Accepting request 842315 from security:apparmor

- update to AppArmor 2.13.5
  - add missing permissions to several profiles and abstractions
  - bugfixes in parser and tools
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5
    for the detailed upstream changelog
- remove upstream(ed) patches
  - changes-since-2.13.4.diff
  - abstractions-X-xauth-mr582.diff
  - sevdb-caps-mr589.diff
  - libvirt-leaseshelper.patch
  - cap_checkpoint_restore.diff
- add libapparmor-so-number.diff to fix libapparmor so version (!658)

libapparmor:
- update to AppArmor 2.13.5
  - fix two potential build failures
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5
    for the detailed upstream changelog
- add libapparmor-so-number.diff to fix libapparmor so version (!658) (forwarded request 842314 from cboltz)

OBS-URL: https://build.opensuse.org/request/show/842315
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=144

abstractions-X-xauth-mr582.diff

@@ -1,31 +0,0 @@
-commit 02b9090edab82021f5e2ecc7f2f4a5fc877949db
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Mon Jul 20 20:35:41 2020 +0200
-
-    abstractions/X: add another xauth path
-    
-    Future sddm version will use $XDG_RUNTIME_DIR/xauth_XXXXXX
-    
-    References:
-    - https://bugzilla.opensuse.org/show_bug.cgi?id=1174290
-    - https://bugzilla.suse.com/show_bug.cgi?id=1174293
-    - https://github.com/sddm/sddm/pull/1230
-    - https://github.com/jonls/redshift/issues/763
-    
-    This is the 2.13 version of 35f033ca7c0dbd03111a54ea50b3f2713b9d5584 /
-    https://gitlab.com/apparmor/apparmor/-/merge_requests/581
-    
-    The difference is that this commit avoids using the @{run} variable.
-
-diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X
-index 1eca218d..e903861a 100644
---- a/profiles/apparmor.d/abstractions/X
-+++ b/profiles/apparmor.d/abstractions/X
-@@ -24,6 +24,7 @@
-   owner /{,var/}run/lightdm/*/xauthority r,
-   owner /{,var/}run/user/*/gdm/Xauthority r,
-   owner /{,var/}run/user/*/X11/Xauthority r,
-+  owner /{,var/}run/user/*/xauth_* r,
- 
-   # the unix socket to use to connect to the display
-   /tmp/.X11-unix/* rw,

apparmor-2.13.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:90bf86c07ffbe2c22be46d75c7345fad12d5911653c59750a37d59c63ad5d10e
-size 7390179

apparmor-2.13.4.tar.gz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl5qHBQaHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuB+BAAgKn0XnskA42OHiVxKty+
-lA2Bez6BKdbFWlqzMWw2uisNtCOr8bt0yvU3JWGb5CzrNbCVqBv6rqJeuLIBLZ3u
-70Ldfnno962kFi57mOehVVQ2yaDKY2EpPBC6HnDdsb4Tf95aiE2c9gGvvfxjUZ/7
-eHNUrPrpKvvpdnrL1+O7qmWPh68DVArceFpSt/M1Yz49V00XhaGemMVDvk/iPB2/
-tyJ0XETzjHQYeJ5IHsXrd5qe3nDOQ4YycpgyQKqiGSgO8jbwFdVyFb7nG2BGfvXG
-80wUrHc4qTv3rYYwlW+6aN2MVOKNm0T8mES+PAWJ5IVNkwsWg8VafkwLVZy0JhyW
-QY2eI5cQGVfEKl6MiXXEy6HL/CJT2MfVDj6oSD/6thFTokTyJoowvcZcsbZVvhEM
-pdh4foe7pPYavqBErQ15S9YOXeYUDH0mmdzvH0Qj1A/l4MGpio86XTOpihkfq6GR
-yZy0TMy6ZYPBxfKdcfusUHEf9YUO+ag2WRwkmIYXAKn4jTYMVjeEPQmHpZYWJ+t3
-yOlHo5+1/oyMTQXTK/5o7v/44ah2wxHszqtAHF9/ykfVCouxzBUrpbJ/NhWi32aX
-OvdNPzZWcLqogOcuL+GuPMfXv/uw9nfc+BcniR9TBJG4jq5aMe2BLBWinRNPPnJP
-nfHrUWYuwo2ADEN/STz5Bgw=
-=+xo5
------END PGP SIGNATURE-----

