Accepting request 1154197 from security:apparmor

- Remove workaround for boo#853019 in %postun parser - apparmor.service contains a more safe workaround. This also fixes boo#1220708 (missing daemon-reload). - Add smbd-unix_chkpwd.diff to allow smbd to execute unix_chkpwd and fix other pam related denies; (boo#1220032). - Only run utils and profiles make check if kernel LSM is enabled (bsc#1220084) OBS-URL: https://build.opensuse.org/request/show/1154197 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=204
2024-03-02 22:23:23 +00:00
parent b5360557b2 d108d92e93
commit 54cd803dd8
3 changed files with 71 additions and 13 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,16 @@
 -------------------------------------------------------------------
 Fri Mar  1 20:54:12 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
 - Remove workaround for boo#853019 in %postun parser -
  apparmor.service contains a more safe workaround.
  This also fixes boo#1220708 (missing daemon-reload).
 -------------------------------------------------------------------
 Tue Feb 27 14:26:58 UTC 2024 - Noel Power <nopower@suse.com>
 - Add smbd-unix_chkpwd.diff to allow smbd to execute
  unix_chkpwd and fix other pam related denies; (boo#1220032).
 -------------------------------------------------------------------
 Mon Feb 26 17:25:58 UTC 2024 - Ludwig Nussel <lnussel@suse.com>
@@ -8,6 +21,12 @@ Tue Feb 20 10:16:27 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 - Use %patch -P N instead of deprecated %patchN.
 -------------------------------------------------------------------
 Tue Feb 20 02:41:09 UTC 2024 - David Disseldorp <ddiss@suse.com>
 - Only run utils and profiles make check if kernel LSM is enabled
  (bsc#1220084)
 -------------------------------------------------------------------
 Thu Feb  8 05:20:26 UTC 2024 - David Disseldorp <ddiss@suse.com>
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -98,6 +98,10 @@ Patch9:         dovecot-unix_chkpwd.diff
 # abstractions/openssl: allow version specific engdef & engines paths (boo#1219571)
 Patch10:        apparmor-abstractions-openssl-allow-version-specific-en.patch
 # allow smbd to execute unix_chkpwd (boo#1220032)
 # https://gitlab.com/apparmor/apparmor/-/merge_requests/1159
 Patch11:        smbd-unix_chkpwd.diff
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  bison
@@ -367,6 +371,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %endif
 %patch -P 9 -p1
 %patch -P 10 -p1
 %patch -P 11 -p1
 %build
 export SUSE_ASNEEDED=0
@@ -429,17 +434,24 @@ make check -C libraries/libapparmor
 make check -C parser
 make check -C binutils
-# profiles make check fails for the utils (they expect /sbin/apparmor_parser to exist), therefore only do parser-based check
+# some tests depend on kernel LSM (e.g. access /proc/PID/attr/apparmor/current)
-make -C profiles check-parser
+if grep -q apparmor /sys/kernel/security/lsm; then
 	# profiles make check fails for the utils (they expect
 	# /sbin/apparmor_parser to exist), therefore only do parser-based check
 	make -C profiles check-parser
 # test for a few files that should exist in the cache
 %if %{with precompiled_cache}
-test -f profiles/cache/*/bin.ping
+	# test for a few files that should exist in the cache
-test -f profiles/cache/*/.features
+	test -f profiles/cache/*/bin.ping
 	test -f profiles/cache/*/.features
 %endif
-# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
+	# run checks in utils except linting -- https://gitlab.com/apparmor/apparmor/-/issues/121
-make check -o check_lint -C utils
+	make check -o check_lint -C utils
 else
 	# clear grep status to avoid flagging check failure
 	true
 fi
 %install
 # libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
@@ -736,13 +748,9 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %service_del_preun apparmor.service
 %postun parser
-# don't call try-restart, see bnc#853019
+# bnc#853019 aka boo#853019 is still a thing, but in the meantime apparmor.service has ExecStop=/bin/true (= do nothing),
-%if 0%{?suse_version} <= 1500
+# which means that 'systemctl restart apparmor' is safe now
 export DISABLE_RESTART_ON_UPDATE="yes"
 %service_del_postun apparmor.service
 %else
 %service_del_postun_without_restart apparmor.service
 %endif
 %posttrans abstractions
 # workaround for bnc#904620#c8 / lp#1392042
--- a/smbd-unix_chkpwd.diff
+++ b/smbd-unix_chkpwd.diff
@@ -0,0 +1,31 @@
 Index: apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
 ===================================================================
 --- apparmor-3.1.7.orig/profiles/apparmor.d/usr.sbin.smbd
 +++ apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
@@ -33,6 +33,9 @@ profile smbd /usr/{bin,sbin}/smbd {
   /etc/samba/* rwk,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/sys/kernel/core_pattern r,
 +  /usr/etc/environment r,
 +  /usr/etc/security/limits.d/ r,
 +  /usr/etc/security/limits.d/*.conf  r,
   /usr/lib*/samba/vfs/*.so mr,
   /usr/lib*/samba/auth/*.so mr,
   /usr/lib*/samba/charset/*.so mr,
@@ -47,6 +50,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/share/samba/** r,
   /usr/{bin,sbin}/smbd mr,
   /usr/{bin,sbin}/smbldap-useradd Px,
 +  /usr/sbin/unix_chkpwd Px,
   /var/cache/samba/** rwk,
   /var/{cache,lib}/samba/printing/printers.tdb mrw,
   /var/lib/nscd/netgroup r,
@@ -59,6 +63,8 @@ profile smbd /usr/{bin,sbin}/smbd {
   @{run}/samba/ncalrpc/** rw,
   /var/spool/samba/** rw,
 +  owner /proc/@{pid}/loginuid r,
 +
   @{HOMEDIRS}/** lrwk,
   /var/lib/samba/usershares/{,**} lrwk,