Accepting request 842314 from home:cboltz

- update to AppArmor 2.13.5 - add missing permissions to several profiles and abstractions - bugfixes in parser and tools - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5 for the detailed upstream changelog - remove upstream(ed) patches - changes-since-2.13.4.diff - abstractions-X-xauth-mr582.diff - sevdb-caps-mr589.diff - libvirt-leaseshelper.patch - cap_checkpoint_restore.diff - add libapparmor-so-number.diff to fix libapparmor so version (!658) libapparmor: - update to AppArmor 2.13.5 - fix two potential build failures - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5 for the detailed upstream changelog - add libapparmor-so-number.diff to fix libapparmor so version (!658) OBS-URL: https://build.opensuse.org/request/show/842314 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=279
2020-10-17 16:56:14 +00:00 · 2020-10-17 16:56:14 +00:00 · 4c6d64a169
commit 4c6d64a169
parent 9c5c1e5926
14 changed files with 96 additions and 1764 deletions
--- a/abstractions-X-xauth-mr582.diff
+++ b/abstractions-X-xauth-mr582.diff
@ -1,31 +0,0 @@
 commit 02b9090edab82021f5e2ecc7f2f4a5fc877949db
 Author: Christian Boltz <apparmor@cboltz.de>
 Date:   Mon Jul 20 20:35:41 2020 +0200
    abstractions/X: add another xauth path
    Future sddm version will use $XDG_RUNTIME_DIR/xauth_XXXXXX
    References:
    - https://bugzilla.opensuse.org/show_bug.cgi?id=1174290
    - https://bugzilla.suse.com/show_bug.cgi?id=1174293
    - https://github.com/sddm/sddm/pull/1230
    - https://github.com/jonls/redshift/issues/763
    This is the 2.13 version of 35f033ca7c0dbd03111a54ea50b3f2713b9d5584 /
    https://gitlab.com/apparmor/apparmor/-/merge_requests/581
    The difference is that this commit avoids using the @{run} variable.
 diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X
 index 1eca218d..e903861a 100644
 --- a/profiles/apparmor.d/abstractions/X
 +++ b/profiles/apparmor.d/abstractions/X
@@ -24,6 +24,7 @@
   owner /{,var/}run/lightdm/*/xauthority r,
   owner /{,var/}run/user/*/gdm/Xauthority r,
   owner /{,var/}run/user/*/X11/Xauthority r,
 +  owner /{,var/}run/user/*/xauth_* r,
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/* rw,
--- a/apparmor-2.13.4.tar.gz
+++ b/apparmor-2.13.4.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:90bf86c07ffbe2c22be46d75c7345fad12d5911653c59750a37d59c63ad5d10e
 size 7390179
--- a/apparmor-2.13.4.tar.gz.asc
+++ b/apparmor-2.13.4.tar.gz.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl5qHBQaHGFwcGFybW9y
 QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuB+BAAgKn0XnskA42OHiVxKty+
 lA2Bez6BKdbFWlqzMWw2uisNtCOr8bt0yvU3JWGb5CzrNbCVqBv6rqJeuLIBLZ3u
 70Ldfnno962kFi57mOehVVQ2yaDKY2EpPBC6HnDdsb4Tf95aiE2c9gGvvfxjUZ/7
 eHNUrPrpKvvpdnrL1+O7qmWPh68DVArceFpSt/M1Yz49V00XhaGemMVDvk/iPB2/
 tyJ0XETzjHQYeJ5IHsXrd5qe3nDOQ4YycpgyQKqiGSgO8jbwFdVyFb7nG2BGfvXG
 80wUrHc4qTv3rYYwlW+6aN2MVOKNm0T8mES+PAWJ5IVNkwsWg8VafkwLVZy0JhyW
 QY2eI5cQGVfEKl6MiXXEy6HL/CJT2MfVDj6oSD/6thFTokTyJoowvcZcsbZVvhEM
 pdh4foe7pPYavqBErQ15S9YOXeYUDH0mmdzvH0Qj1A/l4MGpio86XTOpihkfq6GR
 yZy0TMy6ZYPBxfKdcfusUHEf9YUO+ag2WRwkmIYXAKn4jTYMVjeEPQmHpZYWJ+t3
 yOlHo5+1/oyMTQXTK/5o7v/44ah2wxHszqtAHF9/ykfVCouxzBUrpbJ/NhWi32aX
 OvdNPzZWcLqogOcuL+GuPMfXv/uw9nfc+BcniR9TBJG4jq5aMe2BLBWinRNPPnJP
 nfHrUWYuwo2ADEN/STz5Bgw=
 =+xo5
 -----END PGP SIGNATURE-----
--- a/apparmor-2.13.5.tar.gz
+++ b/apparmor-2.13.5.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:637e2a14d844e53e0f0b31dc8fe8821f7bb36908c709ccc23e29033053caa717
 size 7399437
--- a/apparmor-2.13.5.tar.gz.asc
