From 854f9b32a96b748d756570358cce519ee35efdeb5b5e2652e172d0b6abd12ec7 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Tue, 26 Feb 2019 20:52:01 +0000 Subject: [PATCH 1/2] Accepting request 679592 from home:cboltz - add dnsmasq-revert-alternation.diff: revert path alternation in dnsmasq profile to avoid breaking libvirtd (boo#1127073) OBS-URL: https://build.opensuse.org/request/show/679592 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=235 --- apparmor.changes | 6 ++++++ apparmor.spec | 4 ++++ dnsmasq-revert-alternation.diff | 27 +++++++++++++++++++++++++++ 3 files changed, 37 insertions(+) create mode 100644 dnsmasq-revert-alternation.diff diff --git a/apparmor.changes b/apparmor.changes index 821012b..e71a8da 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Feb 26 20:13:19 UTC 2019 - Christian Boltz + +- add dnsmasq-revert-alternation.diff: revert path alternation in + dnsmasq profile to avoid breaking libvirtd (boo#1127073) + ------------------------------------------------------------------- Thu Jan 24 21:13:43 UTC 2019 - Christian Boltz diff --git a/apparmor.spec b/apparmor.spec index d1a959e..641505b 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -75,6 +75,9 @@ Patch10: apparmor-lessopen-nfs-workaround.diff # add peer=libvirtd to dnsmasq profile (from upstream 20fe099cede7cb5ec7dcf62a5427936766a6d4e4) Patch11: dnsmasq-libvirtd.diff +# revert path alternation in dnsmasq profile to avoid breaking libvirtd (boo#1127073, submitted upstream 2019-02-26 as https://gitlab.com/apparmor/apparmor/merge_requests/346) +Patch12: dnsmasq-revert-alternation.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix /lib/apparmor @@ -366,6 +369,7 @@ SubDomain. %patch9 -p1 %patch10 %patch11 -p1 +%patch12 -p1 %build export SUSE_ASNEEDED=0 
diff --git a/dnsmasq-revert-alternation.diff b/dnsmasq-revert-alternation.diff
new file mode 100644
index 0000000..dec1a54
--- /dev/null
+++ b/dnsmasq-revert-alternation.diff
@@ -0,0 +1,27 @@
+commit f0eb077d9644ce426e5af34660d4d619b1fa5774
+Author: Christian Boltz
+Date: Tue Feb 26 21:05:16 2019 +0100
+
+ Revert /usr/{bin,sbin}/ alternation in dnsmasq profile
+
+ Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in
+ the libvirtd profile, practise shows that we were wrong.
+
+ This patch reverts the profile name to /usr/sbin/dnsmasq to avoid
+ breaking libvirtd.
+
+ References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073
+
+diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
+index 3f66a17e..eaf8de97 100644
+--- a/profiles/apparmor.d/usr.sbin.dnsmasq
++++ b/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -12,7 +12,7 @@
+ @{TFTP_DIR}=/var/tftp /srv/tftpboot
+
+ #include
+-/usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
++/usr/sbin/dnsmasq flags=(attach_disconnected) {
+ #include
+ #include
+ #include
From 4a792e87540107b3d0fd2023c6be0509b47306c41f5394aca4c4068178520d5a Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 27 Feb 2019 19:30:05 +0000
Subject: [PATCH 2/2] Accepting request 679944 from home:cboltz update dnsmasq-revert-alternation.diff from upstream merge request
OBS-URL: https://build.opensuse.org/request/show/679944
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=236
---
 apparmor.changes | 5 +++--
 dnsmasq-revert-alternation.diff | 19 +++++++++++++++----
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/apparmor.changes b/apparmor.changes
index e71a8da..5842824 100644
--- a/apparmor.changes
+++ b/apparmor.changes
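Review bot: In the embedded usr.sbin.dnsmasq hunk, the restored header `/usr/sbin/dnsmasq flags=(attach_disconnected) {` makes the path both the profile name and the only attachment, so a dnsmasq binary installed as /usr/bin/dnsmasq would presumably no longer be confined by this profile. Nothing in the profile says that the name is pinned because the libvirtd profile refers to it as `peer=/usr/sbin/dnsmasq`. A comment above the header such as `# name must stay /usr/sbin/dnsmasq: libvirtd profile uses peer=/usr/sbin/dnsmasq (boo#1127073)` would keep a later cleanup from reintroducing the alternation. Running `aa-status` on a system that ships the binary under /usr/bin would show whether the daemon still runs confined; the profile body continues outside the hunk.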
@@ -1,8 +1,9 @@ ------------------------------------------------------------------- -Tue Feb 26 20:13:19 UTC 2019 - Christian Boltz +Wed Feb 27 19:28:14 UTC 2019 - Christian Boltz - add dnsmasq-revert-alternation.diff: revert path alternation in - dnsmasq profile to avoid breaking libvirtd (boo#1127073) + dnsmasq profile and re-add peer=/usr/sbin/libvirtd rules to avoid + breaking libvirtd (boo#1127073) ------------------------------------------------------------------- Thu Jan 24 21:13:43 UTC 2019 - Christian Boltz diff --git a/dnsmasq-revert-alternation.diff b/dnsmasq-revert-alternation.diff index dec1a54..689d734 100644 --- a/dnsmasq-revert-alternation.diff +++ b/dnsmasq-revert-alternation.diff @@ -1,4 +1,4 @@ -commit f0eb077d9644ce426e5af34660d4d619b1fa5774 +commit 4b9a07eb9be98c56a622379ba2055f0f9d5dce30 Author: Christian Boltz Date: Tue Feb 26 21:05:16 2019 +0100 @@ -7,13 +7,13 @@ Date: Tue Feb 26 21:05:16 2019 +0100 Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in the libvirtd profile, practise shows that we were wrong. - This patch reverts the profile name to /usr/sbin/dnsmasq to avoid - breaking libvirtd. + This patch reverts the profile name to /usr/sbin/dnsmasq, and re-adds + the libvirtd peer name /usr/sbin/libvirtd to avoid breaking libvirtd. References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073 diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq -index 3f66a17e..eaf8de97 100644 +index 3f66a17e..2dc8902e 100644 --- a/profiles/apparmor.d/usr.sbin.dnsmasq +++ b/profiles/apparmor.d/usr.sbin.dnsmasq @@ -12,7 +12,7 @@ 
@@ -25,3 +25,14 @@ index 3f66a17e..eaf8de97 100644
 #include
 #include
 #include
+@@ -28,8 +28,10 @@
+ network inet6 raw,
+
+ signal (receive) peer=/usr/{bin,sbin}/libvirtd,
++ signal (receive) peer=/usr/sbin/libvirtd,
+ signal (receive) peer=libvirtd,
+ ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
++ ptrace (readby) peer=/usr/sbin/libvirtd,
+ ptrace (readby) peer=libvirtd,
+
+ owner /dev/tty rw,
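Review bot: The two added rules `signal (receive) peer=/usr/sbin/libvirtd,` and `ptrace (readby) peer=/usr/sbin/libvirtd,` read as duplicates of the `peer=/usr/{bin,sbin}/libvirtd` lines directly above them, and the profile itself does not say why both forms are kept. I would add a comment before the signal rules, for example `# literal peer name kept next to the alternation, needed for libvirtd (boo#1127073)`, so the lines are not later removed as redundant. The additions stay limited to receive/readby from a libvirtd peer, so they do not appear to widen what dnsmasq itself may do. The rule list starts and ends outside the hunk.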