pool/apparmor
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 792967 from home:goldwynr:branches:security:apparmor

Browse Source 
bsc1168306 - Add /etc/mdns.allow

OBS-URL: https://build.opensuse.org/request/show/792967
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=264
This commit is contained in:
Christian Boltz 2020-04-10 16:39:59 +00:00 committed by Git OBS Bridge
parent eb47f5e85c
commit 3d58d48604
3 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch Normal file
View File

@ -0,0 +1,31 @@
From eeac8c11c935edf9eea2bed825af6c57e9fb52e3 Mon Sep 17 00:00:00 2001
From: Rich McAllister <Nopublic@address.provided>
Date: Tue, 31 Mar 2020 21:01:21 -0700
Subject: [PATCH] abstractions: add /etc/mdns.allow to /etc/apparmor.d/abstractions/mdns
References: bsc#1168306
In focal users of mdns get denials in apparmor confined applications.
An exampel can be found in the original bug below.
It seems it is a common pattern, see
https://github.com/lathiat/nss-mdns#etcmdnsallow
Therefore I'm asking to add
/etc/mdns.allow r,
to the file
/etc/apparmor.d/abstractions/mdns"
by default.
---
profiles/apparmor.d/abstractions/mdns | 1 +
1 file changed, 1 insertion(+)
--- a/profiles/apparmor.d/abstractions/mdns
+++ b/profiles/apparmor.d/abstractions/mdns
@@ -9,5 +9,6 @@
# ------------------------------------------------------------------
# mdnsd
+ /etc/mdns.allow r,
/etc/nss_mdns.conf r,
/{,var/}run/mdnsd w,

6
apparmor.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Apr 9 18:56:09 UTC 2020 - Goldwyn Rodrigues <rgoldwyn@suse.com>
- Add abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
(bsc#1168306)
-------------------------------------------------------------------
Sat Mar 28 21:46:48 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>

4
apparmor.spec
View File

@ -80,6 +80,9 @@ Patch13: make-4.3-capabilities.diff
# fix build with make 4.3 - fix apparmor.vim capability rules (submitted upstream 2020-03-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/463, not in 2.13.x, boo#1167953)
Patch14: make-4.3-capabilities-vim.diff
#Bug 1168306 - apparmor prevents the resolver from reading /etc/mdns.allow, and therefore forbids using any custom domain name
Patch15: abstractions-add-etc-mdns.allow-to-etc-apparmor.d-abstractions-mdns.patch
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix /lib/apparmor
@ -373,6 +376,7 @@ SubDomain.
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%build
%define _lto_cflags %{nil}