Accepting request 536620 from home:cboltz
apparmor: - update to AppArmor 2.11.1 - add permissions to several profiles and abstractions (including lp#1650827 and boo#1057900) - several fixes in the aa-* tools (including lp#1689667, lp#1628286, lp#1661766 and boo#1062667) - fix downgrading/converting of 'unix' rules (will be supported in kernel 4.15) to 'network unix' rules in apparmor_parser (boo#1061195) - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for upstream changelog - remove upstream(ed) patches - upstream-changes-r3616..3628.diff - upstream-changes-r3629..3648.diff - parser-tests-dbus-duplicated-conditionals.diff - apparmor-fix-podsyntax.patch - sshd-profile-drop-local-include-r3615.diff - refresh apparmor-yast-cleanup.patch - add utils-fix-sorted-save_profiles-regression.diff to fix a regression in displaying the "changed profiles" list in aa-logprof Also add bugzilla reference to the previous change: - add nameservice-libtirpc.diff to fix NIS/YP logins (boo#1062244) libapparmor: - update to AppArmor 2.11.1 - mostly test-related changes in libapparmor - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for upstream changelog OBS-URL: https://build.opensuse.org/request/show/536620 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=190
This commit is contained in:
parent
365c3b08fa
commit
3a01d74522
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a
|
||||
size 5013297
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQI3BAABCgAhBQJYcxbLGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
|
||||
5k49NmS7Nh4P/Rf1b8NugcYkrXBA3LMS47KF4+fig+4j4jcAsUqY+aDgj02UYcEv
|
||||
S6XpbzkTJykM0CJ2BLNHHfwUpbVrUDyfABhgh/m9aH0Y52zkteVfYt9tVNxz7OaH
|
||||
s4M977g5HPvlOIsS2EXyk1g0IZ8WJ830sZpOZIKpgwptgSJeHKiFQJsCINzOzv7z
|
||||
MKATzhnrnvb4KBwCC3MoUHhCheGvUmQlArn4+/LwCMERHxrrSYr/kl/nDxhqE7HZ
|
||||
1wdO8TdrG+R595Yc/t0OO+LOCv7TBU5K7TLiN+1wqenrEfR+9RaxpLB2N8a5+LQ0
|
||||
kphfS07ht22oWhySG14WL76FrrvN0WBcRBc6hkxgbizCwb+XLLGBUfk50MIabBPu
|
||||
GQJVnMtTEvlVdpvw0snG4RID8o7Tjv+2NsMi+67fR7dkksHO51jeQBlWeim1ZX+6
|
||||
GZPmEtWAuF0cZybnv66sfY7qokBXUaqP6Z9wYUXOVscJTK6XEmVGXinuistR1cJa
|
||||
O2e0Gji+cxBBejB7QWyHCcssXYo26rHW5kT94hcshqn0Qx1ThH+yTV+PqYiEjsNA
|
||||
R1AYgDMVCltu/UwuzHmtYo2es1W9Mcsk6htKhDLmT0ze3y+0f7Y463B8afs6RzWW
|
||||
W28mpt5/PPoFLkWstj+B00GnwO1x2rDbLoq+zvCD5WasZWa8uNV24nRg
|
||||
=aq9P
|
||||
-----END PGP SIGNATURE-----
|
3
apparmor-2.11.1.tar.gz
Normal file
3
apparmor-2.11.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e8e2b22c18e6b6741c1f96942398923b97316b53d86408629f922d5689ec3507
|
||||
size 5017646
|
16
apparmor-2.11.1.tar.gz.asc
Normal file
16
apparmor-2.11.1.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQI3BAABCgAhBQJZ6G0zGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
|
||||
5k49NmS7OPgP/1sdG9m/DZrgBz3BFHhe15u8K5BRXbrsOkoT3yLwH8gXY1bwlbSU
|
||||
H1bnz5itktyxapwae9Lyq1Qdr9eDpjgbQ1l2VbN34psLeuHH/6Q+R0ONYEktnWXs
|
||||
RSHIPYxZwDbnMIDKdTyGaF7VefNFRMGp+AM6n1NQVKdo0ycKuNFo9tlMW2iWLueq
|
||||
rng6vgTfyWbm9SbDSra8AjRPapxJznEUpV4fdl0OUDkrs4fsyOMcMStxKm6b4GvD
|
||||
LOcV+XGMugyR8as8P1BT+BOYtt3n+itJg0L0g31IkpPTduALb7VPuIG/RnPOrZV4
|
||||
o2tN+zqQLbbWoomSRj8kH319UIfgDxrSk2CM50WPYPIvWuqt0PZJXc8+36W6Gg5H
|
||||
Mxagz78lb94pJLD6HhBL7R4xGEI2T4aLGdOADYfkZaE+y1T4KrW1J1XPVhnIGiSg
|
||||
Kj6lIIkUxsYn39BczeWfCHTmmS5M1J08abAER14o7K8Y5jHKFl34Fmbq/MKnZTju
|
||||
/quiIbwUFe/wjFf6MZk9fyz0V/Gt/9MypwhKBA4eGj7qXiW/O9hzSxrf/B0ABvva
|
||||
2AXwtsCLyRH1a9ZzezDpnf6zLRq4qiJZY81nNxJPkKXQg1w7obl6NR9pbfoXtVhZ
|
||||
BkACyjgmwf0SZRlWnUrEfGriH8V40yLSvUMx4Lax7pLKCfNBlJJUXlrF
|
||||
=vKvS
|
||||
-----END PGP SIGNATURE-----
|
@ -1,37 +0,0 @@
|
||||
Author: Jamie Strandboge <jamie@canonical.com>
|
||||
Description: update aa-status.pod for updated podchecker
|
||||
Bug-Ubuntu: https://launchpad.net/bugs/1707614
|
||||
Forwarded: yes
|
||||
Index: apparmor-2.11.0/utils/aa-status.pod
|
||||
===================================================================
|
||||
--- apparmor-2.11.0.orig/utils/aa-status.pod
|
||||
+++ apparmor-2.11.0/utils/aa-status.pod
|
||||
@@ -102,23 +102,23 @@ following values:
|
||||
|
||||
=over 4
|
||||
|
||||
-=item 0
|
||||
+=item B<0>
|
||||
|
||||
if apparmor is enabled and policy is loaded.
|
||||
|
||||
-=item 1
|
||||
+=item B<1>
|
||||
|
||||
if apparmor is not enabled/loaded.
|
||||
|
||||
-=item 2
|
||||
+=item B<2>
|
||||
|
||||
if apparmor is enabled but no policy is loaded.
|
||||
|
||||
-=item 3
|
||||
+=item B<3>
|
||||
|
||||
if the apparmor control files aren't available under /sys/kernel/security/.
|
||||
|
||||
-=item 4
|
||||
+=item B<4>
|
||||
|
||||
if the user running the script doesn't have enough privileges to read
|
||||
the apparmor control files.
|
@ -179,7 +179,7 @@ index 141c20dd..6db4b277 100644
|
||||
finishing = False
|
||||
# Check for finished
|
||||
save_profiles()
|
||||
@@ -1958,78 +1876,50 @@ def save_profiles():
|
||||
@@ -1958,80 +1876,52 @@ def save_profiles():
|
||||
changed_list = sorted(changed.keys())
|
||||
|
||||
if changed_list:
|
||||
@ -188,13 +188,15 @@ index 141c20dd..6db4b277 100644
|
||||
+ q.explanation = _('The following local profiles were changed. Would you like to save them?')
|
||||
+ q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
|
||||
+ q.default = 'CMD_VIEW_CHANGES'
|
||||
+ q.options = changed
|
||||
+ q.selected = 0
|
||||
+ ans = ''
|
||||
+ arg = None
|
||||
+ while ans != 'CMD_SAVE_CHANGES':
|
||||
+ if not changed:
|
||||
+ return
|
||||
+
|
||||
+ q.options = sorted(changed.keys())
|
||||
+
|
||||
+ ans, arg = q.promptUser()
|
||||
+ if ans == 'CMD_SAVE_SELECTED':
|
||||
+ profile_name = list(changed.keys())[arg]
|
||||
@ -233,13 +235,15 @@ index 141c20dd..6db4b277 100644
|
||||
- q.explanation = _('The following local profiles were changed. Would you like to save them?')
