Accepting request 482764 from home:cboltz

- add upstream-changes-r-3629..3648.diff:
  - preserve unknown profiles when reloading apparmor.service
    (CVE-2017-6507, lp#1668892, boo#1029696)
  - add aa-remove-unknown utility to unload unknown profiles (lp#1668892)
  - update nvidia abstraction for newer nvidia drivers
  - don't enforce ordering of dbus rule attributes in utils (lp#1628286)
  - add --parser, --base and --Include option to aa-easyprof to allow
    non-standard paths (useful for tests) (lp#1521031)
  - move initialization code in apparmor.aa to init_aa(). This allows to
    run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser
    don't exist.
  - several improvements in the utils tests
- drop upstreamed python3-drop-re-locale.patch
- no longer delete/skip some of the utils tests (to allow this, add
  parser-tests-dbus-duplicated-conditionals.diff)
- add var.mount dependency to apparmor.service (boo#1016259#c34)

OBS-URL: https://build.opensuse.org/request/show/482764
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=174
Christian Boltz 2017-03-26 18:43:45 +00:00 committed by Git OBS Bridge
parent bba6e7bef6
commit 454b681e13
6 changed files with 1786 additions and 32 deletions

@ -1,3 +1,23 @@
-------------------------------------------------------------------
Sat Mar 25 21:42:10 UTC 2017 - suse-beta@cboltz.de
- add upstream-changes-r-3629..3648.diff:
- preserve unknown profiles when reloading apparmor.service
(CVE-2017-6507, lp#1668892, boo#1029696)
- add aa-remove-unknown utility to unload unknown profiles (lp#1668892)
- update nvidia abstraction for newer nvidia drivers
- don't enforce ordering of dbus rule attributes in utils (lp#1628286)
- add --parser, --base and --Include option to aa-easyprof to allow
non-standard paths (useful for tests) (lp#1521031)
- move initialization code in apparmor.aa to init_aa(). This allows to
run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser
don't exist.
- several improvements in the utils tests
- drop upstreamed python3-drop-re-locale.patch
- no longer delete/skip some of the utils tests (to allow this, add
parser-tests-dbus-duplicated-conditionals.diff)
- add var.mount dependeny to apparmor.service (boo#1016259#c34)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 16 20:13:00 UTC 2017 - kukuk@suse.com Thu Mar 16 20:13:00 UTC 2017 - kukuk@suse.com
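Review bot: The patch name in the first bullet, upstream-changes-r-3629..3648.diff, does not match the file the spec registers as Patch10, upstream-changes-r3629..3648.diff (no hyphen after "r"); use the spec's spelling so a search of the changelog for the patch file finds this entry. The last bullet also has a typo, "dependeny" for "dependency". This entry carries the CVE-2017-6507 reference, so its identifiers are worth keeping exact.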

@ -3,7 +3,7 @@ Description=Load AppArmor profiles
DefaultDependencies=no DefaultDependencies=no
Before=sysinit.target Before=sysinit.target
After=systemd-journald-audit.socket After=systemd-journald-audit.socket
After=var-lib.mount After=var.mount var-lib.mount
ConditionSecurity=apparmor ConditionSecurity=apparmor
[Service] [Service]
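Review bot: On the changed line, After=var.mount var-lib.mount, the new dependency has no comment in the unit saying why /var must be mounted before profiles are loaded; the reason is recorded only in the changelog (boo#1016259#c34). Add a one-line comment above it with the bug reference. After= is ordering-only and does not pull the mount unit in, so if the intent is that the service must never start without /var, RequiresMountsFor= on the path it needs would state that explicitly, at the cost of turning it into a hard requirement.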

@ -75,8 +75,11 @@ Patch8: sshd-profile-drop-local-include-r3615.diff
# upstream changes (trunk r3616..3628) # upstream changes (trunk r3616..3628)
Patch9: upstream-changes-r3616..3628.diff Patch9: upstream-changes-r3616..3628.diff
# drop deprecated re.LOCALE flag from regexps # upstream changes (trunk r3629..3648)
Patch10: python3-drop-re-locale.patch Patch10: upstream-changes-r3629..3648.diff
# add some exceptions to utils/test/test-parser-simple-tests.py (submitted upstream 2017-03-25)
Patch11: parser-tests-dbus-duplicated-conditionals.diff
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -377,9 +380,10 @@ SubDomain.
%patch7 -p1 %patch7 -p1
%patch8 %patch8
%patch9 %patch9
%if %{with python3} %patch10
%patch10 -p1 # patch10 (upstream-changes-r3629..3648.diff) fails to create empty files, do it manually
%endif touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
%patch11
# search for left-over multiline rules # search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
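Review bot: The touch of libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err covers exactly one empty file by hand, so any other empty file in Patch10, or in a later refresh of it, would be missed without any error at this step. Extend the comment to say the touch has to be dropped together with Patch10, and consider checking right after %patch10 that the file exists so a changed path fails in %prep rather than in the test run. The move of %patch10 out of the %if %{with python3} block looks right for an upstream diff that is no longer Python-only.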
@ -457,17 +461,6 @@ make check -C binutils
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory) # also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
(cd profiles && make check-parser) (cd profiles && make check-parser)
# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist
# (aa.py doesn't allow to inject in-tree paths early enough)
rm -v utils/test/test-aa.py
rm -v utils/test/test-aa-easyprof.py
rm -v utils/test/test-libapparmor-test_multi.py
rm -v utils/test/test-mount_parse.py
rm -v utils/test/test-parser-simple-tests.py
rm -v utils/test/test-pivot_root_parse.py
rm -v utils/test/test-regex_matches.py
rm -v utils/test/test-unix_parse.py
make check -C utils make check -C utils
%install %install
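Review bot: Removing the eight rm -v lines means make check -C utils now runs test-aa.py, test-parser-simple-tests.py and the other previously deleted tests, which per the changelog only works with the init_aa() change from Patch10 and the exceptions from Patch11; the deleted comment was the only place in the spec that documented this constraint. Leave a short comment above make check -C utils naming both patches, so that a later patch drop is not answered by deleting tests again.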

@ -0,0 +1,20 @@
=== modified file 'utils/test/test-parser-simple-tests.py'
--- utils/test/test-parser-simple-tests.py 2017-03-03 12:14:03 +0000
+++ utils/test/test-parser-simple-tests.py 2017-03-25 20:45:42 +0000
@@ -49,6 +49,15 @@
'change_profile/onx_conflict_unsafe1.sd',
'change_profile/onx_conflict_unsafe2.sd',
+ # duplicated conditionals aren't detected by the tools
+ 'generated_dbus/duplicated-conditionals-45127.sd',
+ 'generated_dbus/duplicated-conditionals-45131.sd',
+ 'generated_dbus/duplicated-conditionals-45124.sd',
+ 'generated_dbus/duplicated-conditionals-45130.sd',
+ 'generated_dbus/duplicated-conditionals-45125.sd',
+ 'generated_dbus/duplicated-conditionals-45128.sd',
+ 'generated_dbus/duplicated-conditionals-45129.sd',
+
'dbus/bad_modifier_2.sd',
'dbus/bad_regex_01.sd',
'dbus/bad_regex_02.sd',
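Review bot: The seven added entries hard-code numbered files under generated_dbus/ (45124 to 45131, without 45126, and in no particular order), so the exception list only holds while those generated names stay stable; sort the entries and say in the comment how the numbers were obtained. The comment "duplicated conditionals aren't detected by the tools" also records a real gap in the utils' rule checking that these exceptions hide from the test run, so add the upstream bug or submission reference next to it to keep the gap tracked.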

@ -1,15 +0,0 @@
Index: apparmor-2.11.0/utils/apparmor/ui.py
===================================================================
--- apparmor-2.11.0.orig/utils/apparmor/ui.py
+++ apparmor-2.11.0/utils/apparmor/ui.py
@@ -64,8 +64,8 @@ def get_translated_hotkey(translated, cm
msg = 'PromptUser: ' + _('Invalid hotkey for')
# Originally (\S) was used but with translations it would not work :(
- if re.search('\((\S+)\)', translated, re.LOCALE):
- return re.search('\((\S+)\)', translated, re.LOCALE).groups()[0]
+ if re.search('\((\S+)\)', translated):
+ return re.search('\((\S+)\)', translated).groups()[0]
else:
if cmsg:
raise AppArmorException(cmsg)
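Review bot: Deleting this patch is only safe if the re.LOCALE removal in utils/apparmor/ui.py is part of the new Patch10, and that cannot be checked here because the upstream-changes diff is suppressed on this page. Confirm that both re.search('\((\S+)\)', translated) calls in get_translated_hotkey() come out of %prep without the flag before merging.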

File diff suppressed because it is too large