From 4677ecc2c8bf57e2529139e03b82997f5ce43a4afd396548750594b8d8770f02 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 11 Jun 2023 16:08:52 +0000 Subject: [PATCH] Accepting request 1092349 from home:cboltz - update to AppArmor 3.1.5 - fix handling of mount rules in apparmor_parser - minor additions to abstractions/base and snap_browsers - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.5 for the full upstream changelog - remove upstreamed aa-status-fix-json-mr1046.patch - split off apparmor-enable-precompiled-cache.diff from apparmor-enable-profile-cache.diff so that the precompiled cache path doesn't get added in parser.conf for Tumbleweed builds. This prevents a warning about the non-existing directory when loading profiles. OBS-URL: https://build.opensuse.org/request/show/1092349 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=372 --- aa-status-fix-json-mr1046.patch | 27 -------------------------- apparmor-3.1.4.tar.gz | 3 --- apparmor-3.1.4.tar.gz.asc | 17 ---------------- apparmor-3.1.5.tar.gz | 3 +++ apparmor-3.1.5.tar.gz.asc | 17 ++++++++++++++++ apparmor-enable-precompiled-cache.diff | 26 +++++++++++++++++++++++++ apparmor-enable-profile-cache.diff | 11 +---------- apparmor.changes | 15 ++++++++++++++ apparmor.spec | 10 ++++++---- libapparmor.spec | 2 +- 10 files changed, 69 insertions(+), 62 deletions(-) delete mode 100644 aa-status-fix-json-mr1046.patch delete mode 100644 apparmor-3.1.4.tar.gz delete mode 100644 apparmor-3.1.4.tar.gz.asc create mode 100644 apparmor-3.1.5.tar.gz create mode 100644 apparmor-3.1.5.tar.gz.asc create mode 100644 apparmor-enable-precompiled-cache.diff diff --git a/aa-status-fix-json-mr1046.patch b/aa-status-fix-json-mr1046.patch deleted file mode 100644 index b76d4e4..0000000 --- a/aa-status-fix-json-mr1046.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 29b21b09d43955f20c75a5f09cc5455e2c9fafcc Mon Sep 17 00:00:00 2001 -From: Christian Boltz -Date: Tue, 6 Jun 2023 23:29:14 +0200 -Subject: [PATCH] Fix invalid aa-status --json - -The previous patch changed the final }} to } - which is correct in -master, but breaks the code in the 3.x branches. ---- - binutils/aa_status.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/binutils/aa_status.c b/binutils/aa_status.c -index 40a854beb..092bee55b 100644 ---- a/binutils/aa_status.c -+++ b/binutils/aa_status.c -@@ -548,7 +548,7 @@ static int detailed_output(FILE *json) { - if (need_finish > 0) { - fprintf(json, "]"); - } -- fprintf(json, "}\n"); -+ fprintf(json, "}}\n"); - } - - exit: --- -GitLab - diff --git a/apparmor-3.1.4.tar.gz b/apparmor-3.1.4.tar.gz deleted file mode 100644 index 93b6a7a..0000000 --- a/apparmor-3.1.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6bee0c3941836dae2c635fe82f09b666123fcac16563aa0fedf4a63c22b91f40 -size 7965268 diff --git a/apparmor-3.1.4.tar.gz.asc b/apparmor-3.1.4.tar.gz.asc deleted file mode 100644 index 063384d..0000000 --- a/apparmor-3.1.4.tar.gz.asc +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmRtkDEaHGFwcGFybW9y -QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLvHLQ//bQLpZLUN5tk61ViS59Uu -evN3ZpGlQ14KRY3vA5YHyrerLOqN0s0xv/jpBxdwryXrE9t9tmWQoU1d6RdaSZpb -+SptQodED5M9bg+B1JmVSmN6Mb6r717NYFsnC20Osz9cpWP+vmD7XBDyPFVZ40gn -jsEu4h/gVm/LTxcBuo36c2e3qZHQg8tDjoY3wZ8mtIcG7DnEUsF8wKpU8mdylEY+ -8FP99o92EjZVu0oVh6ziZvW/VIVrA75XdnTwFSjFHMDz3Yj4fvDQkLqWnKx/TnxF -qzRPZnWlPKFkw8J11qERzUjXnXGRkuSokYtN7pdxGX7pVItQRFIJiwmM9HoNOah2 -hpztepuSaE4+eNDus5+sa8mDOu7XqN3fXyxZ/OxjluOBfwzXw4PFDiaDoc/WF7nJ -O9WdRfZc89+I2J/AtpjPJYzqG6TwLZ6ougZt1O7LAg+rSB/BWNfNYJ3Ur+A6zqbH -dzp1P7IaueBbeWj3ZkZzzB1Wh+2ItTbrZhA1e9MPv4u1nhKBZOYtoOOPTqK21BlQ -HxDhJhvvNWwILe1EdCPs7ZAOvdwYh5lyUKdNzPgcFJODIuUmZkR7SkuD0MNS8d0B -A3N03YNJtKaLHVxlovmkJweApHU5+KkdXSsCOEVWn5WcTo5bpAD/FrQuYWFxNQIG -nV9NCl16zd74Y0qI25k+Nho= -=gA0X ------END PGP SIGNATURE----- diff --git a/apparmor-3.1.5.tar.gz b/apparmor-3.1.5.tar.gz new file mode 100644 index 0000000..2b18a24 --- /dev/null +++ b/apparmor-3.1.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a7cf4b792dd88eb1ac18104b246529662a8a66b733c3392daa2b384bbfa064f8 +size 7965686 diff --git a/apparmor-3.1.5.tar.gz.asc b/apparmor-3.1.5.tar.gz.asc new file mode 100644 index 0000000..7caf243 --- /dev/null +++ b/apparmor-3.1.5.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- + +iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmSCy4gaHGFwcGFybW9y +QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLt4HRAAizIl7wOoP9ULvfpSYTXD +2hs0s0Mel/kO1ZMe33F/AC3D73lQ+sClVfnBeIBfk9rvcKwhcNKhmwVTZr+Rqgcp +EWen0xJ/h9RG13G8SCjyEN6er7ZwpHkEYO3FcWJQBdMy6KfiH1iyhpkXf37GMPQS +wSpGL7VD47B5OJq1kad4pOxx/ikvRvBcRxStEFcfUpMmvZAWnlk/MBXdo98yYbUj +RfgVpjSMTcPWAO/2aKA1WTRqJyPsacnWgDbeoHThSNV+QVopXX0Cxeh6lhgWLq7e +d6/wPlKWscCr7A4iI1I40U3mLWxi8HXYy5NReVkpHfjOZIjqSphthFc7WCaA6ASg +2scmWV56kEO+Xyrbki1MgRjL+/KAgyyPkru4yQH2ACnNzyos+ABDQi8eTz4Iy/FQ +DDjUo858jPrSFcfP+E4KgYZas4I1SB+KjfwlWH31X6BAOqNBc/sOcviToOpo5OoP +fZMZD7Leakwto5y61AXjYwgjD+VLGXafYspnLCSCqwZL5JWR8yidrFHRZ7fNMjgX +wlx66Y3ATzK7YOtz9ol2evrdmLCC3firXyiwoG7ADknZnOiEdwB8xUxL6duHZlOC +6ToNR96rUx+5xIH5VkOCtxoU0IBltodqZbsmqI2ES9kcAqjuVoR1s6rOYT65CFr5 +7/WI6tQXdFVok+GpqKZAaIQ= +=p4cf +-----END PGP SIGNATURE----- diff --git a/apparmor-enable-precompiled-cache.diff b/apparmor-enable-precompiled-cache.diff new file mode 100644 index 0000000..ceb6b1f --- /dev/null +++ b/apparmor-enable-precompiled-cache.diff @@ -0,0 +1,26 @@ +Set the cache location to /var/cache/apparmor/ (writeable) and +/usr/share/apparmor/cache/ (packaged precompiled cache). + +See boo#1069906 and boo#1074429 + +Note that Tumbleweed packages don't include precompiled profile cache on +Tumbleweed as long as it's purely validated based on timestamps (boo#1205659) + + +Signed-off by: Christian Boltz + +Index: parser/parser.conf +=================================================================== +--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200 ++++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200 +@@ -31,6 +31,9 @@ + + ## Turn creating/updating of the cache on by default + write-cache ++ ++# cache location (cache writes go to the first directory in the list) ++cache-loc /var/cache/apparmor,/usr/share/apparmor/cache + + ## Show cache hits + #show-cache + 
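Review bot: The comment this patch adds to parser.conf above `cache-loc` only explains where cache writes go and says nothing about the second directory, which the patch header describes as the packaged precompiled cache that is validated purely on timestamps (boo#1205659). I would extend it to something like `# cache location (writes go to the first directory; the second is the packaged precompiled cache, validated by timestamp only - boo#1205659)` so that an admin reading parser.conf sees why the path is there and what it is trusted on. In the patch header, `Signed-off by:` should read `Signed-off-by:`, and "Tumbleweed packages don't include precompiled profile cache on Tumbleweed" names Tumbleweed twice.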
diff --git a/apparmor-enable-profile-cache.diff b/apparmor-enable-profile-cache.diff index d29dd01..2b5e162 100644 --- a/apparmor-enable-profile-cache.diff +++ b/apparmor-enable-profile-cache.diff @@ -8,27 +8,18 @@ writeable at the time profiles are loaded in Ubuntu. See also bnc#689458 -Also set the cache location to /var/cache/apparmor/ (writeable) and -/usr/share/apparmor/cache/ (packaged precompiled cache). - -See boo#1069906 and boo#1074429 - - Signed-off by: Christian Boltz Index: parser/parser.conf =================================================================== --- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200 +++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200 -@@ -31,7 +31,10 @@ +@@ -31,7 +31,7 @@ # match-string "pattern=aadfa audit perms=crwxamlk/ user::other" ## Turn creating/updating of the cache on by default -#write-cache +write-cache -+ -+# cache location (cache writes go to the first directory in the list) -+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache ## Show cache hits #show-cache diff --git a/apparmor.changes b/apparmor.changes index abeebf1..31a6569 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Sun Jun 11 14:13:18 UTC 2023 - Christian Boltz + +- update to AppArmor 3.1.5 + - fix handling of mount rules in apparmor_parser + - minor additions to abstractions/base and snap_browsers + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.5 + for the full upstream changelog +- remove upstreamed aa-status-fix-json-mr1046.patch +- split off apparmor-enable-precompiled-cache.diff from + apparmor-enable-profile-cache.diff so that the precompiled cache + path doesn't get added in parser.conf for Tumbleweed builds. + This prevents a warning about the non-existing directory when + loading profiles. + ------------------------------------------------------------------- Tue Jun 6 21:39:15 UTC 2023 - Christian Boltz 
diff --git a/apparmor.spec b/apparmor.spec index 3202b1a..eb72b7d 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -54,7 +54,7 @@ %define JAR_FILE changeHatValve.jar Name: apparmor -Version: 3.1.4 +Version: 3.1.5 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later @@ -88,8 +88,8 @@ Patch5: apparmor-lessopen-nfs-workaround.diff # make include in apache extra profile optional to make openQA happy (boo#1178527) Patch6: apache-extra-profile-include-if-exists.diff -# fix aa-status --json / --pretty-json output (merged upstream 2023-06-06 for 3.0 and 3.1 branch [not needed/suiting for master] - https://gitlab.com/apparmor/apparmor/-/merge_requests/1046) -Patch10: aa-status-fix-json-mr1046.patch +# add path for precompiled cache (only done/applied if precompiled_cache is enabled) +Patch7: apparmor-enable-precompiled-cache.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -355,7 +355,9 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/ %patch4 %patch5 %patch6 -%patch10 -p1 +%if %{with precompiled_cache} +%patch7 +%endif %build export SUSE_ASNEEDED=0 diff --git a/libapparmor.spec b/libapparmor.spec index eace6a3..0509ffa 100644 --- a/libapparmor.spec +++ b/libapparmor.spec @@ -18,7 +18,7 @@ Name: libapparmor -Version: 3.1.4 +Version: 3.1.5 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later
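Review bot: `%patch7` in the third apparmor.spec hunk relies on a patch order that the spec does not state: the context of apparmor-enable-precompiled-cache.diff contains the already uncommented `write-cache` line, so it can only apply after apparmor-enable-profile-cache.diff. I would record that in the Patch7 comment, e.g. `# add path for precompiled cache (only applied if precompiled_cache is enabled; needs apparmor-enable-profile-cache.diff applied first)`. The `precompiled_cache` build conditional is defined outside these hunks, so whether it is really off for Tumbleweed builds, as the changelog entry intends, cannot be confirmed from here.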