diff --git a/apparmor-2.5.1-edirectory-profile b/apparmor-2.5.1-edirectory-profile index 787c434..a85f3b8 100644 --- a/apparmor-2.5.1-edirectory-profile +++ b/apparmor-2.5.1-edirectory-profile @@ -15,9 +15,11 @@ Signed-off-by: Jeff Mahoney profiles/apparmor.d/abstractions/novell-edirectory | 13 +++++++++++++ 2 files changed, 16 insertions(+) ---- a/profiles/apparmor.d/abstractions/nameservice -+++ b/profiles/apparmor.d/abstractions/nameservice -@@ -70,6 +70,9 @@ +Index: profiles/apparmor.d/abstractions/nameservice +=================================================================== +--- profiles/apparmor.d/abstractions/nameservice.orig 2014-09-03 21:21:31.000000000 +0200 ++++ profiles/apparmor.d/abstractions/nameservice 2014-09-07 17:53:18.412834868 +0200 +@@ -81,6 +81,9 @@ # kerberos #include @@ -27,8 +29,10 @@ Signed-off-by: Jeff Mahoney # TCP/UDP network access network inet stream, network inet6 stream, ---- /dev/null -+++ b/profiles/apparmor.d/abstractions/novell-edirectory +Index: profiles/apparmor.d/abstractions/novell-edirectory +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ profiles/apparmor.d/abstractions/novell-edirectory 2014-09-07 17:53:18.412834868 +0200 @@ -0,0 +1,13 @@ +# $Id$ +# ------------------------------------------------------------------ diff --git a/apparmor-2.8.2-nm-dnsmasq-config.patch b/apparmor-2.8.2-nm-dnsmasq-config.patch deleted file mode 100644 index 5437cbf..0000000 --- a/apparmor-2.8.2-nm-dnsmasq-config.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Index: profiles/apparmor.d/usr.sbin.dnsmasq -=================================================================== ---- profiles/apparmor.d/usr.sbin.dnsmasq.orig -+++ profiles/apparmor.d/usr.sbin.dnsmasq -@@ -55,6 +55,11 @@ - /{,var/}run/nm-dns-dnsmasq.conf r, - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w, - /{,var/}run/NetworkManager/dnsmasq.conf r, -+ # new dnsmasq config path (as of 2012-11-05) -+ /{,var/}run/NetworkManager/dnsmasq.pid w, -+ # dnsmasq supplemental config directory -+ /etc/NetworkManager/dnsmasq.d/ r, -+ /etc/NetworkManager/dnsmasq.d/* r, - - # Site-specific additions and overrides. See local/README for details. - #include diff --git a/apparmor-2.8.3.tar.gz b/apparmor-2.8.3.tar.gz deleted file mode 100644 index 5b253a6..0000000 --- a/apparmor-2.8.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:84c2ca7fb6d170e5bb56270f01c9b78e78a991b9eee7fa53a9e6409ef0845c7e -size 1534245 diff --git a/apparmor-2.8.3.tar.gz.asc b/apparmor-2.8.3.tar.gz.asc deleted file mode 100644 index 2422c91..0000000 --- a/apparmor-2.8.3.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.14 (GNU/Linux) - -iEYEABECAAYFAlMBmasACgkQgTeYuayTEnEGUgCffqcl+7dchiLlbXj75UnVwayv -qcwAnjsArLD0+9UwU4f/VKgWTo1pJSMo -=SGfh ------END PGP SIGNATURE----- diff --git a/apparmor-2.8.96.tar.gz b/apparmor-2.8.96.tar.gz new file mode 100644 index 0000000..a3f0a32 --- /dev/null +++ b/apparmor-2.8.96.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5950255fc0a6989a5123a46ec58ba0a7ef03eb0d28731e38aae55d0cd10ed0a1 +size 2332645 diff --git a/apparmor-2.8.96.tar.gz.asc b/apparmor-2.8.96.tar.gz.asc new file mode 100644 index 0000000..6d7bc28 --- /dev/null +++ b/apparmor-2.8.96.tar.gz.asc 
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlQI2pMACgkQgTeYuayTEnEALACgtB68bFa+u0F1KBSarph9lfB7 +0V8AnRVmXpaq+dzhKmcspVoR+bzYn4GM +=VwGt +-----END PGP SIGNATURE----- diff --git a/apparmor-init.py-gsoc.diff b/apparmor-init.py-gsoc.diff deleted file mode 100644 index 44ea4e9..0000000 --- a/apparmor-init.py-gsoc.diff +++ /dev/null @@ -1,37 +0,0 @@ -to make testing Kshitij's new tools easier, merge his code in -utils/apparmor/__init__.py - that's the only filename conflict (at -least in the 2.8 branch). If we do this, we can ship his new tools -in a testing package that can be installed on top of the 2.8.x packages -without problems - - -=== modified file 'utils/apparmor/__init__.py' ---- utils/apparmor/__init__.py 2012-05-08 05:37:48 +0000 -+++ utils/apparmor/__init__.py 2013-09-12 15:10:50 +0000 -@@ -1,9 +1,25 @@ - # ------------------------------------------------------------------ - # - # Copyright (C) 2011-2012 Canonical Ltd. -+# Copyright (C) 2013 Kshitij Gupta - # - # This program is free software; you can redistribute it and/or - # modify it under the terms of version 2 of the GNU General Public - # License published by the Free Software Foundation. - # - # ------------------------------------------------------------------ -+ -+import gettext -+import locale -+ -+def init_localisation(): -+ locale.setlocale(locale.LC_ALL, '') -+ #If a correct locale has been provided set filename else let an IOError be raised -+ filename = '/usr/share/locale/%s/LC_MESSAGES/apparmor-utils.mo' % locale.getlocale()[0] -+ try: -+ trans = gettext.GNUTranslations(open(filename, 'rb')) -+ except IOError: -+ trans = gettext.NullTranslations() -+ trans.install() -+ -+init_localisation() - diff --git a/apparmor-profile-editor.desktop b/apparmor-profile-editor.desktop deleted file mode 100644 index 4d03fe1..0000000 --- a/apparmor-profile-editor.desktop +++ /dev/null 
@@ -1,10 +0,0 @@ -[Desktop Entry] -Encoding=UTF-8 -Name=AppArmor Profile Editor -Comment=Edit AppArmor profiles -Exec=profileeditor %f -Terminal=false -Type=Application -Icon=apparmor-profile-editor -Categories=Utility;TextEditor; -X-KDE-SubstituteUID=true diff --git a/apparmor-profile-editor.png b/apparmor-profile-editor.png deleted file mode 100644 index 8edd2e6..0000000 --- a/apparmor-profile-editor.png +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:99e35156e4b59d83f418dc348626ea88651e548d9d734c7316d89b500adcce41 -size 3754 diff --git a/apparmor-profiles-clustered-samba.diff b/apparmor-profiles-clustered-samba.diff deleted file mode 100644 index 8cfff88..0000000 --- a/apparmor-profiles-clustered-samba.diff +++ /dev/null @@ -1,10 +0,0 @@ -=== modified file 'profiles/apparmor.d/abstractions/samba' ---- profiles/apparmor.d/abstractions/samba 2013-12-23 21:15:47 +0000 -+++ profiles/apparmor.d/abstractions/samba 2014-07-04 10:03:10 +0000 -@@ -20,3 +20,5 @@ - /{,var/}run/samba/ w, - /{,var/}run/samba/*.tdb rw, - -+ # required for clustering -+ /var/lib/ctdb/** rwk, - diff --git a/apparmor-profiles-dnsmasq-iface-mtu.patch b/apparmor-profiles-dnsmasq-iface-mtu.patch index 14797aa..183472f 100644 --- a/apparmor-profiles-dnsmasq-iface-mtu.patch +++ b/apparmor-profiles-dnsmasq-iface-mtu.patch @@ -17,7 +17,7 @@ Index: apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq =================================================================== --- apparmor-2.8.3.orig/profiles/apparmor.d/usr.sbin.dnsmasq +++ apparmor-2.8.3/profiles/apparmor.d/usr.sbin.dnsmasq -@@ -38,6 +38,10 @@ +@@ -44,6 +44,10 @@ /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage diff --git a/apparmor-profiles-dovecot-bnc851984.diff b/apparmor-profiles-dovecot-bnc851984.diff deleted file mode 100644 index 8fdfd71..0000000 --- a/apparmor-profiles-dovecot-bnc851984.diff +++ /dev/null 
@@ -1,313 +0,0 @@ -Index: profiles/apparmor.d/usr.lib.dovecot.deliver -=================================================================== ---- profiles/apparmor.d/usr.lib.dovecot.deliver.orig 2012-01-06 17:34:44.000000000 +0100 -+++ profiles/apparmor.d/usr.lib.dovecot.deliver 2014-01-26 15:48:52.227261272 +0100 -@@ -1,6 +1,19 @@ --# Author: Dulmandakh Sukhbaatar -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2009 Dulmandakh Sukhbaatar -+# Copyright (C) 2009-2012 Canonical Ltd. -+# Copyright (C) 2011-2013 Christian Boltz -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include -+#include -+ - /usr/lib/dovecot/deliver { - #include - #include -@@ -8,20 +21,16 @@ - capability setgid, - capability setuid, - -+ @{DOVECOT_MAILSTORE}/ rw, -+ @{DOVECOT_MAILSTORE}/** rwkl, -+ - # http://www.postfix.org/SASL_README.html#server_dovecot - /etc/dovecot/dovecot.conf r, - /etc/dovecot/{auth,conf}.d/*.conf r, -- /etc/dovecot/dovecot-postfix.conf r, -+ /etc/dovecot/dovecot-postfix.conf r, # ??? - -- @{HOME} r, -- @{HOME}/Maildir/ rw, -- @{HOME}/Maildir/** klrw, -- @{HOME}/mail/ rw, -- @{HOME}/mail/* klrw, -- @{HOME}/mail/.imap/** klrw, -+ @{HOME} r, # ??? - /usr/lib/dovecot/deliver mr, -- /var/mail/* klrw, -- /var/spool/mail/* klrw, - - # Site-specific additions and overrides. See local/README for details. 
- #include -Index: profiles/apparmor.d/usr.lib.dovecot.dovecot-auth -=================================================================== ---- profiles/apparmor.d/usr.lib.dovecot.dovecot-auth.orig 2011-08-27 03:51:03.000000000 +0200 -+++ profiles/apparmor.d/usr.lib.dovecot.dovecot-auth 2014-01-26 15:48:52.227261272 +0100 -@@ -1,6 +1,17 @@ --# Author: Kees Cook -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2009-2013 Canonical Ltd. -+# Copyright (C) 2013 Christian Boltz -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include -+ - /usr/lib/dovecot/dovecot-auth { - #include - #include -Index: profiles/apparmor.d/usr.lib.dovecot.imap -=================================================================== ---- profiles/apparmor.d/usr.lib.dovecot.imap.orig 2011-08-27 01:12:10.000000000 +0200 -+++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-01-26 15:48:52.227261272 +0100 -@@ -1,6 +1,18 @@ --# Author: Kees Cook -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2009-2010 Canonical Ltd. -+# Copyright (C) 2011-2013 Christian Boltz -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. 
-+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include -+#include -+ - /usr/lib/dovecot/imap { - #include - #include -@@ -8,18 +20,11 @@ - capability setgid, - capability setuid, - -- @{HOME} r, -- @{HOME}/Maildir/ rw, -- @{HOME}/Maildir/** klrw, -- @{HOME}/Mail/ rw, -- @{HOME}/Mail/* klrw, -- @{HOME}/Mail/.imap/** klrw, -- @{HOME}/mail/ rw, -- @{HOME}/mail/* klrw, -- @{HOME}/mail/.imap/** klrw, -+ @{DOVECOT_MAILSTORE}/ rw, -+ @{DOVECOT_MAILSTORE}/** rwkl, -+ -+ @{HOME} r, # ??? - /usr/lib/dovecot/imap mr, -- /var/mail/* klrw, -- /var/spool/mail/* klrw, - - # Site-specific additions and overrides. See local/README for details. - #include -Index: profiles/apparmor.d/usr.lib.dovecot.imap-login -=================================================================== ---- profiles/apparmor.d/usr.lib.dovecot.imap-login.orig 2012-04-05 23:51:17.000000000 +0200 -+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-01-26 15:48:52.228261212 +0100 -@@ -1,4 +1,14 @@ --# Author: Kees Cook -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2009-2011 Canonical Ltd. -+# Copyright (C) 2013 Christian Boltz -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. 
-+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include - /usr/lib/dovecot/imap-login { -Index: profiles/apparmor.d/usr.lib.dovecot.managesieve-login -=================================================================== ---- profiles/apparmor.d/usr.lib.dovecot.managesieve-login.orig 2011-07-14 14:57:57.000000000 +0200 -+++ profiles/apparmor.d/usr.lib.dovecot.managesieve-login 2014-01-26 15:48:52.228261212 +0100 -@@ -1,6 +1,19 @@ --# Author: Dulmandakh Sukhbaatar -+# ------------------------------------------------------------------ -+# -+# Copyright (c) 2009 Dulmandakh Sukhbaatar -+# Copyright (C) 2009-2011 Canonical Ltd. -+# Copyright (C) 2013 Christian Boltz -+# Copyright (C) 2014 Christian Wittmer -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include -+ - /usr/lib/dovecot/managesieve-login { - #include - #include -@@ -11,6 +24,7 @@ - capability sys_chroot, - - network inet stream, -+ network inet6 stream, - - /usr/lib/dovecot/managesieve-login mr, - /{,var/}run/dovecot/login/ r, -Index: profiles/apparmor.d/usr.lib.dovecot.pop3 -=================================================================== ---- profiles/apparmor.d/usr.lib.dovecot.pop3.orig 2011-08-27 01:12:10.000000000 +0200 -+++ profiles/apparmor.d/usr.lib.dovecot.pop3 2014-01-26 15:48:52.228261212 +0100 -@@ -1,6 +1,18 @@ --# Author: Kees Cook -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2009-2010 Canonical Ltd. -+# Copyright (C) 2011-2013 Christian Boltz -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. 
-+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include -+#include -+ - /usr/lib/dovecot/pop3 { - #include - #include -@@ -8,13 +20,10 @@ - capability setgid, - capability setuid, - -- /var/mail/* klrw, -- /var/spool/mail/* klrw, -- @{HOME} r, -- @{HOME}/mail/* klrw, -- @{HOME}/mail/.imap/** klrw, -- @{HOME}/Maildir/ rw, -- @{HOME}/Maildir/** klrw, -+ @{DOVECOT_MAILSTORE}/ rw, -+ @{DOVECOT_MAILSTORE}/** rwkl, -+ -+ @{HOME} r, # ??? - /usr/lib/dovecot/pop3 mr, - - # Site-specific additions and overrides. See local/README for details. -Index: profiles/apparmor.d/usr.lib.dovecot.pop3-login -=================================================================== ---- profiles/apparmor.d/usr.lib.dovecot.pop3-login.orig 2011-07-14 14:57:57.000000000 +0200 -+++ profiles/apparmor.d/usr.lib.dovecot.pop3-login 2014-01-26 15:48:52.228261212 +0100 -@@ -1,6 +1,17 @@ --# Author: Kees Cook -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2009-2011 Canonical Ltd. -+# Copyright (C) 2013 Christian Boltz -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include -+ - /usr/lib/dovecot/pop3-login { - #include - #include -Index: profiles/apparmor.d/usr.sbin.dovecot -=================================================================== ---- profiles/apparmor.d/usr.sbin.dovecot.orig 2011-10-12 13:05:00.000000000 +0200 -+++ profiles/apparmor.d/usr.sbin.dovecot 2014-01-26 16:09:40.262068251 +0100 -@@ -1,37 +1,61 @@ --# Author: Kees Cook -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2009-2013 Canonical Ltd. 
-+# Copyright (C) 2011-2013 Christian Boltz -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+# vim: ft=apparmor - - #include -+ - /usr/sbin/dovecot { - #include - #include -+ #include - #include - #include - #include - - capability chown, -+ capability dac_override, -+ capability fsetid, -+ capability kill, - capability net_bind_service, - capability setgid, - capability setuid, - capability sys_chroot, -- capability fsetid, - - /etc/dovecot/** r, - /etc/mtab r, - /etc/lsb-release r, - /etc/SuSE-release r, - @{PROC}/[0-9]*/mounts r, -+ @{PROC}/filesystems r, -+ /usr/bin/doveconf rix, -+ /usr/lib/dovecot/anvil Px, -+ /usr/lib/dovecot/auth Px, -+ /usr/lib/dovecot/config Px, -+ /usr/lib/dovecot/dict Px, - /usr/lib/dovecot/dovecot-auth Pxmr, - /usr/lib/dovecot/imap Pxmr, - /usr/lib/dovecot/imap-login Pxmr, -+ /usr/lib/dovecot/lmtp Px, -+ /usr/lib/dovecot/log Px, -+ /usr/lib/dovecot/managesieve Px, -+ /usr/lib/dovecot/managesieve-login Pxmr, - /usr/lib/dovecot/pop3 Px, - /usr/lib/dovecot/pop3-login Pxmr, -- # temporarily commented out while testing -- #/usr/lib/dovecot/managesieve Px, -- /usr/lib/dovecot/managesieve-login Pxmr, -- /usr/lib/dovecot/ssl-build-param ixr, -- /usr/sbin/dovecot mr, -+ /usr/lib/dovecot/ssl-build-param rix, -+ /usr/lib/dovecot/ssl-params Px, -+ /usr/sbin/dovecot mrix, - /var/lib/dovecot/ w, -- /var/lib/dovecot/* krw, -+ /var/lib/dovecot/* rwkl, -+ /var/spool/postfix/private/auth w, -+ /var/spool/postfix/private/dovecot-lmtp w, - /{,var/}run/dovecot/ rw, - /{,var/}run/dovecot/** rw, - link /{,var/}run/dovecot/** -> /var/lib/dovecot/**, diff --git a/apparmor-samba-include-permissions-for-shares.diff b/apparmor-samba-include-permissions-for-shares.diff index e9820c1..ba34685 100644 
--- a/apparmor-samba-include-permissions-for-shares.diff +++ b/apparmor-samba-include-permissions-for-shares.diff @@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -51,6 +51,10 @@ +@@ -47,6 +47,10 @@ @{HOMEDIRS}/** lrwk, diff --git a/apparmor-utils-string-split b/apparmor-utils-string-split index d29f3fb..7d39919 100644 --- a/apparmor-utils-string-split +++ b/apparmor-utils-string-split @@ -6,8 +6,8 @@ Subject: AppArmor.pm: Split long string utils/Immunix/AppArmor.pm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) ---- a/utils/Immunix/AppArmor.pm -+++ b/utils/Immunix/AppArmor.pm +--- a/deprecated/utils/Immunix/AppArmor.pm ++++ b/deprecated/utils/Immunix/AppArmor.pm @@ -6335,7 +6335,12 @@ sub check_qualifiers($) { if ($cfg->{qualifiers}{$program}) { diff --git a/apparmor-utils-subdomain-compat b/apparmor-utils-subdomain-compat deleted file mode 100644 index 6dce1b6..0000000 --- a/apparmor-utils-subdomain-compat +++ /dev/null 
@@ -1,38 +0,0 @@ -From: Jeff Mahoney -Subject: apparmor-utils: Add Immunix::SubDomain alias - - This patch adds an alias so that 'use Immunix::SubDomain;' works with older - code. - -Acked-by: Jeff Mahoney - -Also patch utils/Makefile to actually install SubDomain.pm - -The SubDomain compat module is only needed by openSUSE, therefore this patch -will not be upstreamed. - -Signed-off-by: Christian Boltz ---- - - utils/Immunix/SubDomain.pm | 5 +++++ - 1 file changed, 5 insertions(+) - ---- /dev/null -+++ b/utils/Immunix/SubDomain.pm -@@ -0,0 +1,5 @@ -+# Use of Immunix::SubDomain is deprecated. -+# Use Immunix::AppArmor directly instead. -+use Immunix::AppArmor; -+*Immunix::SubDomain:: = *Immunix::AppArmor::; -+1; ---- a/utils/Makefile 2011-05-27 21:08:50.000000000 +0200 -+++ b/utils/Makefile 2011-09-10 17:57:55.000000000 +0200 -@@ -31,7 +31,7 @@ PERLTOOLS = aa-genprof aa-logprof aa-aut - aa-unconfined aa-notify aa-disable aa-exec - TOOLS = ${PERLTOOLS} aa-decode aa-status - MODULES = ${MODDIR}/AppArmor.pm ${MODDIR}/Repository.pm \ -- ${MODDIR}/Config.pm ${MODDIR}/Severity.pm -+ ${MODDIR}/Config.pm ${MODDIR}/Severity.pm ${MODDIR}/SubDomain.pm - PYTOOLS = aa-easyprof - PYSETUP = python-tools-setup.py - diff --git a/apparmor.changes b/apparmor.changes index 3e79469..e904190 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Sat Sep 6 22:08:57 UTC 2014 - opensuse@cboltz.de
+
+- update to AppArmor 2.8.96 (aka 2.9 beta2 aka r2652)
+ - add unix abstract sockets, ptrace, and signal policy generation
+ - several bugfixes in the python tools and elsewhere
+ - move program-chunks/postfix-common to abstractions/
+ - drop upstreamed patches:
+ - apparmor-profiles-clustered-samba.diff
+ - perl-apparmor-fix-bare-network-keyword-handling.diff
+ - perl-apparmor-handle-bare-capability-keyword.diff
+ - perl-apparmor-properly-handle-bare-file-keyword.diff
+- re-enable installation of perl modules
+- move python modules to python3-apparmor package
+- create symlinks without aa- prefix only for tools existing in 2.8.x,
+ but not for new tools added in 2.9
+- make utils filelist explicit to ensure we have the right set of files
+ without aa- prefix in sbindir
+- switch easyprof python module location to python3
+- drop unused defines APPARMOR_DOC_DIR and JNI_SO
+- refresh patches:
+ - apparmor-utils-string-split (file moved)
+ - apparmor-profiles-dnsmasq-iface-mtu.patch
+ - apparmor-2.5.1-edirectory-profile
+
+-------------------------------------------------------------------
+Fri Sep 5 12:34:56 UTC 2014 - opensuse@cboltz.de
+
+(prepared Thu Mar 20 23:35:03 UTC 2014 in home project)
+- update to AppArmor 2.8.95 (aka 2.9 beta1)
+ - complete rewrite of the aa-* tools in python
+ - new tools: aa-cleanprof, aa-mergeprof
+ - extra profiles moved to /usr/share/apparmor/extra-profiles/ (bnc#713647)
+ - and much more, but there's no upstream changelog yet
+- drop upstreamed patches and files:
+ - usr.sbin.winbindd
+ - usr.lib.dovecot.*, tunables-dovecot, apparmor-profiles-dovecot-bnc851984.diff
+ - apparmor-init.py-gsoc.diff
+ - apparmor-2.8.2-nm-dnsmasq-config.patch
+- add %bcond_with perl and disable the perl subpackage temporarily (the perl
+ modules will be back in beta2)
+- drop the apparmorapplet-gnome, apparmor-dbus 
and profile-editor subpackages + (they were disabled since a long time, and upstream no longer ships their code) + and the apparmor-profile-editor.desktop and apparmor-profile-editor.png files +- drop apparmor-utils-subdomain-compat patch (was only included for <= 12.1) +- remove libimmunix Provides/Obsoletes (libimmunix was a compat wrapper + and got finally dropped) +- refresh apparmor-samba-include-permissions-for-shares.diff and + apparmor-2.5.1-edirectory-profile + ------------------------------------------------------------------- Thu Sep 4 11:39:40 MDT 2014 - jfehlig@suse.com diff --git a/apparmor.spec b/apparmor.spec index a25cbfd..09c3363 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -23,6 +23,7 @@ %bcond_with tomcat %bcond_without pam %bcond_without apache +%bcond_without perl %if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210 # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch %bcond_with python @@ -40,13 +41,10 @@ %bcond_without ruby %endif %endif -%bcond_with gnome -%bcond_with dbus -%bcond_with editor %define CATALINA_HOME /usr/share/tomcat6 -%define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/ -%define JNI_SO libJNIChangeHat.so +#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/ +#define JNI_SO libJNIChangeHat.so %define JAR_FILE changeHatValve.jar %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) @@ -62,7 +60,7 @@ Name: apparmor %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.8.3 +Version: 2.8.96 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ 
@@ -71,27 +69,10 @@ Source0: apparmor-%{version}.tar.gz Source1: apparmor-%{version}.tar.gz.asc Source2: %{name}.keyring -Source3: %{name}-profile-editor.png -Source4: %{name}-profile-editor.desktop Source5: update-trans.sh Source6: baselibs.conf Source7: apparmor-rpmlintrc -# profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078) -Source10: usr.sbin.winbindd - -# profiles for dovecot 2.x (bnc#851984) - commited upstream trunk r2354, r2355, r2356, updated version commited trunk r2360, r2370 -Source20: usr.lib.dovecot.anvil -Source21: usr.lib.dovecot.auth -Source22: usr.lib.dovecot.config -Source23: usr.lib.dovecot.dict -Source24: usr.lib.dovecot.dovecot-lda -Source25: usr.lib.dovecot.lmtp -Source26: usr.lib.dovecot.log -Source27: usr.lib.dovecot.managesieve -Source28: usr.lib.dovecot.ssl-params -Source29: tunables-dovecot - # enable caching of profiles (= massive performance speedup when loading profiles) Patch1: apparmor-enable-profile-cache.diff 
@@ -101,37 +82,12 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. Patch5: apparmor-utils-string-split -# make apparmor/__init__.py ready for the new tools developed in GSoC. Submitted upstream 2013-09-12 -Patch6: apparmor-init.py-gsoc.diff - # Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions Patch12: apparmor-2.5.1-edirectory-profile -# update dovecot profiles for dovecot 2.x (bnc#851984 - commited upstream trunk r2354, r2356, [updated patch] r2359, [updated patch] r2549) -Patch17: apparmor-profiles-dovecot-bnc851984.diff - -# create Immunix::SubDomain perl module - only included for openSUSE <= 12.1 - bnc#720617 #c7 -Patch21: apparmor-utils-subdomain-compat - # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de Patch22: ruby-2_0-mkmf-destdir.patch -# dnsmasq - allow to read config created by recent NetworkManager -# commited upstream trunk r2323, 2.8 branch r2110 - updated version commited trunk r2385, 2.8 r2123 -Patch23: apparmor-2.8.2-nm-dnsmasq-config.patch - -# Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch) -Patch24: apparmor-profiles-clustered-samba.diff - -# perl-apparmor: Fix handling of network (or network all) (bnc#889650) (commited upstream trunk r2571, 2.8 r2135) -Patch25: perl-apparmor-fix-bare-network-keyword-handling.diff - -# perl-apparmor: Fix handling of capability keyword (bnc#889651) (commited upstream trunk r2572, 2.8 r2136) -Patch26: perl-apparmor-handle-bare-capability-keyword.diff - -# perl-apparmor: Properly handle bare file keyword (bnc#889652) (commited upstream trunk r2573, 2.8 r2137) -Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff - # allow dnsmasq to read access to IPv6 config (bnc#892374) (commited upstream trunk 
r2657, 2.8 branch r2140) Patch28: apparmor-profiles-dnsmasq-iface-mtu.patch @@ -186,27 +142,6 @@ BuildRequires: java-devel >= 1.6.0 BuildRequires: tomcat6 %endif -%if %{with editor} -BuildRequires: gcc-c++ -BuildRequires: update-desktop-files -BuildRequires: wxGTK-devel -%endif - -%if %{with gnome} -BuildRequires: gnome-common -BuildRequires: pkgconfig(dbus-1) -BuildRequires: pkgconfig(gtk+-2.0) -BuildRequires: pkgconfig(libgnome-2.0) -BuildRequires: pkgconfig(libpanelapplet-2.0) -%endif - -%if %{with dbus} -BuildRequires: audit-devel -BuildRequires: libapparmor-devel -BuildRequires: pkg-config -BuildRequires: pkgconfig(dbus-1) -%endif - %package parser Summary: AppArmor userlevel parser utility License: GPL-2.0+ @@ -275,9 +210,9 @@ Obsoletes: libapparmor-64bit < %{version} Provides: libapparmor-64bit = %{version} %endif Provides: libapparmor = %{version} -Provides: libimmunix = %{version} +#Provides: libimmunix = %{version} Obsoletes: libapparmor < %{version} -Obsoletes: libimmunix < %{version} +#Obsoletes: libimmunix < %{version} %description -n libapparmor1 This package provides the libapparmor library, which contains the @@ -295,6 +230,8 @@ Provides: libapparmor:/usr/include/sys/apparmor.h These libraries are needed for developing software that makes use of the AppArmor API. +%if %{with perl} + %package -n perl-apparmor Summary: Perl interface for libapparmor functions License: GPL-2.0 and LGPL-2.1+ @@ -314,6 +251,8 @@ Obsoletes: perl-libapparmor < 2.5 This package provides the perl interface to AppArmor. It is used for perl applications interfacing with AppArmor, including the AppArmor utilities. +%endif + %if %{with python} %package -n python-apparmor 
@@ -388,8 +327,16 @@ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profi License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: libapparmor1 = %{version} +# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify) Requires: perl = %{perl_version} Requires: perl-apparmor = %{version} +%if %{with python3} +Requires: python3-apparmor = %{version} +Requires: python3-base +%else +Requires: python-apparmor = %{version} +Requires: python-base +%endif # aa-unconfined needs netstat Recommends: net-tools # aa-notify -p needs notify-send @@ -440,44 +387,6 @@ policy. %endif -%if %{with dbus} - -%package dbus -Summary: Audit dispatcher for sending AppArmor events over DBUS -License: GPL-2.0 and LGPL-2.1+ -Group: System/Monitoring - -%description dbus -An audit dispatcher for sending AppArmor events over the DBUS system -bus. - -%endif - -%if %{with editor} - -%package profile-editor -Summary: AppArmor profile editor -License: GPL-2.0 and LGPL-2.1+ -Group: Productivity/Editors/Other - -%description profile-editor -A syntax highlighting editor for AppArmor profiles. - -%endif - -%if %{with gnome} - -%package -n apparmorapplet-gnome -Summary: An AppArmor event notification applet for GNOME -License: GPL-2.0 and LGPL-2.1+ -Group: System/GUI/GNOME - -%description -n apparmorapplet-gnome -This taskbar applet receives AppArmor events over DBUS, and notifies -the user when AppArmor prevents an application from functioning. - -%endif - %description The AppArmor Parser is a userlevel program that is used to load in program profiles to the AppArmor Security kernel module. 
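Review bot: `Requires: perl-apparmor = %{version}` (and the `Requires: perl = %{perl_version}` above it) in the apparmor-utils package stays unconditional, while this same commit wraps the `%package -n perl-apparmor` definition in `%if %{with perl}`; a build with `--without perl` would therefore emit an apparmor-utils that depends on a subpackage that was never produced. Guard the two lines the same way, `%if %{with perl}` / `%endif`, or keep `%bcond_without perl` but document in the new comment that the bcond is not yet a real switch because aa-decode, aa-exec and aa-notify still need the perl modules. The `%package utils` header this hunk belongs to starts outside the hunk.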
@@ -487,52 +396,22 @@ SubDomain. %lang_package -n apparmor-utils %lang_package -n apparmor-parser -%if %{with gnome} -%lang_package -n apparmorapplet-gnome -%endif %prep %{?gpg_verify: %gpg_verify %{S:1} } %setup -q %patch1 -p1 %patch2 -%patch5 -p1 -%patch6 -%patch12 -p1 -%patch17 - -# only create Immunix::SubDomain perl module for openSUSE <= 12.1 -%if 0%{?suse_version} -%if 0%{?suse_version} <= 1210 -%patch21 -p1 -%endif -%endif +%patch5 -p1 +%patch12 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR) %if 0%{?suse_version} > 1230 %patch22 -p1 %endif -# affected NM is shipped since openSUSE >= 13.1 -%if 0%{?suse_version} > 1310 -%patch23 -%endif - -%patch24 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 %patch28 -p1 -# profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328) -test ! -e profiles/apparmor.d/usr.sbin.winbindd -cp %{SOURCE10} profiles/apparmor.d/ - -# profiles for dovecot 2.x (bnc#851984) -test ! -e profiles/apparmor.d/tunables/dovecot -cp %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} %{SOURCE28} profiles/apparmor.d/ -cp %{SOURCE29} profiles/apparmor.d/tunables/dovecot - %build echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 @@ -550,7 +429,10 @@ export PYTHON=/usr/bin/python3 ( cd ./libraries/libapparmor sh ./autogen.sh - %configure --with-perl \ + %configure \ +%if %{with perl} + --with-perl \ +%endif %if %{with python}%{with python3} --with-python \ %else @@ -570,6 +452,11 @@ export PYTHON=/usr/bin/python3 make -C utils # make -C utils check +# deprecated/utils (perl modules still needed by YaST) +%if %{with perl} +make -C deprecated/utils +%endif + # parser: make -C parser V=1 # techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough 
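Review bot: With Source0/Source1 bumped to the 2.8.96 tarball and its detached signature, the only provenance check this spec performs on the new archive is the context line `%{?gpg_verify: %gpg_verify %{S:1} }`, which expands to nothing whenever the `gpg_verify` macro is undefined on the build host, so verification against `%{name}.keyring` is silently skipped there; the sha256 in the git-lfs pointer only pins what is stored in the repository. If the build environment provides it, an unconditional `BuildRequires: gpg-offline` plus `%gpg_verify %{S:1}`, or at least a comment stating that signature checking is opt-in, would make the expectation explicit. The rest of the hunk is consistent: dropping `-p1` from `%patch12` matches the edirectory patch's switch to `Index:`-style paths in this commit. The `%prep` section continues outside this hunk.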
@@ -595,17 +482,13 @@ make -C profiles %if %{with tomcat} make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} %endif -%if %{with gnome} -#--with-gnome \ -%endif -%if %{with dbus} -#--with-dbus \ -%endif -%if %{with editor} -#--with-profileeditor \ -%endif %install + +%if %{with python3} +export PYTHON=/usr/bin/python3 +%endif + # libapparmor # override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0 %makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/ @@ -614,7 +497,19 @@ make -C profiles # utilities %makeinstall -C utils +test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568 mkdir -p %{buildroot}%{_localstatedir}/log/apparmor +%if %{with python3} + # enforce usage of python3 + for file in %{buildroot}/%{_sbindir}/aa-* ; do + sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file" + done +%endif + +# deprecated/utils (perl modules still needed by YaST) +%if %{with perl} +%makeinstall -C deprecated/utils +%endif %makeinstall -C profiles 
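Review bot: The shebang rewrite in the new `%if %{with python3}` loop only touches a first line that is exactly `#! /usr/bin/env python`; a script whose first line differs even by the space after `#!` is left untouched and keeps resolving `python` (2.x) at run time, and nothing in the build reports that. Since these tools land in `%{_sbindir}` and are normally run by root, pointing them at the packaged interpreter by absolute path is also preferable to an `env` lookup through the caller's PATH: `sed -i '1s,^#! */usr/bin/env python[3]*$,#!/usr/bin/python3,' "$file"`, ideally followed by a `grep -L '^#!/usr/bin/python3'` over the python tools that fails the build on a miss. The loop also iterates over the perl tools (aa-decode, aa-exec, aa-notify), which is harmless only because the pattern cannot match them; a comment saying so would save the next reader the check. The `%install` section continues outside this hunk.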
@@ -640,33 +535,31 @@ mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor find %{buildroot} -name .packlist -exec rm -f {} \; find %{buildroot} -name perllocal.pod -exec rm -f {} \; -# Re-create the links to the old names +# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm]. +# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do - d=$(dirname $file) - f=$(basename $file) - if [ "${f#aa-}" != "$f" ]; then - ln -s $f $d/${f#aa-} - fi + d=$(dirname $file) + f=$(basename $file) + case "${f#aa-}" in + audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \ + audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) + if [ "${f#aa-}" != "$f" ]; then + ln -s $f $d/${f#aa-} + fi + ;; + esac done mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8} mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8} rm -f %{buildroot}%{_mandir}/man8/decode.8 -%if %{with editor} -%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor -%endif - -%if %{with gnome} -%find_lang apparmorapplet-gnome -%endif - for pkg in apparmor-utils apparmor-parser; do - %find_lang $pkg + %find_lang $pkg done # remove *.la files -rm -fv %{buildroot}%{_libdir}/libapparmor.la %{buildroot}%{_libdir}/libimmunix.la +rm -fv %{buildroot}%{_libdir}/libapparmor.la echo ------------------------------------------------------------------- #find -ls 
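Review bot: The new `case` whitelist and the `rm -f %{buildroot}%{_mandir}/man8/decode.8` below it now disagree: `decode.8*` is not in the manpage list, so no decode.8 symlink is created and the `rm -f` is dead code (harmless because of `-f`, but misleading). The `if [ "${f#aa-}" != "$f" ]` inside the case arm is always true because the glob is `aa-*`, so the arm can collapse to `ln -s "$f" "$d/${f#aa-}"` (quoting the expansions while at it). `easyprof.8*` is in the manpage list while `easyprof` is absent from the tool list; if that is deliberate, a one-line comment above the `case` naming what is intentionally excluded would save the next reader the cross-check against `%files utils`.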
@@ -721,14 +614,11 @@ fi
 %files -n libapparmor1
 %defattr(-,root,root)
 %{_libdir}/libapparmor.so.*
-%{_libdir}/libimmunix.so.*
 
 %files -n libapparmor-devel
 %defattr(-,root,root)
 %{_libdir}/libapparmor.a
-%{_libdir}/libimmunix.a
 %{_libdir}/libapparmor.so
-%{_libdir}/libimmunix.so
 /usr/%{_lib}/pkgconfig/libapparmor.pc
 %doc %{_mandir}/man2/aa_change_hat.2.gz
 %doc %{_mandir}/man2/change_hat.2.gz
@@ -738,10 +628,6 @@ fi
 %{_includedir}/sys/apparmor.h
 %{_includedir}/aalogparse/*
 
-# hrm, still need to enumerate each directory in these paths in files :(
-# %define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
-# %define profiles_dir %{_sysconfdir}/apparmor.d/
-
 %files profiles
 %defattr(644,root,root,755)
 %dir %{_sysconfdir}/apparmor.d/
@@ -755,13 +641,10 @@ fi
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
 %dir %{_sysconfdir}/apparmor.d/local
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
-%dir %{_sysconfdir}/apparmor.d/program-chunks
-%config(noreplace) %{_sysconfdir}/apparmor.d/program-chunks/*
 %dir %{_sysconfdir}/apparmor.d/tunables
 %config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
 %dir %{_sysconfdir}/apparmor/
-%dir %{_sysconfdir}/apparmor/profiles
-%config %{_sysconfdir}/apparmor/profiles/extras/
+/usr/share/apparmor/extra-profiles/
 
 %files utils
 %defattr(-,root,root)
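Review bot: `/usr/share/apparmor/extra-profiles/` is spelled with a literal prefix while every other entry in these %files sections uses `%{_datadir}`/`%{_sysconfdir}`; `%{_datadir}/apparmor/extra-profiles/` keeps it consistent. Its parent directory is only owned via `%dir %{_datadir}/apparmor` in `%files utils` (later in this diff), so installing apparmor-profiles without apparmor-utils leaves `/usr/share/apparmor` unowned — adding `%dir %{_datadir}/apparmor` to `%files profiles` as well closes that, since rpm allows shared directory ownership. Dropping `%config` for the extras is appropriate for inactive templates, but any locally edited copies under the old `%{_sysconfdir}/apparmor/profiles/extras/` path will be left behind as .rpmsave on upgrade, which is worth a changelog line.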
@@ -770,13 +653,21 @@ fi %config(noreplace) %{_sysconfdir}/apparmor/logprof.conf %config(noreplace) %{_sysconfdir}/apparmor/notify.conf %config(noreplace) %{_sysconfdir}/apparmor/severity.db -%{_sbindir}/* +%{_sbindir}/aa-* +%{_sbindir}/apparmor_status +%{_sbindir}/audit +%{_sbindir}/autodep +%{_sbindir}/complain +%{_sbindir}/decode +%{_sbindir}/disable +%{_sbindir}/enforce +%{_sbindir}/exec +%{_sbindir}/genprof +%{_sbindir}/logprof +%{_sbindir}/notify +%{_sbindir}/status +%{_sbindir}/unconfined %{_bindir}/aa-easyprof -# easyprof python modules are installed into py2 directories -#{python3_sitelib}/apparmor-%{version}-py%{py3_ver}.egg-info -#{python3_sitelib}/apparmor/ -%{python_sitelib}/apparmor-%{version}-py%{python_version}.egg-info -%{python_sitelib}/apparmor/ %dir %{_datadir}/apparmor %{_datadir}/apparmor/easyprof/ %dir %{_localstatedir}/log/apparmor @@ -800,11 +691,13 @@ fi %files utils-lang -f apparmor-utils.lang +%if %{with perl} %files -n perl-apparmor %defattr(-,root,root) %{perl_vendorlib}/Immunix %{perl_vendorarch}/auto/LibAppArmor/ %{perl_vendorarch}/LibAppArmor.pm +%endif %if %{with python} @@ -815,7 +708,8 @@ fi %{python_sitearch}/LibAppArmor/_LibAppArmor.so %{python_sitearch}/LibAppArmor/__init__.py %{python_sitearch}/LibAppArmor/__init__.pyc - +%{python_sitelib}/apparmor/ +%{python_sitelib}/apparmor-%{version}-py%{python_version}.egg-info %endif %if %{with python3} @@ -828,7 +722,8 @@ fi %{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so %{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc %{python3_sitearch}/LibAppArmor/__init__.py - +%{python3_sitelib}/apparmor/ +%{python3_sitelib}/apparmor-%{version}-py*.egg-info %endif %if %{with ruby} 
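Review bot: The explicit list of un-prefixed compatibility names in `%files utils` duplicates the `case` whitelist of the symlink loop in %install, and the two are kept in step only by hand; a comment such as `# keep in sync with the aa-* symlink loop in %install` above `%{_sbindir}/apparmor_status` would flag that coupling. Replacing `%{_sbindir}/*` with the explicit list is the right direction: a new tool appearing in sbindir now fails the build instead of shipping unreviewed. The python3 egg-info entry uses `py*.egg-info` while the python2 one is pinned to `py%{python_version}.egg-info`; pinning the python3 entry the same way (the removed comment line already references `%{py3_ver}`) avoids silently packaging a stale egg-info from another interpreter version.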
@@ -862,38 +757,6 @@ fi
 %doc %{_mandir}/man8/mod_apparmor.8.gz
 %endif
 
-%if %{with dbus}
-
-%files dbus
-%defattr(0750, root, root)
-%{_bindir}/apparmor-dbus
-%endif
-
-%if %{with editor}
-
-%files profile-editor
-%defattr(-, root, root)
-%{_datadir}/applications/%{name}-profile-editor.desktop
-%{_datadir}/pixmaps/%{name}-profile-editor.png
-%{_bindir}/profileeditor
-%{_docdir}/profileeditor/AppArmorProfileEditor.htb
-%if 0
-%{_datadir}/doc/profileeditor/AppArmorProfileEditor.htb
-%endif
-%dir %{_datadir}/doc/profileeditor
-%endif
-
-%if %{with gnome}
-
-%files -n apparmorapplet-gnome
-%defattr(-, root, root)
-%{_libdir}/bonobo/servers/*.server
-%{_prefix}/lib/apparmorapplet
-%{_datadir}/pixmaps/*
-
-%files -n apparmorapplet-gnome-lang -f apparmorapplet-gnome.lang
-%endif
-
 %post parser
 %if %{distro} == "suse"
 # SUSE uses insserv
diff --git a/perl-apparmor-fix-bare-network-keyword-handling.diff b/perl-apparmor-fix-bare-network-keyword-handling.diff
deleted file mode 100644
index d936662..0000000
--- a/perl-apparmor-fix-bare-network-keyword-handling.diff
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Jeff Mahoney
-Subject: perl-apparmor: Fix bare 'network' keyword handling
-References: bnc#889650
-
-The 'network' bare keyword was being printed as "audit network all" due to
-two different bugs:
-
-1) {audit}{all} was always being set to 1, regardless of whether the audit
- keyword was used
-2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
-
-With these fixed, 'network' is properly handled.
-
-Signed-off-by: Jeff Mahoney
---- a/utils/Immunix/AppArmor.pm
-+++ b/utils/Immunix/AppArmor.pm
-@@ -5353,7 +5368,7 @@
- $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
- } else {
- $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1;
-- $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1;
-+ $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit;
- }
- } elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) {
- # just ignore and drop old style network
-@@ -5708,7 +5729,7 @@
- # dump out the netdomain entries...
- if (exists $profile_data->{$allow}{netdomain}) {
- if ( $profile_data->{$allow}{netdomain}{rule} &&
-- $profile_data->{$allow}{netdomain}{rule} eq 'all') {
-+ $profile_data->{$allow}{netdomain}{rule}{all}) {
- $audit = "audit " if $profile_data->{$allow}{netdomain}{audit}{all};
- push @data, "${pre}${audit}network,";
- } else {
diff --git a/perl-apparmor-handle-bare-capability-keyword.diff b/perl-apparmor-handle-bare-capability-keyword.diff
deleted file mode 100644
index e18fc13..0000000
--- a/perl-apparmor-handle-bare-capability-keyword.diff
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Jeff Mahoney
-Subject: perl-apparmor: Handle bare 'capability' keyword
-References: bnc#889651
-
-Specifying 'capability' implies all capabilities, but the perl code didn't
-recognize it.
-
-Signed-off-by: Jeff Mahoney
---- a/utils/Immunix/AppArmor.pm
-+++ b/utils/Immunix/AppArmor.pm
-@@ -5151,7 +5151,7 @@
-
- $initial_comment = "";
-
-- } elsif (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry
-+ } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) { # capability entry
- if (not $profile) {
- die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
- }
-@@ -5159,7 +5159,7 @@
- my $audit = $1 ? 1 : 0;
- my $allow = $2 ? 'deny' : 'allow';
- $allow = 'deny' if ($2);
-- my $capability = $3;
-+ my $capability = $3 ? $3 : 'all';
- $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1;
- $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = $audit;
- } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry
-@@ -5675,7 +5690,13 @@
-
- my @data;
- if (exists $profile_data->{$allow}{capability}) {
-- for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
-+ my $audit;
-+ if (exists $profile_data->{$allow}{capability}{all}) {
-+ $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? 'audit ' : '';
-+ push @data, "${pre}${audit}${allowstr}capability,";
-+ }
-+ for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
-+ next if ($cap eq "all");
- my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? 'audit ' : '';
- if ($profile_data->{$allow}{capability}{$cap}{set}) {
- push @data, "${pre}${audit}${allowstr}capability ${cap},";
diff --git a/perl-apparmor-properly-handle-bare-file-keyword.diff b/perl-apparmor-properly-handle-bare-file-keyword.diff
deleted file mode 100644
index b3a6511..0000000
--- a/perl-apparmor-properly-handle-bare-file-keyword.diff
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Jeff Mahoney
-Subject: perl-apparmor: Properly handle bare 'file' keyword
-References: bnc#889652
-
-The bare file keyword is a shortcut for /{**,}. There are also implied
-permissions that go with it.
-
-This patch accepts the file keyword as well as allowing for missing mode
-specifiers.
-
-Signed-off-by: Jeff Mahoney
----
-
- utils/Immunix/AppArmor.pm | 27 ++++++++++++++++++++++++---
- 1 file changed, 24 insertions(+), 3 deletions(-)
-
---- a/utils/Immunix/AppArmor.pm
-+++ b/utils/Immunix/AppArmor.pm
-@@ -5252,7 +5252,7 @@
- } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
- } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
- } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
-- } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry
-+ } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry
- if (not $profile) {
- die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
- }
-@@ -5260,7 +5260,19 @@
- my $audit = $1 ? 1 : 0;
- my $allow = $2 ? 'deny' : 'allow';
- my $user = $3 ? 1 : 0;
-- my ($path, $mode, $nt_name) = ($4, $5, $7);
-+ my ($path, $mode, $nt_name) = ($5, $6, $8);
-+ my $file_keyword = 0;
-+ my $use_mode = 1;
-+
-+ if ($4 eq "file") {
-+ $path = "/{**,}";
-+ $file_keyword = 1;
-+ if (!$mode) {
-+ # what the parser uses, but we don't care
-+ $mode = "rwixlka";
-+ $use_mode = 0;
-+ }
-+ }
-
- # strip off any trailing spaces.
- $path =~ s/\s+$//;
-@@ -5281,6 +5293,9 @@
- fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
- }
-
-+ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
-+ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
-+
- my $tmpmode;
- if ($user) {
- $tmpmode = str_to_mode("${mode}::");
-@@ -5838,7 +5859,13 @@
- }
- $tmpmode &= ~$tmpaudit;
- }
-- if ($tmpmode) {
-+ my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
-+ my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
-+ if ($kw) {
-+ my $modestr = "";
-+ $modestr = " " . mode_to_str($tmpmode) if $use_mode;
-+ push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
-+ } elsif ($tmpmode) {
- my $modestr = mode_to_str($tmpmode);
- if ($path =~ /\s/) {
- push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";
diff --git a/tunables-dovecot b/tunables-dovecot
deleted file mode 100644
index 05feee8..0000000
--- a/tunables-dovecot
+++ /dev/null
@@ -1,20 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim:ft=apparmor
-
-# @{DOVECOT_MAILSTORE} is a space-separated list of all directories
-# where dovecot is allowed to store and read mails
-#
-# The default value is quite broad to avoid breaking existing setups.
-# Please change @{DOVECOT_MAILSTORE} to (only) contain the directory
-# you use, and remove everything else.
-
-@{DOVECOT_MAILSTORE}=@{HOME}/Maildir/ @{HOME}/mail/ @{HOME}/Mail/ /var/vmail/ /var/mail/ /var/spool/mail/
-
diff --git a/usr.lib.dovecot.anvil b/usr.lib.dovecot.anvil
deleted file mode 100644
index 8cfaf69..0000000
--- a/usr.lib.dovecot.anvil
+++ /dev/null
@@ -1,25 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-
-/usr/lib/dovecot/anvil {
- #include
-
- capability setgid,
- capability setuid,
- capability sys_chroot,
-
- /usr/lib/dovecot/anvil mr,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.auth b/usr.lib.dovecot.auth
deleted file mode 100644
index d677c2d..0000000
--- a/usr.lib.dovecot.auth
+++ /dev/null
@@ -1,43 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-# Copyright (C) 2014 Christian Wittmer
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-
-/usr/lib/dovecot/auth {
- #include
- #include
- #include
- #include
- #include
-
- deny capability block_suspend,
-
- capability audit_write,
- capability setgid,
- capability setuid,
-
- /etc/my.cnf r,
- /etc/my.cnf.d/ r,
- /etc/my.cnf.d/*.cnf r,
-
- /etc/dovecot/* r,
- /usr/lib/dovecot/auth mr,
-
- # kerberos replay cache
- /var/tmp/imap_* rw,
- /var/tmp/pop_* rw,
- /var/tmp/sieve_* rw,
- /var/tmp/smtp_* rw,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.config b/usr.lib.dovecot.config
deleted file mode 100644
index f868e30..0000000
--- a/usr.lib.dovecot.config
+++ /dev/null
@@ -1,32 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-
-/usr/lib/dovecot/config {
- #include
- #include
- #include
-
- deny capability block_suspend,
-
- capability dac_override,
- capability setgid,
-
-
- /etc/dovecot/** r,
- /usr/bin/doveconf rix,
- /usr/lib/dovecot/config mr,
- /usr/lib/dovecot/managesieve Px,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.dict b/usr.lib.dovecot.dict
deleted file mode 100644
index bb3b3fe..0000000
--- a/usr.lib.dovecot.dict
+++ /dev/null
@@ -1,30 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-
-/usr/lib/dovecot/dict {
- #include
- #include
- #include
-
- capability setgid,
- capability setuid,
-
- network inet stream,
-
- /etc/dovecot/dovecot-database.conf.ext r,
- /etc/dovecot/dovecot-dict-sql.conf.ext r,
- /usr/lib/dovecot/dict mr,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.dovecot-lda b/usr.lib.dovecot.dovecot-lda
deleted file mode 100644
index ac8ade3..0000000
--- a/usr.lib.dovecot.dovecot-lda
+++ /dev/null
@@ -1,33 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-#include
-
-/usr/lib/dovecot/dovecot-lda {
- #include
- #include
-
- capability setgid,
- capability setuid,
-
- @{DOVECOT_MAILSTORE}/ rw,
- @{DOVECOT_MAILSTORE}/** rwkl,
-
- /etc/dovecot/** r,
- /proc/*/mounts r,
- /{var/,}run/dovecot/mounts r,
- /usr/bin/doveconf mrix,
- /usr/lib/dovecot/dovecot-lda mrix,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp
deleted file mode 100644
index 7e15040..0000000
--- a/usr.lib.dovecot.lmtp
+++ /dev/null
@@ -1,35 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-#include
-
-/usr/lib/dovecot/lmtp {
- #include
- #include
-
- deny capability block_suspend,
-
- capability dac_override,
- capability setgid,
- capability setuid,
-
- @{DOVECOT_MAILSTORE}/ rw,
- @{DOVECOT_MAILSTORE}/** rwkl,
-
- /proc/*/mounts r,
- /tmp/dovecot.lmtp.* rw,
- /usr/lib/dovecot/lmtp mr,
- /{var/,}run/dovecot/mounts r,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.log b/usr.lib.dovecot.log
deleted file mode 100644
index c60b7e9..0000000
--- a/usr.lib.dovecot.log
+++ /dev/null
@@ -1,25 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-
-/usr/lib/dovecot/log {
- #include
-
- deny capability block_suspend,
-
- capability setgid,
-
- /usr/lib/dovecot/log mr,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.managesieve b/usr.lib.dovecot.managesieve
deleted file mode 100644
index 6aa98e7..0000000
--- a/usr.lib.dovecot.managesieve
+++ /dev/null
@@ -1,34 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-# Copyright (C) 2014 Christian Wittmer
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-#include
-
-/usr/lib/dovecot/managesieve {
- #include
-
- capability setgid,
- capability setuid,
-
- network inet stream,
- network inet6 stream,
-
- @{DOVECOT_MAILSTORE}/ rw,
- @{DOVECOT_MAILSTORE}/** rwkl,
-
- /etc/dovecot/** r,
- /usr/bin/doveconf rix,
- /usr/lib/dovecot/managesieve mrix,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.lib.dovecot.ssl-params b/usr.lib.dovecot.ssl-params
deleted file mode 100644
index 62d9d85..0000000
--- a/usr.lib.dovecot.ssl-params
+++ /dev/null
@@ -1,27 +0,0 @@
-# ------------------------------------------------------------------
-#
-# Copyright (C) 2013 Christian Boltz
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
-# vim: ft=apparmor
-
-#include
-
-/usr/lib/dovecot/ssl-params {
- #include
-
- deny capability block_suspend,
-
- capability setgid,
-
- /usr/lib/dovecot/ssl-params mr,
- /var/lib/dovecot/ssl-parameters.dat rw,
- /var/lib/dovecot/ssl-parameters.dat.tmp rwk,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-}
diff --git a/usr.sbin.winbindd b/usr.sbin.winbindd
deleted file mode 100644
index ed39639..0000000
--- a/usr.sbin.winbindd
+++ /dev/null
@@ -1,48 +0,0 @@
-#include
-
-/usr/sbin/winbindd {
- #include
- #include
- #include
-
- deny capability block_suspend,
-
- capability ipc_lock,
- capability setuid,
-
- /etc/samba/dhcp.conf r,
- /etc/samba/passdb.tdb{,.tmp} rwk,
- /etc/samba/secrets.tdb rwk,
- /proc/sys/kernel/core_pattern r,
- /tmp/.winbindd/ w,
- /tmp/krb5cc_* rwk,
- /usr/lib*/samba/idmap/*.so mr,
- /usr/lib*/samba/nss_info/*.so mr,
- /usr/lib*/samba/pdb/*.so mr,
- /usr/sbin/winbindd mr,
- /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
- /var/cache/krb5rcache/* rw,
- /var/cache/samba/*.tdb rwk,
- /var/cache/samba/netsamlogon_cache.tdb rw,
-
- /var/lib/samba/smb_krb5/krb5.conf.* rw,
- /var/lib/samba/smb_tmp_krb5.* rw,
- /var/lib/samba/**.tdb rwk,
-
- /var/lib/samba/winbindd_cache.tdb* rwk,
- /var/lib/samba/winbindd_privileged/pipe w,
- /var/log/samba/cores/ rw,
- /var/log/samba/cores/winbindd/ rw,
- /var/log/samba/cores/winbindd/** rw,
- /var/log/samba/log.wb-* w,
- /var/log/samba/log.winbindd rw,
- /var/log/samba/log.winbindd-idmap w,
- /var/log/samba/log.winbindd-dc-connect a,
- /{var/,}run/samba/winbindd.pid rwk,
- /{var/,}run/samba/winbindd/ rw,
- /{var/,}run/samba/winbindd/pipe w,
-
- # Site-specific additions and overrides. See local/README for details.
- #include
-
-}