+++ b/apparmor-2.13.5.tar.gz.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl+IIdIaHGFwcGFybW9y
 QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLvg3A//aLD6j+QfyQws0vgP502C
 u806LuXLugkXJIYF2ITO2hiBHkrEDwMQchKggFDnDT15x7we6iOfSiZPyD7ltGap
 Kruwx3pkfwM/NHtBU2Q+eZiJbxkOnKquRMx6YKeJtnUNPOb8q+QK/KO+bkG8dBjA
 3uHIC0ytp+OvKSVjPfOj2N0KoKVYep+HjARkZBqeFstjXggGMD4yJDvkFmlSDho6
 Tq9Bx5jFkckiBKrQRI2j+0pKAmkp3eGdguSButRNohq01DAvfT+1SIZC7aye1T8F
 by8sXZBDkEJbDjaAW4mdzzfk/XX5xOjstNJlaT4Ld2WiiXtipQ502ibrvBjLKANi
 5Wa9gmcHa830ak9n7aRraq7AJ5DgcjXa+5XjHFjdDdRtYMDcImeopg9EttJkBosp
 D9ZhmiLXVb2GBFj5thc1h8ZQ5Y2gBKzUSO37DyReIRBRo0PqLQNzjObaQWg5mXf1
 EIhU2+mEplKKwpO2k0Xb14vnwfUTmJv+aKcx7oPjgeBypT+s0M2GaYOMrXKBH+Ky
 VTo/Y4ZzrOCqLKSE64ziH+1LH6eaQhPf7vnd9kjhcD/kjotDHrEGNiHHwDMH5hPd
 1KD/i+0aYdBsNoqGEfEhMjut2DmL+Tn8PYXORtVUWksOIlvoirGKzA/V/dscSxuM
 QF5dHbSaF1/Uy5jtKgurV7Q=
 =Yxgq
 -----END PGP SIGNATURE-----
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Sat Oct 17 15:46:01 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 - update to AppArmor 2.13.5
  - add missing permissions to several profiles and abstractions
  - bugfixes in parser and tools
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5
    for the detailed upstream changelog
 - remove upstream(ed) patches
  - changes-since-2.13.4.diff
  - abstractions-X-xauth-mr582.diff
  - sevdb-caps-mr589.diff
  - libvirt-leaseshelper.patch
  - cap_checkpoint_restore.diff
 - add libapparmor-so-number.diff to fix libapparmor so version (!658)
 -------------------------------------------------------------------
 Wed Oct 14 12:16:52 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
--- a/apparmor.spec
+++ b/apparmor.spec
@ -2,7 +2,7 @@
 # spec file for package apparmor
 #
 # Copyright (c) 2020 SUSE LLC
-# Copyright (c) 2011-2019 Christian Boltz
+# Copyright (c) 2011-2020 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -35,7 +35,7 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
 Name:           apparmor
-Version:        2.13.4
+Version:        2.13.5
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@ -65,24 +65,11 @@ Patch4:         apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5:         apparmor-lessopen-nfs-workaround.diff
 # changes and fixes since the 2.13.4 Release (v2.13.4 (= df0ac742)..5f61bd4c
 Patch9:         changes-since-2.13.4.diff
 # update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x)
 Patch10:        ./usr-etc-abstractions-base-nameservice.diff
-# allow /{,var/}run/user/*/xauth_* r, in abstractions/X (submitted upstream 2020-07-20 https://gitlab.com/apparmor/apparmor/-/merge_requests/581 (master), https://gitlab.com/apparmor/apparmor/-/merge_requests/582 (2.11..2.13))
+# fix libapparmor so version (submitted upstream 2020-10-17 https://gitlab.com/apparmor/apparmor/-/merge_requests/658)
-Patch11:        abstractions-X-xauth-mr582.diff
+Patch11:        libapparmor-so-number.diff
 # add CAP_BPF and CAP_PERFMON to severity.db (merged upstream 2020-08-07 https://gitlab.com/apparmor/apparmor/-/merge_requests/589 (2.11..master))
 Patch12:        sevdb-caps-mr589.diff
 # add /usr/libexec as a path for libvirt_leaseshelper script, jsc#SLE-14253
 # needs to go upstream
 Patch13:        libvirt-leaseshelper.patch
 # add CAP_CHECKPOINT_RESTORE to severity.db (https://gitlab.com/apparmor/apparmor/-/merge_requests/656, submitted upstream 2020-10-14 for 2.10..master)
 Patch14:        cap_checkpoint_restore.diff
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -372,7 +359,6 @@ SubDomain.
