Accepting request 1142649 from home:cboltz

- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute unix_chkpwd, and add a profile for unix_chkpwd. This is needed for PAM 1.6 (boo#1219139) - Refresh apparmor.keyring - the key was renewed OBS-URL: https://build.opensuse.org/request/show/1142649 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=388
2024-01-29 21:22:57 +00:00 · 2024-01-29 21:22:57 +00:00 · 4d639e7be3
commit 4d639e7be3
parent d4f95baf8b
5 changed files with 119 additions and 29 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jan 29 20:56:13 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
+
+- Add dovecot-unix_chkpwd.diff to allow dovecot-auth to execute
+  unix_chkpwd, and add a profile for unix_chkpwd. This is needed
+  for PAM 1.6 (boo#1219139)
+- Refresh apparmor.keyring - the key was renewed
+
 -------------------------------------------------------------------
 Wed Nov  8 18:19:36 UTC 2023 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.keyring
+++ b/apparmor.keyring
@ -1,5 +1,4 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2

 mQINBFUwHrABEADZVFn6TF2SxrpMiknHVeUHW7l4mOjHcxtULlEOQ3yaxyNxA0iE
 GFWnbP7ek2cjzrfNIA1HNiS0FNsKipRAd5EfRUvJO3lrVfPBRBMLExeyA5h8vXtc
@ -38,28 +37,53 @@ AC0AGHHsBcijFLzsSn9hOve8DSo/Jwjgvb1Rx1wl8RsmegATOik7FnWRsU+2OM9f
 /BU3sLXuKWRQFXiVHsEpRO+vKVFVtcdu7BGzuFBnLS26SNP2jKRYIWJ1ea177w82
 vcjX5URSTBSQef0ABuYgzcV3CmTkKmpDmy49X+bpLQjYwX26XVh4Fm8yULTXT+Wc
 pyDNf4itO8VSQpzrecBBcNJnyYvKBOuV0ASs4bZ0/ghmfGNHENk18ZQHZQ0pI1vX
-eNk5l60Ensk0WWA/sz1732WzhTtRuQINBFUwHrABEACzq2cDh5gGH419PwIGmkxY
-rZWyVglmXPI/4sf/dAqyrr/FRkSNW+VZzw/yLVfA4zW9ttYReJsmFKqXpSoF8ci5
-RfZf1fba9xv4I5x4WBGNcaUZzdKm7vMW/reJRDsNw7f6zvL9VlUUtlL8lSnsObbE
-yCrI8oMUwJzu8ojFMiUfRfmQ0IQrYC8hFgmMkknsG6gQTrKSX3xDmFPeAaN11TA1
-9thm+GrcEbKvDMiS5RGG924Lmz+67C+hmKc6HRvDPkNp6prDmiMiLkCun6qQQC5b
-jdO3yKlEuhxeNcNAxKIEpv5Syy9gEXXT8DeLQmutSHHb1SYSMB6mzX7b+3wtka+E
-uCwWk3VrutpOHD0HCJMMtxbLrtlyq8v+3m8v9tyfNBVaeFyR7IEt9ciGiIe5eNw8
-R3E3BRGEIW7ABs55rnA47mmVO6nBGq8VMriLCeVSO7I/D+9enSvcTng78PK99iBW
-7e6gbGtGUXLpvx/bu61HpQrnG4DWVJ7jk6W2bbSLclT8DwJDQiN+poamNuoQjqAW
-xrxsYPNRsc6/Ro0LJMXAkc0xQqShtXl2pdCdJroj8gXq3i3HpQfDZrjzNbW02gMN
-HSCR5QpmGS4UrL8ex+3DYnGUZh/SxMVVVbRQ4dPbO5yTbwDdaQkAenA6Faj4lM7S
-jv4ToiG6Ld6c6UMU1B5CVQARAQABiQIlBBgBCgAPBQJVMB6wAhsMBQkPCZwAAAoJ
