pool/apparmor
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 317972 from security:apparmor

Browse Source 
- update to AppArmor 2.10 (trunk r3205)
  - profile names can now contain variables
  - improved profile compile time in apparmor_parser
  - lots of improvements, refactoring and bugfixes in the aa-* tools
  - new apis for managing and loading profile caches into the kernel in
    libapparmor
  - lots of profile updates
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10 for the
    complete changelog with more details
- add new apparmor_private.h and the aa_query_label(2), aa_features(3),
  aa_kernel_interface(3), aa_policy_cache(3), aa_splitcon(3) manpages
  to libapparmor-devel
- drop apparmor-2.5.1-edirectory-profile patch - it's most probably
  no longer needed (see boo#621394 for details)
- drop upstreamed samba-4.2-profiles.diff
- refresh apparmor-samba-include-permissions-for-shares.diff (forwarded request 317971 from cboltz)

OBS-URL: https://build.opensuse.org/request/show/317972
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=87
This commit is contained in:
Stephan Kulow 2015-07-24 07:57:46 +00:00 committed by Git OBS Bridge
commit 2f3ae566a5
9 changed files with 50 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apparmor-2.10.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4d0e224257a29671b694bd9054edf0dd213aa690fd02844ecf3329b86ac506f4
size 2421759

17
apparmor-2.10.tar.gz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCgAGBQJVpZFnAAoJEGaJ5k49NmS7XD8P/jjvjD5MmrpLxbfBLeuMBc41
z7Up38fcwVpzs7FcPHPQZKjoz0HUyWkINlHC2wg1VBBAy8uvsbGF2ndfGcH33WJG
BvjXu1RSkkZ0ouc/611ro8V+7gIMK0qkmuFlDf0yYcu7xkUzGsCKPOe9hcuyIkhW
xoK9WUxTDlaOzCEfjIOc9R/A5yLCKIbsbCy+lw7nCk3iZaesroMQBvHPx2+TSFtQ
0Dl+llWp3yEFwugzXaAl8/BXdBBwvSdgNyMcXU+4Cvr+WqrrcQZdL1aN/WkkH3nN
yeVc72kLjsYyLjRjl9bSty61W+PBcxG4uopakl7LMpHL5EGPB0uITUae7Y0BJBxq
kyKs0ufl/qNw+FyqQIchOpaHuyfw/TjxwOFiAQQ1+jrG4cljiAzcoNzjQscs1qxK
Z/uxCD8W+AneqQH1BV7ruYG2pTQISUIHRFm/O9JhyhSl/xBZlNgGca06VckHose+
xRuGqYUo70VjIzNdht9x+kuFJpGpoRyL9+tgr0cl6Z2OU/H69FF8CURMwn30iELR
J29VflgyfaBW9S41dYB7oF5/AfEKZKvVk/2Cqi6iLvdnDBIwBIi6Q7xLcI2vZPVK
HpDNODeW9YSMNEJCpdkc8vyav/CUS7s1SOMR3T4sUoS8lq7DfsJOMcNB2RkfIzqL
efE4Pn9Z0HNWhYL0hvZa
=p6Nx
-----END PGP SIGNATURE-----

49
apparmor-2.5.1-edirectory-profile
View File

@ -1,49 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-profiles: Add support for eDirectory calls from nscd
References: bnc#621394
eDirectory hooks into nscd and provides its own libraries. In order for
this to operate properly with AppArmor, it needs to be told about these
libraries.
This patch adds a new abstract profile and includes it in the nameservice
profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/abstractions/nameservice | 3 +++
profiles/apparmor.d/abstractions/novell-edirectory | 13 +++++++++++++
2 files changed, 16 insertions(+)
Index: profiles/apparmor.d/abstractions/nameservice
===================================================================
--- profiles/apparmor.d/abstractions/nameservice.orig 2014-09-03 21:21:31.000000000 +0200
+++ profiles/apparmor.d/abstractions/nameservice 2014-09-07 17:53:18.412834868 +0200
@@ -81,6 +81,9 @@
# kerberos
#include <abstractions/kerberosclient>
+ # Novell eDirectory
+ #include <abstractions/novell-edirectory>
+
# TCP/UDP network access
network inet stream,
network inet6 stream,
Index: profiles/apparmor.d/abstractions/novell-edirectory
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ profiles/apparmor.d/abstractions/novell-edirectory 2014-09-07 17:53:18.412834868 +0200
@@ -0,0 +1,13 @@
+# $Id$
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /opt/novell/eDirectory/lib/lib*so* r,
+ /opt/novell/eDirectory/lib64/lib*so* r,