apparmor-2.13.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:637e2a14d844e53e0f0b31dc8fe8821f7bb36908c709ccc23e29033053caa717
+size 7399437

apparmor-2.13.5.tar.gz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl+IIdIaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLvg3A//aLD6j+QfyQws0vgP502C
+u806LuXLugkXJIYF2ITO2hiBHkrEDwMQchKggFDnDT15x7we6iOfSiZPyD7ltGap
+Kruwx3pkfwM/NHtBU2Q+eZiJbxkOnKquRMx6YKeJtnUNPOb8q+QK/KO+bkG8dBjA
+3uHIC0ytp+OvKSVjPfOj2N0KoKVYep+HjARkZBqeFstjXggGMD4yJDvkFmlSDho6
+Tq9Bx5jFkckiBKrQRI2j+0pKAmkp3eGdguSButRNohq01DAvfT+1SIZC7aye1T8F
+by8sXZBDkEJbDjaAW4mdzzfk/XX5xOjstNJlaT4Ld2WiiXtipQ502ibrvBjLKANi
+5Wa9gmcHa830ak9n7aRraq7AJ5DgcjXa+5XjHFjdDdRtYMDcImeopg9EttJkBosp
+D9ZhmiLXVb2GBFj5thc1h8ZQ5Y2gBKzUSO37DyReIRBRo0PqLQNzjObaQWg5mXf1
+EIhU2+mEplKKwpO2k0Xb14vnwfUTmJv+aKcx7oPjgeBypT+s0M2GaYOMrXKBH+Ky
+VTo/Y4ZzrOCqLKSE64ziH+1LH6eaQhPf7vnd9kjhcD/kjotDHrEGNiHHwDMH5hPd
+1KD/i+0aYdBsNoqGEfEhMjut2DmL+Tn8PYXORtVUWksOIlvoirGKzA/V/dscSxuM
+QF5dHbSaF1/Uy5jtKgurV7Q=
+=Yxgq
+-----END PGP SIGNATURE-----

apparmor.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Sat Oct 17 15:46:01 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.5
+  - add missing permissions to several profiles and abstractions
+  - bugfixes in parser and tools
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5
+    for the detailed upstream changelog
+- remove upstream(ed) patches
+  - changes-since-2.13.4.diff
+  - abstractions-X-xauth-mr582.diff
+  - sevdb-caps-mr589.diff
+  - libvirt-leaseshelper.patch
+  - cap_checkpoint_restore.diff
+- add libapparmor-so-number.diff to fix libapparmor so version (!658)
+
 -------------------------------------------------------------------
 Wed Oct 14 12:16:52 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -2,7 +2,7 @@
 # spec file for package apparmor
 #
 # Copyright (c) 2020 SUSE LLC
-# Copyright (c) 2011-2019 Christian Boltz
+# Copyright (c) 2011-2020 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -35,7 +35,7 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
 
 Name:           apparmor
-Version:        2.13.4
+Version:        2.13.5
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@@ -65,24 +65,11 @@ Patch4:         apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5:         apparmor-lessopen-nfs-workaround.diff
 
-# changes and fixes since the 2.13.4 Release (v2.13.4 (= df0ac742)..5f61bd4c
-Patch9:         changes-since-2.13.4.diff
-
 # update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x)
 Patch10:        ./usr-etc-abstractions-base-nameservice.diff
 
