Accepting request 991157 from home:cboltz

- update to AppArmor 3.0.5
  - several additions to profiles and abstractions
  - bugfixes in parser and utils
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.5
    for the detailed upstream changelog
- remove upstream(ed) patches:
  - apparmor-setuptools61-mr897.patch
  - dovecot-profiles-boo1199535-mr881.diff
  - php8-fpm-mr876.patch
  - python310-help-mr848.patch
  - samba-new-dcerpcd.patch
  - samba_deny_net_admin.patch
  - update-samba-bgqd.diff
  - update-usr-sbin-smbd.diff
- apparmor-samba-include-permissions-for-shares.diff: remove
  upstreamed part
- add dirtest-sort-mr900.diff to fix random test failures
- change apache-extra-profile-include-if-exists.diff to the post-mv
  path (new quilt executes mv)
- stop disabling lto (fixed upstream) (boo#1133091)
- package profile-load script in -parser

OBS-URL: https://build.opensuse.org/request/show/991157
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=342
Christian Boltz 2022-07-25 21:54:59 +00:00 committed by Git OBS Bridge
parent 629457566e
commit 4312257819
18 changed files with 109 additions and 602 deletions


@ -8,10 +8,10 @@ profile at its new location (extra profiles directory)
Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
Index: profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
Index: profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2
===================================================================
--- profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100
+++ profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100
--- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100
+++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100
@@ -75,7 +75,7 @@ include <tunables/global>
# This directory contains web application
# package-specific apparmor files.


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:09bf48d7a171f9790c39a1404bad105a788934cfe77b7490c7f5c63c2576b725
size 7796852


@ -1,17 +0,0 @@

3
apparmor-3.0.5.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8c01879f60bf7e11028e2177981971f8288ce0a6f20ce8c12fd7cb111da1a624
size 7946342

17
apparmor-3.0.5.tar.gz.asc Normal file

@ -0,0 +1,17 @@


@ -1,15 +1,21 @@
Samba generates a profile sniplet with permissions for all shares at
Samba generates a profile sniplet with permissions for all shares at
start using the update-apparmor-samba-profile script.
This patch includes the autogenerated profile sniplet it in the smbd
profile. It also creates a dummy profile sniplet to avoid "file not
found" errors when AppArmor is started before samba was started.
After the include rules were upstreamed in AppArmor 3.0.5 (MR 838), this
patch was shortened. Now it "only" creates a dummy profile sniplet
because update-apparmor-samba-profiles on Leap 15.3 and 15.4 aborts if
the local/ sniplet doesn't exist.
Tumbleweed does not rely on a pre-existing local/usr.sbin.smbd-shares
anymore, therefore the patch gets skipped there in the spec.
References: https://bugzilla.novell.com/show_bug.cgi?id=688040
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== added file 'profiles/apparmor.d/local/usr.sbin.smbd-shares'
--- profiles/apparmor.d/local/usr.sbin.smbd-shares 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/local/usr.sbin.smbd-shares 2011-10-19 09:40:05 +0000
@ -17,18 +23,4 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
+# This file will be replaced by rules for all samba shares at samba start.
+# Do not edit!
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
@@ -59,6 +59,10 @@
@{HOMEDIRS}/** lrwk,
/var/lib/samba/usershares/{,**} lrwk,
+ # permissions for all configured shares
+ # autogenerated by update-apparmor-samba-profile at samba start
+ include <local/usr.sbin.smbd-shares>
+
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.smbd>
}


@ -1,136 +0,0 @@
Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.am
===================================================================
--- apparmor-3.0.4.orig/libraries/libapparmor/swig/python/test/Makefile.am
+++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.am
@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_
CLEANFILES = test_python.py
-# bah, how brittle is this?
-PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")'
+PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
TESTS = test_python.py
TESTS_ENVIRONMENT = \
Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/testbuildpath.py
===================================================================
--- /dev/null
+++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/buildpath.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+# the build path has changed in setuptools 61.2
+import sys
+import sysconfig
+import setuptools
+if tuple(map(int,setuptools.__version__.split("."))) >= (61, 2):
+ identifier = sys.implementation.cache_tag
+else:
+ identifier = "%d.%d" % sys.version_info[:2]
+print("lib.%s-%s" % (sysconfig.get_platform(), identifier))
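Review bot: The version check in buildpath.py, `tuple(map(int,setuptools.__version__.split(".")))`, raises ValueError as soon as one component of the setuptools version string is not a plain integer (a pre-release or post-release suffix, for example), and that would break the build path lookup in both Makefiles that call this script. Comparing only the first two components after a defensive parse, or using a version-aware comparison helper, avoids that. The Index line also names the file testbuildpath.py while the +++ line and the Makefiles use buildpath.py; the header should match the file that is created.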
Index: apparmor-3.0.4/utils/test/Makefile
===================================================================
--- apparmor-3.0.4.orig/utils/test/Makefile
+++ apparmor-3.0.4/utils/test/Makefile
@@ -27,8 +27,8 @@ ifdef USE_SYSTEM
BASEDIR=
PARSER=
else
- # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
- PYTHON_DIST_BUILD_PATH = ../../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
+ # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/buildpath.py
+ PYTHON_DIST_BUILD_PATH = ../../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../../libraries/libapparmor/swig/python/test/buildpath.py)
LIBAPPARMOR_PATH=../../libraries/libapparmor/src/.libs/
LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
PYTHONPATH=..:$(PYTHON_DIST_BUILD_PATH)
Index: apparmor-3.0.4/utils/test/README.md
===================================================================
--- apparmor-3.0.4.orig/utils/test/README.md
+++ apparmor-3.0.4/utils/test/README.md
@@ -7,7 +7,7 @@ For more information, refer to the [unit
Make sure to set the environment variables pointing to the in-tree apparmor modules, and the in-tree libapparmor and its python wrapper:
```bash
-$ export PYTHONPATH=..:../../libraries/libapparmor/swig/python/build/$(/usr/bin/python3 -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
+$ export PYTHONPATH=..:../../libraries/libapparmor/swig/python/build/$(/usr/bin/python3 ../../libraries/libapparmor/swig/python/test/buildpath.py)
$ export __AA_CONFDIR=.
```
@@ -15,4 +15,4 @@ To execute the test individually, run:
```bash
$ python3 ./test-tile.py ClassFoo.test_bar
-```
\ No newline at end of file
+```
Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.in
===================================================================
--- apparmor-3.0.4.orig/libraries/libapparmor/swig/python/test/Makefile.in
+++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.5 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2021 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
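Review bot: Regenerated-file churn is mixed into the patch here: the header line moving from automake 1.16.1 to 1.16.5 shows that Makefile.in was rebuilt with a local toolchain, so the following hunks carry unrelated changes (CSCOPE, CTAGS, ETAGS, FILECMD and AM_TESTSUITE_SUMMARY_HEADER added, CPP dropped) next to the one intended change to PYTHON_DIST_BUILD_PATH. Keep only the PYTHON_DIST_BUILD_PATH line for Makefile.in, or leave Makefile.in out of the patch and regenerate it at build time, so the patch still applies when the tarball was produced with a different automake version.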
@@ -301,6 +301,7 @@ am__set_TESTS_bases = \
bases='$(TEST_LOGS)'; \
bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
bases=`echo $$bases`
+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
RECHECK_LOGS = $(TEST_LOGS)
AM_RECURSIVE_TARGETS = check recheck
TEST_SUITE_LOG = test-suite.log
@@ -336,8 +337,9 @@ AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
-CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
@@ -348,8 +350,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
+ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
+FILECMD = @FILECMD@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
@@ -470,9 +474,7 @@ top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
@HAVE_PYTHON_TRUE@CLEANFILES = test_python.py
-
-# bah, how brittle is this?
-@HAVE_PYTHON_TRUE@PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")'
+@HAVE_PYTHON_TRUE@PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
@HAVE_PYTHON_TRUE@TESTS = test_python.py
@HAVE_PYTHON_TRUE@TESTS_ENVIRONMENT = \
@HAVE_PYTHON_TRUE@ LD_LIBRARY_PATH='$(top_builddir)/src/.libs:$(PYTHON_DIST_BUILD_PATH)' \
@@ -631,7 +633,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \
fi; \
echo "$${col}$$br$${std}"; \
- echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \
+ echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \
echo "$${col}$$br$${std}"; \
create_testsuite_report --maybe-color; \
echo "$$col$$br$$std"; \
@@ -686,7 +688,6 @@ test_python.py.log: test_python.py
@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \
@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT)
-
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am


@ -1,3 +1,28 @@
-------------------------------------------------------------------
Mon Jul 25 18:18:04 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
- update to AppArmor 3.0.5
- several additions to profiles and abstractions
- bugfixes in parser and utils
- see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.5
for the detailed upstream changelog
- remove upstream(ed) patchs:
- apparmor-setuptools61-mr897.patch
- dovecot-profiles-boo1199535-mr881.diff
- php8-fpm-mr876.patch
- python310-help-mr848.patch
- samba-new-dcerpcd.patch
- samba_deny_net_admin.patch
- update-samba-bgqd.diff
- update-usr-sbin-smbd.diff
- apparmor-samba-include-permissions-for-shares.diff: remove
upstreamed part
- add dirtest-sort-mr900.diff to fix random test failures
- change apache-extra-profile-include-if-exists.diff to the post-mv
path (new quilt executes mv)
- stop disabling lto (fixed upstream) (boo#1133091)
- package profile-load script in -parser
-------------------------------------------------------------------
Fri Jul 15 23:01:42 UTC 2022 - Ben Greiner <code@bnavigator.de>


@ -45,7 +45,7 @@
%define JAR_FILE changeHatValve.jar
Name: apparmor
Version: 3.0.4
Version: 3.0.5
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
@ -63,7 +63,8 @@ Source7: apparmor-rpmlintrc
# and set cache-loc in parser.conf and apparmor.service accordingly
Patch1: apparmor-enable-profile-cache.diff
# include autogenerated profile sniplet for samba shares (bnc#688040) - upstreamed as part of https://gitlab.com/apparmor/apparmor/-/merge_requests/838 2022-02-16 (master + 3.0 branch)
# include autogenerated profile sniplet for samba shares (bnc#688040) - include rule upstreamed in 3.0.5 (MR 838), now "just" creates the local/ sniplet
# (technically only needed in Leap 15.x, the samba script in Tumbleweed also works if the local/ sniplet doesn't exist - but dropping the local/ sniplet will move existing autogenerated sniplets to *.rpmsave)
Patch2: apparmor-samba-include-permissions-for-shares.diff
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
@ -78,41 +79,12 @@ Patch5: apparmor-lessopen-nfs-workaround.diff
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff
# bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd
# merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860
# bsc#1195463 add rule to allow reading of openssl.cnf
# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
Patch7: update-samba-bgqd.diff
# bsc#1195463 add rule to allow reading of openssl.cnf
# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
Patch8: update-usr-sbin-smbd.diff
# add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + merged upstream 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873
# + 2022-06-28 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only)
# + merged upstream 2022-06-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only)
Patch9: zgrep-profile-mr870.diff
# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867
# bsc#1196850
Patch10: samba_deny_net_admin.patch
# support for new dcerpcd subsytem in >= samba-4.16
# merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871
# merged upstream 2022-05-11 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/880
# bsc#1198309
Patch11: samba-new-dcerpcd.patch
# allow php8 php-fpm to read its config (from upstream master+3.0 https://gitlab.com/apparmor/apparmor/-/merge_requests/876)
Patch12: php8-fpm-mr876.patch
# allow python 3.10 --help output (from the branch-3.0 backport of https://gitlab.com/apparmor/apparmor/-/merge_requests/848)
Patch13: python310-help-mr848.patch
# extend dovecot profiles for latest dovecot (boo 1199535, submitted upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/881)
Patch14: dovecot-profiles-boo1199535-mr881.diff
# https://gitlab.com/apparmor/apparmor/-/merge_requests/897
Patch15: apparmor-setuptools61-mr897.patch
# dirtest.sh: sort output to avoid random test failures (from upstream, merged 3.0+master 2022-07-25 https://gitlab.com/apparmor/apparmor/-/merge_requests/900)
Patch10: dirtest-sort-mr900.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -371,8 +343,6 @@ SubDomain.
%setup -q
# very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984)
# (patch to change <apache.d> include to "include if exists" needs to be applied before moving the file to avoid breaking quilt)
%patch6
mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/
%patch1
@ -380,18 +350,11 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%patch3 -p1
%patch4
%patch5
%patch7 -p1
%patch8 -p1
%patch6
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%build
%define _lto_cflags %{nil}
export SUSE_ASNEEDED=0
# libapparmor:
@ -575,6 +538,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%{apparmor_bin_prefix}/apparmor.systemd
%{apparmor_bin_prefix}/profile-load
%doc %{_mandir}/man1/aa-enabled.1.gz
%doc %{_mandir}/man1/aa-exec.1.gz
%doc %{_mandir}/man1/aa-features-abi.1.gz

42
dirtest-sort-mr900.diff Normal file

@ -0,0 +1,42 @@
From c0815d0e0f1c68397b8ce04d81c48940e4b2c63b Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@boum.org>
Date: Mon, 25 Jul 2022 10:04:13 +0000
Subject: [PATCH] dirtest.sh: don't rely on apparmor_parser -N's output sort
order to be deterministic
I've seen this test fail because "apparmor_parser -N" returned the expected
lines, but in a different order than what's expected (dirtest.out).
To fix this, sort both the expected and actual output.
---
parser/tst/dirtest.sh | 3 ++-
parser/tst/dirtest/dirtest.out | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/parser/tst/dirtest.sh b/parser/tst/dirtest.sh
index 8c94dbd68..95c108371 100755
--- a/parser/tst/dirtest.sh
+++ b/parser/tst/dirtest.sh
@@ -31,8 +31,9 @@ do_tst() {
shift 2
#global tmpdir
- ${APPARMOR_PARSER} "$@" > "$tmpdir/out" 2>/dev/null
+ ${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null
rc=$?
+ LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out"
if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then
echo "failed: expected \"$expected\" but parser returned error"
return 1
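Review bot: Only the parser output is sorted at run time (`LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out"`), while the commit message says both the expected and the actual output are sorted; the expected side is handled by reordering dirtest.out by hand in the next hunk. Nothing keeps dirtest.out in C-locale order when an entry is added later, so either sort the expected file in the script as well or add a comment that dirtest.out must stay sorted. The exit status of sort is also not checked, so a failed sort leaves an empty out file and a misleading test failure.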
diff --git a/parser/tst/dirtest/dirtest.out b/parser/tst/dirtest/dirtest.out
index e82188b84..5b4cc30aa 100644
--- a/parser/tst/dirtest/dirtest.out
+++ b/parser/tst/dirtest/dirtest.out
@@ -1,3 +1,3 @@
-good_target
a_profile
b_profile
+good_target
--
GitLab


@ -1,54 +0,0 @@
From https://gitlab.com/apparmor/apparmor/-/merge_requests/881
From ad8df7f88fdac5cf230da07bb0f45761a22202b3 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 15 May 2022 20:53:35 +0200
Subject: [PATCH] Add missing permissions for dovecot-{imap,lmtp,pop3}
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1199535
---
profiles/apparmor.d/usr.lib.dovecot.imap | 1 +
profiles/apparmor.d/usr.lib.dovecot.lmtp | 2 ++
profiles/apparmor.d/usr.lib.dovecot.pop3 | 1 +
3 files changed, 4 insertions(+)
diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap b/profiles/apparmor.d/usr.lib.dovecot.imap
index ade0e4157..8ee2d5a4e 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.imap
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap
@@ -35,6 +35,7 @@ profile dovecot-imap /usr/lib/dovecot/imap {
owner /tmp/dovecot.imap.* rw,
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
+ @{PROC}/@{pid}/stat r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/imap mrix,
/usr/share/dovecot/** r,
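Review bot: The new `@{PROC}/@{pid}/stat r,` rule for dovecot-imap has no `owner` prefix, while the same path in the lmtp hunk is added as `owner @{PROC}/@{pid}/stat r,`; the pop3 hunk omits it as well. Unless imap and pop3 have to read the stat file of a process owned by another user, use the owner form in all three profiles so the grant is consistent and no wider than needed.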
diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp
index 7b2e5599b..ad26eff3e 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@@ -31,6 +31,8 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp {
@{HOME}/.dovecot.svbin r,
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
+ owner @{PROC}/@{pid}/io r,
+ owner @{PROC}/@{pid}/stat r,
@{PROC}/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3 b/profiles/apparmor.d/usr.lib.dovecot.pop3
index a593d6b1a..ed010ddaf 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.pop3
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3
@@ -26,6 +26,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 {
@{DOVECOT_MAILSTORE}/** rwkl,
@{HOME} r, # ???
+ @{PROC}/@{pid}/stat r,
/usr/lib/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
--
GitLab


@ -18,7 +18,7 @@
Name: libapparmor
Version: 3.0.4
Version: 3.0.5
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1-or-later
@ -66,7 +66,6 @@ AppArmor API.
%setup -q -n apparmor-%{version}
%build
%define _lto_cflags %{nil}
(
cd ./libraries/libapparmor
%configure \


@ -1,46 +0,0 @@
From c946f0bf75f9529014c79ff591d6f953ce56b416 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Mon, 18 Apr 2022 20:49:22 +0200
Subject: [PATCH] Allow reading all of /etc/php[578]/** in abstractions/php
... and with that, make a rule in the php-fpm profile (which missed
php8) superfluous.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
---
profiles/apparmor.d/abstractions/php | 3 +--
profiles/apparmor.d/php-fpm | 2 --
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php
index ddafb0770..6bf0dc798 100644
--- a/profiles/apparmor.d/abstractions/php
+++ b/profiles/apparmor.d/abstractions/php
@@ -13,8 +13,7 @@
abi <abi/3.0>,
# shared snippets for config files
- /etc/php{,5,7,8}/**/ r,
- /etc/php{,5,7,8}/**.ini r,
+ /etc/php{,5,7,8}/** r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
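Review bot: Replacing the two rules with `/etc/php{,5,7,8}/** r,` widens read access from directories and *.ini files to every file under /etc/php*, and because this is abstractions/php the wider grant reaches every profile that includes the abstraction, not only php-fpm. If the goal is only to let php-fpm read its php8 configuration, extending the php-fpm rule `/etc/php{,5,7}/** r,` to cover 8 would be the narrower fix; if the abstraction really needs the whole tree, the commit message should say which including profiles depend on it.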
diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
index b25762c50..14b3c7195 100644
--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
# read the system certificates
include <abstractions/ssl_certs>
- /etc/php{,5,7}/** r,
-
capability net_admin,
# change user/group of a pool
capability setuid,
--
GitLab


@ -1,57 +0,0 @@
From 8a21472175501823303a8af270bd38a60ff4ac9c Mon Sep 17 00:00:00 2001
From: John Johansen <john@jjmx.net>
Date: Tue, 15 Feb 2022 19:17:30 +0000
Subject: [PATCH] Merge make test-aa-notify test_help_contents () less strict
Python 3.10 generates a slightly different --help output.
Fixes https://gitlab.com/apparmor/apparmor/-/issues/220
Closes #220
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/848
Acked-by: Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit ba14227bb51a76b416a8da46c241a8d07506badc)
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
utils/test/test-aa-notify.py | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py
index 2484c7f97..cfb5fa5a8 100644
--- a/utils/test/test-aa-notify.py
+++ b/utils/test/test-aa-notify.py
@@ -148,13 +148,15 @@ Feb 4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoc
'''Test output of help text'''
expected_return_code = 0
- expected_output_is = \
+ expected_output_1 = \
'''usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v]
[-u USER] [-w NUM] [--debug]
Display AppArmor notifications or messages for DENIED entries.
+'''
-optional arguments:
+ expected_output_2 = \
+'''
-h, --help show this help message and exit
-p, --poll poll AppArmor logs and display notifications
--display DISPLAY set the DISPLAY environment variable (might be needed if
@@ -174,8 +176,9 @@ optional arguments:
return_code, output = cmd([aanotify_bin, '--help'])
result = 'Got return code %d, expected %d\n' % (return_code, expected_return_code)
self.assertEqual(expected_return_code, return_code, result + output)
- result = 'Got output "%s", expected "%s"\n' % (output, expected_output_is)
- self.assertEqual(expected_output_is, output, result + output)
+
+ self.assertIn(expected_output_1, output)
+ self.assertIn(expected_output_2, output)
def test_entries_since_100_days(self):
'''Test showing log entries since 100 days'''
--
GitLab


@ -1,179 +0,0 @@
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
@@ -39,6 +39,7 @@ profile smbd /usr/{bin,sbin}/smbd {
/usr/lib*/samba/gensec/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
/usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+ /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
/usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
/usr/lib/@{multiarch}/samba/**/ r,
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.winbindd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbind
/usr/lib*/samba/idmap/*.so mr,
/usr/lib*/samba/nss_info/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
/usr/{bin,sbin}/winbindd mr,
/var/cache/krb5rcache/* rwk,
/var/cache/samba/*.tdb rwk,
Index: apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
@@ -0,0 +1,31 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-dcerpcd /usr/lib*/samba/samba-dcerpcd {
+ include <abstractions/samba-rpcd>
+
+ @{run}/samba/samba-dcerpcd.pid wk,
+
+ /usr/lib*/samba/samba-dcerpcd m,
+
+ /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
+ /usr/lib*/samba/rpcd_classic Px -> samba-rpcd-classic,
+ /usr/lib*/samba/rpcd_spoolss Px -> samba-rpcd-spoolss,
+
+ @{run}/samba/ncalrpc/ rw,
+ @{run}/samba/ncalrpc/** rw,
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-dcerpcd>
+}
Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+# This file contains basic permissions for samba rpcd_xyz services
+
+ abi <abi/3.0>,
+
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/samba>
+
+ capability setgid,
+ capability setuid,
+
+ signal receive set=term peer=smbd,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/samba-rpcd.d>
+
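Review bot: `signal receive set=term peer=smbd,` admits SIGTERM only from the smbd profile, but in this patch the rpcd_* binaries are entered through `Px -> samba-rpcd` (and the -classic and -spoolss variants) from the samba-dcerpcd profile, which itself includes this abstraction. If samba-dcerpcd is the process that stops its rpcd_* children, a matching `peer=samba-dcerpcd` rule is needed too; please confirm which process sends the signal. Separately, `capability setgid,` and `capability setuid,` reach every rpcd service through the abstraction, so a short comment on why all of them need both would help later review.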
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+ include <abstractions/samba-rpcd>
+ /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-rpcd>
+}
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-classic /usr/lib*/samba/rpcd_classic {
+ include <abstractions/samba-rpcd>
+ include <abstractions/wutmp>
+
+ /usr/lib*/samba/rpcd_classic m,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-rpcd-classic>
+}
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-spoolss /usr/lib*/samba/rpcd_spoolss {
+ include <abstractions/samba-rpcd>
+
+ /usr/lib*/samba/rpcd_spoolss m,
+ /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-rpcd-spoolss>
+}


@ -1,12 +0,0 @@
Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/abstractions/samba
+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
@@ -34,5 +34,7 @@
# required for clustering
/var/lib/ctdb/** rwk,
+ deny capability net_admin, # noisy setsockopt() calls from systemd
+
# Include additions to the abstraction
include if exists <abstractions/samba.d>
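Review bot: `deny capability net_admin,` is placed in abstractions/samba, so it applies to every profile that includes the abstraction, and an explicit deny cannot be overridden by an allow rule in the including profile or in a local/ addition. A plain deny also suppresses the audit message, so a Samba component that later does need net_admin will fail without a DENIED log entry. Consider adding the rule only to the profiles that showed the noisy setsockopt() calls, or extend the comment to state that no Samba profile may be granted net_admin.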


@ -1,19 +0,0 @@
Index: apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/samba-bgqd
+++ apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
@@ -6,11 +6,14 @@ profile samba-bgqd /usr/lib*/samba/samba
include <abstractions/base>
include <abstractions/cups-client>
include <abstractions/nameservice>
+ include <abstractions/openssl>
include <abstractions/samba>
signal receive set=term peer=smbd,
@{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/fd/ r,
+
@{run}/samba/samba-bgqd.pid wk,
/usr/lib*/samba/samba-bgqd m,


@ -1,12 +0,0 @@
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd {
include <abstractions/consoles>
include <abstractions/cups-client>
include <abstractions/nameservice>
+ include <abstractions/openssl>
include <abstractions/samba>
include <abstractions/user-tmp>
include <abstractions/wutmp>