Accepting request 1154197 from security:apparmor

- Remove workaround for boo#853019 in %postun parser -
  apparmor.service contains a more safe workaround.
  This also fixes boo#1220708 (missing daemon-reload).

- Add smbd-unix_chkpwd.diff to allow smbd to execute
  unix_chkpwd and fix other pam related denies; (boo#1220032).

- Only run utils and profiles make check if kernel LSM is enabled
  (bsc#1220084)

OBS-URL: https://build.opensuse.org/request/show/1154197
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=204

apparmor.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Mar  1 20:54:12 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
+
+- Remove workaround for boo#853019 in %postun parser -
+  apparmor.service contains a more safe workaround.
+  This also fixes boo#1220708 (missing daemon-reload).
+
+-------------------------------------------------------------------
+Tue Feb 27 14:26:58 UTC 2024 - Noel Power <nopower@suse.com>
+
+- Add smbd-unix_chkpwd.diff to allow smbd to execute
+  unix_chkpwd and fix other pam related denies; (boo#1220032).
+
 -------------------------------------------------------------------
 Mon Feb 26 17:25:58 UTC 2024 - Ludwig Nussel <lnussel@suse.com>
 
@@ -8,6 +21,12 @@ Tue Feb 20 10:16:27 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 
 - Use %patch -P N instead of deprecated %patchN.
 
+-------------------------------------------------------------------
+Tue Feb 20 02:41:09 UTC 2024 - David Disseldorp <ddiss@suse.com>
+
+- Only run utils and profiles make check if kernel LSM is enabled
+  (bsc#1220084)
+
 -------------------------------------------------------------------
 Thu Feb  8 05:20:26 UTC 2024 - David Disseldorp <ddiss@suse.com>
 

apparmor.spec

@@ -98,6 +98,10 @@ Patch9:         dovecot-unix_chkpwd.diff
 # abstractions/openssl: allow version specific engdef & engines paths (boo#1219571)
 Patch10:        apparmor-abstractions-openssl-allow-version-specific-en.patch
 
+# allow smbd to execute unix_chkpwd (boo#1220032)
+# https://gitlab.com/apparmor/apparmor/-/merge_requests/1159
+Patch11:        smbd-unix_chkpwd.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
@@ -367,6 +371,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %endif
 %patch -P 9 -p1
 %patch -P 10 -p1
+%patch -P 11 -p1
 
 %build
 export SUSE_ASNEEDED=0
@@ -429,17 +434,24 @@ make check -C libraries/libapparmor
 make check -C parser
 make check -C binutils
 
-# profiles make check fails for the utils (they expect /sbin/apparmor_parser to exist), therefore only do parser-based check
-make -C profiles check-parser
+# some tests depend on kernel LSM (e.g. access /proc/PID/attr/apparmor/current)
+if grep -q apparmor /sys/kernel/security/lsm; then
+	# profiles make check fails for the utils (they expect
+	# /sbin/apparmor_parser to exist), therefore only do parser-based check
+	make -C profiles check-parser
 
-# test for a few files that should exist in the cache
 %if %{with precompiled_cache}
-test -f profiles/cache/*/bin.ping
-test -f profiles/cache/*/.features
+	# test for a few files that should exist in the cache
+	test -f profiles/cache/*/bin.ping
+	test -f profiles/cache/*/.features
 %endif
 
-# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
-make check -o check_lint -C utils
+	# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
+	make check -o check_lint -C utils
+else
+	# clear grep status to avoid flagging check failure
+	true
+fi
 
 %install
 # libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
@@ -736,13 +748,9 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %service_del_preun apparmor.service
 
 %postun parser
-# don't call try-restart, see bnc#853019
-%if 0%{?suse_version} <= 1500
-export DISABLE_RESTART_ON_UPDATE="yes"
+# bnc#853019 aka boo#853019 is still a thing, but in the meantime apparmor.service has ExecStop=/bin/true (= do nothing),
+# which means that 'systemctl restart apparmor' is safe now
 %service_del_postun apparmor.service
-%else
-%service_del_postun_without_restart apparmor.service
-%endif
 
 %posttrans abstractions
 # workaround for bnc#904620#c8 / lp#1392042

smbd-unix_chkpwd.diff

@@ -0,0 +1,31 @@
+Index: apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
+===================================================================
+--- apparmor-3.1.7.orig/profiles/apparmor.d/usr.sbin.smbd
++++ apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
+@@ -33,6 +33,9 @@ profile smbd /usr/{bin,sbin}/smbd {
+   /etc/samba/* rwk,
+   @{PROC}/@{pid}/mounts r,
+   @{PROC}/sys/kernel/core_pattern r,
++  /usr/etc/environment r,
++  /usr/etc/security/limits.d/ r,
++  /usr/etc/security/limits.d/*.conf  r,
+   /usr/lib*/samba/vfs/*.so mr,
+   /usr/lib*/samba/auth/*.so mr,
+   /usr/lib*/samba/charset/*.so mr,
+@@ -47,6 +50,7 @@ profile smbd /usr/{bin,sbin}/smbd {
+   /usr/share/samba/** r,
+   /usr/{bin,sbin}/smbd mr,
+   /usr/{bin,sbin}/smbldap-useradd Px,
++  /usr/sbin/unix_chkpwd Px,
+   /var/cache/samba/** rwk,
+   /var/{cache,lib}/samba/printing/printers.tdb mrw,
+   /var/lib/nscd/netgroup r,
+@@ -59,6 +63,8 @@ profile smbd /usr/{bin,sbin}/smbd {
+   @{run}/samba/ncalrpc/** rw,
+   /var/spool/samba/** rw,
+ 
++  owner /proc/@{pid}/loginuid r,
++
+   @{HOMEDIRS}/** lrwk,
+   /var/lib/samba/usershares/{,**} lrwk,
+