Accepting request 941697 from security:apparmor

-  Modify add-samba-bgqd.diff: Add new rule to fix new "DENIED
   operation="file_mmap" violation in SLE15-SP4; (bsc#1192336).

OBS-URL: https://build.opensuse.org/request/show/941697
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=161

add-samba-bgqd.diff

@@ -14,12 +14,11 @@ Date:   Fri Oct 15 22:02:36 2021 +0200
     
     Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
 
-diff --git a/profiles/apparmor.d/samba-bgqd b/profiles/apparmor.d/samba-bgqd
+Index: apparmor-3.0.3/profiles/apparmor.d/samba-bgqd
-new file mode 100644
+===================================================================
-index 00000000..c81c64f1
 --- /dev/null
-+++ b/profiles/apparmor.d/samba-bgqd
++++ apparmor-3.0.3/profiles/apparmor.d/samba-bgqd
-@@ -0,0 +1,18 @@
+@@ -0,0 +1,20 @@
 +abi <abi/3.0>,
 +
 +include <tunables/global>
@@ -35,13 +34,15 @@ index 00000000..c81c64f1
 +  @{PROC}/sys/kernel/core_pattern r,
 +  @{run}/samba/samba-bgqd.pid wk,
 +
++  /usr/lib*/samba/samba-bgqd m,
++
 +  # Site-specific additions and overrides. See local/README for details.
 +  include if exists <local/samba-bgqd>
 +}
-diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
+Index: apparmor-3.0.3/profiles/apparmor.d/usr.sbin.smbd
-index 92305564..b8fdad15 100644
+===================================================================
---- a/profiles/apparmor.d/usr.sbin.smbd
+--- apparmor-3.0.3.orig/profiles/apparmor.d/usr.sbin.smbd
-+++ b/profiles/apparmor.d/usr.sbin.smbd
++++ apparmor-3.0.3/profiles/apparmor.d/usr.sbin.smbd
 @@ -24,6 +24,8 @@ profile smbd /usr/{bin,sbin}/smbd {
    capability sys_resource,
    capability sys_tty_config,

apparmor.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Dec 20 11:01:50 UTC 2021 - Noel Power <nopower@suse.com>
+
+-  Modify add-samba-bgqd.diff: Add new rule to fix new "DENIED
+   operation="file_mmap" violation in SLE15-SP4; (bsc#1192336).
+
 -------------------------------------------------------------------
 Sun Dec 19 21:42:54 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -81,7 +81,8 @@ Patch6:         apache-extra-profile-include-if-exists.diff
 # update abstractions/python and profiles for python 3.10 (submitted upstream 2021-08-11 https://gitlab.com/apparmor/apparmor/-/merge_requests/783)
 Patch7:         profiles-python-3.10-mr783.diff
 
-# add samba-bgqd profile (submitted upstream 2021-10-15 https://gitlab.com/apparmor/apparmor/-/merge_requests/807)
+# add samba-bgqd profile (accepted upstream 2021-10-15 https://gitlab.com/apparmor/apparmor/-/merge_requests/807)
+# updated for boo#1192336 (merged upstream 2021-12-20 https://gitlab.com/apparmor/apparmor/-/merge_requests/819 in 3.0 and master)
 Patch8:         add-samba-bgqd.diff
 
 # aa-notify: Add support for reading s390x and aarch64 wtmp file (boo#1181155) (merged upstream 2021-11-08 in master and 3.0 branch - https://gitlab.com/apparmor/apparmor/-/merge_requests/809)