pool/apparmor
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 530988 from home:goldwynr:branches:security:apparmor

Browse Source 
added the temporary fix to profiles abstractions/nameservice

OBS-URL: https://build.opensuse.org/request/show/530988
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=185
This commit is contained in:
Christian Boltz 2017-10-04 11:33:29 +00:00 committed by Git OBS Bridge
parent 4f49cf147b
commit 5958c64a3e
3 changed files with 49 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apparmor.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com
- profiles-sockets-temporary-fix.patch to cater to nameservices
with the new sockets mediation, until unix rules are upstreamed.
-------------------------------------------------------------------
Sun Sep 24 09:14:02 UTC 2017 - coolo@suse.com

4
apparmor.spec
View File

@ -88,6 +88,9 @@ Patch13: apparmor-json-support.patch
# https://marc.info/?l=apparmor-dev&m=150151113011870&q=p7
Patch14: apparmor-fix-podsyntax.patch
#boo 1061195
Patch15: profiles-sockets-temporary-fix.patch
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix /lib/apparmor
@ -395,6 +398,7 @@ touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
# search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

39
profiles-sockets-temporary-fix.patch Normal file
View File

@ -0,0 +1,39 @@
Subject: [PATCH] Temporarily fix socket mediation in nameservice
References: bsc#1061195
As per the conversation on IRC:
cboltz: ah yes, the upstreamed version fixes a couple
holes in the old patch suse carried
One of these "holes" were unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2).
The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules.
Instead, I'll add a temporary patch for abstractions/nameservice that adds
network unix dgram,
network unix stream,
(including a TODO note to replace it as soon as support for unix rules
was upstreamed, probably 4.15). These rules are broader than needed,
but should avoid user-visible breakage - and at least with 4.14, unix
rules would get downgraded to network unix anyway ;-)
---
profiles/apparmor.d/abstractions/nameservice | 6 ++++++
1 file changed, 6 insertions(+)
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -92,5 +92,11 @@
# Netlink raw needed for nscd
network netlink raw,
+ # This is a temporary fix for nameservices with the new socket
+ # mediations in 4.14-rc2
+ # TODO: To be replaced once unix rules are upstreamed
+ network unix dgram,
+ network unix stream,
+
# interface details
@{PROC}/@{pid}/net/route r,