 %patch3 -p1
 %patch4
 %patch5
 %patch9 -p1
 %if 0%{?suse_version} > 1500
 # /usr/etc/ changes in abstractions, apply only to Tumbleweed, but not to Leap 15.x
@ -380,9 +366,6 @@ SubDomain.
 %endif
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
 %build
 %define _lto_cflags %{nil}
--- a/cap_checkpoint_restore.diff
+++ b/cap_checkpoint_restore.diff
@ -1,18 +0,0 @@
 commit 2c2dbdc3a3012ce06371edc1e9be6f58711d8565
 Author: Christian Boltz <apparmor@cboltz.de>
 Date:   Wed Oct 14 14:01:55 2020 +0200
    Add CAP_CHECKPOINT_RESTORE to severity.db
 diff --git a/utils/severity.db b/utils/severity.db
 index 3e07d44e..85b1d5de 100644
 --- a/utils/severity.db
 +++ b/utils/severity.db
@@ -30,6 +30,7 @@
        CAP_SETUID 9
        CAP_FOWNER 9
        CAP_BPF 9
 +       CAP_CHECKPOINT_RESTORE 9
 # Denial of service, bypass audit controls, information leak
        CAP_SYS_TIME 8
        CAP_NET_ADMIN 8
--- a/changes-since-2.13.4.diff
+++ b/changes-since-2.13.4.diff
--- a/libapparmor-so-number.diff
+++ b/libapparmor-so-number.diff
@ -0,0 +1,42 @@
 commit 145136f6041aba4fffbbf8d1a5df368998b81ca1
 Author: Christian Boltz <apparmor@cboltz.de>
 Date:   Sat Oct 17 17:30:39 2020 +0200
    Fix 2.13 libapparmor so version
    ab0f4ab2ed7e734827b143cd32dace4444875e9b increased AA_LIB_REVISION and
    AA_LIB_AGE, with the result that 2.13.5 builds libapparmor.so.0.7.3,
    while 2.13.4 had libapparmor-1.6.2
    This patch reverts the AA_LIB_AGE increase to fix the so name so that
    we'll get libapparmor-1.6.3.
    Note: If you want to apply this fix on top of the 2.13.5 tarball, you'll
    need to also apply the patch to Makefile.in.
 diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
 index b59b2d1c..6d9c6296 100644
 --- a/libraries/libapparmor/src/Makefile.am
 +++ b/libraries/libapparmor/src/Makefile.am
@@ -28,7 +28,7 @@ INCLUDES = $(all_includes)
 #
 AA_LIB_CURRENT = 7
 AA_LIB_REVISION = 3
 -AA_LIB_AGE = 7
 +AA_LIB_AGE = 6
 SUFFIXES = .pc.in .pc
 diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
 index b59b2d1c..6d9c6296 100644
 --- a/libraries/libapparmor/src/Makefile.in
 +++ b/libraries/libapparmor/src/Makefile.in
@@ -587,7 +587,7 @@ INCLUDES = $(all_includes)
 #
 AA_LIB_CURRENT = 7
 AA_LIB_REVISION = 3
 -AA_LIB_AGE = 7
 +AA_LIB_AGE = 6
 SUFFIXES = .pc.in .pc
 BUILT_SOURCES = grammar.h scanner.h af_protos.h
 AM_LFLAGS = -v
--- a/libapparmor.changes
+++ b/libapparmor.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Sat Oct 17 15:45:32 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 - update to AppArmor 2.13.5
  - fix two potential build failures
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5
    for the detailed upstream changelog
 - add libapparmor-so-number.diff to fix libapparmor so version (!658)
 -------------------------------------------------------------------
 Thu Mar 12 19:30:19 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -18,7 +18,7 @@
 Name:           libapparmor
-Version:        2.13.4
+Version:        2.13.5
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
@ -32,6 +32,9 @@ BuildRequires:  flex
 BuildRequires:  pkg-config
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # fix libapparmor so version (submitted upstream 2020-10-17 https://gitlab.com/apparmor/apparmor/-/merge_requests/658
 Patch1:         libapparmor-so-number.diff
 %description
 This package provides the libapparmor library, which contains the
 change_hat(2) symbol, used for sub-process confinement by AppArmor, as
@ -67,6 +70,7 @@ AppArmor API.
 %prep
 %setup -q -n apparmor-%{version}
 %patch1 -p1
 %build
 %define _lto_cflags %{nil}
--- a/libvirt-leaseshelper.patch
+++ b/libvirt-leaseshelper.patch
@ -1,31 +0,0 @@
 profiles: Add /usr/libexec as a path to the libvirt leaseshelper script
 openSUSE recently joined most distros in defining libexecdir as /usr/libexec.
 The SUSE libvirt package, which for a long time has set libexecdir to
 /usr/lib64/libvirt, needs to adopt. Jira SLE-14253 requests libvirt to use
 /usr/libexec. libvirt 6.7.0 will be hitting Factory soon with libexecdir
 set to /usr/libexec. Add it as a path for the libvirt_leaseshelper script.
 Signed-off-by: Jim Fehlig <jfehlig@suse.com>
 Index: apparmor-2.13.4/profiles/apparmor.d/usr.sbin.dnsmasq
 ===================================================================
 --- apparmor-2.13.4.orig/profiles/apparmor.d/usr.sbin.dnsmasq
 +++ apparmor-2.13.4/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -88,7 +88,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin
   /{,var/}run/libvirt/network/*.pid rw,
   # libvirt lease helper
 -  /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
 +  /usr/{lib/libvirt,lib64/libvirt,libexec}/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
   # lxc-net pid and lease files
   /{,var/}run/lxc/dnsmasq.pid    rw,
@@ -115,7 +115,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin
     /etc/libnl-3/classid r,
 -    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
 +    /usr/{lib/libvirt,lib64/libvirt,libexec}/libvirt_leaseshelper m,
     owner @{PROC}/@{pid}/net/psched r,
     owner @{PROC}/@{pid}/status r,
--- a/sevdb-caps-mr589.diff
+++ b/sevdb-caps-mr589.diff
@ -1,40 +0,0 @@
 https://gitlab.com/apparmor/apparmor/-/merge_requests/589
 commit ae012502095596df4675555da635c868e3b3c04a
 Author: Christian Boltz <apparmor@cboltz.de>
 Date:   Fri Aug 7 22:37:19 2020 +0200
    Add CAP_BPF and CAP_PERFMON to severity.db
    These capabilities were introduced in Linux 5.8
    References: https://bugs.launchpad.net/bugs/1890547
 diff --git a/utils/severity.db b/utils/severity.db
 index 3c028400..3e07d44e 100644
 --- a/utils/severity.db
 +++ b/utils/severity.db
@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
 #    Copyright (C) 2014 Canonical Ltd.
 +#    Copyright (C) 2020 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -28,6 +29,7 @@
        CAP_SETGID 9
        CAP_SETUID 9
        CAP_FOWNER 9
 +       CAP_BPF 9
 # Denial of service, bypass audit controls, information leak
        CAP_SYS_TIME 8
        CAP_NET_ADMIN 8
@@ -49,6 +51,7 @@
        CAP_BLOCK_SUSPEND 8
        CAP_DAC_READ_SEARCH 7
        CAP_AUDIT_READ 7
 +       CAP_PERFMON 7
 # unused
        CAP_NET_BROADCAST 0