diff --git a/apache-extra-profile-include-if-exists.diff b/apache-extra-profile-include-if-exists.diff index 747e868..b1bb018 100644 --- a/apache-extra-profile-include-if-exists.diff +++ b/apache-extra-profile-include-if-exists.diff @@ -8,10 +8,10 @@ profile at its new location (extra profiles directory) Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1178527 -Index: profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 +Index: profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 =================================================================== ---- profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100 -+++ profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100 +--- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100 ++++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100 @@ -75,7 +75,7 @@ include # This directory contains web application # package-specific apparmor files. diff --git a/apparmor-3.0.4.tar.gz b/apparmor-3.0.4.tar.gz deleted file mode 100644 index 40eb16b..0000000 --- a/apparmor-3.0.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:09bf48d7a171f9790c39a1404bad105a788934cfe77b7490c7f5c63c2576b725 -size 7796852 diff --git a/apparmor-3.0.4.tar.gz.asc b/apparmor-3.0.4.tar.gz.asc deleted file mode 100644 index 1ae2376..0000000 --- a/apparmor-3.0.4.tar.gz.asc +++ /dev/null 
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmIEYPoaHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLsuXRAAwUfR2mTa8T1f9JKDV9oI
-VyHMNPx4UQ8UGHPjdggPZpgU8tdLgIeTzrVB9IFmUNxREmeQURyr12lWJiL7rUjp
-uICigANNZPtfYDB8PNF6OPbwZ61A44RZ26SZJauKQg/iP1c/m3NH24TReUqB2UgC
-Zrjx4KBH30m0+wc2Ca5f017CRDRL6oPjbUnCdY6S8XdVzbbd4x/4K0yoaS8mNLde
-GUbs4cMJnuMndVPhNVIiKvRt/qmYl2nB3HBzU9VXmq/GBR9wDpb1G6N3IuB7Oaak
-WrB32ymgllwi5av3L1vXQhisZ1LAaH7GNElCX5c4rJa/6Bsfru5kTecEXSIJXf2H
-P8XmwUkdrl7idfAbSg/jW1h02uD99WTymii2SCwYWhNX9s0BRuSMPASA9TgrYOZN
-oTshsA8lYaAafdAU6OboaeS91WL65hTr3GUcGgYl+qYcYTdyU6IG4MooCwATM2st
-SHt7HPOJLNntMt8CGcPx1Q9UA8ta3kNlcf6YSycWCqWvPEvCkpex23gVUVIXzVKr
-bs2tvJO59BsCxiL6umsksv5otIXDrm4yay1QaYl+KUEOvU051SUyXey7pQ/qO0LY
-leifVmldlLfPosAKiJqiQ3RAKp7Zr/YrvKLLxeLj5MrKUmSR2UQ5xC8aXfYYhDqh
-+PPpcMO9Io9UyHHofXB7dlA=
-=rXSS
------END PGP SIGNATURE-----
diff --git a/apparmor-3.0.5.tar.gz b/apparmor-3.0.5.tar.gz
new file mode 100644
index 0000000..0bf6d39
--- /dev/null
+++ b/apparmor-3.0.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c01879f60bf7e11028e2177981971f8288ce0a6f20ce8c12fd7cb111da1a624
+size 7946342
diff --git a/apparmor-3.0.5.tar.gz.asc b/apparmor-3.0.5.tar.gz.asc
new file mode 100644
index 0000000..0ecc46a
--- /dev/null
+++ b/apparmor-3.0.5.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmLeRbsaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLsAKQ//b3RWTRdJM/S1b49RQd6p
+/gltAIlOD2Ne3jBUVXeKiGlsNEN8Os37D+3t9wMfXphoM+JbrUO/2gm52M/7w4Ov
+xZJOVGC1SA72R2h6CObNZ3gqsc6/HuOW+/NLahFikZWdKs4mHwKhSlKkZU8g1bVS
+KA3hrwyct4oO2XSQARc+V9n6a6y8shvBolUbB7Jm2HSomMjHkiW11wfHECroW4v+
+YZv4JwwojOvYE0J+1WEJeOhv1SfzQMnYAn2BdtoSbO3pYHTXmblVXKpiB30cHtJ7
+Rbm+a2FbRsH1giTtq48cvBl7euBEXP27uM7cQSSbqukEJtWkIJTRpnJxGV5bUS+a
+tI3J4uneuicJxc6snAmO58PXnp1O9WGeHVtPg3ERYZQQ5UoaYpxlEpMFQJV44M4U
+s7g2iTZ6+z0I4gcjnfm/uKcdLyYN2KJSQTD/bgQv6C5t94ofoZ1HCt7Ra/VHIG+Q
+0pSDN/RSu2LI3tJdDq2/KFU1e0YzElSaHNb+sUn+rQOrpMB0FJZK1KzrBn0TxjTj
+JONny5WnVaTmbBfdjIvGbpWMMbKX/3Ob5kHmgY8TYuo/Bllgr2l6rWURK1MTHO64
+narFxIqOBj0Kb+kJPhA8+55R7gA1ioW6JtQQLlbz2NgRMaOeBWiprmaxRv1xY9e3
+NYdyzQRgu/zOEM5v/J5VecQ=
+=FsDG
+-----END PGP SIGNATURE-----
diff --git a/apparmor-samba-include-permissions-for-shares.diff b/apparmor-samba-include-permissions-for-shares.diff
index 88c9bab..43e8c9c 100644
--- a/apparmor-samba-include-permissions-for-shares.diff
+++ b/apparmor-samba-include-permissions-for-shares.diff
@@ -1,15 +1,21 @@ -Samba generates a profile sniplet with permissions for all shares at +Samba generates a profile sniplet with permissions for all shares at start using the update-apparmor-samba-profile script. -This patch includes the autogenerated profile sniplet it in the smbd -profile. It also creates a dummy profile sniplet to avoid "file not -found" errors when AppArmor is started before samba was started. +After the include rules were upstreamed in AppArmor 3.0.5 (MR 838), this +patch was shortened. Now it "only" creates a dummy profile sniplet +because update-apparmor-samba-profiles on Leap 15.3 and 15.4 aborts if +the local/ sniplet doesn't exist. + +Tumbleweed does not rely on a pre-existing local/usr.sbin.smbd-shares +anymore, therefore the patch gets skipped there in the spec. + References: https://bugzilla.novell.com/show_bug.cgi?id=688040 Signed-off-by: Christian Boltz + === added file 'profiles/apparmor.d/local/usr.sbin.smbd-shares' --- profiles/apparmor.d/local/usr.sbin.smbd-shares 1970-01-01 00:00:00 +0000 +++ profiles/apparmor.d/local/usr.sbin.smbd-shares 2011-10-19 09:40:05 +0000 @@ -17,18 +23,4 @@ Signed-off-by: Christian Boltz +# This file will be replaced by rules for all samba shares at samba start. +# Do not edit! -=== modified file 'profiles/apparmor.d/usr.sbin.smbd' ---- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 -+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -59,6 +59,10 @@ - @{HOMEDIRS}/** lrwk, - /var/lib/samba/usershares/{,**} lrwk, - -+ # permissions for all configured shares -+ # autogenerated by update-apparmor-samba-profile at samba start -+ include -+ - # Site-specific additions and overrides. See local/README for details. - include if exists - } diff --git a/apparmor-setuptools61-mr897.patch b/apparmor-setuptools61-mr897.patch deleted file mode 100644 index b943e69..0000000 --- a/apparmor-setuptools61-mr897.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.am -=================================================================== ---- apparmor-3.0.4.orig/libraries/libapparmor/swig/python/test/Makefile.am -+++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.am -@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_ - - CLEANFILES = test_python.py - --# bah, how brittle is this? --PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")' -+PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)' - - TESTS = test_python.py - TESTS_ENVIRONMENT = \ -Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/testbuildpath.py -=================================================================== ---- /dev/null -+++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/buildpath.py -@@ -0,0 +1,10 @@ -+#!/usr/bin/env python3 -+# the build path has changed in setuptools 61.2 -+import sys -+import sysconfig -+import setuptools -+if tuple(map(int,setuptools.__version__.split("."))) >= (61, 2): -+ identifier = sys.implementation.cache_tag -+else: -+ identifier = "%d.%d" % sys.version_info[:2] -+print("lib.%s-%s" % (sysconfig.get_platform(), identifier)) -Index: apparmor-3.0.4/utils/test/Makefile -=================================================================== ---- apparmor-3.0.4.orig/utils/test/Makefile -+++ apparmor-3.0.4/utils/test/Makefile -@@ -27,8 +27,8 @@ ifdef USE_SYSTEM - BASEDIR= - PARSER= - else -- # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am -- PYTHON_DIST_BUILD_PATH = ../../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))") -+ # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/buildpath.py -+ PYTHON_DIST_BUILD_PATH = 
../../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../../libraries/libapparmor/swig/python/test/buildpath.py) - LIBAPPARMOR_PATH=../../libraries/libapparmor/src/.libs/ - LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH) - PYTHONPATH=..:$(PYTHON_DIST_BUILD_PATH) -Index: apparmor-3.0.4/utils/test/README.md -=================================================================== ---- apparmor-3.0.4.orig/utils/test/README.md -+++ apparmor-3.0.4/utils/test/README.md -@@ -7,7 +7,7 @@ For more information, refer to the [unit - Make sure to set the environment variables pointing to the in-tree apparmor modules, and the in-tree libapparmor and its python wrapper: - - ```bash --$ export PYTHONPATH=..:../../libraries/libapparmor/swig/python/build/$(/usr/bin/python3 -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))") -+$ export PYTHONPATH=..:../../libraries/libapparmor/swig/python/build/$(/usr/bin/python3 ../../libraries/libapparmor/swig/python/test/buildpath.py) - $ export __AA_CONFDIR=. - ``` - -@@ -15,4 +15,4 @@ To execute the test individually, run: - - ```bash - $ python3 ./test-tile.py ClassFoo.test_bar --``` -\ No newline at end of file -+``` -Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.in -=================================================================== ---- apparmor-3.0.4.orig/libraries/libapparmor/swig/python/test/Makefile.in -+++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.in -@@ -1,7 +1,7 @@ --# Makefile.in generated by automake 1.16.1 from Makefile.am. -+# Makefile.in generated by automake 1.16.5 from Makefile.am. - # @configure_input@ - --# Copyright (C) 1994-2018 Free Software Foundation, Inc. -+# Copyright (C) 1994-2021 Free Software Foundation, Inc. 
- - # This Makefile.in is free software; the Free Software Foundation - # gives unlimited permission to copy and/or distribute it, -@@ -301,6 +301,7 @@ am__set_TESTS_bases = \ - bases='$(TEST_LOGS)'; \ - bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ - bases=`echo $$bases` -+AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' - RECHECK_LOGS = $(TEST_LOGS) - AM_RECURSIVE_TARGETS = check recheck - TEST_SUITE_LOG = test-suite.log -@@ -336,8 +337,9 @@ AWK = @AWK@ - CC = @CC@ - CCDEPMODE = @CCDEPMODE@ - CFLAGS = @CFLAGS@ --CPP = @CPP@ - CPPFLAGS = @CPPFLAGS@ -+CSCOPE = @CSCOPE@ -+CTAGS = @CTAGS@ - CYGPATH_W = @CYGPATH_W@ - DEFS = @DEFS@ - DEPDIR = @DEPDIR@ -@@ -348,8 +350,10 @@ ECHO_C = @ECHO_C@ - ECHO_N = @ECHO_N@ - ECHO_T = @ECHO_T@ - EGREP = @EGREP@ -+ETAGS = @ETAGS@ - EXEEXT = @EXEEXT@ - FGREP = @FGREP@ -+FILECMD = @FILECMD@ - GREP = @GREP@ - INSTALL = @INSTALL@ - INSTALL_DATA = @INSTALL_DATA@ -@@ -470,9 +474,7 @@ top_build_prefix = @top_build_prefix@ - top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ - @HAVE_PYTHON_TRUE@CLEANFILES = test_python.py -- --# bah, how brittle is this? 
--@HAVE_PYTHON_TRUE@PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")' -+@HAVE_PYTHON_TRUE@PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)' - @HAVE_PYTHON_TRUE@TESTS = test_python.py - @HAVE_PYTHON_TRUE@TESTS_ENVIRONMENT = \ - @HAVE_PYTHON_TRUE@ LD_LIBRARY_PATH='$(top_builddir)/src/.libs:$(PYTHON_DIST_BUILD_PATH)' \ -@@ -631,7 +633,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) - test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ - fi; \ - echo "$${col}$$br$${std}"; \ -- echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ -+ echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ - echo "$${col}$$br$${std}"; \ - create_testsuite_report --maybe-color; \ - echo "$$col$$br$$std"; \ -@@ -686,7 +688,6 @@ test_python.py.log: test_python.py - @am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ - @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ - @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -- - distdir: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) distdir-am - diff --git a/apparmor.changes b/apparmor.changes index bba01c1..a8dae8a 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Mon Jul 25 18:18:04 UTC 2022 - Christian Boltz + +- update to AppArmor 3.0.5 + - several additions to profiles and abstractions + - bugfixes in parser and utils + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.5 + for the detailed upstream changelog +- remove upstream(ed) patchs: + - apparmor-setuptools61-mr897.patch + - dovecot-profiles-boo1199535-mr881.diff + - php8-fpm-mr876.patch + - python310-help-mr848.patch + - samba-new-dcerpcd.patch + - samba_deny_net_admin.patch + - update-samba-bgqd.diff + - update-usr-sbin-smbd.diff +- apparmor-samba-include-permissions-for-shares.diff: remove + upstreamed part +- add dirtest-sort-mr900.diff to fix random test failures +- change apache-extra-profile-include-if-exists.diff to the post-mv + path (new quilt executes mv) +- stop disabling lto (fixed upstream) (boo#1133091) +- package profile-load script in -parser + ------------------------------------------------------------------- Fri Jul 15 23:01:42 UTC 2022 - Ben Greiner diff --git a/apparmor.spec b/apparmor.spec index 59b5062..84bb546 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -45,7 +45,7 @@ %define JAR_FILE changeHatValve.jar Name: apparmor -Version: 3.0.4 +Version: 3.0.5 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later 
@@ -63,7 +63,8 @@ Source7: apparmor-rpmlintrc # and set cache-loc in parser.conf and apparmor.service accordingly Patch1: apparmor-enable-profile-cache.diff -# include autogenerated profile sniplet for samba shares (bnc#688040) - upstreamed as part of https://gitlab.com/apparmor/apparmor/-/merge_requests/838 2022-02-16 (master + 3.0 branch) +# include autogenerated profile sniplet for samba shares (bnc#688040) - include rule upstreamed in 3.0.5 (MR 838), now "just" creates the local/ sniplet +# (technically only needed in Leap 15.x, the samba script in Tumbleweed also works if the local/ sniplet doesn't exist - but dropping the local/ sniplet will move existing autogenerated sniplets to *.rpmsave) Patch2: apparmor-samba-include-permissions-for-shares.diff # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de 
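Review bot: The new comment above `Patch2` and the rewritten header of apparmor-samba-include-permissions-for-shares.diff in this same commit appear to describe different behaviour. The patch header says that on Tumbleweed "the patch gets skipped there in the spec", while this comment gives a reason to keep creating the local/ sniplet everywhere (dropping it would move existing autogenerated sniplets to `*.rpmsave`), and no conditional around the patch is visible in the `%prep` hunks; the `%patch2` line itself lies outside the shown hunks, so this is inferred. Since that sniplet carries the smbd profile's per-share permissions, the two descriptions should agree on when it is shipped. If the patch is in fact applied unconditionally, the patch header could read `Tumbleweed no longer needs a pre-existing local/usr.sbin.smbd-shares, but the patch is still applied there so existing autogenerated sniplets are not moved to *.rpmsave.`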
@@ -78,41 +79,12 @@ Patch5: apparmor-lessopen-nfs-workaround.diff # make include in apache extra profile optional to make openQA happy (boo#1178527) Patch6: apache-extra-profile-include-if-exists.diff -# bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd -# merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860 -# bsc#1195463 add rule to allow reading of openssl.cnf -# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 -Patch7: update-samba-bgqd.diff - -# bsc#1195463 add rule to allow reading of openssl.cnf -# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 -Patch8: update-usr-sbin-smbd.diff - # add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + merged upstream 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873 -# + 2022-06-28 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only) +# + merged upstream 2022-06-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only) Patch9: zgrep-profile-mr870.diff -# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867 -# bsc#1196850 -Patch10: samba_deny_net_admin.patch - -# support for new dcerpcd subsytem in >= samba-4.16 -# merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871 -# merged upstream 2022-05-11 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/880 -# bsc#1198309 -Patch11: samba-new-dcerpcd.patch - -# allow php8 php-fpm to read its config (from upstream master+3.0 https://gitlab.com/apparmor/apparmor/-/merge_requests/876) -Patch12: php8-fpm-mr876.patch - -# allow python 3.10 --help output (from the branch-3.0 backport of https://gitlab.com/apparmor/apparmor/-/merge_requests/848) -Patch13: python310-help-mr848.patch 
- -# extend dovecot profiles for latest dovecot (boo 1199535, submitted upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/881) -Patch14: dovecot-profiles-boo1199535-mr881.diff - -# https://gitlab.com/apparmor/apparmor/-/merge_requests/897 -Patch15: apparmor-setuptools61-mr897.patch +# dirtest.sh: sort output to avoid random test failures (from upstream, merged 3.0+master 2022-07-25 https://gitlab.com/apparmor/apparmor/-/merge_requests/900) +Patch10: dirtest-sort-mr900.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -371,8 +343,6 @@ SubDomain. %setup -q # very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984) -# (patch to change include to "include if exists" needs to be applied before moving the file to avoid breaking quilt) -%patch6 mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/ %patch1 @@ -380,18 +350,11 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/ %patch3 -p1 %patch4 %patch5 -%patch7 -p1 -%patch8 -p1 +%patch6 %patch9 -p1 %patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 %build -%define _lto_cflags %{nil} export SUSE_ASNEEDED=0 # libapparmor: @@ -575,6 +538,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{apparmor_bin_prefix}/apparmor.systemd +%{apparmor_bin_prefix}/profile-load %doc %{_mandir}/man1/aa-enabled.1.gz %doc %{_mandir}/man1/aa-exec.1.gz %doc %{_mandir}/man1/aa-features-abi.1.gz diff --git a/dirtest-sort-mr900.diff b/dirtest-sort-mr900.diff new file mode 100644 index 0000000..00bd8c0 --- /dev/null +++ b/dirtest-sort-mr900.diff 
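Review bot: The `%prep` hunk removes the comment that explained the ordering of `%patch6` relative to the `mv -v` line, but an ordering constraint still exists, now reversed. apache-extra-profile-include-if-exists.diff was changed to target `profiles/apparmor/profiles/extras/`, so `%patch6` only applies once the `mv` has run, and nothing next to `%patch6` says so. A comment above it would keep the line from being moved back during a later patch cleanup, for example `# patch6 uses the post-mv path (profiles/apparmor/profiles/extras/), keep it after the mv above`. The `%prep` section continues outside the hunk.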
@@ -0,0 +1,42 @@ +From c0815d0e0f1c68397b8ce04d81c48940e4b2c63b Mon Sep 17 00:00:00 2001 +From: intrigeri +Date: Mon, 25 Jul 2022 10:04:13 +0000 +Subject: [PATCH] dirtest.sh: don't rely on apparmor_parser -N's output sort + order to be deterministic + +I've seen this test fail because "apparmor_parser -N" returned the expected +lines, but in a different order than what's expected (dirtest.out). + +To fix this, sort both the expected and actual output. +--- + parser/tst/dirtest.sh | 3 ++- + parser/tst/dirtest/dirtest.out | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/parser/tst/dirtest.sh b/parser/tst/dirtest.sh +index 8c94dbd68..95c108371 100755 +--- a/parser/tst/dirtest.sh ++++ b/parser/tst/dirtest.sh +@@ -31,8 +31,9 @@ do_tst() { + shift 2 + #global tmpdir + +- ${APPARMOR_PARSER} "$@" > "$tmpdir/out" 2>/dev/null ++ ${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null + rc=$? ++ LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out" + if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then + echo "failed: expected \"$expected\" but parser returned error" + return 1 +diff --git a/parser/tst/dirtest/dirtest.out b/parser/tst/dirtest/dirtest.out +index e82188b84..5b4cc30aa 100644 +--- a/parser/tst/dirtest/dirtest.out ++++ b/parser/tst/dirtest/dirtest.out +@@ -1,3 +1,3 @@ +-good_target + a_profile + b_profile ++good_target +-- +GitLab + diff --git a/dovecot-profiles-boo1199535-mr881.diff b/dovecot-profiles-boo1199535-mr881.diff deleted file mode 100644 index 6693e49..0000000 --- a/dovecot-profiles-boo1199535-mr881.diff +++ /dev/null 
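Review bot: In the `do_tst` change the exit status of `LC_ALL=C sort` is not checked, so if the sort cannot write `$tmpdir/out` the later comparison would presumably report an output mismatch instead of the real cause; the comparison itself is outside the hunk. The commit message also says both the expected and the actual output are sorted, but only the actual output is sorted at run time, while `dirtest.out` is re-ordered by hand in the second hunk. Future entries in `dirtest.out` therefore have to be kept in `LC_ALL=C` order, which a comment next to the sort line could state, for example `# dirtest.out must be kept in LC_ALL=C sort order`.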
@@ -1,54 +0,0 @@ -From https://gitlab.com/apparmor/apparmor/-/merge_requests/881 - -From ad8df7f88fdac5cf230da07bb0f45761a22202b3 Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Sun, 15 May 2022 20:53:35 +0200 -Subject: [PATCH] Add missing permissions for dovecot-{imap,lmtp,pop3} - -References: https://bugzilla.opensuse.org/show_bug.cgi?id=1199535 ---- - profiles/apparmor.d/usr.lib.dovecot.imap | 1 + - profiles/apparmor.d/usr.lib.dovecot.lmtp | 2 ++ - profiles/apparmor.d/usr.lib.dovecot.pop3 | 1 + - 3 files changed, 4 insertions(+) - -diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap b/profiles/apparmor.d/usr.lib.dovecot.imap -index ade0e4157..8ee2d5a4e 100644 ---- a/profiles/apparmor.d/usr.lib.dovecot.imap -+++ b/profiles/apparmor.d/usr.lib.dovecot.imap -@@ -35,6 +35,7 @@ profile dovecot-imap /usr/lib/dovecot/imap { - - owner /tmp/dovecot.imap.* rw, - @{PROC}/@{pid}/attr/{apparmor/,}current rw, -+ @{PROC}/@{pid}/stat r, - /usr/bin/doveconf rix, - /usr/lib/dovecot/imap mrix, - /usr/share/dovecot/** r, -diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp -index 7b2e5599b..ad26eff3e 100644 ---- a/profiles/apparmor.d/usr.lib.dovecot.lmtp -+++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp -@@ -31,6 +31,8 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp { - - @{HOME}/.dovecot.svbin r, - @{PROC}/@{pid}/attr/{apparmor/,}current rw, -+ owner @{PROC}/@{pid}/io r, -+ owner @{PROC}/@{pid}/stat r, - @{PROC}/*/mounts r, - /tmp/dovecot.lmtp.* rw, - /usr/lib/dovecot/lmtp mr, -diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3 b/profiles/apparmor.d/usr.lib.dovecot.pop3 -index a593d6b1a..ed010ddaf 100644 ---- a/profiles/apparmor.d/usr.lib.dovecot.pop3 -+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3 -@@ -26,6 +26,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 { - @{DOVECOT_MAILSTORE}/** rwkl, - - @{HOME} r, # ??? -+ @{PROC}/@{pid}/stat r, - /usr/lib/dovecot/pop3 mr, - - # Site-specific additions and overrides. 
See local/README for details. --- -GitLab - diff --git a/libapparmor.spec b/libapparmor.spec index af6fa0d..e7bf0cd 100644 --- a/libapparmor.spec +++ b/libapparmor.spec @@ -18,7 +18,7 @@ Name: libapparmor -Version: 3.0.4 +Version: 3.0.5 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later @@ -66,7 +66,6 @@ AppArmor API. %setup -q -n apparmor-%{version} %build -%define _lto_cflags %{nil} ( cd ./libraries/libapparmor %configure \ diff --git a/php8-fpm-mr876.patch b/php8-fpm-mr876.patch deleted file mode 100644 index 00e2987..0000000 --- a/php8-fpm-mr876.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From c946f0bf75f9529014c79ff591d6f953ce56b416 Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Mon, 18 Apr 2022 20:49:22 +0200 -Subject: [PATCH] Allow reading all of /etc/php[578]/** in abstractions/php - -... and with that, make a rule in the php-fpm profile (which missed -php8) superfluous. - -Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229 - -Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11 ---- - profiles/apparmor.d/abstractions/php | 3 +-- - profiles/apparmor.d/php-fpm | 2 -- - 2 files changed, 1 insertion(+), 4 deletions(-) - -diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php -index ddafb0770..6bf0dc798 100644 ---- a/profiles/apparmor.d/abstractions/php -+++ b/profiles/apparmor.d/abstractions/php -@@ -13,8 +13,7 @@ - abi , - - # shared snippets for config files -- /etc/php{,5,7,8}/**/ r, -- /etc/php{,5,7,8}/**.ini r, -+ /etc/php{,5,7,8}/** r, - - # Xlibs - /usr/X11R6/lib{,32,64}/lib*.so* mr, -diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm -index b25762c50..14b3c7195 100644 ---- a/profiles/apparmor.d/php-fpm -+++ b/profiles/apparmor.d/php-fpm -@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) { - # read the system certificates - include - -- /etc/php{,5,7}/** r, -- - capability net_admin, - # change user/group of a pool - capability setuid, --- -GitLab - diff --git a/python310-help-mr848.patch b/python310-help-mr848.patch deleted file mode 100644 index 6683f1b..0000000 --- a/python310-help-mr848.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 8a21472175501823303a8af270bd38a60ff4ac9c Mon Sep 17 00:00:00 2001 -From: John Johansen -Date: Tue, 15 Feb 2022 19:17:30 +0000 -Subject: [PATCH] Merge make test-aa-notify test_help_contents () less strict - -Python 3.10 generates a slightly different --help output. - -Fixes https://gitlab.com/apparmor/apparmor/-/issues/220 - -Closes #220 -MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/848 -Acked-by: Approved-by: John Johansen -Merged-by: John Johansen - -(cherry picked from commit ba14227bb51a76b416a8da46c241a8d07506badc) -Signed-off-by: John Johansen ---- - utils/test/test-aa-notify.py | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py -index 2484c7f97..cfb5fa5a8 100644 ---- a/utils/test/test-aa-notify.py -+++ b/utils/test/test-aa-notify.py -@@ -148,13 +148,15 @@ Feb 4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoc - '''Test output of help text''' - - expected_return_code = 0 -- expected_output_is = \ -+ expected_output_1 = \ - '''usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v] - [-u USER] [-w NUM] [--debug] - - Display AppArmor notifications or messages for DENIED entries. 
-+''' - --optional arguments: -+ expected_output_2 = \ -+''' - -h, --help show this help message and exit - -p, --poll poll AppArmor logs and display notifications - --display DISPLAY set the DISPLAY environment variable (might be needed if -@@ -174,8 +176,9 @@ optional arguments: - return_code, output = cmd([aanotify_bin, '--help']) - result = 'Got return code %d, expected %d\n' % (return_code, expected_return_code) - self.assertEqual(expected_return_code, return_code, result + output) -- result = 'Got output "%s", expected "%s"\n' % (output, expected_output_is) -- self.assertEqual(expected_output_is, output, result + output) -+ -+ self.assertIn(expected_output_1, output) -+ self.assertIn(expected_output_2, output) - - def test_entries_since_100_days(self): - '''Test showing log entries since 100 days''' --- -GitLab - diff --git a/samba-new-dcerpcd.patch b/samba-new-dcerpcd.patch deleted file mode 100644 index 6ad840f..0000000 --- a/samba-new-dcerpcd.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd -=================================================================== ---- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd -+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd -@@ -39,6 +39,7 @@ profile smbd /usr/{bin,sbin}/smbd { - /usr/lib*/samba/gensec/*.so mr, - /usr/lib*/samba/pdb/*.so mr, - /usr/lib*/samba/samba-bgqd Px -> samba-bgqd, -+ /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd, - /usr/lib*/samba/{lowcase,upcase,valid}.dat r, - /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr, - /usr/lib/@{multiarch}/samba/**/ r, -Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd -=================================================================== ---- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.winbindd -+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd -@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbind - /usr/lib*/samba/idmap/*.so mr, - /usr/lib*/samba/nss_info/*.so mr, - /usr/lib*/samba/pdb/*.so mr, -+ /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd, - /usr/{bin,sbin}/winbindd mr, - /var/cache/krb5rcache/* rwk, - /var/cache/samba/*.tdb rwk, -Index: apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd -=================================================================== ---- /dev/null -+++ apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd -@@ -0,0 +1,31 @@ -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2022 SUSE LLC -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. 
-+# -+# ------------------------------------------------------------------ -+# vim:syntax=apparmor -+ -+abi , -+ -+include -+ -+profile samba-dcerpcd /usr/lib*/samba/samba-dcerpcd { -+ include -+ -+ @{run}/samba/samba-dcerpcd.pid wk, -+ -+ /usr/lib*/samba/samba-dcerpcd m, -+ -+ /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd, -+ /usr/lib*/samba/rpcd_classic Px -> samba-rpcd-classic, -+ /usr/lib*/samba/rpcd_spoolss Px -> samba-rpcd-spoolss, -+ -+ @{run}/samba/ncalrpc/ rw, -+ @{run}/samba/ncalrpc/** rw, -+ # Site-specific additions and overrides. See local/README for details. -+ include if exists -+} -Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd -=================================================================== ---- /dev/null -+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd -@@ -0,0 +1,30 @@ -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2022 SUSE LLC -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. 
-+# -+# ------------------------------------------------------------------ -+# vim:syntax=apparmor -+ -+# This file contains basic permissions for samba rpcd_xyz services -+ -+ abi , -+ -+ include -+ include -+ include -+ -+ capability setgid, -+ capability setuid, -+ -+ signal receive set=term peer=smbd, -+ -+ @{PROC}/sys/kernel/core_pattern r, -+ owner @{PROC}/@{pid}/fd/ r, -+ -+ # Include additions to the abstraction -+ include if exists -+ -Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd -=================================================================== ---- /dev/null -+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd -@@ -0,0 +1,21 @@ -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2022 SUSE LLC -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+# vim:syntax=apparmor -+ -+abi , -+ -+include -+ -+profile samba-rpcd /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} { -+ include -+ /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m, -+ # Site-specific additions and overrides. See local/README for details. -+ include if exists -+} -Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic -=================================================================== ---- /dev/null -+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic -@@ -0,0 +1,24 @@ -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2022 SUSE LLC -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. 
-+# -+# ------------------------------------------------------------------ -+# vim:syntax=apparmor -+ -+abi , -+ -+include -+ -+profile samba-rpcd-classic /usr/lib*/samba/rpcd_classic { -+ include -+ include -+ -+ /usr/lib*/samba/rpcd_classic m, -+ -+ # Site-specific additions and overrides. See local/README for details. -+ include if exists -+} -Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss -=================================================================== ---- /dev/null -+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss -@@ -0,0 +1,24 @@ -+# ------------------------------------------------------------------ -+# -+# Copyright (C) 2022 SUSE LLC -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of version 2 of the GNU General Public -+# License published by the Free Software Foundation. -+# -+# ------------------------------------------------------------------ -+# vim:syntax=apparmor -+ -+abi , -+ -+include -+ -+profile samba-rpcd-spoolss /usr/lib*/samba/rpcd_spoolss { -+ include -+ -+ /usr/lib*/samba/rpcd_spoolss m, -+ /usr/lib*/samba/samba-bgqd Px -> samba-bgqd, -+ -+ # Site-specific additions and overrides. See local/README for details. -+ include if exists -+} diff --git a/samba_deny_net_admin.patch b/samba_deny_net_admin.patch deleted file mode 100644 index 7e430bd..0000000 --- a/samba_deny_net_admin.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba -=================================================================== ---- apparmor-3.0.4.orig/profiles/apparmor.d/abstractions/samba -+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba -@@ -34,5 +34,7 @@ - # required for clustering - /var/lib/ctdb/** rwk, - -+ deny capability net_admin, # noisy setsockopt() calls from systemd -+ - # Include additions to the abstraction - include if exists 
diff --git a/update-samba-bgqd.diff b/update-samba-bgqd.diff deleted file mode 100644 index dfb26e9..0000000 --- a/update-samba-bgqd.diff +++ /dev/null @@ -1,19 +0,0 @@ -Index: apparmor-3.0.4/profiles/apparmor.d/samba-bgqd -=================================================================== ---- apparmor-3.0.4.orig/profiles/apparmor.d/samba-bgqd -+++ apparmor-3.0.4/profiles/apparmor.d/samba-bgqd -@@ -6,11 +6,14 @@ profile samba-bgqd /usr/lib*/samba/samba - include - include - include -+ include - include - - signal receive set=term peer=smbd, - - @{PROC}/sys/kernel/core_pattern r, -+ owner @{PROC}/@{pid}/fd/ r, -+ - @{run}/samba/samba-bgqd.pid wk, - - /usr/lib*/samba/samba-bgqd m, diff --git a/update-usr-sbin-smbd.diff b/update-usr-sbin-smbd.diff deleted file mode 100644 index f21ab05..0000000 --- a/update-usr-sbin-smbd.diff +++ /dev/null @@ -1,12 +0,0 @@ -Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd -=================================================================== ---- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd -+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd -@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd { - include - include - include -+ include - include - include - include