|
||||
- q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
|
||||
- q.default = 'CMD_VIEW_CHANGES'
|
||||
- q.options = changed
|
||||
- q.selected = 0
|
||||
- ans = ''
|
||||
- arg = None
|
||||
- while ans != 'CMD_SAVE_CHANGES':
|
||||
- if not changed:
|
||||
- return
|
||||
-
|
||||
- q.options = sorted(changed.keys())
|
||||
-
|
||||
- ans, arg = q.promptUser()
|
||||
- if ans == 'CMD_SAVE_SELECTED':
|
||||
- profile_name = list(changed.keys())[arg]
|
||||
|
@ -1,7 +1,29 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.11.1
|
||||
- add permissions to several profiles and abstractions (including
|
||||
lp#1650827 and boo#1057900)
|
||||
- several fixes in the aa-* tools (including lp#1689667, lp#1628286,
|
||||
lp#1661766 and boo#1062667)
|
||||
- fix downgrading/converting of 'unix' rules (will be supported in
|
||||
kernel 4.15) to 'network unix' rules in apparmor_parser (boo#1061195)
|
||||
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
|
||||
upstream changelog
|
||||
- remove upstream(ed) patches
|
||||
- upstream-changes-r3616..3628.diff
|
||||
- upstream-changes-r3629..3648.diff
|
||||
- parser-tests-dbus-duplicated-conditionals.diff
|
||||
- apparmor-fix-podsyntax.patch
|
||||
- sshd-profile-drop-local-include-r3615.diff
|
||||
- refresh apparmor-yast-cleanup.patch
|
||||
- add utils-fix-sorted-save_profiles-regression.diff to fix a regression
|
||||
in displaying the "changed profiles" list in aa-logprof
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 17 21:42:38 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- add nameservice-libtirpc.diff to fix NIS/YP logins
|
||||
- add nameservice-libtirpc.diff to fix NIS/YP logins (boo#1062244)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com
|
||||
|
@ -35,7 +35,7 @@
|
||||
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
|
||||
|
||||
Name: apparmor
|
||||
Version: 2.11.0
|
||||
Version: 2.11.1
|
||||
Release: 0
|
||||
Summary: AppArmor userlevel parser utility
|
||||
License: GPL-2.0+
|
||||
@ -50,6 +50,7 @@ Source6: baselibs.conf
|
||||
Source7: apparmor-rpmlintrc
|
||||
Source8: apparmor.service
|
||||
Source9: apparmor.systemd
|
||||
|
||||
# enable caching of profiles (= massive performance speedup when loading profiles)
|
||||
Patch1: apparmor-enable-profile-cache.diff
|
||||
|
||||
@ -69,32 +70,20 @@ Patch6: apparmor-abstractions-no-multiline.diff
|
||||
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
||||
Patch7: apparmor-lessopen-profile.patch
|
||||
|
||||
# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615)
|
||||
Patch8: sshd-profile-drop-local-include-r3615.diff
|
||||
|
||||
# upstream changes (trunk r3616..3628)
|
||||
Patch9: upstream-changes-r3616..3628.diff
|
||||
|
||||
# upstream changes (trunk r3629..3648)
|
||||
Patch10: upstream-changes-r3629..3648.diff
|
||||
|
||||
# add some exceptions to utils/test/test-parser-simple-tests.py (submitted upstream 2017-03-25)
|
||||
Patch11: parser-tests-dbus-duplicated-conditionals.diff
|
||||
|
||||
# add JSON support to aa-logprof and aa-genprof (will be in upstream 2.12)
|
||||
Patch12: apparmor-yast-cleanup.patch
|
||||
Patch13: apparmor-json-support.patch
|
||||
|
||||
# https://marc.info/?l=apparmor-dev&m=150151113011870&q=p7
|
||||
Patch14: apparmor-fix-podsyntax.patch
|
||||
|
||||
# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only)
|
||||
# TODO: replace with proper unix rules when Kernel 4.15 arrives
|
||||
Patch15: profiles-sockets-temporary-fix.patch
|
||||
|
||||
# fix NIS/YP logins - libtirpc needs to read /etc/netconfig
|
||||
# fix NIS/YP logins - libtirpc needs to read /etc/netconfig - commited upstream 2017-10-20 (trunk r3716, 2.11 r3682, 2.10 r3408, 2.9 r3069)
|
||||
Patch16: nameservice-libtirpc.diff
|
||||
|
||||
# Fix sorted() regression in save_profiles() - submitted upstream 2017-10-22
|
||||
Patch17: utils-fix-sorted-save_profiles-regression.diff
|
||||
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%define apparmor_bin_prefix /lib/apparmor
|
||||
@ -387,23 +376,14 @@ SubDomain.