3
apparmor-2.9.2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d01156e1ec50deada519fd4e8821677274b1d43418fda3bc4b25f1d38ea75ed5
size 2336566

17
apparmor-2.9.2.tar.gz.asc
View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCgAGBQJVOV6LAAoJEGaJ5k49NmS7yj8P/Am7QAfhveBAfHy1xbUTHdWy
Y/LRsM0x4uebNr7ZK1Zy31WqecJLhzXhli58SPf4lvrfb2fOTp9txI3YHYrmB5Lg
Mn3DhyRcr8Cov6WqPdYmG3dj/fUZSrs1wz6Ryt0zg9SMxu1CGiaZvD34QS0dGBbs
1JB5PhjqbM54JfsjsMtmqZKviVq7k9+k4Wojzb1MIXD9w70uUj1PiJHJ5nryHFy5
2KdBNxVTbG9QJCFeBqpchbW6VvunG7NQIRovpRYqEMOJF/UCcBRGdBRLWETCSdfu
pDy+Sj30VJ9ik7cxRkxB0kn1U1UqGwUMHekjtdSX4Dm8LCSYQR0Wa9KAoiyoh787
o2cSeeonI0uF5xXzEqLvaVrWsGPucdWfokN1SjuppWPHrSY50Tgtl1791gnTWTw+
CbLeOP6fVq2iwJ8jPVDdGL3T8xZ7yBGH44XOB4r5rUbNSw8pau86RC+pSf/McHQ7
WmShsVNDAfWxuLBDvfr9bGCSPL3Hk7SrSgOM5CZS2OspABllFmqXdIn6fuySO73I
AyCDwr9qGAbQMIvNGn1DmF4GyVc1LPRctBRwz91j6//hjVewSpgtRT45BYdRp3mO
cy/5XWdXbVFg/srctH91YNeUt0/F/fepEbqLR7MQ55q8cCQNo28/9PfL0JEovu1x
tnGkNHea0o2YNxv2NZfK
=gIwg
-----END PGP SIGNATURE-----

2
apparmor-samba-include-permissions-for-shares.diff
View File

@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'profiles/apparmor.d/usr.sbin.smbd' === modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 --- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
@@ -47,6 +47,10 @@ @@ -46,6 +46,10 @@
@{HOMEDIRS}/** lrwk, @{HOMEDIRS}/** lrwk,

20
apparmor.changes
View File

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Thu Jul 16 20:51:00 UTC 2015 - opensuse@cboltz.de
- update to AppArmor 2.10 (trunk r3205)
- profile names can now contain variables
- improved profile compile time in apparmor_parser
- lots of improvements, refactoring and bugfixes in the aa-* tools
- new apis for managing and loading profile caches into the kernel in
libapparmor
- lots of profile updates
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10 for the
complete changelog with more details
- add new apparmor_private.h and the aa_query_label(2), aa_features(3),
aa_kernel_interface(3), aa_policy_cache(3), aa_splitcon(3) manpages
to libapparmor-devel
- drop apparmor-2.5.1-edirectory-profile patch - it's most probably
no longer needed (see boo#621394 for details)
- drop upstreamed samba-4.2-profiles.diff
- refresh apparmor-samba-include-permissions-for-shares.diff
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 15 22:13:21 UTC 2015 - opensuse@cboltz.de Mon Jun 15 22:13:21 UTC 2015 - opensuse@cboltz.de

