Accepting request 317972 from security:apparmor

- update to AppArmor 2.10 (trunk r3205) - profile names can now contain variables - improved profile compile time in apparmor_parser - lots of improvements, refactoring and bugfixes in the aa-* tools - new apis for managing and loading profile caches into the kernel in libapparmor - lots of profile updates - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10 for the complete changelog with more details - add new apparmor_private.h and the aa_query_label(2), aa_features(3), aa_kernel_interface(3), aa_policy_cache(3), aa_splitcon(3) manpages to libapparmor-devel - drop apparmor-2.5.1-edirectory-profile patch - it's most probably no longer needed (see boo#621394 for details) - drop upstreamed samba-4.2-profiles.diff - refresh apparmor-samba-include-permissions-for-shares.diff (forwarded request 317971 from cboltz) OBS-URL: https://build.opensuse.org/request/show/317972 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=87
2015-07-24 07:57:46 +00:00 · 2015-07-24 07:57:46 +00:00 · 2f3ae566a5
commit 2f3ae566a5
parent 9f9f59ced5 7f772258a8
9 changed files with 50 additions and 124 deletions
--- a/apparmor-2.10.tar.gz
+++ b/apparmor-2.10.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d0e224257a29671b694bd9054edf0dd213aa690fd02844ecf3329b86ac506f4
+size 2421759
--- a/apparmor-2.10.tar.gz.asc
+++ b/apparmor-2.10.tar.gz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABCgAGBQJVpZFnAAoJEGaJ5k49NmS7XD8P/jjvjD5MmrpLxbfBLeuMBc41
+z7Up38fcwVpzs7FcPHPQZKjoz0HUyWkINlHC2wg1VBBAy8uvsbGF2ndfGcH33WJG
+BvjXu1RSkkZ0ouc/611ro8V+7gIMK0qkmuFlDf0yYcu7xkUzGsCKPOe9hcuyIkhW
+xoK9WUxTDlaOzCEfjIOc9R/A5yLCKIbsbCy+lw7nCk3iZaesroMQBvHPx2+TSFtQ
+0Dl+llWp3yEFwugzXaAl8/BXdBBwvSdgNyMcXU+4Cvr+WqrrcQZdL1aN/WkkH3nN
+yeVc72kLjsYyLjRjl9bSty61W+PBcxG4uopakl7LMpHL5EGPB0uITUae7Y0BJBxq
+kyKs0ufl/qNw+FyqQIchOpaHuyfw/TjxwOFiAQQ1+jrG4cljiAzcoNzjQscs1qxK
+Z/uxCD8W+AneqQH1BV7ruYG2pTQISUIHRFm/O9JhyhSl/xBZlNgGca06VckHose+
+xRuGqYUo70VjIzNdht9x+kuFJpGpoRyL9+tgr0cl6Z2OU/H69FF8CURMwn30iELR
+J29VflgyfaBW9S41dYB7oF5/AfEKZKvVk/2Cqi6iLvdnDBIwBIi6Q7xLcI2vZPVK
+HpDNODeW9YSMNEJCpdkc8vyav/CUS7s1SOMR3T4sUoS8lq7DfsJOMcNB2RkfIzqL
+efE4Pn9Z0HNWhYL0hvZa
+=p6Nx
+-----END PGP SIGNATURE-----
--- a/apparmor-2.5.1-edirectory-profile
+++ b/apparmor-2.5.1-edirectory-profile
@ -1,49 +0,0 @@
-From: Jeff Mahoney <jeffm@suse.com>
-Subject: apparmor-profiles: Add support for eDirectory calls from nscd
-References: bnc#621394
-
- eDirectory hooks into nscd and provides its own libraries. In order for
- this to operate properly with AppArmor, it needs to be told about these
- libraries.
-
- This patch adds a new abstract profile and includes it in the nameservice
- profile.
-
-Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
- profiles/apparmor.d/abstractions/nameservice       |    3 +++
- profiles/apparmor.d/abstractions/novell-edirectory |   13 +++++++++++++
- 2 files changed, 16 insertions(+)
-
-Index: profiles/apparmor.d/abstractions/nameservice
-===================================================================
--- profiles/apparmor.d/abstractions/nameservice.orig	2014-09-03 21:21:31.000000000 +0200
-+++ profiles/apparmor.d/abstractions/nameservice	2014-09-07 17:53:18.412834868 +0200
-@@ -81,6 +81,9 @@
-   # kerberos
-   #include <abstractions/kerberosclient>
- 
-+  # Novell eDirectory
-+  #include <abstractions/novell-edirectory>
-+
-   # TCP/UDP network access
-   network inet  stream,
-   network inet6 stream,
-Index: profiles/apparmor.d/abstractions/novell-edirectory
-===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ profiles/apparmor.d/abstractions/novell-edirectory	2014-09-07 17:53:18.412834868 +0200
-@@ -0,0 +1,13 @@
-+# $Id$
-+# ------------------------------------------------------------------
-+#
-+#    Copyright (C) 2010 Novell/SUSE
-+#
-+#    This program is free software; you can redistribute it and/or
-+#    modify it under the terms of version 2 of the GNU General Public
-+#    License published by the Free Software Foundation.
-+#
-+# ------------------------------------------------------------------
-+
-+  /opt/novell/eDirectory/lib/lib*so* r,
-+  /opt/novell/eDirectory/lib64/lib*so* r,
--- a/apparmor-2.9.2.tar.gz
+++ b/apparmor-2.9.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d01156e1ec50deada519fd4e8821677274b1d43418fda3bc4b25f1d38ea75ed5
-size 2336566
--- a/apparmor-2.9.2.tar.gz.asc
+++ b/apparmor-2.9.2.tar.gz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABCgAGBQJVOV6LAAoJEGaJ5k49NmS7yj8P/Am7QAfhveBAfHy1xbUTHdWy
-Y/LRsM0x4uebNr7ZK1Zy31WqecJLhzXhli58SPf4lvrfb2fOTp9txI3YHYrmB5Lg
-Mn3DhyRcr8Cov6WqPdYmG3dj/fUZSrs1wz6Ryt0zg9SMxu1CGiaZvD34QS0dGBbs
-1JB5PhjqbM54JfsjsMtmqZKviVq7k9+k4Wojzb1MIXD9w70uUj1PiJHJ5nryHFy5
-2KdBNxVTbG9QJCFeBqpchbW6VvunG7NQIRovpRYqEMOJF/UCcBRGdBRLWETCSdfu
-pDy+Sj30VJ9ik7cxRkxB0kn1U1UqGwUMHekjtdSX4Dm8LCSYQR0Wa9KAoiyoh787
-o2cSeeonI0uF5xXzEqLvaVrWsGPucdWfokN1SjuppWPHrSY50Tgtl1791gnTWTw+
-CbLeOP6fVq2iwJ8jPVDdGL3T8xZ7yBGH44XOB4r5rUbNSw8pau86RC+pSf/McHQ7
-WmShsVNDAfWxuLBDvfr9bGCSPL3Hk7SrSgOM5CZS2OspABllFmqXdIn6fuySO73I
-AyCDwr9qGAbQMIvNGn1DmF4GyVc1LPRctBRwz91j6//hjVewSpgtRT45BYdRp3mO
-cy/5XWdXbVFg/srctH91YNeUt0/F/fepEbqLR7MQ55q8cCQNo28/9PfL0JEovu1x
-tnGkNHea0o2YNxv2NZfK
-=gIwg
-----END PGP SIGNATURE-----
--- a/apparmor-samba-include-permissions-for-shares.diff
+++ b/apparmor-samba-include-permissions-for-shares.diff
@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
-@@ -47,6 +47,10 @@
+@@ -46,6 +46,10 @@
 