|
||||
%patch1 -p1
|
||||
%patch2
|
||||
%patch3 -p1
|
||||
|
||||
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
|
||||
%patch5 -p1
|
||||
|
||||
%patch6
|
||||
%patch7 -p1
|
||||
%patch8
|
||||
%patch9
|
||||
%patch10
|
||||
# patch10 (upstream-changes-r3629..3648.diff) fails to create empty files, do it manually
|
||||
touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
|
||||
%patch11
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
%patch16
|
||||
%patch17
|
||||
|
||||
# search for left-over multiline rules
|
||||
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
||||
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.11.1
|
||||
- mostly test-related changes in libapparmor
|
||||
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
|
||||
upstream changelog
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Feb 11 11:33:16 UTC 2017 - jengelh@inai.de
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
|
||||
Name: libapparmor
|
||||
Version: 2.11.0
|
||||
Version: 2.11.1
|
||||
Release: 0
|
||||
Summary: Utility library for AppArmor
|
||||
License: LGPL-2.1+
|
||||
|
@ -1,20 +0,0 @@
|
||||
=== modified file 'utils/test/test-parser-simple-tests.py'
|
||||
--- utils/test/test-parser-simple-tests.py 2017-03-03 12:14:03 +0000
|
||||
+++ utils/test/test-parser-simple-tests.py 2017-03-25 20:45:42 +0000
|
||||
@@ -49,6 +49,15 @@
|
||||
'change_profile/onx_conflict_unsafe1.sd',
|
||||
'change_profile/onx_conflict_unsafe2.sd',
|
||||
|
||||
+ # duplicated conditionals aren't detected by the tools
|
||||
+ 'generated_dbus/duplicated-conditionals-45127.sd',
|
||||
+ 'generated_dbus/duplicated-conditionals-45131.sd',
|
||||
+ 'generated_dbus/duplicated-conditionals-45124.sd',
|
||||
+ 'generated_dbus/duplicated-conditionals-45130.sd',
|
||||
+ 'generated_dbus/duplicated-conditionals-45125.sd',
|
||||
+ 'generated_dbus/duplicated-conditionals-45128.sd',
|
||||
+ 'generated_dbus/duplicated-conditionals-45129.sd',
|
||||
+
|
||||
'dbus/bad_modifier_2.sd',
|
||||
'dbus/bad_regex_01.sd',
|
||||
'dbus/bad_regex_02.sd',
|
||||
|
@ -1,30 +0,0 @@
|
||||
------------------------------------------------------------
|
||||
revno: 3615
|
||||
committer: Christian Boltz <apparmor@cboltz.de>
|
||||
branch nick: apparmor
|
||||
timestamp: Thu 2017-01-12 22:01:11 +0100
|
||||
message:
|
||||
sshd profile: drop local/ include
|
||||
|
||||
The local/ include in the sshd profile in extras causes some trouble:
|
||||
- it breaks "make check" because the parser can't find the local/ file
|
||||
- it results in a broken profile if someone uses this profile as
|
||||
starting point, but doesn't notice it needs the local include
|
||||
|
||||
|
||||
Acked-by: Steve Beattie <steve@nxnw.org>
|
||||
|
||||
|
||||
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
|
||||
--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-07 19:00:06 +0000
|
||||
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2017-01-12 21:01:11 +0000
|
||||
@@ -140,5 +140,5 @@
|
||||
/usr/lib/openssh/sftp-server PUx,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
- #include <local/usr.sbin.sshd>
|
||||
+ ## include <local/usr.sbin.sshd>
|
||||
}
|
||||
|
||||
|
||||
vim:ft=diff
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
34
utils-fix-sorted-save_profiles-regression.diff
Normal file
34
utils-fix-sorted-save_profiles-regression.diff
Normal file
@ -0,0 +1,34 @@
|
||||
--- utils/apparmor/aa.py 2017-10-11 21:20:00.789641479 +0200
|
||||
+++ utils/apparmor/aa.py 2017-10-22 14:15:00.412193634 +0200
|
||||
@@ -1827,16 +1827,18 @@
|
||||
if not changed:
|
||||
return
|
||||
|
||||
- q.options = sorted(changed.keys())
|
||||
+ options = sorted(changed.keys())
|
||||
+ q.options = options
|
||||
|
||||
ans, arg = q.promptUser()
|
||||
+
|
||||
+ which = options[arg]
|
||||
+
|
||||
if ans == 'CMD_SAVE_SELECTED':
|
||||
- profile_name = list(changed.keys())[arg]
|
||||
- write_profile_ui_feedback(profile_name)
|
||||
- reload_base(profile_name)
|
||||
+ write_profile_ui_feedback(which)
|
||||
+ reload_base(which)
|
||||
|
||||
elif ans == 'CMD_VIEW_CHANGES':
|
||||
- which = list(changed.keys())[arg]
|
||||
oldprofile = None
|
||||
if aa[which][which].get('filename', False):
|
||||
oldprofile = aa[which][which]['filename']
|
||||
@@ -1852,7 +1854,6 @@
|
||||
display_changes_with_comments(oldprofile, newprofile)
|
||||
|
||||
elif ans == 'CMD_VIEW_CHANGES_CLEAN':
|
||||
- which = list(changed.keys())[arg]
|
||||
oldprofile = serialize_profile(original_aa[which], which, '')
|
||||
newprofile = serialize_profile(aa[which], which, '')
|
||||
|
Loading…
Reference in New Issue
Block a user