-EGaJ5k49NmS7LfwP/0M+kTh5bviy4rr6OtCUnd/qCob/DBLkbCbHrEZz/+2yUQa1
-IS93BjKrU2umD/CcMEU0F6yltHr7QtFufWEkcz1HvfRru2H1B3rrNxr1cab0ek7K
-+456gN5Os2/jP/1L4BsAjAPii1wthpH59z8m333L2uDnkkd8cUTaIW+TBPG2wN2C
-OJ+Pgyd9SAaqpVFmO0CoLhWixyK42OJTbm12SyeUq2VlVX+v+S2rql64RZJI9Kcn
-N/36kWAgMdDuCpa8XEhJP2DxC8QcFyduP7/ZdYJZNWuiny6VP+HKblP6Imnc6xjz
-HXSQauDsp5hUuxz+aLaAJSS1yBA23lfdhf+Yfu4ruMGFICdHXAkRXBt2JFIVskt3
-cL/tBrNEkDi0JG6FzYAS9gLJIyvlJlElgXXF0OZl60kjh254xRDEH5Q8/spBDdzw
-0FkHS3hPWjM3sDSSZuX9YAZDzw0wQGM6sl4y+BX8I2JerhF9SIS606NAaT+06kOH
-5wa4S51u6XN+UdXoXa6XSo/fqhVHt/5Mu1A90gMkA65ji0X+Xu/Yoo3Ui1Tx584t
-qtHJFnDQa4wJbmjB7uzqbpkk7xKFII1vgLayS8MkFvg+lnmjvgr/ve0hoHZnVCSz
-md9kZgGkKQfTaGFIZRc24D44tcIL1K20B+cskRqhpee7EGaba7sazdpVk3A0
-=dwg6
+eNk5l60Ensk0WWA/sz1732WzhTtRiQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAFiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmRRDVUFCRECIiUACgkQ
+ZonmTj02ZLsLKg/9FOHsQ9aab5nZd3UfHxT3YTC73wkRIkKtoO1Y3Sv4pHzMr3CP
+AV9Z+5YA8rUGyaSB14AFyVKjCswv3Rymd3IV+i2UYO9RwUpv3nM+adumIRga/mXp
+yMwARcsRhlrrsUQL0H8R868Z/Pmq7yQw60/0jUXC/O+BJwD0xtTe/oIOwc7oyCDL
+oOX8R0XcuVcnoDn0Mc27hFV1xK3iz5c0LtqTLLW20I3YqIVPdiF52SAwFo57xNZ7
+ntIvhntEHvhTzSD/BtiTNolhxf3C/pm/tmkgZ1CbkZn/TmXGEibHauP6Q9l1T7y9
+HkrPrq89c6kRVDnl6k3/W8f38ocat6U2xBcRQYtcLPvns3VpLIcLge1E2k0C7pYT
+KxhyCo3Oc8WGpNX7ta/i3umUk0JlNl2vKiqjFilDWiu2ygXzzucmcQCkYQElrmUC
+qGMBDnZWAi6qR1yMDiOdeIHni6V8GAjRUGVUhrqzMRNF091Szthxn4EQGOoZSBZl
+9MkKm02hlj95eE+7UtSk/tAtLNxnIhwsz4OYxQxKh/kmj7AD8D2mD4ImQKaoCIPv
+YJOXt6fHSLWZGNOSAn6oOWgAb4yMfausgJsE+USEsYphAyE/gfyPEqM3h7RzWmFi
+u6UHYeKGpEzi6r66x/+WBH7VwJDM0Zg3KfDPXznyq3ZSUjpplQQI56UXttG5Ag0E
+VTAesAEQALOrZwOHmAYfjX0/AgaaTFitlbJWCWZc8j/ix/90CrKuv8VGRI1b5VnP
+D/ItV8DjNb221hF4myYUqpelKgXxyLlF9l/V9tr3G/gjnHhYEY1xpRnN0qbu8xb+
+t4lEOw3Dt/rO8v1WVRS2UvyVKew5tsTIKsjygxTAnO7yiMUyJR9F+ZDQhCtgLyEW
+CYySSewbqBBOspJffEOYU94Bo3XVMDX22Gb4atwRsq8MyJLlEYb3bgubP7rsL6GY
+pzodG8M+Q2nqmsOaIyIuQK6fqpBALluN07fIqUS6HF41w0DEogSm/lLLL2ARddPw
+N4tCa61IcdvVJhIwHqbNftv7fC2Rr4S4LBaTdWu62k4cPQcIkwy3Fsuu2XKry/7e
+by/23J80FVp4XJHsgS31yIaIh7l43DxHcTcFEYQhbsAGznmucDjuaZU7qcEarxUy
+uIsJ5VI7sj8P716dK9xOeDvw8r32IFbt7qBsa0ZRcum/H9u7rUelCucbgNZUnuOT
+pbZttItyVPwPAkNCI36mhqY26hCOoBbGvGxg81Gxzr9GjQskxcCRzTFCpKG1eXal
+0J0muiPyBereLcelB8NmuPM1tbTaAw0dIJHlCmYZLhSsvx7H7cNicZRmH9LExVVV
+tFDh09s7nJNvAN1pCQB6cDoVqPiUztKO/hOiIbot3pzpQxTUHkJVABEBAAGJAiUE
