Accepting request 482764 from home:cboltz
- add upstream-changes-r-3629..3648.diff: - preserve unknown profiles when reloading apparmor.service (CVE-2017-6507, lp#1668892, boo#1029696) - add aa-remove-unknown utility to unload unknown profiles (lp#1668892) - update nvidia abstraction for newer nvidia drivers - don't enforce ordering of dbus rule attributes in utils (lp#1628286) - add --parser, --base and --Include options to aa-easyprof to allow non-standard paths (useful for tests) (lp#1521031) - move initialization code in apparmor.aa to init_aa(). This allows running all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser don't exist. - several improvements in the utils tests - drop upstreamed python3-drop-re-locale.patch - no longer delete/skip some of the utils tests (to allow this, add parser-tests-dbus-duplicated-conditionals.diff) - add var.mount dependency to apparmor.service (boo#1016259#c34) OBS-URL: https://build.opensuse.org/request/show/482764 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=174
parent
bba6e7bef6
commit
454b681e13
@ -1,3 +1,23 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Mar 25 21:42:10 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- add upstream-changes-r-3629..3648.diff:
|
||||
- preserve unknown profiles when reloading apparmor.service
|
||||
(CVE-2017-6507, lp#1668892, boo#1029696)
|
||||
- add aa-remove-unknown utility to unload unknown profiles (lp#1668892)
|
||||
- update nvidia abstraction for newer nvidia drivers
|
||||
- don't enforce ordering of dbus rule attributes in utils (lp#1628286)
|
||||
- add --parser, --base and --Include option to aa-easyprof to allow
|
||||
non-standard paths (useful for tests) (lp#1521031)
|
||||
- move initialization code in apparmor.aa to init_aa(). This allows to
|
||||
run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser
|
||||
don't exist.
|
||||
- several improvements in the utils tests
|
||||
- drop upstreamed python3-drop-re-locale.patch
|
||||
- no longer delete/skip some of the utils tests (to allow this, add
|
||||
parser-tests-dbus-duplicated-conditionals.diff)
|
||||
- add var.mount dependeny to apparmor.service (boo#1016259#c34)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 16 20:13:00 UTC 2017 - kukuk@suse.com
|
||||
|
||||
|
@ -3,7 +3,7 @@ Description=Load AppArmor profiles
|
||||
DefaultDependencies=no
|
||||
Before=sysinit.target
|
||||
After=systemd-journald-audit.socket
|
||||
After=var-lib.mount
|
||||
After=var.mount var-lib.mount
|
||||
ConditionSecurity=apparmor
|
||||
|
||||
[Service]
|
||||
|
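Review bot: The new `After=var.mount var-lib.mount` line only orders the unit; it does not pull either mount into the transaction or keep apparmor.service from starting when a mount fails, although the changelog calls it a dependency. If profile loading really needs data under /var (presumably the reason behind boo#1016259), `RequiresMountsFor=<path under /var that the service reads>` would state that requirement directly and also cover other mount layouts. At minimum, a comment above the line such as `# /var can be a separate mount; do not load profiles before it is available (boo#1016259)` would record why the ordering exists. The rest of the unit, including the whole [Service] section, is outside the hunk.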
@ -75,8 +75,11 @@ Patch8: sshd-profile-drop-local-include-r3615.diff
|
||||
# upstream changes (trunk r3616..3628)
|
||||
Patch9: upstream-changes-r3616..3628.diff
|
||||
|
||||
# drop deprecated re.LOCALE flag from regexps
|
||||
Patch10: python3-drop-re-locale.patch
|
||||
# upstream changes (trunk r3629..3648)
|
||||
Patch10: upstream-changes-r3629..3648.diff
|
||||
|
||||
# add some exceptions to utils/test/test-parser-simple-tests.py (submitted upstream 2017-03-25)
|
||||
Patch11: parser-tests-dbus-duplicated-conditionals.diff
|
||||
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -377,9 +380,10 @@ SubDomain.
|
||||
%patch7 -p1
|
||||
%patch8
|
||||
%patch9
|
||||
%if %{with python3}
|
||||
%patch10 -p1
|
||||
%endif
|
||||
%patch10
|
||||
# patch10 (upstream-changes-r3629..3648.diff) fails to create empty files, do it manually
|
||||
touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
|
||||
%patch11
|
||||
|
||||
# search for left-over multiline rules
|
||||
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
||||
@ -457,17 +461,6 @@ make check -C binutils
|
||||
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
|
||||
(cd profiles && make check-parser)
|
||||
|
||||
# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist
|
||||
# (aa.py doesn't allow to inject in-tree paths early enough)
|
||||
rm -v utils/test/test-aa.py
|
||||
rm -v utils/test/test-aa-easyprof.py
|
||||
rm -v utils/test/test-libapparmor-test_multi.py
|
||||
rm -v utils/test/test-mount_parse.py
|
||||
rm -v utils/test/test-parser-simple-tests.py
|
||||
rm -v utils/test/test-pivot_root_parse.py
|
||||
rm -v utils/test/test-regex_matches.py
|
||||
rm -v utils/test/test-unix_parse.py
|
||||
|
||||
make check -C utils
|
||||
|
||||
%install
|
||||
|
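Review bot: The comment added above `Patch10:` says only `# upstream changes (trunk r3629..3648)`, so the spec gives no hint that this patch carries the CVE-2017-6507 fix named in the changelog. I would write `# upstream changes (trunk r3629..3648), includes the fix for CVE-2017-6507 (boo#1029696)` so the security fix stays traceable when patches are later merged or renumbered. The changelog entry also spells the file `upstream-changes-r-3629..3648.diff`, which does not match the `Patch10:` name and will defeat a search for it. The `%files` list is outside these hunks, so whether the new `aa-remove-unknown` utility is packaged cannot be confirmed from this page.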
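--- a/parser-tests-dbus-duplicated-conditionals.diff
+++ b/parser-tests-dbus-duplicated-conditionals.diff
@@ -0,0 +1,20 @@
+=== modified file 'utils/test/test-parser-simple-tests.py'
+--- utils/test/test-parser-simple-tests.py 2017-03-03 12:14:03 +0000
++++ utils/test/test-parser-simple-tests.py 2017-03-25 20:45:42 +0000
+@@ -49,6 +49,15 @@
+'change_profile/onx_conflict_unsafe1.sd',
+'change_profile/onx_conflict_unsafe2.sd',
+
++ # duplicated conditionals aren't detected by the tools
++ 'generated_dbus/duplicated-conditionals-45127.sd',
++ 'generated_dbus/duplicated-conditionals-45131.sd',
++ 'generated_dbus/duplicated-conditionals-45124.sd',
++ 'generated_dbus/duplicated-conditionals-45130.sd',
++ 'generated_dbus/duplicated-conditionals-45125.sd',
++ 'generated_dbus/duplicated-conditionals-45128.sd',
++ 'generated_dbus/duplicated-conditionals-45129.sd',
++
+'dbus/bad_modifier_2.sd',
+'dbus/bad_regex_01.sd',
+'dbus/bad_regex_02.sd',
+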
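Review bot: The exception entries added at `@@ -49,6 +49,15 @@` carry no tracking reference, so nothing tells a later maintainer when they can be dropped. The list itself starts outside the hunk; judging by the neighbouring `dbus/bad_*` entries it appears to hold invalid profiles that the Python utils accept without raising, which would mean the utils cannot be relied on to reject dbus rules with duplicated conditionals. The numbered file names (45124 to 45131) look generator-assigned and may shift between releases, in which case the entries would silently stop matching. I would extend the comment to something like `# duplicated conditionals aren't detected by the tools (submitted upstream 2017-03-25); generated file numbers may change`.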
@ -1,15 +0,0 @@
|
||||
Index: apparmor-2.11.0/utils/apparmor/ui.py
|
||||
===================================================================
|
||||
--- apparmor-2.11.0.orig/utils/apparmor/ui.py
|
||||
+++ apparmor-2.11.0/utils/apparmor/ui.py
|
||||
@@ -64,8 +64,8 @@ def get_translated_hotkey(translated, cm
|
||||
msg = 'PromptUser: ' + _('Invalid hotkey for')
|
||||
|
||||
# Originally (\S) was used but with translations it would not work :(
|
||||
- if re.search('\((\S+)\)', translated, re.LOCALE):
|
||||
- return re.search('\((\S+)\)', translated, re.LOCALE).groups()[0]
|
||||
+ if re.search('\((\S+)\)', translated):
|
||||
+ return re.search('\((\S+)\)', translated).groups()[0]
|
||||
else:
|
||||
if cmsg:
|
||||
raise AppArmorException(cmsg)
|
1736
upstream-changes-r3629..3648.diff
Normal file
File diff suppressed because it is too large