Accepting request 536620 from home:cboltz

apparmor:
- update to AppArmor 2.11.1
  - add permissions to several profiles and abstractions (including
    lp#1650827 and boo#1057900)
  - several fixes in the aa-* tools (including lp#1689667, lp#1628286,
    lp#1661766 and boo#1062667)
  - fix downgrading/converting of 'unix' rules (will be supported in
    kernel 4.15) to 'network unix' rules in apparmor_parser (boo#1061195)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
    upstream changelog
- remove upstream(ed) patches
  - upstream-changes-r3616..3628.diff
  - upstream-changes-r3629..3648.diff
  - parser-tests-dbus-duplicated-conditionals.diff
  - apparmor-fix-podsyntax.patch
  - sshd-profile-drop-local-include-r3615.diff
- refresh apparmor-yast-cleanup.patch
- add utils-fix-sorted-save_profiles-regression.diff to fix a regression
  in displaying the "changed profiles" list in aa-logprof

Also add bugzilla reference to the previous change:
- add nameservice-libtirpc.diff to fix NIS/YP logins (boo#1062244)


libapparmor:
- update to AppArmor 2.11.1
  - mostly test-related changes in libapparmor
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
    upstream changelog

OBS-URL: https://build.opensuse.org/request/show/536620
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=190
Christian Boltz 2017-10-25 21:04:37 +00:00 committed by Git OBS Bridge
parent 365c3b08fa
commit 3a01d74522
15 changed files with 99 additions and 2975 deletions

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a
size 5013297

apparmor-2.11.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e8e2b22c18e6b6741c1f96942398923b97316b53d86408629f922d5689ec3507
size 5017646

@ -1,37 +0,0 @@
Author: Jamie Strandboge <jamie@canonical.com>
Description: update aa-status.pod for updated podchecker
Bug-Ubuntu: https://launchpad.net/bugs/1707614
Forwarded: yes
Index: apparmor-2.11.0/utils/aa-status.pod
===================================================================
--- apparmor-2.11.0.orig/utils/aa-status.pod
+++ apparmor-2.11.0/utils/aa-status.pod
@@ -102,23 +102,23 @@ following values:
=over 4
-=item 0
+=item B<0>
if apparmor is enabled and policy is loaded.
-=item 1
+=item B<1>
if apparmor is not enabled/loaded.
-=item 2
+=item B<2>
if apparmor is enabled but no policy is loaded.
-=item 3
+=item B<3>
if the apparmor control files aren't available under /sys/kernel/security/.
-=item 4
+=item B<4>
if the user running the script doesn't have enough privileges to read
the apparmor control files.

@ -179,7 +179,7 @@ index 141c20dd..6db4b277 100644
finishing = False finishing = False
# Check for finished # Check for finished
save_profiles() save_profiles()
@@ -1958,78 +1876,50 @@ def save_profiles(): @@ -1958,80 +1876,52 @@ def save_profiles():
changed_list = sorted(changed.keys()) changed_list = sorted(changed.keys())
if changed_list: if changed_list:
@ -188,13 +188,15 @@ index 141c20dd..6db4b277 100644
+ q.explanation = _('The following local profiles were changed. Would you like to save them?') + q.explanation = _('The following local profiles were changed. Would you like to save them?')
+ q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT'] + q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
+ q.default = 'CMD_VIEW_CHANGES' + q.default = 'CMD_VIEW_CHANGES'
+ q.options = changed
+ q.selected = 0 + q.selected = 0
+ ans = '' + ans = ''
+ arg = None + arg = None
+ while ans != 'CMD_SAVE_CHANGES': + while ans != 'CMD_SAVE_CHANGES':
+ if not changed: + if not changed:
+ return + return
+
+ q.options = sorted(changed.keys())
+
+ ans, arg = q.promptUser() + ans, arg = q.promptUser()
+ if ans == 'CMD_SAVE_SELECTED': + if ans == 'CMD_SAVE_SELECTED':
+ profile_name = list(changed.keys())[arg] + profile_name = list(changed.keys())[arg]
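Review bot: `q.options = sorted(changed.keys())` now builds the menu in sorted order, but the `CMD_SAVE_SELECTED` branch just below still resolves the choice with `list(changed.keys())[arg]`, so the index returned for the sorted list is applied to the dict's own key order and can pick a different profile than the one shown. Keep the sorted list in a variable and index that same list, which is what utils-fix-sorted-save_profiles-regression.diff in this commit does.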
@ -233,13 +235,15 @@ index 141c20dd..6db4b277 100644
- q.explanation = _('The following local profiles were changed. Would you like to save them?') - q.explanation = _('The following local profiles were changed. Would you like to save them?')
- q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT'] - q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
- q.default = 'CMD_VIEW_CHANGES' - q.default = 'CMD_VIEW_CHANGES'
- q.options = changed
- q.selected = 0 - q.selected = 0
- ans = '' - ans = ''
- arg = None - arg = None
- while ans != 'CMD_SAVE_CHANGES': - while ans != 'CMD_SAVE_CHANGES':
- if not changed: - if not changed:
- return - return
-
- q.options = sorted(changed.keys())
-
- ans, arg = q.promptUser() - ans, arg = q.promptUser()
- if ans == 'CMD_SAVE_SELECTED': - if ans == 'CMD_SAVE_SELECTED':
- profile_name = list(changed.keys())[arg] - profile_name = list(changed.keys())[arg]

@ -1,7 +1,29 @@
-------------------------------------------------------------------
Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.11.1
- add permissions to several profiles and abstractions (including
lp#1650827 and boo#1057900)
- several fixes in the aa-* tools (including lp#1689667, lp#1628286,
lp#1661766 and boo#1062667)
- fix downgrading/converting of 'unix' rules (will be supported in
kernel 4.15) to 'network unix' rules in apparmor_parser (boo#1061195)
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
upstream changelog
- remove upstream(ed) patches
- upstream-changes-r3616..3628.diff
- upstream-changes-r3629..3648.diff
- parser-tests-dbus-duplicated-conditionals.diff
- apparmor-fix-podsyntax.patch
- sshd-profile-drop-local-include-r3615.diff
- refresh apparmor-yast-cleanup.patch
- add utils-fix-sorted-save_profiles-regression.diff to fix a regression
in displaying the "changed profiles" list in aa-logprof
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 17 21:42:38 UTC 2017 - suse-beta@cboltz.de Tue Oct 17 21:42:38 UTC 2017 - suse-beta@cboltz.de
- add nameservice-libtirpc.diff to fix NIS/YP logins - add nameservice-libtirpc.diff to fix NIS/YP logins (boo#1062244)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com

@ -35,7 +35,7 @@
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
Name: apparmor Name: apparmor
Version: 2.11.0 Version: 2.11.1
Release: 0 Release: 0
Summary: AppArmor userlevel parser utility Summary: AppArmor userlevel parser utility
License: GPL-2.0+ License: GPL-2.0+
@ -50,6 +50,7 @@ Source6: baselibs.conf
Source7: apparmor-rpmlintrc Source7: apparmor-rpmlintrc
Source8: apparmor.service Source8: apparmor.service
Source9: apparmor.systemd Source9: apparmor.systemd
# enable caching of profiles (= massive performance speedup when loading profiles) # enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff Patch1: apparmor-enable-profile-cache.diff
@ -69,32 +70,20 @@ Patch6: apparmor-abstractions-no-multiline.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch Patch7: apparmor-lessopen-profile.patch
# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615)
Patch8: sshd-profile-drop-local-include-r3615.diff
# upstream changes (trunk r3616..3628)
Patch9: upstream-changes-r3616..3628.diff
# upstream changes (trunk r3629..3648)
Patch10: upstream-changes-r3629..3648.diff
# add some exceptions to utils/test/test-parser-simple-tests.py (submitted upstream 2017-03-25)
Patch11: parser-tests-dbus-duplicated-conditionals.diff
# add JSON support to aa-logprof and aa-genprof (will be in upstream 2.12) # add JSON support to aa-logprof and aa-genprof (will be in upstream 2.12)
Patch12: apparmor-yast-cleanup.patch Patch12: apparmor-yast-cleanup.patch
Patch13: apparmor-json-support.patch Patch13: apparmor-json-support.patch
# https://marc.info/?l=apparmor-dev&m=150151113011870&q=p7
Patch14: apparmor-fix-podsyntax.patch
# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only) # temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only)
# TODO: replace with proper unix rules when Kernel 4.15 arrives # TODO: replace with proper unix rules when Kernel 4.15 arrives
Patch15: profiles-sockets-temporary-fix.patch Patch15: profiles-sockets-temporary-fix.patch
# fix NIS/YP logins - libtirpc needs to read /etc/netconfig # fix NIS/YP logins - libtirpc needs to read /etc/netconfig - commited upstream 2017-10-20 (trunk r3716, 2.11 r3682, 2.10 r3408, 2.9 r3069)
Patch16: nameservice-libtirpc.diff Patch16: nameservice-libtirpc.diff
# Fix sorted() regression in save_profiles() - submitted upstream 2017-10-22
Patch17: utils-fix-sorted-save_profiles-regression.diff
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix /lib/apparmor %define apparmor_bin_prefix /lib/apparmor
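Review bot: The updated comment above `Patch16` misspells "committed" as "commited". Since that comment now records the upstream revisions (trunk r3716, 2.11 r3682, ...), it would also help to say that the patch can be dropped with the next 2.11.x update, in the same way the `Patch15` comment carries a TODO for kernel 4.15.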
@ -387,23 +376,14 @@ SubDomain.
%patch1 -p1 %patch1 -p1
%patch2 %patch2
%patch3 -p1 %patch3 -p1
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
%patch5 -p1 %patch5 -p1
%patch6 %patch6
%patch7 -p1 %patch7 -p1
%patch8
%patch9
%patch10
# patch10 (upstream-changes-r3629..3648.diff) fails to create empty files, do it manually
touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
%patch11
%patch12 -p1 %patch12 -p1
%patch13 -p1 %patch13 -p1
%patch14 -p1
%patch15 -p1 %patch15 -p1
%patch16 %patch16
%patch17
# search for left-over multiline rules # search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.11.1
- mostly test-related changes in libapparmor
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
upstream changelog
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Feb 11 11:33:16 UTC 2017 - jengelh@inai.de Sat Feb 11 11:33:16 UTC 2017 - jengelh@inai.de

@ -18,7 +18,7 @@
Name: libapparmor Name: libapparmor
Version: 2.11.0 Version: 2.11.1
Release: 0 Release: 0
Summary: Utility library for AppArmor Summary: Utility library for AppArmor
License: LGPL-2.1+ License: LGPL-2.1+

@ -1,20 +0,0 @@
=== modified file 'utils/test/test-parser-simple-tests.py'
--- utils/test/test-parser-simple-tests.py 2017-03-03 12:14:03 +0000
+++ utils/test/test-parser-simple-tests.py 2017-03-25 20:45:42 +0000
@@ -49,6 +49,15 @@
'change_profile/onx_conflict_unsafe1.sd',
'change_profile/onx_conflict_unsafe2.sd',
+ # duplicated conditionals aren't detected by the tools
+ 'generated_dbus/duplicated-conditionals-45127.sd',
+ 'generated_dbus/duplicated-conditionals-45131.sd',
+ 'generated_dbus/duplicated-conditionals-45124.sd',
+ 'generated_dbus/duplicated-conditionals-45130.sd',
+ 'generated_dbus/duplicated-conditionals-45125.sd',
+ 'generated_dbus/duplicated-conditionals-45128.sd',
+ 'generated_dbus/duplicated-conditionals-45129.sd',
+
'dbus/bad_modifier_2.sd',
'dbus/bad_regex_01.sd',
'dbus/bad_regex_02.sd',

@ -1,30 +0,0 @@
------------------------------------------------------------
revno: 3615
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2017-01-12 22:01:11 +0100
message:
sshd profile: drop local/ include
The local/ include in the sshd profile in extras causes some trouble:
- it breaks "make check" because the parser can't find the local/ file
- it results in a broken profile if someone uses this profile as
starting point, but doesn't notice it needs the local include
Acked-by: Steve Beattie <steve@nxnw.org>
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-07 19:00:06 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2017-01-12 21:01:11 +0000
@@ -140,5 +140,5 @@
/usr/lib/openssh/sftp-server PUx,
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.sbin.sshd>
+ ## include <local/usr.sbin.sshd>
}
vim:ft=diff

@ -0,0 +1,34 @@
--- utils/apparmor/aa.py 2017-10-11 21:20:00.789641479 +0200
+++ utils/apparmor/aa.py 2017-10-22 14:15:00.412193634 +0200
@@ -1827,16 +1827,18 @@
if not changed:
return
- q.options = sorted(changed.keys())
+ options = sorted(changed.keys())
+ q.options = options
ans, arg = q.promptUser()
+
+ which = options[arg]
+
if ans == 'CMD_SAVE_SELECTED':
- profile_name = list(changed.keys())[arg]
- write_profile_ui_feedback(profile_name)
- reload_base(profile_name)
+ write_profile_ui_feedback(which)
+ reload_base(which)
elif ans == 'CMD_VIEW_CHANGES':
- which = list(changed.keys())[arg]
oldprofile = None
if aa[which][which].get('filename', False):
oldprofile = aa[which][which]['filename']
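Review bot: `which = options[arg]` runs right after `q.promptUser()` and before `ans` is checked, so it is evaluated for every answer and not only in the three branches that use `which`. If `promptUser()` can return an `arg` that is not a valid index into `options` for the other answers (for example `CMD_SAVE_CHANGES` or `CMD_ABORT`), this line raises before the loop can act on the answer. Either confirm that `arg` is always a valid index, or do the lookup inside the branches that need it.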
@@ -1852,7 +1854,6 @@
display_changes_with_comments(oldprofile, newprofile)
elif ans == 'CMD_VIEW_CHANGES_CLEAN':
- which = list(changed.keys())[arg]
oldprofile = serialize_profile(original_aa[which], which, '')
newprofile = serialize_profile(aa[which], which, '')