-# allow /{,var/}run/user/*/xauth_* r, in abstractions/X (submitted upstream 2020-07-20 https://gitlab.com/apparmor/apparmor/-/merge_requests/581 (master), https://gitlab.com/apparmor/apparmor/-/merge_requests/582 (2.11..2.13))
-Patch11:        abstractions-X-xauth-mr582.diff
-
-# add CAP_BPF and CAP_PERFMON to severity.db (merged upstream 2020-08-07 https://gitlab.com/apparmor/apparmor/-/merge_requests/589 (2.11..master))
-Patch12:        sevdb-caps-mr589.diff
-
-# add /usr/libexec as a path for libvirt_leaseshelper script, jsc#SLE-14253
-# needs to go upstream
-Patch13:        libvirt-leaseshelper.patch
-
-# add CAP_CHECKPOINT_RESTORE to severity.db (https://gitlab.com/apparmor/apparmor/-/merge_requests/656, submitted upstream 2020-10-14 for 2.10..master)
-Patch14:        cap_checkpoint_restore.diff
+# fix libapparmor so version (submitted upstream 2020-10-17 https://gitlab.com/apparmor/apparmor/-/merge_requests/658)
+Patch11:        libapparmor-so-number.diff
 
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -372,7 +359,6 @@ SubDomain.
 %patch3 -p1
 %patch4
 %patch5
-%patch9 -p1
 
 %if 0%{?suse_version} > 1500
 # /usr/etc/ changes in abstractions, apply only to Tumbleweed, but not to Leap 15.x
@@ -380,9 +366,6 @@ SubDomain.
 %endif
 
 %patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
 
 %build
 %define _lto_cflags %{nil}

cap_checkpoint_restore.diff

@@ -1,18 +0,0 @@
-commit 2c2dbdc3a3012ce06371edc1e9be6f58711d8565
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Wed Oct 14 14:01:55 2020 +0200
-
-    Add CAP_CHECKPOINT_RESTORE to severity.db
-
-diff --git a/utils/severity.db b/utils/severity.db
-index 3e07d44e..85b1d5de 100644
---- a/utils/severity.db
-+++ b/utils/severity.db
-@@ -30,6 +30,7 @@
-        CAP_SETUID 9
-        CAP_FOWNER 9
-        CAP_BPF 9
-+       CAP_CHECKPOINT_RESTORE 9
- # Denial of service, bypass audit controls, information leak
-        CAP_SYS_TIME 8
-        CAP_NET_ADMIN 8

libapparmor-so-number.diff

@@ -0,0 +1,42 @@
+commit 145136f6041aba4fffbbf8d1a5df368998b81ca1
+Author: Christian Boltz <apparmor@cboltz.de>
+Date:   Sat Oct 17 17:30:39 2020 +0200
+
+    Fix 2.13 libapparmor so version
+    
+    ab0f4ab2ed7e734827b143cd32dace4444875e9b increased AA_LIB_REVISION and
+    AA_LIB_AGE, with the result that 2.13.5 builds libapparmor.so.0.7.3,
+    while 2.13.4 had libapparmor-1.6.2
+    
+    This patch reverts the AA_LIB_AGE increase to fix the so name so that
+    we'll get libapparmor-1.6.3.
+    
+    Note: If you want to apply this fix on top of the 2.13.5 tarball, you'll
+    need to also apply the patch to Makefile.in.
+
+diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
+index b59b2d1c..6d9c6296 100644
+--- a/libraries/libapparmor/src/Makefile.am
++++ b/libraries/libapparmor/src/Makefile.am
+@@ -28,7 +28,7 @@ INCLUDES = $(all_includes)
+ #
+ AA_LIB_CURRENT = 7
+ AA_LIB_REVISION = 3
+-AA_LIB_AGE = 7
++AA_LIB_AGE = 6
+ 
+ SUFFIXES = .pc.in .pc
+ 
+diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
+index b59b2d1c..6d9c6296 100644
+--- a/libraries/libapparmor/src/Makefile.in
++++ b/libraries/libapparmor/src/Makefile.in
+@@ -587,7 +587,7 @@ INCLUDES = $(all_includes)
+ #
+ AA_LIB_CURRENT = 7
+ AA_LIB_REVISION = 3
+-AA_LIB_AGE = 7
++AA_LIB_AGE = 6
+ SUFFIXES = .pc.in .pc
+ BUILT_SOURCES = grammar.h scanner.h af_protos.h
+ AM_LFLAGS = -v

libapparmor.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sat Oct 17 15:45:32 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.5
+  - fix two potential build failures
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.5
+    for the detailed upstream changelog
+- add libapparmor-so-number.diff to fix libapparmor so version (!658)
+
 -------------------------------------------------------------------
 Thu Mar 12 19:30:19 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 