19
apparmor.spec
View File

@ -60,7 +60,7 @@ Name: apparmor
%if ! %{?distro:1}0 %if ! %{?distro:1}0
%define distro suse %define distro suse
%endif %endif
Version: 2.9.2 Version: 2.10
Release: 0 Release: 0
Summary: AppArmor userlevel parser utility Summary: AppArmor userlevel parser utility
License: GPL-2.0+ License: GPL-2.0+
@ -82,11 +82,6 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch3: apparmor-utils-string-split Patch3: apparmor-utils-string-split
# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
# as discussed with Jeff on #apparmor 2015-03-16, disable when packaging the next major release
# (Is this really needed in abstractions/nameservice or only in the nscd profile? bnc#621394 only shows nscd.)
Patch4: apparmor-2.5.1-edirectory-profile
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch5: ruby-2_0-mkmf-destdir.patch Patch5: ruby-2_0-mkmf-destdir.patch
@ -97,10 +92,6 @@ Patch6: apparmor-abstractions-no-multiline.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch Patch7: apparmor-lessopen-profile.patch
# update samba (winbindd and nmb) profiles for samba 4.2 (boo#921098, boo#923201)
# commited upstream trunk r3038, 2.9 r2917 (2.9 commit doesn't include the /var/lib/samba/... cleanup in the winbindd profile)
Patch10: samba-4.2-profiles.diff
Url: https://launchpad.net/apparmor Url: https://launchpad.net/apparmor
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -437,7 +428,6 @@ SubDomain.
%patch1 -p1 %patch1 -p1
%patch2 %patch2
%patch3 -p1 %patch3 -p1
%patch4
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR) # Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
%if 0%{?suse_version} > 1230 %if 0%{?suse_version} > 1230
@ -446,7 +436,6 @@ SubDomain.
%patch6 %patch6
%patch7 -p1 %patch7 -p1
%patch10
# search for left-over multiline rules # search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
@ -671,8 +660,14 @@ fi
%doc %{_mandir}/man2/change_hat.2.gz %doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz %doc %{_mandir}/man2/aa_find_mountpoint.2.gz
%doc %{_mandir}/man2/aa_getcon.2.gz %doc %{_mandir}/man2/aa_getcon.2.gz
%doc %{_mandir}/man2/aa_query_label.2.gz
%doc %{_mandir}/man3/aa_features.3.gz
%doc %{_mandir}/man3/aa_kernel_interface.3.gz
%doc %{_mandir}/man3/aa_policy_cache.3.gz
%doc %{_mandir}/man3/aa_splitcon.3.gz
%dir %{_includedir}/aalogparse %dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h %{_includedir}/sys/apparmor.h
%{_includedir}/sys/apparmor_private.h
%{_includedir}/aalogparse/* %{_includedir}/aalogparse/*
%files abstractions %files abstractions

40
samba-4.2-profiles.diff
View File

@ -1,40 +0,0 @@
Index: profiles/apparmor.d/abstractions/samba
===================================================================
--- profiles/apparmor.d/abstractions/samba.orig 2014-07-04 12:09:58.000000000 +0200
+++ profiles/apparmor.d/abstractions/samba 2015-04-17 21:24:22.463107165 +0200
@@ -13,7 +13,7 @@
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
/var/cache/samba/ w,
- /var/lib/samba/**.tdb rwk,
+ /var/lib/samba/** rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
/var/log/samba/log.* w,
Index: profiles/apparmor.d/usr.sbin.winbindd
===================================================================
--- profiles/apparmor.d/usr.sbin.winbindd.orig 2014-04-21 22:10:51.000000000 +0200
+++ profiles/apparmor.d/usr.sbin.winbindd 2015-04-17 21:26:56.262142786 +0200
@@ -10,8 +10,12 @@
capability ipc_lock,
capability setuid,
+ /etc/samba/netlogon_creds_cli.tdb rwk,
/etc/samba/passdb.tdb{,.tmp} rwk,
/etc/samba/secrets.tdb rwk,
+ /etc/samba/smbd.tmp/ rw,
+ /etc/samba/smbd.tmp/msg/ rw,
+ /etc/samba/smbd.tmp/msg/* rw,
@{PROC}/sys/kernel/core_pattern r,
/tmp/.winbindd/ w,
/tmp/krb5cc_* rwk,
@@ -21,9 +25,6 @@
/usr/sbin/winbindd mr,
/var/cache/krb5rcache/* rw,
/var/cache/samba/*.tdb rwk,
- /var/lib/samba/smb_krb5/krb5.conf.* rw,
- /var/lib/samba/smb_tmp_krb5.* rw,
- /var/lib/samba/winbindd_cache.tdb* rwk,
/var/log/samba/log.winbindd rw,
/{var/,}run/samba/winbindd.pid rwk,
/{var/,}run/samba/winbindd/ rw,