+GAEKAA8FAlUwHrACGwwFCQ8JnAAACgkQZonmTj02ZLst/A//Qz6ROHlu+LLiuvo6
+0JSd3+oKhv8MEuRsJsesRnP/7bJRBrUhL3cGMqtTa6YP8JwwRTQXrKW0evtC0W59
+YSRzPUe99Gu7YfUHeus3GvVxpvR6Tsr7jnqA3k6zb+M//UvgGwCMA+KLXC2Gkfn3
+Pybffcva4OeSR3xxRNohb5ME8bbA3YI4n4+DJ31IBqqlUWY7QKguFaLHIrjY4lNu
+bXZLJ5SrZWVVf6/5LauqXrhFkkj0pyc3/fqRYCAx0O4KlrxcSEk/YPELxBwXJ24/
+v9l1glk1a6KfLpU/4cpuU/oiadzrGPMddJBq4OynmFS7HP5otoAlJLXIEDbeV92F
+/5h+7iu4wYUgJ0dcCRFcG3YkUhWyS3dwv+0Gs0SQOLQkboXNgBL2AskjK+UmUSWB
+dcXQ5mXrSSOHbnjFEMQflDz+ykEN3PDQWQdLeE9aMzewNJJm5f1gBkPPDTBAYzqy
+XjL4FfwjYl6uEX1IhLrTo0BpP7TqQ4fnBrhLnW7pc35R1ehdrpdKj9+qFUe3/ky7
+UD3SAyQDrmOLRf5e79iijdSLVPHnzi2q0ckWcNBrjAluaMHu7OpumSTvEoUgjW+A
+trJLwyQW+D6WeaO+Cv+97SGgdmdUJLOZ32RmAaQpB9NoYUhlFzbgPji1wgvUrbQH
+5yyRGqGl57sQZptruxrN2lWTcDSJAjwEGAEKACYCGwwWIQQ+zcul+zTSVJYcxT9m
+ieZOPTZkuwUCZFENowUJEQIicwAKCRBmieZOPTZku47eEAC2yveESIGTnAcyJW04
+6igIK4NRwdfF89TDO5rJa8ZrKhbPw2Qk6CNf575cLj4/CMo6oJV3zv4a4CXztZ2B
+8ObJ83pWX8AErQxA4dZdd2J+wl+5bPfeXI1Rm7FmOm32IrJfBI5hRSCq8/GBagaF
+xnX5BTmnnWiDRKviodZ3kb9JVl4r1Nj4ELfC2eWpkp9KsAtrP48vK7DD7wP2uc/Z
+ngCVzzSiWRLFOsUyVssYjgKZlFGYZ0w0kcTJoeoCTXU1/YvudFjeYb9vHBCJIoDU
+NZi4Szxww6bnhgeCldP7Hr9rqwuPk8ReVcvbQOThORubY79oGdCp+ZmmoMFqAlDL
+PektIdi0ZoP1a/u/d7qWTutLfkSHL2xwITtjVQtYY3wsuf9FVua8sksohSXuYW+d
+DvP76y5EHZjituhykWm1SB74vy7XwxTJqhwTUgjdjc6Mwm4wu2eGCarfSTPrEin3
+X6oFB7TUFddDc8gADKmPsy+Q2ts7RAZzl1dPQEmHBhwbH9ifXtahQjlg7XKYN7A6
+ByfDxcono0VHBte5gTHIoi9k7CwEIHqjlHphpCORnzFemu52kdSN49gwrqK5hGTr
+uv0BfG/LcYu2px9O2b65QTcR4nF1Zr07XfzL3pMUHsDquYBS67L2FnyXwOEfxRnX
+EC34BZpyVkv7QfB5AuuQGbIeFQ==
+=QOb0
 -----END PGP PUBLIC KEY BLOCK-----
--- a/apparmor.spec
+++ b/apparmor.spec
@ -1,8 +1,8 @@
 #
 # spec file for package apparmor
 #
-# Copyright (c) 2023 SUSE LLC
-# Copyright (c) 2011-2022 Christian Boltz
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2011-2024 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -97,6 +97,9 @@ Patch7:         apparmor-enable-precompiled-cache.diff
 # Upstream MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1121 (merged 2023-11-08 into master, 3.1 and 3.0)
 Patch8:         apparmor-systemd-sessions.patch

+# allow dovecot-auth to execute unix_chkpwd, and add a profile for unix_chkpwd. This is needed for PAM 1.6 (boo#1219139)
+Patch9:         dovecot-unix_chkpwd.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