libapparmor.spec

@@ -18,7 +18,7 @@
 
 
 Name:           libapparmor
-Version:        2.13.4
+Version:        2.13.5
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
@@ -32,6 +32,9 @@ BuildRequires:  flex
 BuildRequires:  pkg-config
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
+# fix libapparmor so version (submitted upstream 2020-10-17 https://gitlab.com/apparmor/apparmor/-/merge_requests/658
+Patch1:         libapparmor-so-number.diff
+
 %description
 This package provides the libapparmor library, which contains the
 change_hat(2) symbol, used for sub-process confinement by AppArmor, as
@@ -67,6 +70,7 @@ AppArmor API.
 
 %prep
 %setup -q -n apparmor-%{version}
+%patch1 -p1
 
 %build
 %define _lto_cflags %{nil}

libvirt-leaseshelper.patch

@@ -1,31 +0,0 @@
-profiles: Add /usr/libexec as a path to the libvirt leaseshelper script
-
-openSUSE recently joined most distros in defining libexecdir as /usr/libexec.
-The SUSE libvirt package, which for a long time has set libexecdir to
-/usr/lib64/libvirt, needs to adopt. Jira SLE-14253 requests libvirt to use
-/usr/libexec. libvirt 6.7.0 will be hitting Factory soon with libexecdir
-set to /usr/libexec. Add it as a path for the libvirt_leaseshelper script.
-
-Signed-off-by: Jim Fehlig <jfehlig@suse.com>
-Index: apparmor-2.13.4/profiles/apparmor.d/usr.sbin.dnsmasq
-===================================================================
---- apparmor-2.13.4.orig/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ apparmor-2.13.4/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -88,7 +88,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin
-   /{,var/}run/libvirt/network/*.pid rw,
- 
-   # libvirt lease helper
--  /usr/lib{,64}/libvirt/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
-+  /usr/{lib/libvirt,lib64/libvirt,libexec}/libvirt_leaseshelper Cx -> libvirt_leaseshelper,
- 
-   # lxc-net pid and lease files
-   /{,var/}run/lxc/dnsmasq.pid    rw,
-@@ -115,7 +115,7 @@ profile /usr/sbin/dnsmasq /usr/{bin,sbin
- 
-     /etc/libnl-3/classid r,
- 
--    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-+    /usr/{lib/libvirt,lib64/libvirt,libexec}/libvirt_leaseshelper m,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,

sevdb-caps-mr589.diff

@@ -1,40 +0,0 @@
-https://gitlab.com/apparmor/apparmor/-/merge_requests/589
-
-commit ae012502095596df4675555da635c868e3b3c04a
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Fri Aug 7 22:37:19 2020 +0200
-
-    Add CAP_BPF and CAP_PERFMON to severity.db
-    
-    These capabilities were introduced in Linux 5.8
-    
-    References: https://bugs.launchpad.net/bugs/1890547
-
-diff --git a/utils/severity.db b/utils/severity.db
-index 3c028400..3e07d44e 100644
---- a/utils/severity.db
-+++ b/utils/severity.db
-@@ -2,6 +2,7 @@
- #
- #    Copyright (C) 2002-2005 Novell/SUSE
- #    Copyright (C) 2014 Canonical Ltd.
-+#    Copyright (C) 2020 Christian Boltz
- #
- #    This program is free software; you can redistribute it and/or
- #    modify it under the terms of version 2 of the GNU General Public
-@@ -28,6 +29,7 @@
-        CAP_SETGID 9
-        CAP_SETUID 9
-        CAP_FOWNER 9
-+       CAP_BPF 9
- # Denial of service, bypass audit controls, information leak
-        CAP_SYS_TIME 8
-        CAP_NET_ADMIN 8
-@@ -49,6 +51,7 @@
-        CAP_BLOCK_SUSPEND 8
-        CAP_DAC_READ_SEARCH 7
-        CAP_AUDIT_READ 7
-+       CAP_PERFMON 7
- # unused
-        CAP_NET_BROADCAST 0
-