From 8cf3c6a617b528934888124d0a3d568f40aa4bc42d58c81bbd935b44231c66f7 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Thu, 29 Feb 2024 20:44:35 +0000
Subject: [PATCH 1/3] Accepting request 1152898 from home:npower:branches:security:apparmor
- Add smbd-unix_chkpwd.diff to allow smbd to execute unix_chkpwd and fix other pam related denies; (boo#1220032).
OBS-URL: https://build.opensuse.org/request/show/1152898
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=398
---
apparmor.changes | 6 ++++++
apparmor.spec | 5 +++++
smbd-unix_chkpwd.diff | 31 +++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+)
create mode 100644 smbd-unix_chkpwd.diff
diff --git a/apparmor.changes b/apparmor.changes
index 0c6f2ca..c4d370c 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Feb 27 14:26:58 UTC 2024 - Noel Power
+
+- Add smbd-unix_chkpwd.diff to allow smbd to execute
+ unix_chkpwd and fix other pam related denies; (boo#1220032).
+
 -------------------------------------------------------------------
 Mon Feb 26 17:25:58 UTC 2024 - Ludwig Nussel
 
diff --git a/apparmor.spec b/apparmor.spec
index f7f1874..ac1c9d2 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -98,6 +98,10 @@ Patch9: dovecot-unix_chkpwd.diff
 # abstractions/openssl: allow version specific engdef & engines paths (boo#1219571)
 Patch10: apparmor-abstractions-openssl-allow-version-specific-en.patch
 
+# allow smbd to execute unix_chkpwd (boo#1220032)
+# https://gitlab.com/apparmor/apparmor/-/merge_requests/1159
+Patch11: smbd-unix_chkpwd.diff
+
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison
@@ -367,6 +371,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %endif
 %patch -P 9 -p1
 %patch -P 10 -p1
+%patch -P 11 -p1
 
 %build
 export SUSE_ASNEEDED=0
diff --git a/smbd-unix_chkpwd.diff b/smbd-unix_chkpwd.diff
new file mode 100644
index 0000000..6135f01
--- /dev/null
+++ b/smbd-unix_chkpwd.diff
@@ -0,0 +1,31 @@
+Index: apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
+===================================================================
+--- apparmor-3.1.7.orig/profiles/apparmor.d/usr.sbin.smbd
++++ apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
+@@ -33,6 +33,9 @@ profile smbd /usr/{bin,sbin}/smbd {
+ /etc/samba/* rwk,
+ @{PROC}/@{pid}/mounts r,
+ @{PROC}/sys/kernel/core_pattern r,
++ /usr/etc/environment r,
++ /usr/etc/security/limits.d/ r,
++ /usr/etc/security/limits.d/*.conf r,
+ /usr/lib*/samba/vfs/*.so mr,
+ /usr/lib*/samba/auth/*.so mr,
+ /usr/lib*/samba/charset/*.so mr,
+@@ -47,6 +50,7 @@ profile smbd /usr/{bin,sbin}/smbd {
+ /usr/share/samba/** r,
+ /usr/{bin,sbin}/smbd mr,
+ /usr/{bin,sbin}/smbldap-useradd Px,
++ /usr/sbin/unix_chkpwd Px,
+ /var/cache/samba/** rwk,
+ /var/{cache,lib}/samba/printing/printers.tdb mrw,
+ /var/lib/nscd/netgroup r,
+@@ -59,6 +63,8 @@ profile smbd /usr/{bin,sbin}/smbd {
+ @{run}/samba/ncalrpc/** rw,
+ /var/spool/samba/** rw,
+ 
++ owner /proc/@{pid}/loginuid r,
++
+ @{HOMEDIRS}/** lrwk,
+ /var/lib/samba/usershares/{,**} lrwk,
+ 
From 4fb7056ea810640566d7f1a36607905f3ef9f94e710fb5d7a8a26385e863d044 Mon Sep 17 00:00:00 2001
From: Goldwyn Rodrigues
Date: Fri, 1 Mar 2024 19:52:43 +0000
Subject: [PATCH 2/3] Accepting request 1148955 from home:dmdiss:aa_multivers_openssl_prof
- Only run utils and profiles make check if kernel LSM is enabled (bsc#1220084)
OBS-URL: https://build.opensuse.org/request/show/1148955
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=399
---
apparmor.changes | 6 ++++++
apparmor.spec | 21 ++++++++++++++-------
2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/apparmor.changes b/apparmor.changes
index c4d370c..19ee54d 100644
--- a/apparmor.changes
+++ b/apparmor.changes
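Review bot: The new rule `owner /proc/@{pid}/loginuid r,` in the last hunk of usr.sbin.smbd spells out `/proc` literally while the neighbouring rules in the same profile go through the tunable (`@{PROC}/@{pid}/mounts r,`); for consistency, and so the rule follows `@{PROC}` wherever it is set, write it as `owner @{PROC}/@{pid}/loginuid r,`. The added `/usr/sbin/unix_chkpwd Px,` is the right transition for a setuid helper (separate profile, environment scrubbed), but it only works if a profile for /usr/sbin/unix_chkpwd is actually loaded on the target system — presumably the same one the existing dovecot-unix_chkpwd.diff (Patch9) relies on; worth confirming both patches expect the same profile name, since otherwise the exec is denied rather than confined. The `/usr/etc/environment` and `/usr/etc/security/limits.d/` grants cover only the vendor locations; whether the matching /etc overrides are already covered by an included abstraction cannot be told from this hunk.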
@@ -14,6 +14,12 @@ Tue Feb 20 10:16:27 UTC 2024 - Dominique Leuenberger
 
 - Use %patch -P N instead of deprecated %patchN.
 
+-------------------------------------------------------------------
+Tue Feb 20 02:41:09 UTC 2024 - David Disseldorp
+
+- Only run utils and profiles make check if kernel LSM is enabled
+ (bsc#1220084)
+
 -------------------------------------------------------------------
 Thu Feb 8 05:20:26 UTC 2024 - David Disseldorp
 
diff --git a/apparmor.spec b/apparmor.spec
index ac1c9d2..78feaeb 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -434,17 +434,24 @@ make check -C libraries/libapparmor
 make check -C parser
 make check -C binutils
 
-# profiles make check fails for the utils (they expect /sbin/apparmor_parser to exist), therefore only do parser-based check
-make -C profiles check-parser
+# some tests depend on kernel LSM (e.g. access /proc/PID/attr/apparmor/current)
+if grep -q apparmor /sys/kernel/security/lsm; then
+ # profiles make check fails for the utils (they expect
+ # /sbin/apparmor_parser to exist), therefore only do parser-based check
+ make -C profiles check-parser
 
-# test for a few files that should exist in the cache
 %if %{with precompiled_cache}
-test -f profiles/cache/*/bin.ping
-test -f profiles/cache/*/.features
+ # test for a few files that should exist in the cache
+ test -f profiles/cache/*/bin.ping
+ test -f profiles/cache/*/.features
 %endif
 
-# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
-make check -o check_lint -C utils
+ # run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
+ make check -o check_lint -C utils
+else
+ # clear grep status to avoid flagging check failure
+ true
+fi
 
 %install
 # libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
From d108d92e935a12f3e71b49b45e3b4aa98f991b958e8b0a432905b765e76b67cd Mon Sep 17 00:00:00 2001
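Review bot: The `else` branch of the new `if grep -q apparmor /sys/kernel/security/lsm` block in %check skips the profiles and utils test suites without leaving any trace in the build log, so a build-environment regression (securityfs not mounted, apparmor dropped from the kernel's LSM list) silently removes those checks; replace the bare `true` with a visible notice, e.g. `echo "AppArmor LSM not active in build environment, skipping profiles/utils checks" >&2`. The comment `# clear grep status to avoid flagging check failure` is misleading as well: an `if` whose condition fails and has no `else` already exits 0, so the branch is only needed for the message. When /sys/kernel/security/lsm does not exist at all, `grep -q` prints an error before the `else` runs; `grep -qs apparmor /sys/kernel/security/lsm` keeps the log clean in that case.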
From: Christian Boltz
Date: Fri, 1 Mar 2024 22:28:16 +0000
Subject: [PATCH 3/3] Accepting request 1154195 from home:cboltz
- Remove workaround for boo#853019 in %postun parser - apparmor.service contains a more safe workaround. This also fixes boo#1220708 (missing daemon-reload).
OBS-URL: https://build.opensuse.org/request/show/1154195
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=400
---
apparmor.changes | 7 +++++++
apparmor.spec | 8 ++------
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/apparmor.changes b/apparmor.changes
index 19ee54d..49a5e49 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Mar 1 20:54:12 UTC 2024 - Christian Boltz
+
+- Remove workaround for boo#853019 in %postun parser -
+ apparmor.service contains a more safe workaround.
+ This also fixes boo#1220708 (missing daemon-reload).
+
 -------------------------------------------------------------------
 Tue Feb 27 14:26:58 UTC 2024 - Noel Power
 
diff --git a/apparmor.spec b/apparmor.spec
index 78feaeb..cf88c21 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -748,13 +748,9 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %service_del_preun apparmor.service
 
 %postun parser
-# don't call try-restart, see bnc#853019
-%if 0%{?suse_version} <= 1500
-export DISABLE_RESTART_ON_UPDATE="yes"
+# bnc#853019 aka boo#853019 is still a thing, but in the meantime apparmor.service has ExecStop=/bin/true (= do nothing),
+# which means that 'systemctl restart apparmor' is safe now
 %service_del_postun apparmor.service
-%else
-%service_del_postun_without_restart apparmor.service
-%endif
 
 %posttrans abstractions
 # workaround for bnc#904620#c8 / lp#1392042
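Review bot: The new comment in `%postun parser` justifies the now unconditional `%service_del_postun apparmor.service` with a property of apparmor.service (`ExecStop=/bin/true`) that lives outside this hunk, and nothing in the scriptlet ties the two together; if a later service-file change restores a real stop action, a package update will again unload every loaded profile with no guard, which is exactly the failure mode boo#853019 describes. Either add a matching comment in the service file pointing back at this scriptlet, or state the dependency here explicitly: `# NOTE: keep in sync with ExecStop= in apparmor.service - a real stop action would make this restart unsafe again (boo#853019)`. The first added comment line is also well over 100 columns; wrapping it keeps the spec readable.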