@ -365,6 +368,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch7
 %endif
 %patch8 -p1
+%patch9 -p1

 %build
 export SUSE_ASNEEDED=0
@ -599,6 +603,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
 %config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
 %config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
+%config(noreplace) %{_sysconfdir}/apparmor.d/unix-chkpwd
 %config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
--- a/dovecot-unix_chkpwd.diff
+++ b/dovecot-unix_chkpwd.diff
@ -0,0 +1,53 @@
+Index: apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ apparmor-3.1.6/profiles/apparmor.d/unix-chkpwd	2024-01-29 21:53:27.234254724 +0100
+@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+# The apparmor.d project comes with several variables and abstractions
+# that are not part of upstream AppArmor yet. Therefore this profile was
+# adopted to use abstractions and variables that are available.
+# Copyright (C) Christian Boltz 2024
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+
+  # To write records to the kernel auditing log.
+  capability audit_write,
+
+  network netlink raw,
+
+  /{,usr/}{,s}bin/unix_chkpwd mr,
+
+  /etc/shadow r,
+
+  # file_inherit
+  owner /dev/tty[0-9]* rw,
+
+  include if exists <local/unix-chkpwd>
+}
+Index: apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth
+===================================================================
+--- apparmor-3.1.6.orig/profiles/apparmor.d/usr.lib.dovecot.auth	2023-06-21 23:13:41.000000000 +0200
+++ apparmor-3.1.6/profiles/apparmor.d/usr.lib.dovecot.auth	2024-01-29 21:45:32.528140518 +0100
+@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib/dovecot/au
+   @{run}/dovecot/stats-user rw,
+   @{run}/dovecot/anvil-auth-penalty rw,
+ 
+  owner /proc/@{pid}/loginuid r,
+
+   /var/spool/postfix/private/auth rw,
+ 
+  /usr/sbin/unix_chkpwd Px,
+
+   # Site-specific additions and overrides. See local/README for details.
+   include if exists <local/usr.lib.dovecot.auth>
+ }
--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -1,8 +1,8 @@
 #
 # spec file for package libapparmor
 #
-# Copyright (c) 2023 SUSE LLC
-# Copyright (c) 2011-2022 Christian Boltz
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2011-2024 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed