Accepting request 453537 from security:apparmor

TL;DR: update AppArmor to 2.11, split off libapparmor package/spec, move libapparmor to /usr


Details:

- add upstream-changes-r3616..3628.diff:
  - update abstractions/base, abstractions/apache2-common and dovecot profiles
  - merge ask_the_questions() of aa-logprof and aa-mergeprof
  - pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor
- adjust deleting the cache in profiles %post to the new cache location
- silence errors when deleting the cache (boo#976914)

- split libapparmor into separate spec to get rid of build loop
  involving mariadb, systemd, apparmor, libapr and mariadb again
  (see the discussion in SR 448871 for details)
- libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but
  with minimum BuildRequires

- update to AppArmor 2.11.0
  - apparmor_parser now supports parallel compiles and loads
  - add full support for dbus, ptrace and signal rules and events to the
    utils
  - full rewrite of the file rule handling in the utils
  - lots of improvements and fixes
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the
    detailed changelog
- patches:
  - add sshd-profile-drop-local-include-r3615.diff to fix 'make check'
  - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed
  - refresh apparmor-abstractions-no-multiline.diff
  - refresh apparmor-samba-include-permissions-for-shares.diff
- spec changes:
  - aa-unconfined switched to using ss (from iproute2), adjust Recommends:
  - move libapparmor to /usr/lib*/
  - drop %if %suse_version checks for 12.x
  - change several Obsoletes from %version to < 2.9. Those package names
    haven't been used for years, and 2.9 is still a careful choice
  - include apparmor.service independent of %suse_version
  - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires
    - drop latex2html, texlive-* and w3m BuildRequires
    - techdoc.txt and techdoc.html not included, drop them from the package
  - run most of utils/ make check (some tests expect /etc/apparmor.d/ and
    /sbin/apparmor_parser to exist, skip them)
  - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests)
  - drop sed'ing python3 into aa-* shebang (upstreamed)
  - build binutils
    - aa-exec is now written in C and lives in /usr/bin/, move it to the
      apparmor_parser package and create a compatibility symlink in /usr/sbin/
    - aa-exec manpage moved to section 1
    - aa-enabled is a small new tool to find out if AppArmor is enabled
  - package new aa_stack_profile(2) manpage

OBS-URL: https://build.opensuse.org/request/show/453537
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=98
Dominique Leuenberger 2017-02-11 00:33:45 +00:00 committed by Git OBS Bridge
commit 6d997a3d70
13 changed files with 1441 additions and 298 deletions


@ -1,39 +0,0 @@
------------------------------------------------------------
revno: 3380
committer: Steve Beattie <sbeattie@ubuntu.com>
branch nick: 2.10
timestamp: Mon 2017-01-09 09:22:58 -0800
message:
Subject: utils/aa-unconfined: fix netstat invocation regression
It was reported that converting the netstat command to examine
processes bound to ipv6 addresses broke on OpenSUSE due to the version
of nettools not supporting the short -4 -6 arguments.
This patch fixes the invocation of netstat to use the "--protocol
inet,inet6" arguments instead, which should return the same results
as the short options.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'utils/aa-unconfined'
--- utils/aa-unconfined 2016-12-05 09:21:27 +0000
+++ utils/aa-unconfined 2017-01-09 17:22:58 +0000
@@ -46,10 +46,10 @@
regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
import subprocess
if sys.version_info < (3, 0):
- output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
+ output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n")
else:
#Python3 needs to translate a stream of bytes to string with specified encoding
- output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
+ output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n")
for line in output:
match = regex_tcp_udp.search(line)
vim:ft=diff


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3
size 4497918


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=l0m2
-----END PGP SIGNATURE-----

apparmor-2.11.0.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a
size 5013297


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=aq9P
-----END PGP SIGNATURE-----
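Review bot: the refreshed apparmor-2.11.0.tar.gz.asc only protects the build if something verifies it; apparmor.spec carries `Source2: %{name}.keyring` for that, but the new libapparmor.spec lists `Source0: apparmor-%{version}.tar.gz` and `Source1: apparmor-%{version}.tar.gz.asc` with no keyring, so in that build the signature is never checked. Add the same keyring as Source2 to libapparmor.spec, or drop the .asc there and rely on the verification done in apparmor.spec for the identical tarball.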


@ -35,11 +35,11 @@ Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict
+ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/dbus-session-strict
===================================================================
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200
@@ -13,16 +13,9 @@
/etc/machine-id r,
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2017-01-11 21:20:01.381935015 +0100
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2017-01-11 21:20:07.641905170 +0100
@@ -14,16 +14,9 @@
/var/lib/dbus/machine-id r,
owner /run/user/*/bus rw,
- unix (connect, receive, send)
- type=stream
@ -71,92 +71,42 @@ Index: profiles/apparmor.d/abstractions/dbus-strict
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/fcitx-strict
===================================================================
--- profiles/apparmor.d/abstractions/fcitx-strict.orig 2017-01-11 21:44:55.726947350 +0100
+++ profiles/apparmor.d/abstractions/fcitx-strict 2017-01-11 21:45:02.830914856 +0100
@@ -11,11 +11,6 @@
#include <abstractions/dbus-session-strict>
- dbus send
- bus=fcitx
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
Index: profiles/apparmor.d/abstractions/libpam-systemd
===================================================================
--- profiles/apparmor.d/abstractions/libpam-systemd.orig 2017-01-11 21:47:13.814315855 +0100
+++ profiles/apparmor.d/abstractions/libpam-systemd 2017-01-11 21:47:19.490289904 +0100
@@ -12,8 +12,4 @@
#include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts
- dbus send
- bus=system
- path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={CreateSession,ReleaseSession},
+ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession},
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2014-10-18 13:11:18.497652337 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2014-10-18 13:11:31.098494805 +0200
@@ -16,41 +16,16 @@
#include <abstractions/gnome>
# Allow connecting to session bus and where to connect to services
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=Hello
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=session
- path=/org/freedesktop/{db,DB}us
- interface=org.freedesktop.DBus
- member={Add,Remove}Match
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetNameOwner
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=NameHasOwner
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
# Allow starting services on the session bus (actual communications with
# the service are mediated elsewhere)
- dbus (send)
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=StartServiceByName
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus),
# Allow connecting to system bus and where to connect to services. Put these
# here so we don't need to repeat these rules in multiple places (actual
@@ -58,108 +36,47 @@
# allow apps to brute-force enumerate system services, but our system
# services aren't a secret.
/{,var/}run/dbus/system_bus_socket rw,
- dbus (send)
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=Hello
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=system
- path=/org/freedesktop/{db,DB}us
- interface=org.freedesktop.DBus
- member={Add,Remove}Match
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
# NameHasOwner and GetNameOwner could leak running processes and apps
# depending on how services are implemented
- dbus (send)
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=GetNameOwner
- peer=(name=org.freedesktop.DBus),
- dbus (send)
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member=NameHasOwner
- peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2017-01-11 21:20:07.641905170 +0100
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2017-01-11 21:20:52.197692834 +0100
@@ -21,78 +21,37 @@
#
# Access required for connecting to/communication with Unity HUD
#
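Review bot: this refresh and the `test -z "$(grep -r '^\s*\(unix\|dbus\)...' profiles/apparmor.d/)"` guard added to %prep in apparmor.spec belong in the same request: the guard is the only check that no multi-line unix/dbus rule survived the regeneration, and the hunk headers dated 2017-01-11 show the patch was regenerated against the 2.11 abstractions rather than hand-edited. Each collapsed `dbus (send) ...` line here still carries the full bus, path, interface, member and peer qualifiers of the multi-line original, so the mediation expressed by the abstractions is unchanged.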
@ -282,7 +232,7 @@ Index: profiles/apparmor.d/abstractions/gnome
===================================================================
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
@@ -91,6 +91,4 @@
@@ -93,6 +93,4 @@
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)


@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
@@ -47,6 +47,10 @@
@@ -53,6 +53,10 @@
@{HOMEDIRS}/** lrwk,


@ -1,3 +1,57 @@
-------------------------------------------------------------------
Mon Jan 30 21:37:48 UTC 2017 - suse-beta@cboltz.de
- add upstream-changes-r3616..3628.diff:
- update abstractions/base, abstractions/apache2-common and dovecot profiles
- merge ask_the_questions() of aa-logprof and aa-mergeprof
- pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor
- adjust deleting the cache in profiles %post to the new cache location
- silence errors when deleting the cache (boo#976914)
-------------------------------------------------------------------
Sat Jan 28 21:40:11 UTC 2017 - suse-beta@cboltz.de
- split libapparmor into separate spec to get rid of build loop
involving mariadb, systemd, apparmor, libapr and mariadb again
(see the discussion in SR 448871 for details)
-------------------------------------------------------------------
Fri Jan 27 20:08:03 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.11.0
- apparmor_parser now supports parallel compiles and loads
- add full support for dbus, ptrace and signal rules and events to the
utils
- full rewrite of the file rule handling in the utils
- lots of improvements and fixes
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the
detailed changelog
- patches:
- add sshd-profile-drop-local-include-r3615.diff to fix 'make check'
- drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed
- refresh apparmor-abstractions-no-multiline.diff
- refresh apparmor-samba-include-permissions-for-shares.diff
- spec changes:
- aa-unconfined switched to using ss (from iproute2), adjust Recommends:
- move libapparmor to /usr/lib*/
- drop %if %suse_version checks for 12.x
- change several Obsoletes from %version to < 2.9. Those package names
weren't used since years, and 2.9 is still a careful choice
- include apparmor.service independent of %suse_version
- techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires
- drop latex2html, texlive-* and w3m BuildRequires
- techdoc.txt and techdoc.html not included, drop them from the package
- run most of utils/ make check (some tests expect /etc/apparmor.d/ and
/sbin/apparmor_parser to exist, skip them)
- BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests)
- drop sed'ing python3 into aa-* shebang (upstreamed)
- build binutils
- aa-exec is now written in C and lives in /usr/bin/, move it to the
apparmor_parser package and create a compability symlink in /usr/sbin/
- aa-exec manpage moved to section 1
- aa-enabled is a small new tool to find out if AppArmor is enabled
- package new aa_stack_profile(2) manpage
-------------------------------------------------------------------
Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de
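Review bot: two wording fixes for the changelog entry: `create a compability symlink in /usr/sbin/` should read `compatibility`, and `Those package names weren't used since years` reads better as `have not been used for years`.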


@ -24,23 +24,9 @@
%bcond_without pam
%bcond_without apache
%bcond_without perl
%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210
# disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch
%bcond_with python
%bcond_with python3
%bcond_with ruby
%else
%if 0%{?suse_version} == 1220
# swig for python3 is broken on 12.2 - probably http://sourceforge.net/p/swig/bugs/1257/ - build python2 bindings instead
%bcond_without python
%bcond_with python3
%bcond_without ruby
%else
%bcond_with python
%bcond_without python3
%bcond_without ruby
%endif
%endif
%bcond_with python
%bcond_without python3
%bcond_without ruby
%define CATALINA_HOME /usr/share/tomcat6
#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
@ -60,11 +46,12 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.10.2
Version: 2.11.0
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
Group: Productivity/Networking/Security
Url: https://launchpad.net/apparmor
Source0: apparmor-%{version}.tar.gz
Source1: apparmor-%{version}.tar.gz.asc
Source2: %{name}.keyring
@ -82,9 +69,6 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch3: apparmor-utils-string-split
# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380)
Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch5: ruby-2_0-mkmf-destdir.patch
@ -95,7 +79,12 @@ Patch6: apparmor-abstractions-no-multiline.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
Url: https://launchpad.net/apparmor
# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615)
Patch8: sshd-profile-drop-local-include-r3615.diff
# upstream changes (trunk r3616..3628)
Patch9: upstream-changes-r3616..3628.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %{distro} == "suse"
@ -104,19 +93,14 @@ PreReq: aaa_base
%endif
%define apparmor_bin_prefix /lib/apparmor
BuildRequires: bison
BuildRequires: dejagnu
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: latex2html
BuildRequires: pcre-devel
BuildRequires: pkg-config
BuildRequires: python
BuildRequires: python3-pyflakes
BuildRequires: perl(Locale::gettext)
%if 0%{?suse_version} > 1220
BuildRequires: texlive-amsfonts
BuildRequires: texlive-cm-super
%endif
BuildRequires: texlive-latex
BuildRequires: w3m
BuildRequires: swig
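Review bot: `BuildRequires: python3-pyflakes` is unconditional although python3 is still a bcond (`%bcond_without python3` above) and the utils tests it serves run under `%if %{with python3}` elsewhere in the spec; either guard it with `%if %{with python3}` or remove the bcond now that the 12.x conditionals are gone. `BuildRequires: dejagnu` stays justified here because `make check -C libraries/libapparmor` is still run in %check.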
@ -149,12 +133,12 @@ BuildRequires: tomcat6
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
Group: Productivity/Networking/Security
Obsoletes: libimnxcert < %{version}
Obsoletes: subdomain-leaf-cert < %{version}
Obsoletes: subdomain-parser < %{version}
Obsoletes: subdomain-parser-common < %{version}
Obsoletes: subdomain-parser-demo < %{version}
Obsoletes: subdomain_parser < %{version}
Obsoletes: libimnxcert < 2.9
Obsoletes: subdomain-leaf-cert < 2.9
Obsoletes: subdomain-parser < 2.9
Obsoletes: subdomain-parser-common < 2.9
Obsoletes: subdomain-parser-demo < 2.9
Obsoletes: subdomain_parser < 2.9
Provides: libimnxcert = %{version}
Provides: subdomain-leaf-cert = %{version}
Provides: subdomain-parser = %{version}
@ -166,10 +150,8 @@ Provides: apparmor-parser(CAP_SYSLOG)
# initscript needs /lib/lsb/init-functions from insserv/insserv-compat
Requires: insserv
%if 0%{?suse_version} > 1320
BuildRequires: systemd-rpm-macros
%{?systemd_requires}
%endif
%description parser
The AppArmor Parser is a userlevel program that is used to load in
@ -209,35 +191,6 @@ The documentation is in the apparmor-admin_en package.
%endif
%package -n libapparmor1
Summary: Utility library for AppArmor
License: LGPL-2.1+
Group: Development/Libraries/C and C++
%ifarch ppc64
Obsoletes: libapparmor-64bit < %{version}
Provides: libapparmor-64bit = %{version}
%endif
Provides: libapparmor = %{version}
#Provides: libimmunix = %{version}
Obsoletes: libapparmor < %{version}
#Obsoletes: libimmunix < %{version}
%description -n libapparmor1
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor-devel
Summary: Development headers and libraries for libapparmor
License: LGPL-2.1+
Group: Development/Libraries/C and C++
Requires: libapparmor1 = %{version}
Provides: libapparmor:/usr/include/sys/apparmor.h
%description -n libapparmor-devel
These libraries are needed for developing software that makes use of the
AppArmor API.
%if %{with perl}
%package -n perl-apparmor
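Review bot: removing the libapparmor1 and libapparmor-devel subpackages here while apparmor-utils keeps `Requires: libapparmor1 = %{version}` later in this spec ties apparmor.spec and libapparmor.spec to identical versions: a libapparmor.spec update that lands without the matching apparmor.spec update, or the reverse, makes apparmor-utils uninstallable. Either note the lockstep requirement in both .changes files or relax the dependency to `>=`.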
@ -338,7 +291,7 @@ License: GPL-2.0 and LGPL-2.1+
Group: Productivity/Security
Requires: apparmor-abstractions >= %{version}
Requires: apparmor-parser(CAP_SYSLOG)
Obsoletes: subdomain-profiles < %{version}
Obsoletes: subdomain-profiles < 2.9
Provides: subdomain-profiles = %{version}
BuildArch: noarch
@ -356,7 +309,7 @@ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profi
License: GPL-2.0 and LGPL-2.1+
Group: Productivity/Security
Requires: libapparmor1 = %{version}
# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify)
# some of the tools are still perl-based (aa-decode and aa-notify)
Requires: perl = %{perl_version}
Requires: perl-apparmor = %{version}
%if %{with python3}
@ -366,12 +319,8 @@ Requires: python3-base
Requires: python-apparmor = %{version}
Requires: python-base
%endif
# aa-unconfined needs netstat
%if 0%{?suse_version} > 1320
Recommends: net-tools-deprecated
%else
Recommends: net-tools
%endif
# aa-unconfined needs ss
Recommends: iproute2
# aa-notify -p needs notify-send
Recommends: libnotify-tools
BuildArch: noarch
@ -435,27 +384,20 @@ SubDomain.
%patch1 -p1
%patch2
%patch3 -p1
%patch4
# Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
%if 0%{?suse_version} > 1230
%patch5 -p1
%endif
%patch6
%patch7 -p1
%patch8
%patch9
# search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
%build
echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
export SUSE_ASNEEDED=0
# re-define _libdir to /lib or /lib64
%define _libdir /%{_lib}
echo new _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
%if %{with python3}
export PYTHON=/usr/bin/python3
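Review bot: the new guard `test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"` matches only multi-line rules whose first line starts with `unix` or `dbus`, which is exactly what apparmor-abstractions-no-multiline.diff rewrites, so it is the right regression check for that patch; it fails the build with a bare `test` exit status and no output, so echoing the grep result before the test would make a failure diagnosable. Dropping `%define _libdir /%{_lib}` from %build is the actual relocation of libapparmor to /usr/%{_lib}; every hardcoded `/%{_lib}` that remains in this spec (the pam_apparmor SECDIR) is now deliberate and deserves a comment saying so.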
@ -485,6 +427,9 @@ export PYTHON=/usr/bin/python3
# Utilities:
make -C utils
# binutils
make -C binutils
# deprecated/utils (perl modules still needed by YaST)
%if %{with perl}
make -C deprecated/utils
@ -492,8 +437,6 @@ make -C deprecated/utils
# parser:
make -C parser V=1
# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
make -C parser V=1 techdoc.txt
# Apache mod_apparmor:
%if %{with apache}
@ -508,8 +451,6 @@ make -C parser V=1 techdoc.txt
# Profiles:
make -C profiles
##configure --disable-static --with-pic \
#--with-perl \
%if %{with tomcat}
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
@ -522,11 +463,24 @@ export PYTHON_VERSIONS=python3
make check -C libraries/libapparmor
make check -C parser
make check -C binutils
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
(cd profiles && make check-parser)
# utils make check fails if profiles don't exist in /etc/apparmor.d/
# make check -C utils
# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist
# (aa.py doesn't allow to inject in-tree paths early enough)
rm -v utils/test/test-aa.py
rm -v utils/test/test-aa-easyprof.py
rm -v utils/test/test-libapparmor-test_multi.py
rm -v utils/test/test-mount_parse.py
rm -v utils/test/test-parser-simple-tests.py
rm -v utils/test/test-pivot_root_parse.py
rm -v utils/test/test-regex_matches.py
rm -v utils/test/test-unix_parse.py
make check -C utils
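Review bot: the eight `rm -v utils/test/test-*.py` lines drop the tests for regex matching, mount/unix/pivot_root parsing and the parser simple-tests, i.e. the parts most affected by the 2.11 file-rule rewrite, so `make check -C utils` now covers less than its name suggests. The comment explains the reason (aa.py hardcodes /etc/apparmor.d/ and /sbin/apparmor_parser), but the skip list should be revisited once upstream allows overriding those paths; otherwise the spec permanently trades this coverage for a green build.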
%install
@ -534,22 +488,17 @@ make check -C parser
export PYTHON=/usr/bin/python3
%endif
# libapparmor
# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0
%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/
# create symlink for old change_hat(2) manpage
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
%makeinstall -C libraries/libapparmor/swig
# utilities
%makeinstall -C utils
test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
%if %{with python3}
# enforce usage of python3
for file in %{buildroot}/%{_sbindir}/aa-* ; do
sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file"
done
%endif
# binutils
%makeinstall -C binutils
( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )
# deprecated/utils (perl modules still needed by YaST)
%if %{with perl}
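Review bot: `( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )` creates only `%{_sbindir}/exec`, the historic un-prefixed name, because the aa-* symlink loop below this hunk now no longer sees aa-exec in sbin; nothing creates `%{_sbindir}/aa-exec`, so scripts that call /usr/sbin/aa-exec by absolute path break after the move to /usr/bin. Add that second symlink, or state in the changelog that only the `exec` name is kept. Whichever subpackage owns `%{_sbindir}/exec` must also list it in %files; that entry is not visible in this diff.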
@ -569,7 +518,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
%endif
%if %{with pam}
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
%makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}/%{_lib}/security
%endif
%if %{with tomcat}
@ -577,8 +526,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
%makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
%endif
find %{buildroot} -name .packlist -exec rm -f {} \;
find %{buildroot} -name perllocal.pod -exec rm -f {} \;
find %{buildroot} -name .packlist -exec rm -vf {} \;
find %{buildroot} -name perllocal.pod -exec rm -vf {} \;
# Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
# Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
@ -587,7 +536,7 @@ for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
f=$(basename $file)
case "${f#aa-}" in
audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \
audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
if [ "${f#aa-}" != "$f" ]; then
ln -s $f $d/${f#aa-}
fi
@ -599,16 +548,14 @@ mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
rm -f %{buildroot}%{_mandir}/man8/decode.8
for pkg in apparmor-utils apparmor-parser; do
for pkg in apparmor-utils apparmor-parser aa-binutils; do
%find_lang $pkg
done
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
rm -fv %{buildroot}%{_libdir}/libapparmor.la
%if 0%{?suse_version} > 1320
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
%endif
echo -------------------------------------------------------------------
#find -ls
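Review bot: `rm -fv %{buildroot}%{_libdir}/libapparmor.la` is left in place although this spec now installs only the swig bindings (`# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec`), so the line is a no-op here; drop it, and make sure libapparmor.spec removes the .la file instead.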
@ -621,7 +568,7 @@ echo -------------------------------------------------------------------
%doc parser/*.[1-9].html
%doc utils/vim/apparmor.vim.5.html
%doc common/apparmor.css
%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt
%doc parser/techdoc.pdf
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/apparmor.vim
@ -630,6 +577,8 @@ echo -------------------------------------------------------------------
%defattr(-,root,root)
%doc parser/README parser/COPYING.GPL
/sbin/apparmor_parser
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
@ -640,14 +589,15 @@ echo -------------------------------------------------------------------
%else
%{_sysconfdir}/init.d/apparmor
%endif
%if 0%{?suse_version} > 1320
%{_unitdir}/apparmor.service
%endif
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%doc %{_mandir}/man1/aa-enabled.1.gz
%doc %{_mandir}/man1/aa-exec.1.gz
%doc %{_mandir}/man1/exec.1.gz
%doc %{_mandir}/man5/apparmor.d.5.gz
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man5/subdomain.conf.5.gz
@ -658,34 +608,10 @@ echo -------------------------------------------------------------------
if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
chkconfig --del subdomain
fi
%if 0%{?suse_version} > 1320
%service_add_pre apparmor.service
%endif
%files parser-lang -f apparmor-parser.lang
%files -n libapparmor1
%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang
%defattr(-,root,root)
%{_libdir}/libapparmor.so.*
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.a
%{_libdir}/libapparmor.so
/usr/%{_lib}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
%doc %{_mandir}/man2/aa_getcon.2.gz
%doc %{_mandir}/man2/aa_query_label.2.gz
%doc %{_mandir}/man3/aa_features.3.gz
%doc %{_mandir}/man3/aa_kernel_interface.3.gz
%doc %{_mandir}/man3/aa_policy_cache.3.gz
%doc %{_mandir}/man3/aa_splitcon.3.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/sys/apparmor_private.h
%{_includedir}/aalogparse/*
%files abstractions
%defattr(644,root,root,755)
@ -732,7 +658,6 @@ fi
%dir %{_datadir}/apparmor
%{_datadir}/apparmor/easyprof/
%dir %{_localstatedir}/log/apparmor
%doc %{_mandir}/man2/aa_change_profile.2.gz
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-*.gz
@ -743,7 +668,6 @@ fi
%doc %{_mandir}/man8/disable.8.gz
%doc %{_mandir}/man8/easyprof.8.gz
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/exec.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
%doc %{_mandir}/man8/unconfined.8.gz
@ -800,7 +724,7 @@ fi
%files -n pam_apparmor
%defattr(444,root,root,755)
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
%attr(555,root,root) /%{_lib}/security/pam_apparmor.so
%endif
%if %{with tomcat}
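Review bot: `%attr(555,root,root) /%{_lib}/security/pam_apparmor.so` hardcodes the PAM module directory and has to agree with the SECDIR override in %install (`SECDIR=%{buildroot}/%{_lib}/security`); both were needed because `%define _libdir /%{_lib}` is gone from %build. A single spec-local macro for the PAM module directory used in both places would keep them from drifting if PAM modules ever move under /usr/%{_lib}.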
@ -853,9 +777,7 @@ fi
fi
%endif
%if 0%{?suse_version} > 1320
%service_add_post apparmor.service
%endif
%preun parser
if [ "$1" = 0 ] ; then
@ -867,9 +789,7 @@ if [ "$1" = 0 ] ; then
%endif
fi
%if 0%{?suse_version} > 1320
%service_del_preun apparmor.service
%endif
%postun parser
%if %{distro} == "suse"
@ -885,11 +805,9 @@ fi
%{insserv_cleanup} || true
%endif
%if 0%{?suse_version} > 1320
# don't call try-restart, see bnc#853019
export DISABLE_RESTART_ON_UPDATE="yes"
%service_del_postun apparmor.service
%endif
%post abstractions
%if %{distro} == "suse"
@ -907,7 +825,7 @@ export DISABLE_RESTART_ON_UPDATE="yes"
%post profiles
%if %{distro} == "suse"
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/*
rm -f /var/lib/apparmor/cache/* 2>/dev/null
#restart_on_update boot.apparmor - but non-broken (bnc#853019)
# (copy&paste from parser postun script)
test -n "$FIRST_ARG" || FIRST_ARG=$1
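Review bot: `rm -f /var/lib/apparmor/cache/* 2>/dev/null` clears only the new cache location; a system upgraded from 2.10 keeps whatever `/var/cache/apparmor/*` held. Since the parser now uses the new location, as the changelog states, those files are dead weight rather than stale policy, but a one-time cleanup of the old path on upgrade would be tidy. Note that `2>/dev/null` (boo#976914) silences every error, including a permission problem, while `-f` alone already covers the missing-file case.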
@ -919,10 +837,6 @@ export DISABLE_RESTART_ON_UPDATE="yes"
fi
%endif
%post -n libapparmor1 -p /sbin/ldconfig
%postun -n libapparmor1 -p /sbin/ldconfig
%if %{with tomcat}
%post -n tomcat_apparmor -p /sbin/ldconfig

libapparmor.changes Normal file

@ -0,0 +1,11 @@
-------------------------------------------------------------------
Sat Jan 28 21:40:11 UTC 2017 - suse-beta@cboltz.de
- split libapparmor into separate spec to get rid of build loop
involving mariadb, systemd, apparmor, libapr and mariadb again
(see the discussion in SR 448871 for details)
- libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but
with minimum BuildRequires

libapparmor.spec Normal file

@ -0,0 +1,122 @@
#
# spec file for package libapparmor
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2011-2017 Christian Boltz
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: libapparmor
Version: 2.11.0
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1+
Group: Development/Libraries/C and C++
Url: https://launchpad.net/apparmor
Source0: apparmor-%{version}.tar.gz
Source1: apparmor-%{version}.tar.gz.asc
BuildRequires: bison
BuildRequires: dejagnu
BuildRequires: flex
BuildRequires: pkg-config
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor1
Summary: Utility library for AppArmor
Group: Development/Libraries/C and C++
%ifarch ppc64
Obsoletes: libapparmor-64bit < 2.9
Provides: libapparmor-64bit = %{version}
%endif
Provides: libapparmor = %{version}
Obsoletes: libapparmor < 2.9
%description -n libapparmor1
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor-devel
Summary: Development headers and libraries for libapparmor
Group: Development/Libraries/C and C++
Requires: libapparmor1 = %{version}
Provides: libapparmor:/usr/include/sys/apparmor.h
%description -n libapparmor-devel
These libraries are needed for developing software that makes use of the
AppArmor API.
%prep
%setup -q -n apparmor-%{version}
%build
(
cd ./libraries/libapparmor
%configure \
--without-perl \
--without-python \
--without-ruby \
make
)
%check
make check -C libraries/libapparmor
%install
%makeinstall -C libraries/libapparmor
# create symlink for old change_hat(2) manpage
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
%post -n libapparmor1 -p /sbin/ldconfig
%postun -n libapparmor1 -p /sbin/ldconfig
%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.so.*
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.a
%{_libdir}/libapparmor.so
%{_libdir}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/aa_change_profile.2.gz
%doc %{_mandir}/man2/aa_stack_profile.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%doc %{_mandir}/man2/aa_find_mountpoint.2.gz
%doc %{_mandir}/man2/aa_getcon.2.gz
%doc %{_mandir}/man2/aa_query_label.2.gz
%doc %{_mandir}/man3/aa_features.3.gz
%doc %{_mandir}/man3/aa_kernel_interface.3.gz
%doc %{_mandir}/man3/aa_policy_cache.3.gz
%doc %{_mandir}/man3/aa_splitcon.3.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/sys/apparmor_private.h
%{_includedir}/aalogparse/*
%changelog
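Review bot: in `%build`, the trailing backslash on `--without-ruby \` joins the next line, so `make` is handed to `%configure` as a stray positional argument instead of being run as a command; an autoconf-generated configure treats a bare word there as a host alias (with a warning), and no build step happens until `%makeinstall` compiles the library as a side effect of installing. Drop the backslash after `--without-ruby` so `make` runs on its own line, and use `make %{?_smp_mflags}` while at it. Two smaller points: `Source1` ships the detached `apparmor-%{version}.tar.gz.asc` signature but no keyring source, so nothing verifies the tarball against it; adding the upstream key as a further Source under the usual `%{name}.keyring` name lets the OBS source validator check the signature at submit time. And `%files -n libapparmor-devel` packages the static `libapparmor.a`: unless a consumer needs it, configure with `--disable-static` (or split it into a `-devel-static` subpackage as the openSUSE guidelines ask), because binaries linked against the static copy do not pick up library fixes when libapparmor1 is updated.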


@ -0,0 +1,30 @@
------------------------------------------------------------
revno: 3615
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: apparmor
timestamp: Thu 2017-01-12 22:01:11 +0100
message:
sshd profile: drop local/ include
The local/ include in the sshd profile in extras causes some trouble:
- it breaks "make check" because the parser can't find the local/ file
- it results in a broken profile if someone uses this profile as
starting point, but doesn't notice it needs the local include
Acked-by: Steve Beattie <steve@nxnw.org>
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-07 19:00:06 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2017-01-12 21:01:11 +0000
@@ -140,5 +140,5 @@
/usr/lib/openssh/sftp-server PUx,
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.sbin.sshd>
+ ## include <local/usr.sbin.sshd>
}
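Review bot: turning the include into a comment removes the site-override hook from the extras profile, yet the line above it still reads "Site-specific additions and overrides. See local/README for details." as if the include were active. Anyone who copies this profile into /etc/apparmor.d now gets no local/ override unless they spot the commented line, so extend that comment to say the include is deliberately disabled for `make check` and must be re-enabled (with the local/usr.sbin.sshd file created) when the profile is deployed. Alternatively, keep the include and have the check target provide an empty local/usr.sbin.sshd, which addresses the first bullet of the commit message without changing what deployed profiles do.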
vim:ft=diff
