pool/apparmor
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1177351 from home:cboltz

Browse Source 
- exclude runc profile until updated runc packages (including
  updated profile with "signal peer=runc") have arrived

- add aa-remove-unknown-fix-unconfined.diff to fix
  aa-remove-unknown for 'unconfined' profiles (boo#1225457)
- set permissions for %ghost files (boo#1223578)

OBS-URL: https://build.opensuse.org/request/show/1177351
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=407
This commit is contained in:
Christian Boltz 2024-05-28 12:49:08 +00:00 committed by Git OBS Bridge
parent ae29aa0b55
commit 7450ea5e32
3 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
aa-remove-unknown-fix-unconfined.diff Normal file
View File

@ -0,0 +1,26 @@
commit cabd88a94055d2a7b876758d36fe559a6b728f45
Author: Christian Boltz <apparmor@cboltz.de>
Date: Sat May 25 13:12:49 2024 +0200
Fix aa-remove-unknown for 'unconfined' profiles
Without this patch, aa-remove-unknown uses 'profile_name (unconfined)'
when trying to unload unconfined profiles, which fails for obvious
reasons with (picking a random example)
Removing 'busybox (unconfined)'
/sbin/aa-remove-unknown: line 112: echo: write error: No such file or directory
diff --git a/utils/aa-remove-unknown b/utils/aa-remove-unknown
index 0e00d6a03..983d23727 100755
--- a/utils/aa-remove-unknown
+++ b/utils/aa-remove-unknown
@@ -89,7 +89,7 @@ LOADED_PROFILES=$("$PARSER" -N $PROFILE_DIRS) || {
echo "$LOADED_PROFILES" | awk '
BEGIN {
while (getline < "'${PROFILES}'" ) {
- str = sub(/ \((enforce|complain)\)$/, "", $0);
+ str = sub(/ \((enforce|complain|unconfined)\)$/, "", $0);
if (match($0, /^libvirt-[0-9a-f\-]+$/) == 0)
arr[$str] = $str
}

13
apparmor.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Tue May 28 12:20:59 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
- exclude runc profile until updated runc packages (including
updated profile with "signal peer=runc") have arrived
-------------------------------------------------------------------
Sat May 25 11:31:05 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
- add aa-remove-unknown-fix-unconfined.diff to fix
aa-remove-unknown for 'unconfined' profiles (boo#1225457)
- set permissions for %ghost files (boo#1223578)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri May 24 12:21:18 UTC 2024 - Christian Boltz <suse-beta@cboltz.de> Fri May 24 12:21:18 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>

10
apparmor.spec
View File

@ -88,6 +88,9 @@ Patch10: tools-fix-redefinition.diff
# make test-aa-notify a bit more relaxed to allow different argparse wording on Leap 15.5 (merged upstream 2024-05-06 (4.0 and master) https://gitlab.com/apparmor/apparmor/-/merge_requests/1226) # make test-aa-notify a bit more relaxed to allow different argparse wording on Leap 15.5 (merged upstream 2024-05-06 (4.0 and master) https://gitlab.com/apparmor/apparmor/-/merge_requests/1226)
Patch11: test-aa-notify.diff Patch11: test-aa-notify.diff
# Fix aa-remove-unknown for 'unconfined' profiles (submitted upstream 2024-05-25 https://gitlab.com/apparmor/apparmor/-/merge_requests/1240)
Patch12: aa-remove-unknown-fix-unconfined.diff
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: autoconf BuildRequires: autoconf
@ -357,6 +360,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%endif %endif
%patch -P 10 -p1 %patch -P 10 -p1
%patch -P 11 -p1 %patch -P 11 -p1
%patch -P 12 -p1
%build %build
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0
@ -426,7 +430,7 @@ for oldlocal in \
usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \ usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \
usr.sbin.winbindd zgrep usr.sbin.winbindd zgrep
do do
echo "%ghost /etc/apparmor.d/local/$oldlocal" echo "%ghost %config %attr(0644,root,root) /etc/apparmor.d/local/$oldlocal"
done > oldlocal.files done > oldlocal.files
%check %check
@ -660,7 +664,9 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
%config(noreplace) %{_sysconfdir}/apparmor.d/rootlesskit %config(noreplace) %{_sysconfdir}/apparmor.d/rootlesskit
%config(noreplace) %{_sysconfdir}/apparmor.d/rpm %config(noreplace) %{_sysconfdir}/apparmor.d/rpm
%config(noreplace) %{_sysconfdir}/apparmor.d/rssguard %config(noreplace) %{_sysconfdir}/apparmor.d/rssguard
%config(noreplace) %{_sysconfdir}/apparmor.d/runc # exclude runc profile until the updated runc (including updated profile with "signal peer=runc") has arrived
#config(noreplace) %{_sysconfdir}/apparmor.d/runc
%exclude %{_sysconfdir}/apparmor.d/runc
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd %config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd %config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd %config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd