Accepting request 482764 from home:cboltz
- add upstream-changes-r-3629..3648.diff: - preserve unknown profiles when reloading apparmor.service (CVE-2017-6507, lp#1668892, boo#1029696) - add aa-remove-unknown utility to unload unknown profiles (lp#1668892) - update nvidia abstraction for newer nvidia drivers - don't enforce ordering of dbus rule attributes in utils (lp#1628286) - add --parser, --base and --Include option to aa-easyprof to allow non-standard paths (useful for tests) (lp#1521031) - move initialization code in apparmor.aa to init_aa(). This allows running all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser don't exist. - several improvements in the utils tests - drop upstreamed python3-drop-re-locale.patch - no longer delete/skip some of the utils tests (to allow this, add parser-tests-dbus-duplicated-conditionals.diff) - add var.mount dependency to apparmor.service (boo#1016259#c34) OBS-URL: https://build.opensuse.org/request/show/482764 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=174
parent
bba6e7bef6
commit
454b681e13
@ -1,3 +1,23 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Mar 25 21:42:10 UTC 2017 - suse-beta@cboltz.de
|
||||||
|
|
||||||
|
- add upstream-changes-r-3629..3648.diff:
|
||||||
|
- preserve unknown profiles when reloading apparmor.service
|
||||||
|
(CVE-2017-6507, lp#1668892, boo#1029696)
|
||||||
|
- add aa-remove-unknown utility to unload unknown profiles (lp#1668892)
|
||||||
|
- update nvidia abstraction for newer nvidia drivers
|
||||||
|
- don't enforce ordering of dbus rule attributes in utils (lp#1628286)
|
||||||
|
- add --parser, --base and --Include option to aa-easyprof to allow
|
||||||
|
non-standard paths (useful for tests) (lp#1521031)
|
||||||
|
- move initialization code in apparmor.aa to init_aa(). This allows to
|
||||||
|
run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser
|
||||||
|
don't exist.
|
||||||
|
- several improvements in the utils tests
|
||||||
|
- drop upstreamed python3-drop-re-locale.patch
|
||||||
|
- no longer delete/skip some of the utils tests (to allow this, add
|
||||||
|
parser-tests-dbus-duplicated-conditionals.diff)
|
||||||
|
- add var.mount dependeny to apparmor.service (boo#1016259#c34)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Mar 16 20:13:00 UTC 2017 - kukuk@suse.com
|
Thu Mar 16 20:13:00 UTC 2017 - kukuk@suse.com
|
||||||
|
|
||||||
|
@ -3,7 +3,7 @@ Description=Load AppArmor profiles
|
|||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
Before=sysinit.target
|
Before=sysinit.target
|
||||||
After=systemd-journald-audit.socket
|
After=systemd-journald-audit.socket
|
||||||
After=var-lib.mount
|
After=var.mount var-lib.mount
|
||||||
ConditionSecurity=apparmor
|
ConditionSecurity=apparmor
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
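Review bot: The new `After=var.mount var-lib.mount` line only orders apparmor.service after those mount units; it does not pull them in or fail the service if a mount is missing, although the changelog calls this a dependency. If profile loading really needs `/var` to be present, that would take `RequiresMountsFor=` or `Requires=` in addition; if ordering alone is intended, a short comment above the line such as `# order after /var mounts, see boo#1016259#c34` would record why. The rest of the unit, including the `[Service]` section, lies outside this hunk.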
@ -75,8 +75,11 @@ Patch8: sshd-profile-drop-local-include-r3615.diff
|
|||||||
# upstream changes (trunk r3616..3628)
|
# upstream changes (trunk r3616..3628)
|
||||||
Patch9: upstream-changes-r3616..3628.diff
|
Patch9: upstream-changes-r3616..3628.diff
|
||||||
|
|
||||||
# drop deprecated re.LOCALE flag from regexps
|
# upstream changes (trunk r3629..3648)
|
||||||
Patch10: python3-drop-re-locale.patch
|
Patch10: upstream-changes-r3629..3648.diff
|
||||||
|
|
||||||
|
# add some exceptions to utils/test/test-parser-simple-tests.py (submitted upstream 2017-03-25)
|
||||||
|
Patch11: parser-tests-dbus-duplicated-conditionals.diff
|
||||||
|
|
||||||
PreReq: sed
|
PreReq: sed
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
@ -377,9 +380,10 @@ SubDomain.
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8
|
%patch8
|
||||||
%patch9
|
%patch9
|
||||||
%if %{with python3}
|
%patch10
|
||||||
%patch10 -p1
|
# patch10 (upstream-changes-r3629..3648.diff) fails to create empty files, do it manually
|
||||||
%endif
|
touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
|
||||||
|
%patch11
|
||||||
|
|
||||||
# search for left-over multiline rules
|
# search for left-over multiline rules
|
||||||
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
||||||
@ -457,17 +461,6 @@ make check -C binutils
|
|||||||
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
|
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
|
||||||
(cd profiles && make check-parser)
|
(cd profiles && make check-parser)
|
||||||
|
|
||||||
# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist
|
|
||||||
# (aa.py doesn't allow to inject in-tree paths early enough)
|
|
||||||
rm -v utils/test/test-aa.py
|
|
||||||
rm -v utils/test/test-aa-easyprof.py
|
|
||||||
rm -v utils/test/test-libapparmor-test_multi.py
|
|
||||||
rm -v utils/test/test-mount_parse.py
|
|
||||||
rm -v utils/test/test-parser-simple-tests.py
|
|
||||||
rm -v utils/test/test-pivot_root_parse.py
|
|
||||||
rm -v utils/test/test-regex_matches.py
|
|
||||||
rm -v utils/test/test-unix_parse.py
|
|
||||||
|
|
||||||
make check -C utils
|
make check -C utils
|
||||||
|
|
||||||
%install
|
%install
|
||||||
|
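Review bot: The comment above `Patch10` reads only `# upstream changes (trunk r3629..3648)`, so the spec does not record that this bundled diff carries the CVE-2017-6507 fix named in the changelog. That link is easy to lose when the patch is dropped on the next version update; I would write `# upstream changes (trunk r3629..3648), includes the fix for CVE-2017-6507 (boo#1029696)`. In the `%prep` hunk, the `touch` of `unconfined-change_hat.err` covers one empty file that `%patch10` fails to create. It is worth confirming that it is the only empty file in that diff, because the 1736-line diff is not shown on this page.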
20
parser-tests-dbus-duplicated-conditionals.diff
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
=== modified file 'utils/test/test-parser-simple-tests.py'
|
||||||
|
--- utils/test/test-parser-simple-tests.py 2017-03-03 12:14:03 +0000
|
||||||
|
+++ utils/test/test-parser-simple-tests.py 2017-03-25 20:45:42 +0000
|
||||||
|
@@ -49,6 +49,15 @@
|
||||||
|
'change_profile/onx_conflict_unsafe1.sd',
|
||||||
|
'change_profile/onx_conflict_unsafe2.sd',
|
||||||
|
|
||||||
|
+ # duplicated conditionals aren't detected by the tools
|
||||||
|
+ 'generated_dbus/duplicated-conditionals-45127.sd',
|
||||||
|
+ 'generated_dbus/duplicated-conditionals-45131.sd',
|
||||||
|
+ 'generated_dbus/duplicated-conditionals-45124.sd',
|
||||||
|
+ 'generated_dbus/duplicated-conditionals-45130.sd',
|
||||||
|
+ 'generated_dbus/duplicated-conditionals-45125.sd',
|
||||||
|
+ 'generated_dbus/duplicated-conditionals-45128.sd',
|
||||||
|
+ 'generated_dbus/duplicated-conditionals-45129.sd',
|
||||||
|
+
|
||||||
|
'dbus/bad_modifier_2.sd',
|
||||||
|
'dbus/bad_regex_01.sd',
|
||||||
|
'dbus/bad_regex_02.sd',
|
||||||
|
|
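Review bot: The seven `generated_dbus/duplicated-conditionals-*.sd` entries are added under the comment `# duplicated conditionals aren't detected by the tools` with no tracking reference, so the gap between the utils and the parser is recorded only as a test exception. I would extend the comment to `# duplicated conditionals aren't detected by the tools (see <bug reference>)` so the exceptions can be removed once the utils catch these profiles. The numeric suffixes look generator-assigned; if they are not stable across regenerations of the test set, the entries would stop matching and the test would fail again. The list these entries belong to starts and ends outside the hunk.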
@ -1,15 +0,0 @@
|
|||||||
Index: apparmor-2.11.0/utils/apparmor/ui.py
|
|
||||||
===================================================================
|
|
||||||
--- apparmor-2.11.0.orig/utils/apparmor/ui.py
|
|
||||||
+++ apparmor-2.11.0/utils/apparmor/ui.py
|
|
||||||
@@ -64,8 +64,8 @@ def get_translated_hotkey(translated, cm
|
|
||||||
msg = 'PromptUser: ' + _('Invalid hotkey for')
|
|
||||||
|
|
||||||
# Originally (\S) was used but with translations it would not work :(
|
|
||||||
- if re.search('\((\S+)\)', translated, re.LOCALE):
|
|
||||||
- return re.search('\((\S+)\)', translated, re.LOCALE).groups()[0]
|
|
||||||
+ if re.search('\((\S+)\)', translated):
|
|
||||||
+ return re.search('\((\S+)\)', translated).groups()[0]
|
|
||||||
else:
|
|
||||||
if cmsg:
|
|
||||||
raise AppArmorException(cmsg)
|
|
1736
upstream-changes-r3629..3648.diff
Normal file
File diff suppressed because it is too large