmor1 = %{version}
# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify)
Requires: perl = %{perl_version}
Requires: perl-apparmor = %{version}
%if %{with python3}
Requires: python3-apparmor = %{version}
Requires: python3-base
%else
Requires: python-apparmor = %{version}
Requires: python-base
%endif
# aa-unconfined needs netstat
Recommends: net-tools
# aa-notify -p needs notify-send
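Review bot: `Requires: perl = %{perl_version}` and `Requires: perl-apparmor = %{version}` stay unconditional while the perl-apparmor package definition is now wrapped in `%if %{with perl}`, so a `--without perl` build produces apparmor-utils with an unsatisfiable dependency; put these two Requires under the same conditional. The comment naming aa-decode, aa-exec and aa-notify as still perl-based is the only justification for a perl dependency on a package whose tools the changelog describes as rewritten in python, so keep it current as those get ported.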
@ -440,44 +387,6 @@ policy.
%endif
%if %{with dbus}
%package dbus
Summary: Audit dispatcher for sending AppArmor events over DBUS
License: GPL-2.0 and LGPL-2.1+
Group: System/Monitoring
%description dbus
An audit dispatcher for sending AppArmor events over the DBUS system
bus.
%endif
%if %{with editor}
%package profile-editor
Summary: AppArmor profile editor
License: GPL-2.0 and LGPL-2.1+
Group: Productivity/Editors/Other
%description profile-editor
A syntax highlighting editor for AppArmor profiles.
%endif
%if %{with gnome}
%package -n apparmorapplet-gnome
Summary: An AppArmor event notification applet for GNOME
License: GPL-2.0 and LGPL-2.1+
Group: System/GUI/GNOME
%description -n apparmorapplet-gnome
This taskbar applet receives AppArmor events over DBUS, and notifies
the user when AppArmor prevents an application from functioning.
%endif
%description
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
@ -487,52 +396,22 @@ SubDomain.
%lang_package -n apparmor-utils
%lang_package -n apparmor-parser
%if %{with gnome}
%lang_package -n apparmorapplet-gnome
%endif
%prep
%{?gpg_verify: %gpg_verify %{S:1} }
%setup -q
%patch1 -p1
%patch2
%patch5 -p1
%patch6
%patch12 -p1
%patch17
# only create Immunix::SubDomain perl module for openSUSE <= 12.1
%if 0%{?suse_version}
%if 0%{?suse_version} <= 1210
%patch21 -p1
%endif
%endif
%patch5 -p1
%patch12
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
%if 0%{?suse_version} > 1230
%patch22 -p1
%endif
# affected NM is shipped since openSUSE >= 13.1
%if 0%{?suse_version} > 1310
%patch23
%endif
%patch24
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
# profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328)
test ! -e profiles/apparmor.d/usr.sbin.winbindd
cp %{SOURCE10} profiles/apparmor.d/
# profiles for dovecot 2.x (bnc#851984)
test ! -e profiles/apparmor.d/tunables/dovecot
cp %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} %{SOURCE28} profiles/apparmor.d/
cp %{SOURCE29} profiles/apparmor.d/tunables/dovecot
%build
echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
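Review bot: `%patch12 -p1` became `%patch12` to match the refreshed edirectory patch, whose headers now carry bare `profiles/apparmor.d/...` paths instead of `a/profiles/...`, while Patch5 keeps `-p1` for its `a/deprecated/utils/...` headers; both agree with the patch files in this commit. The `test ! -e profiles/apparmor.d/usr.sbin.winbindd` and `test ! -e profiles/apparmor.d/tunables/dovecot` guards were the only checks that the copied profiles did not collide with upstream ones; they go away correctly now that the profiles come from the tarball, but the `echo _libdir: ... # test if _libdir breaks it ...` debugging line that follows looks like leftover scaffolding and could go with them.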
@ -550,7 +429,10 @@ export PYTHON=/usr/bin/python3
(
cd ./libraries/libapparmor
sh ./autogen.sh
%configure --with-perl \
%configure \
%if %{with perl}
--with-perl \
%endif
%if %{with python}%{with python3}
--with-python \
%else
@ -570,6 +452,11 @@ export PYTHON=/usr/bin/python3
make -C utils
# make -C utils check
# deprecated/utils (perl modules still needed by YaST)
%if %{with perl}
make -C deprecated/utils
%endif
# parser:
make -C parser V=1
# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
@ -595,17 +482,13 @@ make -C profiles
%if %{with tomcat}
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
%if %{with gnome}
#--with-gnome \
%endif
%if %{with dbus}
#--with-dbus \
%endif
%if %{with editor}
#--with-profileeditor \
%endif
%install
%if %{with python3}
export PYTHON=/usr/bin/python3
%endif
# libapparmor
# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0
%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/
@ -614,7 +497,19 @@ make -C profiles
# utilities
%makeinstall -C utils
test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
%if %{with python3}
# enforce usage of python3
for file in %{buildroot}/%{_sbindir}/aa-* ; do
sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file"
done
%endif
# deprecated/utils (perl modules still needed by YaST)
%if %{with perl}
%makeinstall -C deprecated/utils
%endif
%makeinstall -C profiles
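Review bot: the shebang rewrite `sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,'` only matches the spelling with a space after `#!`; a script shipped as `#!/usr/bin/env python` is silently left pointing at python 2. Make the space optional (`^#! */usr/bin/env python$`) and follow the loop with a check that nothing was missed, e.g. `test -z "$(grep -L python3 %{buildroot}%{_sbindir}/aa-*)"`, which fails the build under the `-e` shell rpm uses. For tools run as root from sbindir, also consider `#! %{_bindir}/python3` instead of `/usr/bin/env python3`, which resolves the interpreter through the caller's PATH at run time. The `test ! -x ... && chmod +x` workaround is fine as a stop-gap and has its upstream bug linked.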
@ -640,33 +535,31 @@ mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
find %{buildroot} -name .packlist -exec rm -f {} \;
find %{buildroot} -name perllocal.pod -exec rm -f {} \;
# Re-create the links to the old names
# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
d=$(dirname $file)
f=$(basename $file)
if [ "${f#aa-}" != "$f" ]; then
ln -s $f $d/${f#aa-}
fi
d=$(dirname $file)
f=$(basename $file)
case "${f#aa-}" in
audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \
audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
if [ "${f#aa-}" != "$f" ]; then
ln -s $f $d/${f#aa-}
fi
;;
esac
done
mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
rm -f %{buildroot}%{_mandir}/man8/decode.8
%if %{with editor}
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
%endif
%if %{with gnome}
%find_lang apparmorapplet-gnome
%endif
for pkg in apparmor-utils apparmor-parser; do
%find_lang $pkg
%find_lang $pkg
done
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la
rm -fv %{buildroot}%{_libdir}/libapparmor.la
echo -------------------------------------------------------------------
#find -ls
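Review bot: inside the symlink loop the inner `if [ "${f#aa-}" != "$f" ]` is always true because the glob is `aa-*`, so it can go. The man page patterns are inconsistent: `notify.8 | status.8` have no trailing `*` while the others are `audit.8*`, `autodep.8*` and so on; this only works because the pages are still uncompressed at this point, which the following `mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}` also assumes. Either write `.8*` everywhere or add a comment that this block must run before brp compresses the man pages. The unquoted `$f` and `$d` in `ln -s $f $d/${f#aa-}` are safe for these fixed names but worth quoting anyway. `echo ---...` and `#find -ls` at the end of %install are debugging residue.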
@ -721,14 +614,11 @@ fi
%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.so.*
%{_libdir}/libimmunix.so.*
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.a
%{_libdir}/libimmunix.a
%{_libdir}/libapparmor.so
%{_libdir}/libimmunix.so
/usr/%{_lib}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
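Review bot: removing `%{_libdir}/libimmunix.so.*` from libapparmor1 (and `libimmunix.a` / `libimmunix.so` from -devel) drops the automatically generated Provides for the libimmunix soname; any in-distribution package still linking against libimmunix will fail to install against the new libapparmor1 until rebuilt, so the changelog should state that libimmunix is gone. `%doc %{_mandir}/man2/change_hat.2.gz` staying alongside `aa_change_hat.2.gz` is fine, the compatibility man page is independent of the removed library.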
@ -738,10 +628,6 @@ fi
%{_includedir}/sys/apparmor.h
%{_includedir}/aalogparse/*
# hrm, still need to enumerate each directory in these paths in files :(
# %define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
# %define profiles_dir %{_sysconfdir}/apparmor.d/
%files profiles
%defattr(644,root,root,755)
%dir %{_sysconfdir}/apparmor.d/
@ -755,13 +641,10 @@ fi
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%dir %{_sysconfdir}/apparmor.d/local
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir %{_sysconfdir}/apparmor.d/program-chunks
%config(noreplace) %{_sysconfdir}/apparmor.d/program-chunks/*
%dir %{_sysconfdir}/apparmor.d/tunables
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
%dir %{_sysconfdir}/apparmor/
%dir %{_sysconfdir}/apparmor/profiles
%config %{_sysconfdir}/apparmor/profiles/extras/
/usr/share/apparmor/extra-profiles/
%files utils
%defattr(-,root,root)
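Review bot: `/usr/share/apparmor/extra-profiles/` replaces `%config %{_sysconfdir}/apparmor/profiles/extras/`, so the extra profiles are no longer config files and anything an admin edited under the old path is not migrated; a changelog line telling admins to copy the profiles they use into /etc/apparmor.d, where `%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*` protects them across upgrades, would avoid surprises. Dropping `%dir %{_sysconfdir}/apparmor.d/program-chunks` and its `%config(noreplace)` entry is consistent with postfix-common moving to abstractions/.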
@ -770,13 +653,21 @@ fi
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
%{_sbindir}/*
%{_sbindir}/aa-*
%{_sbindir}/apparmor_status
%{_sbindir}/audit
%{_sbindir}/autodep
%{_sbindir}/complain
%{_sbindir}/decode
%{_sbindir}/disable
%{_sbindir}/enforce
%{_sbindir}/exec
%{_sbindir}/genprof
%{_sbindir}/logprof
%{_sbindir}/notify
%{_sbindir}/status
%{_sbindir}/unconfined
%{_bindir}/aa-easyprof
# easyprof python modules are installed into py2 directories
#{python3_sitelib}/apparmor-%{version}-py%{py3_ver}.egg-info
#{python3_sitelib}/apparmor/
%{python_sitelib}/apparmor-%{version}-py%{python_version}.egg-info
%{python_sitelib}/apparmor/
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/easyprof/
%dir %{_localstatedir}/log/apparmor
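Review bot: replacing `%{_sbindir}/*` with `%{_sbindir}/aa-*` plus the explicit un-prefixed names is the right way to enforce the "symlinks only for 2.8.x tools" rule, but this list and the `case` in %install now have to be kept in sync by hand (both carry the same twelve names, audit through unconfined, plus `apparmor_status` here); a comment pointing from one to the other would help. `%{_sbindir}/decode` is listed while its man page link `decode.8` is removed in %install, which is presumably intentional. With `%{python_sitelib}/apparmor/` and its egg-info gone from this section, apparmor-utils needs a `Requires:` on the package that now ships `%{python3_sitelib}/apparmor/`; that dependency is not visible in this hunk.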
@ -800,11 +691,13 @@ fi
%files utils-lang -f apparmor-utils.lang
%if %{with perl}
%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorlib}/Immunix
%{perl_vendorarch}/auto/LibAppArmor/
%{perl_vendorarch}/LibAppArmor.pm
%endif
%if %{with python}
@ -815,7 +708,8 @@ fi
%{python_sitearch}/LibAppArmor/_LibAppArmor.so
%{python_sitearch}/LibAppArmor/__init__.py
%{python_sitearch}/LibAppArmor/__init__.pyc
%{python_sitelib}/apparmor/
%{python_sitelib}/apparmor-%{version}-py%{python_version}.egg-info
%endif
%if %{with python3}
@ -828,7 +722,8 @@ fi
%{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so
%{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc
%{python3_sitearch}/LibAppArmor/__init__.py
%{python3_sitelib}/apparmor/
%{python3_sitelib}/apparmor-%{version}-py*.egg-info
%endif
%if %{with ruby}
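Review bot: `%{python3_sitelib}/apparmor-%{version}-py*.egg-info` uses a wildcard where the python 2 entry above spells the version out as `py%{python_version}`; `py%{py3_ver}`, the macro already used in the commented-out line of the utils section, keeps the two consistent and stops the glob from silently picking up an egg-info built for another interpreter version.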
@ -862,38 +757,6 @@ fi
%doc %{_mandir}/man8/mod_apparmor.8.gz
%endif
%if %{with dbus}
%files dbus
%defattr(0750, root, root)
%{_bindir}/apparmor-dbus
%endif
%if %{with editor}
%files profile-editor
%defattr(-, root, root)
%{_datadir}/applications/%{name}-profile-editor.desktop
%{_datadir}/pixmaps/%{name}-profile-editor.png
%{_bindir}/profileeditor
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
%if 0
%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb
%endif
%dir %{_datadir}/doc/profileeditor
%endif
%if %{with gnome}
%files -n apparmorapplet-gnome
%defattr(-, root, root)
%{_libdir}/bonobo/servers/*.server
%{_prefix}/lib/apparmorapplet
%{_datadir}/pixmaps/*
%files -n apparmorapplet-gnome-lang -f apparmorapplet-gnome.lang
%endif
%post parser
%if %{distro} == "suse"
# SUSE uses insserv
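Review bot: dropping `%files dbus`, `%files profile-editor` and `%files -n apparmorapplet-gnome` (plus the -lang subpackage) removes four subpackages; if any released version ever shipped them, the spec needs matching `Obsoletes:` entries (not visible here) so that upgrades remove the old binaries, including `/usr/bin/apparmor-dbus` with its `%defattr(0750, root, root)` bits. The `%if 0` block around `%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb` was already dead code, so nothing is lost there. The `%if %{with gnome}` guard around `%lang_package -n apparmorapplet-gnome` in the first hunk is removed in the same change, which keeps the spec consistent.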

View File

@ -1,34 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: perl-apparmor: Fix bare 'network' keyword handling
References: bnc#889650
The 'network' bare keyword was being printed as "audit network all" due to
two different bugs:
1) {audit}{all} was always being set to 1, regardless of whether the audit
keyword was used
2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
With these fixed, 'network' is properly handled.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -5353,7 +5368,7 @@
$profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
} else {
$profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1;
- $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1;
+ $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit;
}
} elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) {
# just ignore and drop old style network
@@ -5708,7 +5729,7 @@
# dump out the netdomain entries...
if (exists $profile_data->{$allow}{netdomain}) {
if ( $profile_data->{$allow}{netdomain}{rule} &&
- $profile_data->{$allow}{netdomain}{rule} eq 'all') {
+ $profile_data->{$allow}{netdomain}{rule}{all}) {
$audit = "audit " if $profile_data->{$allow}{netdomain}{audit}{all};
push @data, "${pre}${audit}network,";
} else {
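Review bot: the hunk headers `@@ -5353,7 +5368,7 @@` and `@@ -5708,7 +5729,7 @@` carry a +15 and +21 line offset, so this patch was generated on top of an already-patched AppArmor.pm and only applies cleanly after the other perl-apparmor patches in the series; harmless now that it is dropped as upstreamed, but a patch that depends on ordering should say so in its header. The fix itself is right: `{audit}{all}` now follows `$audit` instead of being forced to 1, and the dump side tests the `{rule}{all}` key the parser actually sets rather than comparing the hash ref to the string 'all'.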

View File

@ -1,43 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: perl-apparmor: Handle bare 'capability' keyword
References: bnc#889651
Specifying 'capability' implies all capabilities, but the perl code didn't
recognize it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -5151,7 +5151,7 @@
$initial_comment = "";
- } elsif (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry
+ } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) { # capability entry
if (not $profile) {
die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
}
@@ -5159,7 +5159,7 @@
my $audit = $1 ? 1 : 0;
my $allow = $2 ? 'deny' : 'allow';
$allow = 'deny' if ($2);
- my $capability = $3;
+ my $capability = $3 ? $3 : 'all';
$profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1;
$profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = $audit;
} elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry
@@ -5675,7 +5690,13 @@
my @data;
if (exists $profile_data->{$allow}{capability}) {
- for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
+ my $audit;
+ if (exists $profile_data->{$allow}{capability}{all}) {
+ $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? 'audit ' : '';
+ push @data, "${pre}${audit}${allowstr}capability,";
+ }
+ for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
+ next if ($cap eq "all");
my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? 'audit ' : '';
if ($profile_data->{$allow}{capability}{$cap}{set}) {
push @data, "${pre}${audit}${allowstr}capability ${cap},";
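Review bot: `my $capability = $3 ? $3 : 'all';` reads the wrong capture group. After the regex change to `capability(\s+(\S+))?`, `$3` is the whole optional group including its leading whitespace (" setuid"), and only `$4` is the capability name; the profile hash ends up keyed on " setuid" and the writer emits `capability  setuid,` with a doubled space. It should be `my $capability = $4 ? $4 : 'all';`. The dump side is fine: the bare `capability,` line is emitted once from the `all` entry and `next if ($cap eq "all");` keeps it out of the per-capability loop. Since this file is dropped as upstreamed, confirm the upstream copy of the Immunix module does not carry the same slip.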

View File

@ -1,73 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: perl-apparmor: Properly handle bare 'file' keyword
References: bnc#889652
The bare file keyword is a shortcut for /{**,}. There are also implied
permissions that go with it.
This patch accepts the file keyword as well as allowing for missing mode
specifiers.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Immunix/AppArmor.pm | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -5252,7 +5252,7 @@
} elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
} elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
} elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
- } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry
+ } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry
if (not $profile) {
die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
}
@@ -5260,7 +5260,19 @@
my $audit = $1 ? 1 : 0;
my $allow = $2 ? 'deny' : 'allow';
my $user = $3 ? 1 : 0;
- my ($path, $mode, $nt_name) = ($4, $5, $7);
+ my ($path, $mode, $nt_name) = ($5, $6, $8);
+ my $file_keyword = 0;
+ my $use_mode = 1;
+
+ if ($4 eq "file") {
+ $path = "/{**,}";
+ $file_keyword = 1;
+ if (!$mode) {
+ # what the parser uses, but we don't care
+ $mode = "rwixlka";
+ $use_mode = 0;
+ }
+ }
# strip off any trailing spaces.
$path =~ s/\s+$//;
@@ -5281,6 +5293,9 @@
fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
}
+ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
+ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
+
my $tmpmode;
if ($user) {
$tmpmode = str_to_mode("${mode}::");
@@ -5838,7 +5859,13 @@
}
$tmpmode &= ~$tmpaudit;
}
- if ($tmpmode) {
+ my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
+ my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
+ if ($kw) {
+ my $modestr = "";
+ $modestr = " " . mode_to_str($tmpmode) if $use_mode;
+ push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
+ } elsif ($tmpmode) {
my $modestr = mode_to_str($tmpmode);
if ($path =~ /\s/) {
push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";
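Review bot: the new alternation `(file|([\"\@\/].*?)\s+(\S+))` only matches the bare `file,` form. For `file rw,` the first branch consumes `file` and then `\s*,` fails on ` rw,`, and the second branch needs a leading `"`, `@` or `/`, so the line falls through, although the description promises the keyword together with "missing mode specifiers". As a result `$mode` (`$6`) is always undefined when `$4 eq "file"`, `$use_mode` is never observed as 1, and the `file${modestr}` output branch is dead; a group of the shape `file(\s+(\S+))?`, as the capability patch uses, would cover both forms. Mapping the keyword onto the path key `/{**,}` also means a profile containing both `file,` and an explicit `/{**,} rw,` rule shares one hash entry, so the second rule's `file_keyword` flag leaks onto the first.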

View File

@ -1,20 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:ft=apparmor
# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
# where dovecot is allowed to store and read mails
#
# The default value is quite broad to avoid breaking existing setups.
# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
# you use, and remove everything else.
@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
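Review bot: the default `@{DOVECOT_MAILSTORE}` deliberately covers six locations, including every user's `@{HOME}/Maildir/`, `@{HOME}/mail/` and `@{HOME}/Mail/`, and the comment asks admins to trim it; since the spec ships `%{_sysconfdir}/apparmor.d/tunables/*` as `%config(noreplace)`, a trimmed list survives the switch to the upstream copy of this file on upgrade, which is worth a line in the changelog so nobody re-widens it by hand.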

View File

@ -1,25 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/anvil {
#include <abstractions/base>
capability setgid,
capability setuid,
capability sys_chroot,
/usr/lib/dovecot/anvil mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.anvil>
}

View File

@ -1,43 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
# Copyright (C) 2014 Christian Wittmer
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/auth {
#include <abstractions/authentication>
#include <abstractions/base>
#include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
deny capability block_suspend,
capability audit_write,
capability setgid,
capability setuid,
/etc/my.cnf r,
/etc/my.cnf.d/ r,
/etc/my.cnf.d/*.cnf r,
/etc/dovecot/* r,
/usr/lib/dovecot/auth mr,
# kerberos replay cache
/var/tmp/imap_* rw,
/var/tmp/pop_* rw,
/var/tmp/sieve_* rw,
/var/tmp/smtp_* rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.auth>
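Review bot: `/etc/dovecot/* r` is non-recursive while the sibling config, dovecot-lda and managesieve profiles use `/etc/dovecot/** r`; if auth only ever reads top-level files (passdb/userdb files referenced from the config) the narrower rule is the better one and deserves a comment saying so, otherwise it is a latent denial for sites that keep their passwd-file under a subdirectory. `deny capability block_suspend,` is the usual noise suppressor and is consistent across the set.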
}

View File

@ -1,32 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/config {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/ssl_keys>
deny capability block_suspend,
capability dac_override,
capability setgid,
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/config mr,
/usr/lib/dovecot/managesieve Px,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.config>
}

View File

@ -1,30 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/dict {
#include <abstractions/base>
#include <abstractions/mysql>
#include <abstractions/nameservice>
capability setgid,
capability setuid,
network inet stream,
/etc/dovecot/dovecot-database.conf.ext r,
/etc/dovecot/dovecot-dict-sql.conf.ext r,
/usr/lib/dovecot/dict mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.dict>
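Review bot: `network inet stream,` without a matching `network inet6 stream,` limits the dict proxy to IPv4 for its SQL backend, while the managesieve profile in this same set grants both families; if the asymmetry is intentional (local socket or IPv4-only database) a comment would save the next reader a denial hunt, otherwise add the inet6 rule.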
}

View File

@ -1,33 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
#include <tunables/dovecot>
/usr/lib/dovecot/dovecot-lda {
#include <abstractions/base>
#include <abstractions/nameservice>
capability setgid,
capability setuid,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/etc/dovecot/** r,
/proc/*/mounts r,
/{var/,}run/dovecot/mounts r,
/usr/bin/doveconf mrix,
/usr/lib/dovecot/dovecot-lda mrix,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.dovecot-lda>
}

View File

@ -1,35 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
#include <tunables/dovecot>
/usr/lib/dovecot/lmtp {
#include <abstractions/base>
#include <abstractions/nameservice>
deny capability block_suspend,
capability dac_override,
capability setgid,
capability setuid,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/proc/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
/{var/,}run/dovecot/mounts r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.lmtp>
}

View File

@ -1,25 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/log {
#include <abstractions/base>
deny capability block_suspend,
capability setgid,
/usr/lib/dovecot/log mr,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.log>
}

View File

@ -1,34 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
# Copyright (C) 2014 Christian Wittmer
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
#include <tunables/dovecot>
/usr/lib/dovecot/managesieve {
#include <abstractions/base>
capability setgid,
capability setuid,
network inet stream,
network inet6 stream,
@{DOVECOT_MAILSTORE}/ rw,
@{DOVECOT_MAILSTORE}/** rwkl,
/etc/dovecot/** r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/managesieve mrix,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.managesieve>
}

View File

@ -1,27 +0,0 @@
# ------------------------------------------------------------------
#
# Copyright (C) 2013 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor
#include <tunables/global>
/usr/lib/dovecot/ssl-params {
#include <abstractions/base>
deny capability block_suspend,
capability setgid,
/usr/lib/dovecot/ssl-params mr,
/var/lib/dovecot/ssl-parameters.dat rw,
/var/lib/dovecot/ssl-parameters.dat.tmp rwk,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.ssl-params>
}

View File

@ -1,48 +0,0 @@
#include <tunables/global>
/usr/sbin/winbindd {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/samba>
deny capability block_suspend,
capability ipc_lock,
capability setuid,
/etc/samba/dhcp.conf r,
/etc/samba/passdb.tdb{,.tmp} rwk,
/etc/samba/secrets.tdb rwk,
/proc/sys/kernel/core_pattern r,
/tmp/.winbindd/ w,
/tmp/krb5cc_* rwk,
/usr/lib*/samba/idmap/*.so mr,
/usr/lib*/samba/nss_info/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
/usr/sbin/winbindd mr,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/krb5rcache/* rw,
/var/cache/samba/*.tdb rwk,
/var/cache/samba/netsamlogon_cache.tdb rw,
/var/lib/samba/smb_krb5/krb5.conf.* rw,
/var/lib/samba/smb_tmp_krb5.* rw,
/var/lib/samba/**.tdb rwk,
/var/lib/samba/winbindd_cache.tdb* rwk,
/var/lib/samba/winbindd_privileged/pipe w,
/var/log/samba/cores/ rw,
/var/log/samba/cores/winbindd/ rw,
/var/log/samba/cores/winbindd/** rw,
/var/log/samba/log.wb-* w,
/var/log/samba/log.winbindd rw,
/var/log/samba/log.winbindd-idmap w,
/var/log/samba/log.winbindd-dc-connect a,
/{var/,}run/samba/winbindd.pid rwk,
/{var/,}run/samba/winbindd/ rw,
/{var/,}run/samba/winbindd/pipe w,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.winbindd>
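Review bot: `/var/cache/samba/netsamlogon_cache.tdb rw,` is fully covered by the preceding `/var/cache/samba/*.tdb rwk,` and can go. The `/tmp/krb5cc_* rwk,` and `/var/cache/krb5rcache/* rw,` rules are the broadest entries here, since the glob reaches every Kerberos credential cache in /tmp and not only the ones winbindd creates; if upstream narrowed them in the r2328 update the `%prep` comment referred to, the deletion is an improvement, otherwise that is the first thing to check in the upstream copy. Otherwise the profile is the one already committed upstream, so dropping the local copy is consistent.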
}