   @{HOMEDIRS}/** lrwk,
 
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Jul 16 20:51:00 UTC 2015 - opensuse@cboltz.de
+
+- update to AppArmor 2.10 (trunk r3205)
+  - profile names can now contain variables
+  - improved profile compile time in apparmor_parser
+  - lots of improvements, refactoring and bugfixes in the aa-* tools
+  - new apis for managing and loading profile caches into the kernel in
+    libapparmor
+  - lots of profile updates
+  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10 for the
+    complete changelog with more details
+- add new apparmor_private.h and the aa_query_label(2), aa_features(3),
+  aa_kernel_interface(3), aa_policy_cache(3), aa_splitcon(3) manpages
+  to libapparmor-devel
+- drop apparmor-2.5.1-edirectory-profile patch - it's most probably
+  no longer needed (see boo#621394 for details)
+- drop upstreamed samba-4.2-profiles.diff
+- refresh apparmor-samba-include-permissions-for-shares.diff
+
 -------------------------------------------------------------------
 Mon Jun 15 22:13:21 UTC 2015 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -25,7 +25,7 @@
 %bcond_without apache
 %bcond_without perl
 %if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210
- # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch 
+ # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch
 %bcond_with python
 %bcond_with python3
 %bcond_with ruby
@ -60,7 +60,7 @@ Name:           apparmor
 %if ! %{?distro:1}0
  %define distro suse
 %endif
-Version:        2.9.2
+Version:        2.10
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0+
@ -82,11 +82,6 @@ Patch2:         apparmor-samba-include-permissions-for-shares.diff
 # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch3:         apparmor-utils-string-split

-# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
-# as discussed with Jeff on #apparmor 2015-03-16, disable when packaging the next major release
-# (Is this really needed in abstractions/nameservice or only in the nscd profile? bnc#621394 only shows nscd.)
-Patch4:         apparmor-2.5.1-edirectory-profile
-
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
 Patch5:         ruby-2_0-mkmf-destdir.patch

@ -97,10 +92,6 @@ Patch6:         apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7:         apparmor-lessopen-profile.patch

-# update samba (winbindd and nmb) profiles for samba 4.2 (boo#921098, boo#923201)
-# commited upstream trunk r3038, 2.9 r2917 (2.9 commit doesn't include the /var/lib/samba/... cleanup in the winbindd profile)
-Patch10:        samba-4.2-profiles.diff
-
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -381,7 +372,7 @@ BuildArch:      noarch
 %description utils
 This package provides the aa-logprof, aa-genprof, aa-autodep,
 aa-enforce, and aa-complain tools to assist with profile authoring.
-Besides it provides the aa-unconfined server information tool. 
+Besides it provides the aa-unconfined server information tool.
 It is part of a suite of tools that used to be named SubDomain.

 %if %{with tomcat}
@ -437,7 +428,6 @@ SubDomain.
 %patch1 -p1
 %patch2
 %patch3 -p1
-%patch4

 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
 %if 0%{?suse_version} > 1230
@ -446,7 +436,6 @@ SubDomain.

 %patch6
 %patch7 -p1
-%patch10
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

@ -671,8 +660,14 @@ fi
 %doc %{_mandir}/man2/change_hat.2.gz
 %doc %{_mandir}/man2/aa_find_mountpoint.2.gz
 %doc %{_mandir}/man2/aa_getcon.2.gz
+%doc %{_mandir}/man2/aa_query_label.2.gz
+%doc %{_mandir}/man3/aa_features.3.gz
+%doc %{_mandir}/man3/aa_kernel_interface.3.gz
+%doc %{_mandir}/man3/aa_policy_cache.3.gz
+%doc %{_mandir}/man3/aa_splitcon.3.gz
 %dir %{_includedir}/aalogparse
 %{_includedir}/sys/apparmor.h
+%{_includedir}/sys/apparmor_private.h
 %{_includedir}/aalogparse/*

 %files abstractions
--- a/samba-4.2-profiles.diff
+++ b/samba-4.2-profiles.diff
@ -1,40 +0,0 @@
-Index: profiles/apparmor.d/abstractions/samba
-===================================================================
--- profiles/apparmor.d/abstractions/samba.orig	2014-07-04 12:09:58.000000000 +0200
-+++ profiles/apparmor.d/abstractions/samba	2015-04-17 21:24:22.463107165 +0200
-@@ -13,7 +13,7 @@
-   /usr/share/samba/*.dat r,
-   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
-   /var/cache/samba/ w,
-  /var/lib/samba/**.tdb rwk,
-+  /var/lib/samba/** rwk,
-   /var/log/samba/cores/ rw,
-   /var/log/samba/cores/** rw,
-   /var/log/samba/log.* w,
-Index: profiles/apparmor.d/usr.sbin.winbindd
-===================================================================
--- profiles/apparmor.d/usr.sbin.winbindd.orig	2014-04-21 22:10:51.000000000 +0200
-+++ profiles/apparmor.d/usr.sbin.winbindd	2015-04-17 21:26:56.262142786 +0200
-@@ -10,8 +10,12 @@
-   capability ipc_lock,
-   capability setuid,
- 
-+  /etc/samba/netlogon_creds_cli.tdb rwk,
-   /etc/samba/passdb.tdb{,.tmp} rwk,
-   /etc/samba/secrets.tdb rwk,
-+  /etc/samba/smbd.tmp/ rw,
-+  /etc/samba/smbd.tmp/msg/ rw,
-+  /etc/samba/smbd.tmp/msg/* rw,
-   @{PROC}/sys/kernel/core_pattern r,
-   /tmp/.winbindd/ w,
-   /tmp/krb5cc_* rwk,
-@@ -21,9 +25,6 @@
-   /usr/sbin/winbindd mr,
-   /var/cache/krb5rcache/* rw,
-   /var/cache/samba/*.tdb rwk,
-  /var/lib/samba/smb_krb5/krb5.conf.* rw,
-  /var/lib/samba/smb_tmp_krb5.* rw,
-  /var/lib/samba/winbindd_cache.tdb* rwk,
-   /var/log/samba/log.winbindd rw,
-   /{var/,}run/samba/winbindd.pid rwk,
-   /{var/,}run/samba/winbindd/ rw,