From fcc884a7e3f5f0c2f54ef12fc051aa5570afa72d1c5498efc0688f50e8708ffa Mon Sep 17 00:00:00 2001 
From: Christian Boltz Date: Sat, 28 Jan 2017 12:45:16 +0000 Subject: [PATCH 1/2] Accepting request 453151 from home:cboltz - update to AppArmor 2.11.0 - apparmor_parser now supports parallel compiles and loads - add full support for dbus, ptrace and signal rules and events to the utils - full rewrite of the file rule handling in the utils - lots of improvements and fixes - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the detailed changelog - patches: - add sshd-profile-drop-local-include-r3615.diff to fix 'make check' - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed - refresh apparmor-abstractions-no-multiline.diff - refresh apparmor-samba-include-permissions-for-shares.diff - spec changes: - aa-unconfined switched to using ss (from iproute2), adjust Recommends: - move libapparmor to /usr/lib*/ - drop %if %suse_version checks for 12.x - change several Obsoletes from %version to < 2.9. Those package names haven't been used in years, and 2.9 is still a careful choice - include apparmor.service independent of %suse_version - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires - drop latex2html, texlive-* and w3m BuildRequires - techdoc.txt and techdoc.html not included, drop them from the package - run most of utils/ make check (some tests expect /etc/apparmor.d/ and /sbin/apparmor_parser to exist, skip them) - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests) - drop sed'ing python3 into aa-* shebang (upstreamed) - build binutils - aa-exec is now written in C and lives in /usr/bin/, move it to the apparmor_parser package and create a compatibility symlink in /usr/sbin/ - aa-exec manpage moved to section 1 - aa-enabled is a small new tool to find out if AppArmor is enabled - package new aa_stack_profile(2) manpage OBS-URL: https://build.opensuse.org/request/show/453151 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=165 ---
aa-unconfined-fix-netstat-call-2.10r3380.diff | 39 ----- apparmor-2.10.2.tar.gz | 3 - apparmor-2.10.2.tar.gz.asc | 16 -- apparmor-2.11.0.tar.gz | 3 + apparmor-2.11.0.tar.gz.asc | 16 ++ apparmor-abstractions-no-multiline.diff | 128 +++++--------- ...-samba-include-permissions-for-shares.diff | 2 +- apparmor.changes | 37 ++++ apparmor.spec | 160 +++++++----------- sshd-profile-drop-local-include-r3615.diff | 30 ++++ 10 files changed, 190 insertions(+), 244 deletions(-) delete mode 100644 aa-unconfined-fix-netstat-call-2.10r3380.diff delete mode 100644 apparmor-2.10.2.tar.gz delete mode 100644 apparmor-2.10.2.tar.gz.asc create mode 100644 apparmor-2.11.0.tar.gz create mode 100644 apparmor-2.11.0.tar.gz.asc create mode 100644 sshd-profile-drop-local-include-r3615.diff diff --git a/aa-unconfined-fix-netstat-call-2.10r3380.diff b/aa-unconfined-fix-netstat-call-2.10r3380.diff deleted file mode 100644 index b23de6d..0000000 --- a/aa-unconfined-fix-netstat-call-2.10r3380.diff +++ /dev/null @@ -1,39 +0,0 @@ ------------------------------------------------------------- -revno: 3380 -committer: Steve Beattie -branch nick: 2.10 -timestamp: Mon 2017-01-09 09:22:58 -0800 -message: - Subject: utils/aa-unconfined: fix netstat invocation regression - - It was reported that converting the netstat command to examine - processes bound to ipv6 addresses broke on OpenSUSE due to the version - of nettools not supporting the short -4 -6 arguments. - - This patch fixes the invocation of netstat to use the "--protocol - inet,inet6" arguments instead, which should return the same results - as the short options. - - 
Signed-off-by: Steve Beattie - Acked-by: Christian Boltz - - -=== modified file 'utils/aa-unconfined' ---- utils/aa-unconfined 2016-12-05 09:21:27 +0000 -+++ utils/aa-unconfined 2017-01-09 17:22:58 +0000 -@@ -46,10 +46,10 @@ - regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)") - import subprocess - if sys.version_info < (3, 0): -- output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n") -+ output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n") - else: - #Python3 needs to translate a stream of bytes to string with specified encoding -- output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n") -+ output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n") - - for line in output: - match = regex_tcp_udp.search(line) - - -vim:ft=diff diff --git a/apparmor-2.10.2.tar.gz b/apparmor-2.10.2.tar.gz deleted file mode 100644 index 4a4bae7..0000000 --- a/apparmor-2.10.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3 -size 4497918 diff --git a/apparmor-2.10.2.tar.gz.asc b/apparmor-2.10.2.tar.gz.asc deleted file mode 100644 index cd50488..0000000 --- a/apparmor-2.10.2.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQI3BAABCgAhBQJYcxByGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
-5k49NmS7KLcQAKNtJ8N81T/oOL05bZ6M1g4kjYZ1vIyTx8tFj8iBNBnxWGrWfIMj
-EJJeaGFUwbAN9LeTxlbwaGHHukLzQa4rihXPgpmQZl3tYWqwMzMtgtzbjWFIRtGA
-cZunTA0i5kOm0N/IEl1hR2JbDMopPgOWEyV7lZxklKYUavo5+8jrYloXKaSzbQGi
-KMIms8RF7v4ANOGoqvl6vv3y11JMvvV2VZniPf+myVDcmHjk8jzdzdGEOFRcHvoY
-Zg7ZMXbPjPh1VQYbzgdpK95SEXDM9X+4fJtcL2A0ofZQrO9rmFWOrtjxSz88DgWi
-qdfepwIGN7uMBLeL2UMlp8OJVOgcsjY2E9XHzVaSUJYRVuPFa/z3fKzEkMh96HQa
-xYnsicuQe6HUXxbRoXd/J12Rzla1Bkkvq2NYOwmh4kpZczGGaUK17GxlUryz7C/1
-VodpZd7pFzKmPuoCinKtO0VsQkDJ4qfKUiMSZOutDMR8eHyNxtVS6Qb5GycViLiF
-mtHiTipqv0q1HIFZVj3bpbq8Jji9pNHJWI1pwiafYEAqh1hyfGtWGkH3muMROQgL
-Qmjuoaw2x2VgPk+nnBSFwgOv4TUO/xVa95VD8HwCFjEHulpzlo8lx6k/9t5fZO6T
-kaS6NBQWIQ8hunIKMifKgi+8fFk2FTaUhgZJUP91MiUm5rwPU0y48RY3
-=l0m2
------END PGP SIGNATURE-----
diff --git a/apparmor-2.11.0.tar.gz b/apparmor-2.11.0.tar.gz
new file mode 100644
index 0000000..d2b70d2
--- /dev/null
+++ b/apparmor-2.11.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a
+size 5013297
diff --git a/apparmor-2.11.0.tar.gz.asc b/apparmor-2.11.0.tar.gz.asc
new file mode 100644
index 0000000..3aecf82
--- /dev/null
+++ b/apparmor-2.11.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQI3BAABCgAhBQJYcxbLGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
+5k49NmS7Nh4P/Rf1b8NugcYkrXBA3LMS47KF4+fig+4j4jcAsUqY+aDgj02UYcEv
+S6XpbzkTJykM0CJ2BLNHHfwUpbVrUDyfABhgh/m9aH0Y52zkteVfYt9tVNxz7OaH
+s4M977g5HPvlOIsS2EXyk1g0IZ8WJ830sZpOZIKpgwptgSJeHKiFQJsCINzOzv7z
+MKATzhnrnvb4KBwCC3MoUHhCheGvUmQlArn4+/LwCMERHxrrSYr/kl/nDxhqE7HZ
+1wdO8TdrG+R595Yc/t0OO+LOCv7TBU5K7TLiN+1wqenrEfR+9RaxpLB2N8a5+LQ0
+kphfS07ht22oWhySG14WL76FrrvN0WBcRBc6hkxgbizCwb+XLLGBUfk50MIabBPu
+GQJVnMtTEvlVdpvw0snG4RID8o7Tjv+2NsMi+67fR7dkksHO51jeQBlWeim1ZX+6
+GZPmEtWAuF0cZybnv66sfY7qokBXUaqP6Z9wYUXOVscJTK6XEmVGXinuistR1cJa
+O2e0Gji+cxBBejB7QWyHCcssXYo26rHW5kT94hcshqn0Qx1ThH+yTV+PqYiEjsNA
+R1AYgDMVCltu/UwuzHmtYo2es1W9Mcsk6htKhDLmT0ze3y+0f7Y463B8afs6RzWW
+W28mpt5/PPoFLkWstj+B00GnwO1x2rDbLoq+zvCD5WasZWa8uNV24nRg
+=aq9P
+-----END PGP SIGNATURE-----
diff --git a/apparmor-abstractions-no-multiline.diff b/apparmor-abstractions-no-multiline.diff
index 2469a54..1e6b123 100644
--- a/apparmor-abstractions-no-multiline.diff
+++ b/apparmor-abstractions-no-multiline.diff
@@ -35,11 +35,11 @@ Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), Index: profiles/apparmor.d/abstractions/dbus-session-strict =================================================================== ---- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200 -+++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200 -@@ -13,16 +13,9 @@ - /etc/machine-id r, +--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2017-01-11 21:20:01.381935015 +0100 ++++ profiles/apparmor.d/abstractions/dbus-session-strict 2017-01-11 21:20:07.641905170 +0100 +@@ -14,16 +14,9 @@ /var/lib/dbus/machine-id r, + owner /run/user/*/bus rw, - unix (connect, receive, send) - type=stream 
@@ -71,92 +71,42 @@ Index: profiles/apparmor.d/abstractions/dbus-strict - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), +Index: profiles/apparmor.d/abstractions/fcitx-strict +=================================================================== +--- profiles/apparmor.d/abstractions/fcitx-strict.orig 2017-01-11 21:44:55.726947350 +0100 ++++ profiles/apparmor.d/abstractions/fcitx-strict 2017-01-11 21:45:02.830914856 +0100 +@@ -11,11 +11,6 @@ + + #include + +- dbus send +- bus=fcitx +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} +- peer=(name=org.freedesktop.DBus), ++ dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + owner @{HOME}/.config/fcitx/dbus/* r, +Index: profiles/apparmor.d/abstractions/libpam-systemd +=================================================================== +--- profiles/apparmor.d/abstractions/libpam-systemd.orig 2017-01-11 21:47:13.814315855 +0100 ++++ profiles/apparmor.d/abstractions/libpam-systemd 2017-01-11 21:47:19.490289904 +0100 +@@ -12,8 +12,4 @@ + #include + + # libpam-systemd notifies systemd-logind about session logins/logouts +- dbus send +- bus=system +- path=/org/freedesktop/login1 +- interface=org.freedesktop.login1.Manager +- member={CreateSession,ReleaseSession}, ++ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession}, Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base =================================================================== ---- 
profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2014-10-18 13:11:18.497652337 +0200 -+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2014-10-18 13:11:31.098494805 +0200 -@@ -16,41 +16,16 @@ - #include - - # Allow connecting to session bus and where to connect to services -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=Hello -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=session -- path=/org/freedesktop/{db,DB}us -- interface=org.freedesktop.DBus -- member={Add,Remove}Match -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), - # NameHasOwner and GetNameOwner could leak running processes and apps - # depending on how services are implemented -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=GetNameOwner -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=NameHasOwner -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), - - # Allow starting services on the session bus (actual communications with - # the service are mediated elsewhere) -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=StartServiceByName -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName 
peer=(name=org.freedesktop.DBus), - - # Allow connecting to system bus and where to connect to services. Put these - # here so we don't need to repeat these rules in multiple places (actual -@@ -58,108 +36,47 @@ - # allow apps to brute-force enumerate system services, but our system - # services aren't a secret. - /{,var/}run/dbus/system_bus_socket rw, -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=Hello -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=system -- path=/org/freedesktop/{db,DB}us -- interface=org.freedesktop.DBus -- member={Add,Remove}Match -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), - # NameHasOwner and GetNameOwner could leak running processes and apps - # depending on how services are implemented -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=GetNameOwner -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=NameHasOwner -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), - +--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2017-01-11 21:20:07.641905170 +0100 ++++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2017-01-11 21:20:52.197692834 +0100 +@@ -21,78 +21,37 @@ # # Access required for connecting to/communication with Unity HUD # 
@@ -282,7 +232,7 @@ Index: profiles/apparmor.d/abstractions/gnome =================================================================== --- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200 +++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200 -@@ -91,6 +91,4 @@ +@@ -93,6 +93,4 @@ # Allow connecting to the GNOME vfs socket (still need corresponding DBus # rules) diff --git a/apparmor-samba-include-permissions-for-shares.diff b/apparmor-samba-include-permissions-for-shares.diff index ba34685..ed492b9 100644 --- a/apparmor-samba-include-permissions-for-shares.diff +++ b/apparmor-samba-include-permissions-for-shares.diff @@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -47,6 +47,10 @@ +@@ -53,6 +53,10 @@ @{HOMEDIRS}/** lrwk, diff --git a/apparmor.changes b/apparmor.changes index 65cbd2d..a8e780d 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Fri Jan 27 20:08:03 UTC 2017 - suse-beta@cboltz.de + +- update to AppArmor 2.11.0 + - apparmor_parser now supports parallel compiles and loads + - add full support for dbus, ptrace and signal rules and events to the + utils + - full rewrite of the file rule handling in the utils + - lots of improvements and fixes + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the + detailed changelog +- patches: + - add sshd-profile-drop-local-include-r3615.diff to fix 'make check' + - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed + - refresh apparmor-abstractions-no-multiline.diff + - refresh apparmor-samba-include-permissions-for-shares.diff +- spec changes: + - aa-unconfined switched to using ss (from iproute2), adjust Recommends: + - move libapparmor to /usr/lib*/ + - drop %if %suse_version checks for 12.x + - change several Obsoletes from %version to < 2.9. Those package names + weren't used since years, and 2.9 is still a careful choice + - include apparmor.service independent of %suse_version + - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires + - drop latex2html, texlive-* and w3m BuildRequires + - techdoc.txt and techdoc.html not included, drop them from the package + - run most of utils/ make check (some tests expect /etc/apparmor.d/ and + /sbin/apparmor_parser to exist, skip them) + - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests) + - drop sed'ing python3 into aa-* shebang (upstreamed) + - build binutils + - aa-exec is now written in C and lives in /usr/bin/, move it to the + apparmor_parser package and create a compability symlink in /usr/sbin/ + - aa-exec manpage moved to section 1 + - aa-enabled is a small new tool to find out if AppArmor is enabled + - package new aa_stack_profile(2) manpage + ------------------------------------------------------------------- Tue Jan 24 13:40:30 UTC 2017 
- suse-beta@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 6e54282..9fb2d45 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -24,23 +24,9 @@ %bcond_without pam %bcond_without apache %bcond_without perl -%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210 - # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch - %bcond_with python - %bcond_with python3 - %bcond_with ruby -%else -%if 0%{?suse_version} == 1220 - # swig for python3 is broken on 12.2 - probably http://sourceforge.net/p/swig/bugs/1257/ - build python2 bindings instead - %bcond_without python - %bcond_with python3 - %bcond_without ruby -%else - %bcond_with python - %bcond_without python3 - %bcond_without ruby -%endif -%endif +%bcond_with python +%bcond_without python3 +%bcond_without ruby %define CATALINA_HOME /usr/share/tomcat6 #define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/ @@ -60,11 +46,12 @@ Name: apparmor %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.10.2 +Version: 2.11.0 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security +Url: https://launchpad.net/apparmor Source0: apparmor-%{version}.tar.gz Source1: apparmor-%{version}.tar.gz.asc Source2: %{name}.keyring @@ -82,9 +69,6 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. Patch3: apparmor-utils-string-split -# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380) -Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff - # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de Patch5: ruby-2_0-mkmf-destdir.patch 
@@ -95,7 +79,9 @@ Patch6: apparmor-abstractions-no-multiline.diff # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -Url: https://launchpad.net/apparmor +# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615) +Patch8: sshd-profile-drop-local-include-r3615.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{distro} == "suse" @@ -104,19 +90,14 @@ PreReq: aaa_base %endif %define apparmor_bin_prefix /lib/apparmor BuildRequires: bison +BuildRequires: dejagnu BuildRequires: flex BuildRequires: gcc-c++ -BuildRequires: latex2html BuildRequires: pcre-devel BuildRequires: pkg-config BuildRequires: python +BuildRequires: python3-pyflakes BuildRequires: perl(Locale::gettext) -%if 0%{?suse_version} > 1220 -BuildRequires: texlive-amsfonts -BuildRequires: texlive-cm-super -%endif -BuildRequires: texlive-latex -BuildRequires: w3m BuildRequires: swig @@ -149,12 +130,12 @@ BuildRequires: tomcat6 Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security -Obsoletes: libimnxcert < %{version} -Obsoletes: subdomain-leaf-cert < %{version} -Obsoletes: subdomain-parser < %{version} -Obsoletes: subdomain-parser-common < %{version} -Obsoletes: subdomain-parser-demo < %{version} -Obsoletes: subdomain_parser < %{version} +Obsoletes: libimnxcert < 2.9 +Obsoletes: subdomain-leaf-cert < 2.9 +Obsoletes: subdomain-parser < 2.9 +Obsoletes: subdomain-parser-common < 2.9 +Obsoletes: subdomain-parser-demo < 2.9 +Obsoletes: subdomain_parser < 2.9 Provides: libimnxcert = %{version} Provides: subdomain-leaf-cert = %{version} Provides: subdomain-parser = %{version} 
@@ -166,10 +147,8 @@ Provides: apparmor-parser(CAP_SYSLOG) # initscript needs /lib/lsb/init-functions from insserv/insserv-compat Requires: insserv -%if 0%{?suse_version} > 1320 BuildRequires: systemd-rpm-macros %{?systemd_requires} -%endif %description parser The AppArmor Parser is a userlevel program that is used to load in @@ -214,13 +193,11 @@ Summary: Utility library for AppArmor License: LGPL-2.1+ Group: Development/Libraries/C and C++ %ifarch ppc64 -Obsoletes: libapparmor-64bit < %{version} +Obsoletes: libapparmor-64bit < 2.9 Provides: libapparmor-64bit = %{version} %endif Provides: libapparmor = %{version} -#Provides: libimmunix = %{version} -Obsoletes: libapparmor < %{version} -#Obsoletes: libimmunix < %{version} +Obsoletes: libapparmor < 2.9 %description -n libapparmor1 This package provides the libapparmor library, which contains the @@ -338,7 +315,7 @@ License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: apparmor-abstractions >= %{version} Requires: apparmor-parser(CAP_SYSLOG) -Obsoletes: subdomain-profiles < %{version} +Obsoletes: subdomain-profiles < 2.9 Provides: subdomain-profiles = %{version} BuildArch: noarch @@ -356,7 +333,7 @@ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profi License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: libapparmor1 = %{version} -# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify) +# some of the tools are still perl-based (aa-decode and aa-notify) Requires: perl = %{perl_version} Requires: perl-apparmor = %{version} %if %{with python3} @@ -366,12 +343,8 @@ Requires: python3-base Requires: python-apparmor = %{version} Requires: python-base %endif -# aa-unconfined needs netstat -%if 0%{?suse_version} > 1320 -Recommends: net-tools-deprecated -%else -Recommends: net-tools -%endif +# aa-unconfined needs ss +Recommends: iproute2 # aa-notify -p needs notify-send Recommends: libnotify-tools BuildArch: noarch 
@@ -435,27 +408,19 @@ SubDomain. %patch1 -p1 %patch2 %patch3 -p1 -%patch4 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR) -%if 0%{?suse_version} > 1230 %patch5 -p1 -%endif %patch6 %patch7 -p1 +%patch8 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" %build -echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 - export SUSE_ASNEEDED=0 -# re-define _libdir to /lib or /lib64 -%define _libdir /%{_lib} - -echo new _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 %if %{with python3} export PYTHON=/usr/bin/python3 @@ -485,6 +450,9 @@ export PYTHON=/usr/bin/python3 # Utilities: make -C utils +# binutils +make -C binutils + # deprecated/utils (perl modules still needed by YaST) %if %{with perl} make -C deprecated/utils @@ -492,8 +460,6 @@ make -C deprecated/utils # parser: make -C parser V=1 -# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough -make -C parser V=1 techdoc.txt # Apache mod_apparmor: %if %{with apache} @@ -508,8 +474,6 @@ make -C parser V=1 techdoc.txt # Profiles: make -C profiles -##configure --disable-static --with-pic \ -#--with-perl \ %if %{with tomcat} make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} %endif 
@@ -522,11 +486,24 @@ export PYTHON_VERSIONS=python3 make check -C libraries/libapparmor make check -C parser +make check -C binutils + # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks # also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory) (cd profiles && make check-parser) -# utils make check fails if profiles don't exist in /etc/apparmor.d/ -# make check -C utils + +# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist +# (aa.py doesn't allow to inject in-tree paths early enough) +rm -v utils/test/test-aa.py +rm -v utils/test/test-aa-easyprof.py +rm -v utils/test/test-libapparmor-test_multi.py +rm -v utils/test/test-mount_parse.py +rm -v utils/test/test-parser-simple-tests.py +rm -v utils/test/test-pivot_root_parse.py +rm -v utils/test/test-regex_matches.py +rm -v utils/test/test-unix_parse.py + +make check -C utils %install @@ -535,8 +512,7 @@ export PYTHON=/usr/bin/python3 %endif # libapparmor -# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0 -%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/ +%makeinstall -C libraries/libapparmor # create symlink for old change_hat(2) manpage ( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) 
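Review bot: The eight `rm -v utils/test/test-*.py` lines before `make check -C utils` drop test modules under one blanket reason, but the comment only explains the files that go through aa.py's hard-coded /etc/apparmor.d and /sbin/apparmor_parser paths, while the dependency of e.g. test-regex_matches.py or test-parser-simple-tests.py on those paths is not evident from this hunk; a short reason per file or per group would let the next version bump re-enable what upstream has since fixed instead of carrying the list forward unchanged. The lack of `-f` is worth keeping and saying so, e.g. `# no -f on purpose: fail loudly if upstream renames a test so this skip list gets re-checked`. Judging by their names these appear to be the tests that exercise policy parsing in the utils, so the skip list is lost assurance for the security tooling rather than ordinary test churn, which argues for a tracking bug reference next to it.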
@@ -544,12 +520,10 @@ export PYTHON=/usr/bin/python3 %makeinstall -C utils test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568 mkdir -p %{buildroot}%{_localstatedir}/log/apparmor -%if %{with python3} - # enforce usage of python3 - for file in %{buildroot}/%{_sbindir}/aa-* ; do - sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file" - done -%endif + +# binutils +%makeinstall -C binutils +( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec ) # deprecated/utils (perl modules still needed by YaST) %if %{with perl} @@ -569,7 +543,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache %endif %if %{with pam} - %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security + %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}/%{_lib}/security %endif %if %{with tomcat} @@ -577,8 +551,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME} %endif -find %{buildroot} -name .packlist -exec rm -f {} \; -find %{buildroot} -name perllocal.pod -exec rm -f {} \; +find %{buildroot} -name .packlist -exec rm -vf {} \; +find %{buildroot} -name perllocal.pod -exec rm -vf {} \; # Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm]. # Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix 
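Review bot: The link created on the new side is `%{_sbindir}/exec -> %{_bindir}/aa-exec`; nothing in this commit creates `%{_sbindir}/aa-exec`, so any script or unit that hard-codes the 2.10 location /usr/sbin/aa-exec stops working after the update even though the changelog promises a compatibility symlink in /usr/sbin/. The rename loop later in %install only iterates `%{_prefix}/{sbin,share/man/man[0-9]}/aa-*`, so its remaining `exec |` case entry no longer matches anything in sbin and will not create that link either. If the old path is meant to keep working, add the prefixed link next to the unprefixed one, `( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec aa-exec && ln -s %{_bindir}/aa-exec exec )`, and list both in the package that now owns aa-exec. No `%files` entry for `%{_sbindir}/exec` is visible in the diff, so presumably a glob in another subpackage picks it up; worth confirming the owning package is the one that ships the binary, otherwise the link can dangle when the two are installed separately.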
@@ -587,7 +561,7 @@ for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do f=$(basename $file) case "${f#aa-}" in audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \ - audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) + audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) if [ "${f#aa-}" != "$f" ]; then ln -s $f $d/${f#aa-} fi @@ -599,16 +573,14 @@ mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8} mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8} rm -f %{buildroot}%{_mandir}/man8/decode.8 -for pkg in apparmor-utils apparmor-parser; do +for pkg in apparmor-utils apparmor-parser aa-binutils; do %find_lang $pkg done # remove *.la files -rm -fv %{buildroot}%{_libdir}/libapparmor.la +rm -fv %{buildroot}%{_libdir}/libapparmor.la -%if 0%{?suse_version} > 1320 install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service -%endif echo ------------------------------------------------------------------- #find -ls @@ -621,7 +593,7 @@ echo ------------------------------------------------------------------- %doc parser/*.[1-9].html %doc utils/vim/apparmor.vim.5.html %doc common/apparmor.css -%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt +%doc parser/techdoc.pdf # apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file %dir %{_datadir}/apparmor %{_datadir}/apparmor/apparmor.vim 
@@ -630,6 +602,8 @@ echo ------------------------------------------------------------------- %defattr(-,root,root) %doc parser/README parser/COPYING.GPL /sbin/apparmor_parser +%{_bindir}/aa-enabled +%{_bindir}/aa-exec %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache @@ -640,14 +614,15 @@ echo ------------------------------------------------------------------- %else %{_sysconfdir}/init.d/apparmor %endif -%if 0%{?suse_version} > 1320 %{_unitdir}/apparmor.service -%endif %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf %{_localstatedir}/lib/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions +%doc %{_mandir}/man1/aa-enabled.1.gz +%doc %{_mandir}/man1/aa-exec.1.gz +%doc %{_mandir}/man1/exec.1.gz %doc %{_mandir}/man5/apparmor.d.5.gz %doc %{_mandir}/man5/apparmor.vim.5.gz %doc %{_mandir}/man5/subdomain.conf.5.gz @@ -658,11 +633,10 @@ echo ------------------------------------------------------------------- if [ -f %{_sysconfdir}/init.d/subdomain ] ; then chkconfig --del subdomain fi -%if 0%{?suse_version} > 1320 %service_add_pre apparmor.service -%endif -%files parser-lang -f apparmor-parser.lang +%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang +%defattr(-,root,root) %files -n libapparmor1 %defattr(-,root,root) @@ -672,8 +646,10 @@ fi %defattr(-,root,root) %{_libdir}/libapparmor.a %{_libdir}/libapparmor.so -/usr/%{_lib}/pkgconfig/libapparmor.pc +%{_libdir}/pkgconfig/libapparmor.pc %doc %{_mandir}/man2/aa_change_hat.2.gz +%doc %{_mandir}/man2/aa_change_profile.2.gz +%doc %{_mandir}/man2/aa_stack_profile.2.gz %doc %{_mandir}/man2/change_hat.2.gz %doc %{_mandir}/man2/aa_find_mountpoint.2.gz %doc %{_mandir}/man2/aa_getcon.2.gz 
@@ -732,7 +708,6 @@ fi %dir %{_datadir}/apparmor %{_datadir}/apparmor/easyprof/ %dir %{_localstatedir}/log/apparmor -%doc %{_mandir}/man2/aa_change_profile.2.gz %doc %{_mandir}/man5/logprof.conf.5.gz %doc %{_mandir}/man8/apparmor_notify.8.gz %doc %{_mandir}/man8/aa-*.gz @@ -743,7 +718,6 @@ fi %doc %{_mandir}/man8/disable.8.gz %doc %{_mandir}/man8/easyprof.8.gz %doc %{_mandir}/man8/enforce.8.gz -%doc %{_mandir}/man8/exec.8.gz %doc %{_mandir}/man8/genprof.8.gz %doc %{_mandir}/man8/logprof.8.gz %doc %{_mandir}/man8/unconfined.8.gz @@ -800,7 +774,7 @@ fi %files -n pam_apparmor %defattr(444,root,root,755) -%attr(555,root,root) %{_libdir}/security/pam_apparmor.so +%attr(555,root,root) /%{_lib}/security/pam_apparmor.so %endif %if %{with tomcat} @@ -853,9 +827,7 @@ fi fi %endif -%if 0%{?suse_version} > 1320 %service_add_post apparmor.service -%endif %preun parser if [ "$1" = 0 ] ; then @@ -867,9 +839,7 @@ if [ "$1" = 0 ] ; then %endif fi -%if 0%{?suse_version} > 1320 %service_del_preun apparmor.service -%endif %postun parser %if %{distro} == "suse" @@ -885,11 +855,9 @@ fi %{insserv_cleanup} || true %endif -%if 0%{?suse_version} > 1320 # don't call try-restart, see bnc#853019 export DISABLE_RESTART_ON_UPDATE="yes" %service_del_postun apparmor.service -%endif %post abstractions %if %{distro} == "suse" diff --git a/sshd-profile-drop-local-include-r3615.diff b/sshd-profile-drop-local-include-r3615.diff new file mode 100644 index 0000000..bab6aca --- /dev/null +++ b/sshd-profile-drop-local-include-r3615.diff 
@@ -0,0 +1,30 @@ +------------------------------------------------------------ +revno: 3615 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-12 22:01:11 +0100 +message: + sshd profile: drop local/ include + + The local/ include in the sshd profile in extras causes some trouble: + - it breaks "make check" because the parser can't find the local/ file + - it results in a broken profile if someone uses this profile as + starting point, but doesn't notice it needs the local include + + + Acked-by: Steve Beattie + + +=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd' +--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-07 19:00:06 +0000 ++++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2017-01-12 21:01:11 +0000 +@@ -140,5 +140,5 @@ + /usr/lib/openssh/sftp-server PUx, + + # Site-specific additions and overrides. See local/README for details. +- #include ++ ## include + } + + +vim:ft=diff From 8c83a952f734d47b31e1a8cb3ad668925f97f2639354edf89cd3582913824bd8 Mon Sep 17 00:00:00 2001 
From: Christian Boltz Date: Mon, 30 Jan 2017 22:53:15 +0000 Subject: [PATCH 2/2] Accepting request 453533 from home:cboltz - add upstream-changes-r3616..3628.diff: - update abstractions/base, abstractions/apache2-common and dovecot profiles - merge ask_the_questions() of aa-logprof and aa-mergeprof - pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor - adjust deleting the cache in profiles %post to the new cache location - silence errors when deleting the cache (boo#976914) - split libapparmor into separate spec to get rid of build loop involving mariadb, systemd, apparmor, libapr and mariadb again (see the discussion in SR 448871 for details) - libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but with minimum BuildRequires OBS-URL: https://build.opensuse.org/request/show/453533 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=166 --- apparmor.changes | 17 + apparmor.spec | 68 +- libapparmor.changes | 11 + libapparmor.spec | 122 ++++ upstream-changes-r3616..3628.diff | 1101 +++++++++++++++++++++++++++++ 5 files changed, 1258 insertions(+), 61 deletions(-) create mode 100644 libapparmor.changes create mode 100644 libapparmor.spec create mode 100644 upstream-changes-r3616..3628.diff diff --git a/apparmor.changes b/apparmor.changes index a8e780d..522a739 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Jan 30 21:37:48 UTC 2017 - suse-beta@cboltz.de + +- add upstream-changes-r3616..3628.diff: + - update abstractions/base, abstractions/apache2-common and dovecot profiles + - merge ask_the_questions() of aa-logprof and aa-mergeprof + - pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor +- adjust deleting the cache in profiles %post to the new cache location +- silence errors when deleting the cache (boo#976914) + +------------------------------------------------------------------- +Sat Jan 28 21:40:11 UTC 2017 - suse-beta@cboltz.de + +- split libapparmor into separate spec to get rid of build loop + involving mariadb, systemd, apparmor, libapr and mariadb again + (see the discussion in SR 448871 for details) + ------------------------------------------------------------------- Fri Jan 27 20:08:03 UTC 2017 - suse-beta@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 9fb2d45..3a9d8d5 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -82,6 +82,9 @@ Patch7: apparmor-lessopen-profile.patch # drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615) Patch8: sshd-profile-drop-local-include-r3615.diff +# upstream changes (trunk r3616..3628) +Patch9: upstream-changes-r3616..3628.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{distro} == "suse" 
@@ -188,33 +191,6 @@ The documentation is in the apparmor-admin_en package. %endif -%package -n libapparmor1 -Summary: Utility library for AppArmor -License: LGPL-2.1+ -Group: Development/Libraries/C and C++ -%ifarch ppc64 -Obsoletes: libapparmor-64bit < 2.9 -Provides: libapparmor-64bit = %{version} -%endif -Provides: libapparmor = %{version} -Obsoletes: libapparmor < 2.9 - -%description -n libapparmor1 -This package provides the libapparmor library, which contains the -change_hat(2) symbol, used for sub-process confinement by AppArmor, as -well as functions to parse AppArmor log messages. - -%package -n libapparmor-devel -Summary: Development headers and libraries for libapparmor -License: LGPL-2.1+ -Group: Development/Libraries/C and C++ -Requires: libapparmor1 = %{version} -Provides: libapparmor:/usr/include/sys/apparmor.h - -%description -n libapparmor-devel -These libraries are needed for developing software that makes use of the -AppArmor API. - %if %{with perl} %package -n perl-apparmor @@ -415,6 +391,7 @@ SubDomain. %patch6 %patch7 -p1 %patch8 +%patch9 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" @@ -511,10 +488,8 @@ make check -C utils export PYTHON=/usr/bin/python3 %endif -# libapparmor -%makeinstall -C libraries/libapparmor -# create symlink for old change_hat(2) manpage -( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) +# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec +%makeinstall -C libraries/libapparmor/swig # utilities %makeinstall -C utils 
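Review bot: The `%install` hunk (`@@ -511,10 +488,8 @@`) now installs only `libraries/libapparmor/swig`, but the perl binding's `Makefile.PL.in` (visible further down in the bundled upstream diff) links with `-L@top_builddir@/src/.libs/ -lapparmor`, i.e. against the in-tree library rather than the one that libapparmor.spec now ships. Whether `%build` (outside this hunk) still compiles `libraries/libapparmor` in full, and whether the resulting bindings end up bound to the in-tree `.so` or to the system `libapparmor1`, should be confirmed; a version skew between bindings and library would otherwise be silent. If the bindings are meant to use the system library, expressing that as `BuildRequires: libapparmor-devel = %{version}` (the package name libapparmor.spec defines) pins it; either way a comment on the new `%makeinstall` line naming the intended link target would make the choice explicit.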
@@ -638,31 +613,6 @@ fi %files parser-lang -f apparmor-parser.lang -f aa-binutils.lang %defattr(-,root,root) -%files -n libapparmor1 -%defattr(-,root,root) -%{_libdir}/libapparmor.so.* - -%files -n libapparmor-devel -%defattr(-,root,root) -%{_libdir}/libapparmor.a -%{_libdir}/libapparmor.so -%{_libdir}/pkgconfig/libapparmor.pc -%doc %{_mandir}/man2/aa_change_hat.2.gz -%doc %{_mandir}/man2/aa_change_profile.2.gz -%doc %{_mandir}/man2/aa_stack_profile.2.gz -%doc %{_mandir}/man2/change_hat.2.gz -%doc %{_mandir}/man2/aa_find_mountpoint.2.gz -%doc %{_mandir}/man2/aa_getcon.2.gz -%doc %{_mandir}/man2/aa_query_label.2.gz -%doc %{_mandir}/man3/aa_features.3.gz -%doc %{_mandir}/man3/aa_kernel_interface.3.gz -%doc %{_mandir}/man3/aa_policy_cache.3.gz -%doc %{_mandir}/man3/aa_splitcon.3.gz -%dir %{_includedir}/aalogparse -%{_includedir}/sys/apparmor.h -%{_includedir}/sys/apparmor_private.h -%{_includedir}/aalogparse/* - %files abstractions %defattr(644,root,root,755) %dir %{_sysconfdir}/apparmor.d/ @@ -875,7 +825,7 @@ export DISABLE_RESTART_ON_UPDATE="yes" %post profiles %if %{distro} == "suse" # workaround for bnc#904620#c8 / lp#1392042 - rm -f /var/cache/apparmor/* + rm -f /var/lib/apparmor/cache/* 2>/dev/null #restart_on_update boot.apparmor - but non-broken (bnc#853019) # (copy&paste from parser postun script) test -n "$FIRST_ARG" || FIRST_ARG=$1 @@ -887,10 +837,6 @@ export DISABLE_RESTART_ON_UPDATE="yes" fi %endif -%post -n libapparmor1 -p /sbin/ldconfig - -%postun -n libapparmor1 -p /sbin/ldconfig - %if %{with tomcat} %post -n tomcat_apparmor -p /sbin/ldconfig diff --git a/libapparmor.changes b/libapparmor.changes new file mode 100644 index 0000000..30f7b23 --- /dev/null +++ b/libapparmor.changes 
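Review bot: The `%post profiles` hunk (`@@ -875,7 +825,7 @@`) hard-codes `/var/lib/apparmor/cache/*` while the spec refers to the same tree elsewhere as `%{_localstatedir}/lib/apparmor`; `rm -f %{_localstatedir}/lib/apparmor/cache/* 2>/dev/null` keeps the two in step. The glob is non-recursive, so if the parser keeps its cache in per-feature-set subdirectories under that path, stale entries would survive this cleanup — worth checking against the `cache-loc` setting in `parser.conf` before relying on it, especially since `2>/dev/null` now also hides the case where the directory does not exist at all. The scriptlet continues outside the hunk.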
@@ -0,0 +1,11 @@
+-------------------------------------------------------------------
+Sat Jan 28 21:40:11 UTC 2017 - suse-beta@cboltz.de
+
+- split libapparmor into separate spec to get rid of build loop
+ involving mariadb, systemd, apparmor, libapr and mariadb again
+ (see the discussion in SR 448871 for details)
+- libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but
+ with minimum BuildRequires
+
+
+
diff --git a/libapparmor.spec b/libapparmor.spec
new file mode 100644
index 0000000..79179a2
--- /dev/null
+++ b/libapparmor.spec
@@ -0,0 +1,122 @@ +# +# spec file for package libapparmor +# +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2011-2017 Christian Boltz +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + + +Name: libapparmor +Version: 2.11.0 +Release: 0 +Summary: Utility library for AppArmor +License: LGPL-2.1+ +Group: Development/Libraries/C and C++ +Url: https://launchpad.net/apparmor +Source0: apparmor-%{version}.tar.gz +Source1: apparmor-%{version}.tar.gz.asc +BuildRequires: bison +BuildRequires: dejagnu +BuildRequires: flex +BuildRequires: pkg-config +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +This package provides the libapparmor library, which contains the +change_hat(2) symbol, used for sub-process confinement by AppArmor, as +well as functions to parse AppArmor log messages. + + +%package -n libapparmor1 +Summary: Utility library for AppArmor +Group: Development/Libraries/C and C++ +%ifarch ppc64 +Obsoletes: libapparmor-64bit < 2.9 +Provides: libapparmor-64bit = %{version} +%endif +Provides: libapparmor = %{version} +Obsoletes: libapparmor < 2.9 + +%description -n libapparmor1 +This package provides the libapparmor library, which contains the +change_hat(2) symbol, used for sub-process confinement by AppArmor, as +well as functions to parse AppArmor log messages. 
+ +%package -n libapparmor-devel +Summary: Development headers and libraries for libapparmor +Group: Development/Libraries/C and C++ +Requires: libapparmor1 = %{version} +Provides: libapparmor:/usr/include/sys/apparmor.h + +%description -n libapparmor-devel +These libraries are needed for developing software that makes use of the +AppArmor API. + + + +%prep +%setup -q -n apparmor-%{version} + +%build +( + cd ./libraries/libapparmor + %configure \ + --without-perl \ + --without-python \ + --without-ruby \ + + make +) + +%check +make check -C libraries/libapparmor + +%install +%makeinstall -C libraries/libapparmor +# create symlink for old change_hat(2) manpage +( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) + +# remove *.la files +rm -fv %{buildroot}%{_libdir}/libapparmor.la + +%post -n libapparmor1 -p /sbin/ldconfig + +%postun -n libapparmor1 -p /sbin/ldconfig + +%files -n libapparmor1 +%defattr(-,root,root) +%{_libdir}/libapparmor.so.* + +%files -n libapparmor-devel +%defattr(-,root,root) +%{_libdir}/libapparmor.a +%{_libdir}/libapparmor.so +%{_libdir}/pkgconfig/libapparmor.pc +%doc %{_mandir}/man2/aa_change_hat.2.gz +%doc %{_mandir}/man2/aa_change_profile.2.gz +%doc %{_mandir}/man2/aa_stack_profile.2.gz +%doc %{_mandir}/man2/change_hat.2.gz +%doc %{_mandir}/man2/aa_find_mountpoint.2.gz +%doc %{_mandir}/man2/aa_getcon.2.gz +%doc %{_mandir}/man2/aa_query_label.2.gz +%doc %{_mandir}/man3/aa_features.3.gz +%doc %{_mandir}/man3/aa_kernel_interface.3.gz +%doc %{_mandir}/man3/aa_policy_cache.3.gz +%doc %{_mandir}/man3/aa_splitcon.3.gz +%dir %{_includedir}/aalogparse +%{_includedir}/sys/apparmor.h +%{_includedir}/sys/apparmor_private.h +%{_includedir}/aalogparse/* + +%changelog diff --git a/upstream-changes-r3616..3628.diff b/upstream-changes-r3616..3628.diff new file mode 100644 index 0000000..49bdc33 --- /dev/null +++ b/upstream-changes-r3616..3628.diff 
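Review bot: In the `%build` section the `%configure` call ends with `--without-ruby \` followed by an empty line, so the continuation swallows the blank line and the command only terminates because the next non-empty line happens to be `make`; anything later placed on that blank line silently becomes a configure argument. Drop the trailing backslash so the last argument reads `--without-ruby`. Separately, `Source1` ships the detached `.asc` signature but no keyring is listed; if the signature is meant to be verified at build time, the openSUSE source validator needs a matching keyring source (typically `%{name}.keyring`) next to it, otherwise the `.asc` is an inert file and the tarball is not actually checked.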
@@ -0,0 +1,1101 @@ +------------------------------------------------------------ +revno: 3628 +committer: Christian Boltz +branch nick: apparmor +timestamp: Mon 2017-01-30 20:43:47 +0100 +message: + Dovecot profile: change Px to mrPx for /usr/lib/dovecot/* + + Some of the /usr/lib/dovecot/* rules already have mrPx permissions, + while others don't. + + With a more recent kernel, I noticed that at least auth, config, dict, + lmtp, pop3 and ssl-params need mrPx instead of just Px (confirmed by the + audit.log and actual breakage caused by the missing mr permissions). + + The mr additions for anvil, log and managesieve are just a wild guess, + but I would be very surprised if they don't need mr. + + + Acked-by: Seth Arnold for trunk, 2.10 and 2.9. +------------------------------------------------------------ +revno: 3627 +fixes bug: https://launchpad.net/bugs/1512131 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-26 21:41:38 +0100 +message: + Dovecot profile update + + Add several permissions to the dovecot profiles that are needed on ubuntu + (surprisingly not on openSUSE, maybe it depends on the dovecot config?) + + As discussed some weeks ago, the added permissions use only /run/ + instead of /{var/,}run/ (which is hopefully superfluous nowadays). + + + References: https://bugs.launchpad.net/apparmor/+bug/1512131 + + + Acked-by: Seth Arnold for trunk, 2.10 and 2.9. 
+------------------------------------------------------------ +revno: 3626 +fixes bug: https://launchpad.net/bugs/1658239 +author: Kees Cook +committer: Seth Arnold +branch nick: apparmor +timestamp: Fri 2017-01-20 17:01:50 -0800 +message: + glibc uses /proc/*/auxv and /proc/*/status files, too + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3625 +fixes bug: https://launchpad.net/bugs/1658238 +author: Kees Cook +committer: Seth Arnold +branch nick: apparmor +timestamp: Fri 2017-01-20 16:58:46 -0800 +message: + Apache2 profile updates for proper signal handling, optional saslauth, + and OCSP stapling + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3624 +committer: Christian Boltz +branch nick: apparmor +timestamp: Fri 2017-01-20 01:20:41 +0100 +message: + Drop unused global variables in aa.py + + Grepping through the code shows that running_under_genprof, + unimplemented_warning, ALL, t, seen and skip are unused, so drop them. + + + Acked-by: Steve Beattie + + + Also drop a '# t = hasher()" comment, as noticed by Steve. +------------------------------------------------------------ +revno: 3623 +author: Kees Cook +committer: Tyler Hicks +branch nick: apparmor +timestamp: Thu 2017-01-19 23:04:34 +0000 +message: + pass LDFLAGS fully into build + + Acked-by: John Johansen + 
Signed-off-by: Tyler Hicks +------------------------------------------------------------ +revno: 3622 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-19 16:54:47 +0100 +message: + [7/7] Drop most of aa-mergeprof ask_the_questions() + + Replace most of aa-mergeprof ask_merge_questions() with a call to + aa.py ask_the_questions() (which is, besides some small exceptions that + are not relevant for aa-mergeprof, in sync with the dropped code). + + The remaining part gets renamed to ask_merge_questions() to avoid + confusion with the function name in aa.py. Also drop the (now + superfluous) parameter. + + aa.py ask_the_questions() needs to allow 'merge' as aamode. + While on it, replace the fatal_error() call for unknown aamode with + raising an AppArmorBug. + + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3621 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-19 16:52:38 +0100 +message: + [6/7] make log_dict a parameter of ask_the_questions() + + This allows to hand over any source instead of using the global variable. + + Now that the function expects its input as parameter, get rid of the + global log_dict, which means + - change collapse_log() to initialize log_dict as local variable and + return it + - change do_logprof_pass() to catch collapse_log()'s return value and + hand it over to ask_the_questions() + - drop all references to the global log_dict variable + - update test-libapparmor-test_multi to follow the changes + + Also fix an if condition that would fail if aa[profile][hat] does not + exist - get() defaults to None if the requested item doesn't exist, and + None.get('file') will raise an Exception. 
+ + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3620 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-19 16:48:44 +0100 +message: + [5/7] move ask_conflict_mode() to aa.py + + The function is an exact copy of the code in aa-mergeprof (except + removing the 'self' function parameter and changing the whitespace + level) + + Also add a ask_conflict_mode() call to aa.py ask_the_questions(). + This is needed for aa-mergeprof, and won't hurt in aa-logprof mode + because handle_children() already handles all exec events. + + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3619 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-19 16:47:35 +0100 +message: + [4/7] Copy code to ask for adding hats to aa.py ask_the_questions() + + Everything below "if aamode == 'merge':" is an exact copy of the code in + aa-mergeprof (with whitespace changed). + + aa-logprof and aa-mergeprof will continue to ignore events from unknown + hats and subprofiles. + + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3618 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-19 16:47:05 +0100 +message: + [3/7] Copy code to ask for adding includes to aa.py ask_the_questions() + + This is an exact copy of the code in aa-mergeprof (with whitespace changed). + + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3617 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-19 16:46:23 +0100 +message: + [2/7] replace other.aa with log_dict['merge'] + + Set log_dict['merge'] = other.aa and aamode = 'merge', and use + log_dict[aamode] everywhere. + + This brings aa-mergeprof ask_the_questions() closer to the code in aa.py. 
+ + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3616 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-19 16:45:29 +0100 +message: + [1/7] drop traces of 3-way-merge in aa-mergeprof + + 3-way-merge was never really implemented. + + This patch drops all traces of it to make the code more readable and + easier to maintain. + + + Acked-by: Seth Arnold + + +=== modified file 'changehat/pam_apparmor/Makefile' +--- changehat/pam_apparmor/Makefile 2016-12-10 18:25:31 +0000 ++++ changehat/pam_apparmor/Makefile 2017-01-19 23:04:34 +0000 +@@ -55,7 +55,7 @@ + AA_LDLIBS = -lapparmor + endif + EXTRA_CFLAGS=$(CFLAGS) $(CPPFLAGS) -fPIC -shared -Wall $(LIBAPPARMOR_INCLUDE) +-LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS) ++LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS) $(LDFLAGS) + LIBS=-lpam $(AA_LDLIBS) + OBJECTS=${NAME}.o get_options.o + + +=== modified file 'libraries/libapparmor/swig/perl/Makefile.PL.in' +--- libraries/libapparmor/swig/perl/Makefile.PL.in 2014-01-06 22:08:55 +0000 ++++ libraries/libapparmor/swig/perl/Makefile.PL.in 2017-01-19 23:04:34 +0000 +@@ -13,5 +13,6 @@ + 'INC' => q[@CPPFLAGS@ -I@top_srcdir@/include @CFLAGS@], + 'LIBS' => q[-L@top_builddir@/src/.libs/ -lapparmor @LIBS@], + 'OBJECT' => 'libapparmor_wrap.o', # $(OBJ_EXT) ++ 'dynamic_lib' => { 'OTHERLDFLAGS' => q[@LDFLAGS@], }, + ) ; + + +=== modified file 'parser/Makefile' +--- parser/Makefile 2016-12-10 18:25:31 +0000 ++++ parser/Makefile 2017-01-19 23:04:34 +0000 +@@ -86,7 +86,7 @@ + AAREDIR= libapparmor_re + AAREOBJECT = ${AAREDIR}/libapparmor_re.a + AAREOBJECTS = $(AAREOBJECT) +-AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. ++AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. 
$(LDFLAGS) + AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread + + ifdef USE_SYSTEM + +=== modified file 'profiles/apparmor.d/abstractions/apache2-common' +--- profiles/apparmor.d/abstractions/apache2-common 2014-06-24 18:06:06 +0000 ++++ profiles/apparmor.d/abstractions/apache2-common 2017-01-21 00:58:46 +0000 +@@ -8,6 +8,8 @@ + signal (receive) peer=unconfined, + # Allow apache to send us signals by default + signal (receive) peer=/usr/sbin/apache2, ++ # Allow other hats to signal by default ++ signal peer=/usr/sbin/apache2//*, + # Allow us to signal ourselves + signal peer=@{profile_name}, + +@@ -25,3 +27,8 @@ + + /dev/urandom r, + ++ # sasl-auth ++ /run/saslauthd/mux rw, ++ ++ # OCSP stapling ++ /var/log/apache2/stapling-cache rw, + +=== modified file 'profiles/apparmor.d/abstractions/base' +--- profiles/apparmor.d/abstractions/base 2016-12-03 15:52:47 +0000 ++++ profiles/apparmor.d/abstractions/base 2017-01-21 01:01:50 +0000 +@@ -85,7 +85,7 @@ + /sys/devices/system/cpu/online r, + + # glibc's *printf protections read the maps file +- @{PROC}/@{pid}/maps r, ++ @{PROC}/@{pid}/{maps,auxv,status} r, + + # libgcrypt reads some flags from /proc + @{PROC}/sys/crypto/* r, + +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.anvil' +--- profiles/apparmor.d/usr.lib.dovecot.anvil 2014-06-27 19:14:53 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.anvil 2017-01-26 20:41:38 +0000 +@@ -18,6 +18,7 @@ + capability setuid, + capability sys_chroot, + ++ /run/dovecot/anvil rw, + /usr/lib/dovecot/anvil mr, + + # Site-specific additions and overrides. See local/README for details. 
+ +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth' +--- profiles/apparmor.d/usr.lib.dovecot.auth 2016-12-27 16:46:07 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.auth 2017-01-26 20:41:38 +0000 +@@ -37,6 +37,9 @@ + /var/tmp/sieve_* rw, + /var/tmp/smtp_* rw, + ++ /run/dovecot/auth-master rw, ++ /run/dovecot/auth-worker rw, ++ /run/dovecot/login/login rw, + /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw, + /{var/,}run/dovecot/stats-user rw, + /{var/,}run/dovecot/anvil-auth-penalty rw, + +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' +--- profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:46:03 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.imap 2017-01-26 20:41:38 +0000 +@@ -21,6 +21,8 @@ + capability setuid, + deny capability block_suspend, + ++ network unix stream, ++ + @{DOVECOT_MAILSTORE}/ rw, + @{DOVECOT_MAILSTORE}/** rwkl, + +@@ -33,6 +35,7 @@ + /usr/bin/doveconf rix, + /usr/lib/dovecot/imap mrix, + /usr/share/dovecot/** r, ++ /run/dovecot/login/imap rw, + /{,var/}run/dovecot/auth-master rw, + /{,var/}run/dovecot/mounts r, + + +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login' +--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-12-22 16:41:59 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2017-01-26 20:41:38 +0000 +@@ -22,6 +22,7 @@ + + network inet stream, + network inet6 stream, ++ network unix stream, + + /usr/lib/dovecot/imap-login mr, + /{,var/}run/dovecot/anvil rw, + +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.ssl-params' +--- profiles/apparmor.d/usr.lib.dovecot.ssl-params 2014-06-27 19:14:53 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.ssl-params 2017-01-26 20:41:38 +0000 +@@ -15,6 +15,7 @@ + #include + #include + ++ /run/dovecot/login/ssl-params rw, + /usr/lib/dovecot/ssl-params mr, + /var/lib/dovecot/ssl-parameters.dat rw, + /var/lib/dovecot/ssl-parameters.dat.tmp rwk, + +=== modified file 'profiles/apparmor.d/usr.sbin.dovecot' +--- profiles/apparmor.d/usr.sbin.dovecot 
2016-11-29 20:35:14 +0000 ++++ profiles/apparmor.d/usr.sbin.dovecot 2017-01-30 19:43:47 +0000 +@@ -36,21 +36,21 @@ + /etc/SuSE-release r, + @{PROC}/@{pid}/mounts r, + /usr/bin/doveconf rix, +- /usr/lib/dovecot/anvil Px, +- /usr/lib/dovecot/auth Px, +- /usr/lib/dovecot/config Px, +- /usr/lib/dovecot/dict Px, ++ /usr/lib/dovecot/anvil mrPx, ++ /usr/lib/dovecot/auth mrPx, ++ /usr/lib/dovecot/config mrPx, ++ /usr/lib/dovecot/dict mrPx, + /usr/lib/dovecot/dovecot-auth Pxmr, + /usr/lib/dovecot/imap Pxmr, + /usr/lib/dovecot/imap-login Pxmr, +- /usr/lib/dovecot/lmtp Px, +- /usr/lib/dovecot/log Px, +- /usr/lib/dovecot/managesieve Px, ++ /usr/lib/dovecot/lmtp mrPx, ++ /usr/lib/dovecot/log mrPx, ++ /usr/lib/dovecot/managesieve mrPx, + /usr/lib/dovecot/managesieve-login Pxmr, +- /usr/lib/dovecot/pop3 Px, ++ /usr/lib/dovecot/pop3 mrPx, + /usr/lib/dovecot/pop3-login Pxmr, + /usr/lib/dovecot/ssl-build-param rix, +- /usr/lib/dovecot/ssl-params Px, ++ /usr/lib/dovecot/ssl-params mrPx, + /usr/sbin/dovecot mrix, + /usr/share/dovecot/protocols.d/ r, + /usr/share/dovecot/protocols.d/** r, + +=== modified file 'utils/aa-mergeprof' +--- utils/aa-mergeprof 2016-10-01 18:57:09 +0000 ++++ utils/aa-mergeprof 2017-01-19 15:54:47 +0000 +@@ -1,7 +1,7 @@ + #! 
/usr/bin/python3 + # ---------------------------------------------------------------------- + # Copyright (C) 2013 Kshitij Gupta +-# Copyright (C) 2014-2016 Christian Boltz ++# Copyright (C) 2014-2017 Christian Boltz + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -23,10 +23,6 @@ + import apparmor.cleanprofile as cleanprofile + import apparmor.ui as aaui + +-from apparmor.aa import (add_to_options, available_buttons, combine_name, delete_duplicates, +- get_profile_filename, is_known_rule, match_includes, profile_storage, +- set_options_audit_mode, propose_file_rules, selection_to_rule_obj) +-from apparmor.aare import AARE + from apparmor.common import AppArmorException + from apparmor.regex import re_match_include + +@@ -41,16 +37,13 @@ + + parser = argparse.ArgumentParser(description=_('Merge the given profiles into /etc/apparmor.d/ (or the directory specified with -d)')) + parser.add_argument('files', nargs='+', type=str, help=_('Profile(s) to merge')) +-#parser.add_argument('other', nargs='?', type=str, help=_('other profile')) + parser.add_argument('-d', '--dir', type=str, help=_('path to profiles')) + #parser.add_argument('-a', '--auto', action='store_true', help=_('Automatically merge profiles, exits incase of *x conflicts')) + args = parser.parse_args() + + args.other = None +-# 2-way merge or 3-way merge based on number of params +-merge_mode = 2 #if args.other == None else 3 + +-profiles = [args.files, [args.other]] ++profiles = args.files + + profiledir = args.dir + if profiledir: +@@ -87,61 +80,29 @@ + return profile_to_filename + + def main(): +- profiles_to_merge = set() +- +- base_files, other_files = profiles +- +- base_profile_to_file = find_profiles_from_files(base_files) +- +- profiles_to_merge = profiles_to_merge.union(set(base_profile_to_file.keys())) +- +- other_profile_to_file = dict() +- +- if merge_mode == 3: +- other_profile_to_file = 
find_profiles_from_files(other_files) +- profiles_to_merge.add(other_profile_to_file.keys()) ++ base_profile_to_file = find_profiles_from_files(profiles) ++ ++ profiles_to_merge = set(base_profile_to_file.keys()) + + user_profile_to_file = find_files_from_profiles(profiles_to_merge) + +-# print(base_files,"\n",other_files) +-# print(base_profile_to_file,"\n",other_profile_to_file,"\n",user_profile_to_file) +-# print(profiles_to_merge) +- + for profile_name in profiles_to_merge: + aaui.UI_Info("\n\n" + _("Merging profile for %s" % profile_name)) + user_file = user_profile_to_file[profile_name] + base_file = base_profile_to_file.get(profile_name, None) +- other_file = None +- +- if merge_mode == 3: +- other_file = other_profile_to_file.get(profile_name, None) +- +- if base_file == None: +- if other_file == None: +- continue +- +- act([user_file, other_file, None], 2, profile_name) +- else: +- if other_file == None: +- act([user_file, base_file, None], 2, profile_name) +- else: +- act([user_file, base_file, other_file], 3, profile_name) ++ ++ act([user_file, base_file], profile_name) + + reset_aa() + +-def act(files, merge_mode, merging_profile): ++def act(files, merging_profile): + mergeprofiles = Merge(files) + #Get rid of common/superfluous stuff + mergeprofiles.clear_common() + + # if not args.auto: + if 1 == 1: # workaround to avoid lots of whitespace changes +- if merge_mode == 3: +- mergeprofiles.ask_the_questions('other', merging_profile) +- +- mergeprofiles.clear_common() +- +- mergeprofiles.ask_the_questions('base', merging_profile) ++ mergeprofiles.ask_merge_questions() + + q = aaui.PromptQuestion() + q.title = _('Changed Local Profiles') +@@ -172,7 +133,7 @@ + + class Merge(object): + def __init__(self, profiles): +- user, base, other = profiles ++ user, base = profiles + + #Read and parse base profile and save profile data, include data from it and reset them + apparmor.aa.read_profile(base, True) +@@ -180,12 +141,6 @@ + + reset_aa() + +- #Read and parse 
other profile and save profile data, include data from it and reset them +- if merge_mode == 3: +- apparmor.aa.read_profile(other, True) +- self.other = cleanprofile.Prof(other) +- reset_aa() +- + #Read and parse user profile + apparmor.aa.read_profile(user, True) + self.user = cleanprofile.Prof(user) +@@ -193,67 +148,18 @@ + def clear_common(self): + deleted = 0 + +- if merge_mode == 3: +- #Remove off the parts in other profile which are common/superfluous from user profile +- user_other = cleanprofile.CleanProf(False, self.user, self.other) +- deleted += user_other.compare_profiles() +- + #Remove off the parts in base profile which are common/superfluous from user profile + user_base = cleanprofile.CleanProf(False, self.user, self.base) + deleted += user_base.compare_profiles() + +- if merge_mode == 3: +- #Remove off the parts in other profile which are common/superfluous from base profile +- base_other = cleanprofile.CleanProf(False, self.base, self.other) +- deleted += base_other.compare_profiles() +- +- def ask_conflict_mode(self, profile, hat, old_profile, merge_profile): +- '''ask user about conflicting exec rules''' +- for oldrule in old_profile['file'].rules: +- conflictingrules = merge_profile['file'].get_exec_conflict_rules(oldrule) +- +- if conflictingrules.rules: +- q = aaui.PromptQuestion() +- q.headers = [_('Path'), oldrule.path.regex] +- q.headers += [_('Select the appropriate mode'), ''] +- options = [] +- options.append(oldrule.get_clean()) +- for rule in conflictingrules.rules: +- options.append(rule.get_clean()) +- q.options = options +- q.functions = ['CMD_ALLOW', 'CMD_ABORT'] +- done = False +- while not done: +- ans, selected = q.promptUser() +- if ans == 'CMD_ALLOW': +- if selected == 0: +- pass # just keep the existing rule +- elif selected > 0: +- # replace existing rule with merged one +- old_profile['file'].delete(oldrule) +- old_profile['file'].add(conflictingrules.rules[selected - 1]) +- else: +- raise AppArmorException(_('Unknown 
selection')) +- +- for rule in conflictingrules.rules: +- merge_profile['file'].delete(rule) # make sure aa-mergeprof doesn't ask to add conflicting rules later +- +- done = True +- +- def ask_the_questions(self, other, profile): +- aa = self.user.aa # keep references so that the code in this function can use the short name +- changed = apparmor.aa.changed # (and be more in sync with aa.py ask_the_questions()) +- +- if other == 'other': +- other = self.other +- else: +- other = self.base +- #print(other.aa) +- +- #Add the file-wide includes from the other profile to the user profile ++ def ask_merge_questions(self): ++ other = self.base ++ log_dict = {'merge': other.aa} ++ + apparmor.aa.loadincludes() + done = False + ++ #Add the file-wide includes from the other profile to the user profile + options = [] + for inc in other.filelist[other.filename]['include'].keys(): + if not inc in self.user.filelist[self.user.filename]['include'].keys(): +@@ -281,211 +187,10 @@ + elif ans == 'CMD_FINISHED': + return + +- sev_db = apparmor.aa.sev_db +- if not sev_db: +- sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown')) +- +- sev_db.unload_variables() +- sev_db.load_variables(get_profile_filename(profile)) +- +- for hat in sorted(other.aa[profile].keys()): +- +- if not aa[profile].get(hat): +- ans = '' +- while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']: +- q = aaui.PromptQuestion() +- q.headers += [_('Profile'), profile] +- +- if other.aa[profile][hat]['profile']: +- q.headers += [_('Requested Subprofile'), hat] +- q.functions.append('CMD_ADDSUBPROFILE') +- else: +- q.headers += [_('Requested Hat'), hat] +- q.functions.append('CMD_ADDHAT') +- +- q.functions += ['CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'] +- +- q.default = 'CMD_DENY' +- +- ans = q.promptUser()[0] +- +- if ans == 'CMD_FINISHED': +- return +- +- if ans == 'CMD_DENY': +- continue # don't ask about individual rules if the user doesn't want the additional subprofile/hat 
+-
+- if other.aa[profile][hat]['profile']:
+- aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
+- aa[profile][hat]['profile'] = True
+- else:
+- aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
+- aa[profile][hat]['profile'] = False
+-
+- #Add the includes from the other profile to the user profile
+- done = False
+-
+- options = []
+- for inc in other.aa[profile][hat]['include'].keys():
+- if not inc in aa[profile][hat]['include'].keys():
+- options.append('#include <%s>' %inc)
+-
+- default_option = 1
+-
+- q = aaui.PromptQuestion()
+- q.options = options
+- q.selected = default_option - 1
+- q.headers = [_('File includes'), _('Select the ones you wish to add')]
+- q.functions = ['CMD_ALLOW', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
+- q.default = 'CMD_ALLOW'
+-
+- while not done and options:
+- ans, selected = q.promptUser()
+- if ans == 'CMD_IGNORE_ENTRY':
+- done = True
+- elif ans == 'CMD_ALLOW':
+- selection = options[selected]
+- inc = re_match_include(selection)
+- deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)
+- aa[profile][hat]['include'][inc] = True
+- options.pop(selected)
+- aaui.UI_Info(_('Adding %s to the file.') % selection)
+- if deleted:
+- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
+- elif ans == 'CMD_FINISHED':
+- return
+-
+- # check for and ask about conflicting exec modes
+- self.ask_conflict_mode(profile, hat, aa[profile][hat], other.aa[profile][hat])
+-
+- for ruletype in apparmor.aa.ruletypes:
+- if other.aa[profile][hat].get(ruletype, False): # needed until we have proper profile initialization
+- for rule_obj in other.aa[profile][hat][ruletype].rules:
+-
+- if is_known_rule(aa[profile][hat], ruletype, rule_obj):
+- continue
+-
+- default_option = 1
+- options = []
+- newincludes = match_includes(aa[profile][hat], ruletype, rule_obj)
+- q = aaui.PromptQuestion()
+- if newincludes:
+- options += list(map(lambda inc: '#include <%s>' % inc, sorted(set(newincludes))))
+-
+- if ruletype == 'file' and rule_obj.path:
+- options += propose_file_rules(aa[profile][hat], rule_obj)
+- else:
+- options.append(rule_obj.get_clean())
+-
+- done = False
+- while not done:
+- q.options = options
+- q.selected = default_option - 1
+- q.headers = [_('Profile'), combine_name(profile, hat)]
+- q.headers += rule_obj.logprof_header()
+-
+- # Load variables into sev_db? Not needed/used for capabilities and network rules.
+- severity = rule_obj.severity(sev_db)
+- if severity != sev_db.NOT_IMPLEMENTED:
+- q.headers += [_('Severity'), severity]
+-
+- q.functions = available_buttons(rule_obj)
+- q.default = q.functions[0]
+-
+- ans, selected = q.promptUser()
+- selection = options[selected]
+- if ans == 'CMD_IGNORE_ENTRY':
+- done = True
+- break
+-
+- elif ans == 'CMD_FINISHED':
+- return
+-
+- elif ans.startswith('CMD_AUDIT'):
+- if ans == 'CMD_AUDIT_NEW':
+- rule_obj.audit = True
+- rule_obj.raw_rule = None
+- else:
+- rule_obj.audit = False
+- rule_obj.raw_rule = None
+-
+- options = set_options_audit_mode(rule_obj, options)
+-
+- elif ans == 'CMD_ALLOW':
+- done = True
+- changed[profile] = True
+-
+- inc = re_match_include(selection)
+- if inc:
+- deleted = delete_duplicates(aa[profile][hat], inc)
+-
+- aa[profile][hat]['include'][inc] = True
+-
+- aaui.UI_Info(_('Adding %s to profile.') % selection)
+- if deleted:
+- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
+-
+- else:
+- rule_obj = selection_to_rule_obj(rule_obj, selection)
+- deleted = aa[profile][hat][ruletype].add(rule_obj, cleanup=True)
+-
+- aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
+- if deleted:
+- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
+-
+- elif ans == 'CMD_DENY':
+- if re_match_include(selection):
+- aaui.UI_Important("Denying via an include file isn't supported by the AppArmor tools")
+-
+- else:
+- done = True
+- changed[profile] = True
+-
+- rule_obj = selection_to_rule_obj(rule_obj, selection)
+- rule_obj.deny = True
+- rule_obj.raw_rule = None # reset raw rule after manually modifying rule_obj
+- deleted = aa[profile][hat][ruletype].add(rule_obj, cleanup=True)
+- aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean())
+- if deleted:
+- aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
+-
+- elif ans == 'CMD_GLOB':
+- if not re_match_include(selection):
+- globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
+- globbed_rule_obj.glob()
+- options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
+-
+- elif ans == 'CMD_GLOBEXT':
+- if not re_match_include(selection):
+- globbed_rule_obj = selection_to_rule_obj(rule_obj, selection)
+- globbed_rule_obj.glob_ext()
+- options, default_option = add_to_options(options, globbed_rule_obj.get_raw())
+-
+- elif ans == 'CMD_NEW':
+- if not re_match_include(selection):
+- edit_rule_obj = selection_to_rule_obj(rule_obj, selection)
+- prompt, oldpath = edit_rule_obj.edit_header()
+-
+- newpath = aaui.UI_GetString(prompt, oldpath)
+- if newpath:
+- try:
+- input_matches_path = rule_obj.validate_edit(newpath) # note that we check against the original rule_obj here, not edit_rule_obj (which might be based on a globbed path)
+- except AppArmorException:
+- aaui.UI_Important(_('The path you entered is invalid (not starting with / or a variable)!'))
+- continue
+-
+- if not input_matches_path:
+- ynprompt = _('The specified path does not match this log entry:\n\n Log Entry: %(path)s\n Entered Path: %(ans)s\nDo you really want to use this path?') % { 'path': oldpath, 'ans': newpath }
+- key = aaui.UI_YesNo(ynprompt, 'n')
+- if key == 'n':
+- continue
+-
+- edit_rule_obj.store_edit(newpath)
+- options, default_option = add_to_options(options, edit_rule_obj.get_raw())
+- apparmor.aa.user_globs[newpath] = AARE(newpath, True)
+-
+- else:
+- done = False
++ if not apparmor.aa.sev_db:
++ apparmor.aa.sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown'))
++
++ apparmor.aa.ask_the_questions(log_dict)
+
+ if __name__ == '__main__':
+ main()
+
+=== modified file 'utils/apparmor/aa.py'
+--- utils/apparmor/aa.py 2016-12-30 23:48:41 +0000
++++ utils/apparmor/aa.py 2017-01-20 00:20:41 +0000
+@@ -1,6 +1,6 @@
+ # ----------------------------------------------------------------------
+ # Copyright (C) 2013 Kshitij Gupta
+-# Copyright (C) 2014-2016 Christian Boltz
++# Copyright (C) 2014-2017 Christian Boltz
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of version 2 of the GNU General Public
+@@ -74,8 +74,6 @@
+ debug_logger = DebugLogger('aa')
+
+ CONFDIR = '/etc/apparmor'
+-running_under_genprof = False
+-unimplemented_warning = False
+
+ # The database for severity
+ sev_db = None
+@@ -99,12 +97,7 @@
+ # format: user_globs['/foo*'] = AARE('/foo*')
+ user_globs = {}
+
+-# The key for representing bare "file," rules
+-ALL = '\0ALL'
+-
+ ## Variables used under logprof
+-### Were our
+-t = hasher() # dict()
+ transitions = hasher()
+
+ aa = hasher() # Profiles originally in sd, replace by aa
+@@ -114,13 +107,10 @@
+ log = []
+ pid = dict()
+
+-seen = hasher() # dir()
+ profile_changes = hasher()
+ prelog = hasher()
+-log_dict = hasher() # dict()
+ changed = dict()
+ created = []
+-skip = hasher()
+ helpers = dict() # Preserve this between passes # was our
+ ### logprof ends
+
+@@ -1486,16 +1476,17 @@
+
+ return globs
+
+-def ask_the_questions():
++def ask_the_questions(log_dict):
+ for aamode in sorted(log_dict.keys()):
+ # Describe the type of changes
+ if aamode == 'PERMITTING':
+ aaui.UI_Info(_('Complain-mode changes:'))
+ elif aamode == 'REJECTING':
+ aaui.UI_Info(_('Enforce-mode changes:'))
++ elif aamode == 'merge':
++ pass # aa-mergeprof
+ else:
+- # This is so wrong!
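Review bot: The new tail of ask_merge_questions() only makes sure `apparmor.aa.sev_db` exists before calling `apparmor.aa.ask_the_questions(log_dict)`; the removed code also ran `sev_db.unload_variables()` and `sev_db.load_variables(get_profile_filename(profile))` for the profile being merged, and nothing in this hunk replaces that. Unless aa.py's ask_the_questions() loads the profile's variables itself (the lines between the two visible aa.py hunks are not shown), severity ratings for rules whose path uses a variable will be computed against stale or missing variable definitions. If aa.py does not do it, the two removed calls belong either before the `apparmor.aa.ask_the_questions(log_dict)` call here, or in aa.py's per-profile loop where both code paths would benefit. The start of ask_merge_questions() is in the previous hunk and the include-question loop between the hunks is not visible here.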
+- fatal_error(_('Invalid mode found: %s') % aamode)
++ raise AppArmorBug(_('Invalid mode found: %s') % aamode)
+
+ for profile in sorted(log_dict[aamode].keys()):
+ # Update the repo profiles
+@@ -1513,16 +1504,83 @@
+
+ for hat in hats:
+
+- if not aa[profile].get(hat).get('file'):
+- # Ignore log events for a non-existing profile or child profile. Such events can occour
+- # after deleting a profile or hat manually, or when processing a foreign log.
+- # (Checking for 'file' is a simplified way to check if it's a profile_storage() struct.)
+- debug_logger.debug("Ignoring events for non-existing profile %s" % combine_name(profile, hat))
+- continue
++ if not aa[profile].get(hat, {}).get('file'):
++ if aamode != 'merge':
++ # Ignore log events for a non-existing profile or child profile. Such events can occour
++ # after deleting a profile or hat manually, or when processing a foreign log.
++ # (Checking for 'file' is a simplified way to check if it's a profile_storage() struct.)
++ debug_logger.debug("Ignoring events for non-existing profile %s" % combine_name(profile, hat))
++ continue
++
++ ans = ''
++ while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']:
++ q = aaui.PromptQuestion()
++ q.headers += [_('Profile'), profile]
++
++ if log_dict[aamode][profile][hat]['profile']:
++ q.headers += [_('Requested Subprofile'), hat]
++ q.functions.append('CMD_ADDSUBPROFILE')
++ else:
++ q.headers += [_('Requested Hat'), hat]
++ q.functions.append('CMD_ADDHAT')
++
++ q.functions += ['CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED']
++
++ q.default = 'CMD_DENY'
++
++ ans = q.promptUser()[0]
++
++ if ans == 'CMD_FINISHED':
++ return
++
++ if ans == 'CMD_DENY':
++ continue # don't ask about individual rules if the user doesn't want the additional subprofile/hat
++
++ if log_dict[aamode][profile][hat]['profile']:
++ aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing subprofile')
++ aa[profile][hat]['profile'] = True
++ else:
++ aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing hat')
++ aa[profile][hat]['profile'] = False
++
++ #Add the includes from the other profile to the user profile
++ done = False
++
++ options = []
++ for inc in log_dict[aamode][profile][hat]['include'].keys():
++ if not inc in aa[profile][hat]['include'].keys():
++ options.append('#include <%s>' %inc)
++
++ default_option = 1
++
++ q = aaui.PromptQuestion()
++ q.options = options
++ q.selected = default_option - 1
++ q.headers = [_('File includes'), _('Select the ones you wish to add')]
++ q.functions = ['CMD_ALLOW', 'CMD_IGNORE_ENTRY', 'CMD_ABORT', 'CMD_FINISHED']
++ q.default = 'CMD_ALLOW'
++
++ while not done and options:
++ ans, selected = q.promptUser()
++ if ans == 'CMD_IGNORE_ENTRY':
++ done = True
++ elif ans == 'CMD_ALLOW':
++ selection = options[selected]
++ inc = re_match_include(selection)
++ deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)
++ aa[profile][hat]['include'][inc] = True
++ options.pop(selected)
++ aaui.UI_Info(_('Adding %s to the file.') % selection)
++ if deleted:
++ aaui.UI_Info(_('Deleted %s previous matching profile entries.') % deleted)
++ elif ans == 'CMD_FINISHED':
++ return
++
++ # check for and ask about conflicting exec modes
++ ask_conflict_mode(profile, hat, aa[profile][hat], log_dict[aamode][profile][hat])
+
+ for ruletype in ruletypes:
+ for rule_obj in log_dict[aamode][profile][hat][ruletype].rules:
+- # XXX aa-mergeprof also has this code - if you change it, keep aa-mergeprof in sync!
+
+ if is_known_rule(aa[profile][hat], ruletype, rule_obj):
+ continue
+@@ -1655,7 +1713,6 @@
+
+ else:
+ done = False
+- # END of code (mostly) shared with aa-mergeprof
+
+ def selection_to_rule_obj(rule_obj, selection):
+ rule_type = type(rule_obj)
+@@ -1726,6 +1783,39 @@
+
+ return deleted
+
++def ask_conflict_mode(profile, hat, old_profile, merge_profile):
++ '''ask user about conflicting exec rules'''
++ for oldrule in old_profile['file'].rules:
++ conflictingrules = merge_profile['file'].get_exec_conflict_rules(oldrule)
++
++ if conflictingrules.rules:
++ q = aaui.PromptQuestion()
++ q.headers = [_('Path'), oldrule.path.regex]
++ q.headers += [_('Select the appropriate mode'), '']
++ options = []
++ options.append(oldrule.get_clean())
++ for rule in conflictingrules.rules:
++ options.append(rule.get_clean())
++ q.options = options
++ q.functions = ['CMD_ALLOW', 'CMD_ABORT']
++ done = False
++ while not done:
++ ans, selected = q.promptUser()
++ if ans == 'CMD_ALLOW':
++ if selected == 0:
++ pass # just keep the existing rule
++ elif selected > 0:
++ # replace existing rule with merged one
++ old_profile['file'].delete(oldrule)
++ old_profile['file'].add(conflictingrules.rules[selected - 1])
++ else:
++ raise AppArmorException(_('Unknown selection'))
++
++ for rule in conflictingrules.rules:
++ merge_profile['file'].delete(rule) # make sure aa-mergeprof doesn't ask to add conflicting rules later
++
++ done = True
++
+ def match_includes(profile, rule_type, rule_obj):
+ newincludes = []
+ for incname in include.keys():
+@@ -1769,9 +1859,7 @@
+
+ def do_logprof_pass(logmark='', passno=0, pid=pid):
+ # set up variables for this pass
+-# t = hasher()
+ # transitions = hasher()
+-# seen = hasher() # XXX global?
+ global log
+ log = []
+ global existing_profiles
+@@ -1779,9 +1867,7 @@
+ # aa = hasher()
+ # profile_changes = hasher()
+ # prelog = hasher()
+-# log_dict = hasher()
+ # changed = dict()
+-# skip = hasher() # XXX global?
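Review bot: In the include loop added to ask_the_questions(), `deleted = apparmor.aa.delete_duplicates(aa[profile][hat], inc)` calls a function of this very module through the package attribute; that presumably only resolves because aa.py happens to import other apparmor submodules, and the removed aa-mergeprof code used the bare name for the same call a few lines later, so this should read `deleted = delete_duplicates(aa[profile][hat], inc)`. The same copy-paste origin is visible in the profile_storage() tags `'mergeprof ask_the_questions() - missing subprofile'` and `'mergeprof ask_the_questions() - missing hat'`, which now label code that lives in aa.ask_the_questions() and will mislead anyone following that trail; dropping the `mergeprof ` prefix is enough. The enclosing loops over profile and hat begin before this hunk and the per-rule loop continues after it.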
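Review bot: ask_conflict_mode() mutates the container it is iterating: inside `for oldrule in old_profile['file'].rules:` the `selected > 0` branch runs `old_profile['file'].delete(oldrule)` followed by `old_profile['file'].add(...)`. If `.rules` is a plain list, as the `delete()`/`add()` pair suggests, removing the current element shifts the remaining rules so the next one is never examined for conflicts, and the newly added rule is visited again later in the same pass. Iterating over a snapshot avoids both effects: `for oldrule in list(old_profile['file'].rules):`. The function arrives here unchanged from aa-mergeprof, so the behaviour predates this commit, but the move is a good moment to fix it.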
+ # filelist = hasher()
+
+ aaui.UI_Info(_('Reading log entries from %s.') % logfile)
+@@ -1811,9 +1897,9 @@
+ for pid in sorted(profile_changes.keys()):
+ set_process(pid, profile_changes[pid])
+
+- collapse_log()
++ log_dict = collapse_log()
+
+- ask_the_questions()
++ ask_the_questions(log_dict)
+
+ if aaui.UI_mode == 'yast':
+ # To-Do
+@@ -2019,6 +2105,7 @@
+ process.close()
+
+ def collapse_log():
++ log_dict = hasher()
+ for aamode in prelog.keys():
+ for profile in prelog[aamode].keys():
+ for hat in prelog[aamode][profile].keys():
+@@ -2099,6 +2186,8 @@
+ if not is_known_rule(aa[profile][hat], 'signal', signal_event):
+ log_dict[aamode][profile][hat]['signal'].add(signal_event)
+
++ return log_dict
++
+ def is_skippable_file(path):
+ """Returns True if filename matches something to be skipped (rpm or dpkg backup files, hidden files etc.)
+ The list of skippable files needs to be synced with apparmor initscript and libapparmor _aa_is_blacklisted()
+
+=== modified file 'utils/test/test-libapparmor-test_multi.py'
+--- utils/test/test-libapparmor-test_multi.py 2016-11-01 20:40:29 +0000
++++ utils/test/test-libapparmor-test_multi.py 2017-01-19 15:52:38 +0000
+@@ -214,7 +214,6 @@
+ apparmor.aa.log = dict()
+ apparmor.aa.aa = apparmor.aa.hasher()
+ apparmor.aa.prelog = apparmor.aa.hasher()
+- apparmor.aa.log_dict = apparmor.aa.hasher()
+
+ profile = parsed_event['profile']
+ hat = profile
+@@ -229,12 +228,12 @@
+ for root in log:
+ apparmor.aa.handle_children('', '', root) # interactive for exec events!
+
+- apparmor.aa.collapse_log()
++ log_dict = apparmor.aa.collapse_log()
+
+ apparmor.aa.filelist = apparmor.aa.hasher()
+ apparmor.aa.filelist[profile_dummy_file]['profiles'][profile] = True
+
+- new_profile = apparmor.aa.serialize_profile(apparmor.aa.log_dict[aamode][profile], profile, None)
++ new_profile = apparmor.aa.serialize_profile(log_dict[aamode][profile], profile, None)
+
+ expected_profile = read_file('%s.profile' % params)
+
+
+vim:ft=diff