Accepting request 546471 from home:goldwynr:branches:security:apparmor

bsc#1069346 OBS-URL: https://build.opensuse.org/request/show/546471 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=192
2017-12-03 12:44:51 +00:00
parent 3a01d74522
commit 51c20bdc0e
3 changed files with 44 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Nov 29 15:26:48 UTC 2017 - rgoldwyn@suse.com
+
+- read_inactive_profile-exactly-once.patch (bsc#1069346)
+  Perform reading of inactive profiles exactly once.
+
 -------------------------------------------------------------------
 Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@@ -84,6 +84,9 @@ Patch16:        nameservice-libtirpc.diff
 # Fix sorted() regression in save_profiles() - submitted upstream 2017-10-22
 Patch17:        utils-fix-sorted-save_profiles-regression.diff

+# bsc#1069346
+Patch18:        read_inactive_profile-exactly-once.patch
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -384,6 +387,7 @@ SubDomain.
 %patch15 -p1
 %patch16
 %patch17
+%patch18 -p1

 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
--- a/read_inactive_profile-exactly-once.patch
+++ b/read_inactive_profile-exactly-once.patch
@@ -0,0 +1,34 @@
+commit b307e535fa26bff0abffb6bfd1aeab5d6c7c3622
+Author: Christian Boltz <apparmor@cboltz.de>
+Date:   Tue Nov 28 21:46:36 2017 +0100
+
+    Let read_inactive_profiles() do nothing when calling it the second time
+    
+    autodep() calls read_inactive_profiles() each time it's called (= for
+    each binary). The result is a "Conflicting profile" error (showing the
+    same filename twice) if autodep() runs more than once. This can easily
+    happen when using "aa-autodep /usr/bin/*".
+    
+    This patch adds an attribute to read_inactive_profiles() that lets the
+    function return without doing anything if was called before.
+
+---
+ utils/apparmor/aa.py |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
+@@ -2107,6 +2107,13 @@ def read_profiles():
+                 read_profile(profile_dir + '/' + file, True)
+ 
+ def read_inactive_profiles():
+    if hasattr(read_inactive_profiles, 'already_read'):
+        # each autodep() run calls read_inactive_profiles, but that's a) superfluous and b) triggers a conflict because the inactive profiles are already loaded
+        # therefore don't do anything if the inactive profiles were already loaded
+        return
+
+    read_inactive_profiles.already_read = True
+
+     if not os.path.exists(extra_profile_dir):
+         return None
+     try: