Accepting request 560016 from home:cboltz
- update to AppArmor 2.12 - add support for 'owner' rules in aa-logprof and aa-genprof - add support for includes with absolute path in aa-logprof etc. (lp#1733700) - update aa-decode to also decode PROCTITLE (lp#1736841) - several profile and abstraction updates, including boo#1069470 - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 for the detailed upstream changelog - drop upstreamed patches: - read_inactive_profile-exactly-once.patch - utils-fix-sorted-save_profiles-regression.diff - lessopen profile: change all 'rix' rules to 'mrix' - update to AppArmor 2.11.95 aka 2.12 beta1 - add JSON interface to aa-logprof and aa-genprof (used by YaST) - drop old YaST interface code - update audio, base and nameservice abstractions - allow @{pid} to match 7-digit pids - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 for the detailed upstream changelog - drop upstreamed patches - apparmor-yast-cleanup.patch - apparmor-json-support.patch - nameservice-libtirpc.diff - drop obsolete perl modules (YaST no longer needs them) - drop patches that were only needed by the obsolete perl modules: - apparmor-utils-string-split - apparmor-abstractions-no-multiline.diff - drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in apparmor_parser - refresh utils-fix-sorted-save_profiles-regression.diff OBS-URL: https://build.opensuse.org/request/show/560016 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194
parent
51c20bdc0e
commit
7823513103
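--- a/aa-teardown
+++ b/aa-teardown
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+test $# = 0 || {
+echo "Usage: $0"
+echo
+echo "Unloads all AppArmor profiles"
+exit 1
+}
+
+/lib/apparmor/apparmor.systemd stop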
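Review bot: The usage text on the `echo "Usage: $0"` lines goes to stdout, and the script calls `/lib/apparmor/apparmor.systemd stop` without checking that the helper exists, so on a system where it is missing the user sees a bash "No such file or directory" instead of a clear message. Consider `>&2` on the usage echoes and a guard before the call such as `test -x /lib/apparmor/apparmor.systemd || { echo "/lib/apparmor/apparmor.systemd not found" >&2; exit 1; }`. Unloading every profile presumably requires root; a one-line comment above the call stating that, e.g. `# must run as root: asks the systemd helper to unload all loaded profiles`, would document the expectation for the next maintainer.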
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:e8e2b22c18e6b6741c1f96942398923b97316b53d86408629f922d5689ec3507
|
||||
size 5017646
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQI3BAABCgAhBQJZ6G0zGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
|
||||
5k49NmS7OPgP/1sdG9m/DZrgBz3BFHhe15u8K5BRXbrsOkoT3yLwH8gXY1bwlbSU
|
||||
H1bnz5itktyxapwae9Lyq1Qdr9eDpjgbQ1l2VbN34psLeuHH/6Q+R0ONYEktnWXs
|
||||
RSHIPYxZwDbnMIDKdTyGaF7VefNFRMGp+AM6n1NQVKdo0ycKuNFo9tlMW2iWLueq
|
||||
rng6vgTfyWbm9SbDSra8AjRPapxJznEUpV4fdl0OUDkrs4fsyOMcMStxKm6b4GvD
|
||||
LOcV+XGMugyR8as8P1BT+BOYtt3n+itJg0L0g31IkpPTduALb7VPuIG/RnPOrZV4
|
||||
o2tN+zqQLbbWoomSRj8kH319UIfgDxrSk2CM50WPYPIvWuqt0PZJXc8+36W6Gg5H
|
||||
Mxagz78lb94pJLD6HhBL7R4xGEI2T4aLGdOADYfkZaE+y1T4KrW1J1XPVhnIGiSg
|
||||
Kj6lIIkUxsYn39BczeWfCHTmmS5M1J08abAER14o7K8Y5jHKFl34Fmbq/MKnZTju
|
||||
/quiIbwUFe/wjFf6MZk9fyz0V/Gt/9MypwhKBA4eGj7qXiW/O9hzSxrf/B0ABvva
|
||||
2AXwtsCLyRH1a9ZzezDpnf6zLRq4qiJZY81nNxJPkKXQg1w7obl6NR9pbfoXtVhZ
|
||||
BkACyjgmwf0SZRlWnUrEfGriH8V40yLSvUMx4Lax7pLKCfNBlJJUXlrF
|
||||
=vKvS
|
||||
-----END PGP SIGNATURE-----
|
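--- a/apparmor-2.12.tar.gz
+++ b/apparmor-2.12.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056
+size 7258450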
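--- a/apparmor-2.12.tar.gz.asc
+++ b/apparmor-2.12.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQI3BAABCgAhBQJaP2rLGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
+5k49NmS72aQP/1y8Xr4GxCKJAonXSYdF3dlR54SIz6DWyMcdFnmE49w4/XVFhrf6
+T3sIQzGdb38o1cjf6oPWaitMuOlr8SHZOSAtZXZm7xDh3fGXG11Vj12iNBX4o6CJ
+WyrBG1MUX4u03iDjnv98rtbAViS9/DZsbN9iPZ9Ibo+Fb/wVS4EKe5iCZWTpqdW5
+lbrWQVajqCw4EzD0ld6kklsuH6nb+pII4KawSDsk4hN5o4HxTZeK/lgwZ/sFE5LA
+RJb3vShdSsIodDsj5mc5wfDVmzdqPcfTTaffLcW8uXYuMhtcI6vRAxGEKqHwDa4x
+aUasiJPfFH21e1lTlztzCi2vlSdrnb89V2m7lHiOOL2bCtHhnIduRYgo+WnMZC+m
+FcF9heBrTSajzg9ZE3EpVsN2wQYEGrVQer2MSy2vE8n+9JDxaJeyZ1RbT5yoeSkO
+zPo6IlrfSruRdLVVekzZezoDow2kWfyzfTbDcOdZlDIchwPyXwVdGwFAf/s9aSoz
+i/UIL0XpLCrd+MkaLeClWxPQR0IR5US3kxgI3vmpg4AGICq4Ayg6A2tQCMjI66Db
+l1SRwLsEsZT9gfcvXeBF2w+xh9bCDUasmxcFkhv5axr12/r2nZWcKE0U1bsuK6bd
+BOn2oRNshOcxnh6ni5YbTuASH52H3evKM5zypYmUpc4nUqHbFjeJOetM
+=rBMH
+-----END PGP SIGNATURE-----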
@ -1,242 +0,0 @@
|
||||
=== modified file 'profiles/apparmor.d/abstractions/X'
|
||||
Index: profiles/apparmor.d/abstractions/X
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
|
||||
+++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
|
||||
@@ -25,12 +25,8 @@
|
||||
|
||||
# the unix socket to use to connect to the display
|
||||
/tmp/.X11-unix/* rw,
|
||||
- unix (connect, receive, send)
|
||||
- type=stream
|
||||
- peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
- unix (connect, receive, send)
|
||||
- type=stream
|
||||
- peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
|
||||
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
|
||||
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
|
||||
|
||||
/usr/include/X11/ r,
|
||||
/usr/include/X11/** r,
|
||||
Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/dbus-accessibility-strict.orig 2014-10-18 13:11:18.498652324 +0200
|
||||
+++ profiles/apparmor.d/abstractions/dbus-accessibility-strict 2014-10-18 13:11:31.098494805 +0200
|
||||
@@ -9,9 +9,4 @@
|
||||
#
|
||||
# ------------------------------------------------------------------
|
||||
|
||||
- dbus send
|
||||
- bus=accessibility
|
||||
- path=/org/freedesktop/DBus
|
||||
- interface=org.freedesktop.DBus
|
||||
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
- peer=(name=org.freedesktop.DBus),
|
||||
+ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
||||
Index: profiles/apparmor.d/abstractions/dbus-session-strict
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2017-01-11 21:20:01.381935015 +0100
|
||||
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2017-01-11 21:20:07.641905170 +0100
|
||||
@@ -14,16 +14,9 @@
|
||||
/var/lib/dbus/machine-id r,
|
||||
owner /run/user/*/bus rw,
|
||||
|
||||
- unix (connect, receive, send)
|
||||
- type=stream
|
||||
- peer=(addr="@/tmp/dbus-*"),
|
||||
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
|
||||
|
||||
# dbus with systemd and --enable-user-session
|
||||
owner /run/user/[0-9]*/bus rw,
|
||||
|
||||
- dbus send
|
||||
- bus=session
|
||||
- path=/org/freedesktop/DBus
|
||||
- interface=org.freedesktop.DBus
|
||||
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
- peer=(name=org.freedesktop.DBus),
|
||||
+ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
||||
Index: profiles/apparmor.d/abstractions/dbus-strict
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/dbus-strict.orig 2014-10-18 13:11:18.498652324 +0200
|
||||
+++ profiles/apparmor.d/abstractions/dbus-strict 2014-10-18 13:11:31.098494805 +0200
|
||||
@@ -11,9 +11,4 @@
|
||||
|
||||
/{,var/}run/dbus/system_bus_socket rw,
|
||||
|
||||
- dbus send
|
||||
- bus=system
|
||||
- path=/org/freedesktop/DBus
|
||||
- interface=org.freedesktop.DBus
|
||||
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
- peer=(name=org.freedesktop.DBus),
|
||||
+ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
||||
Index: profiles/apparmor.d/abstractions/fcitx-strict
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/fcitx-strict.orig 2017-01-11 21:44:55.726947350 +0100
|
||||
+++ profiles/apparmor.d/abstractions/fcitx-strict 2017-01-11 21:45:02.830914856 +0100
|
||||
@@ -11,11 +11,6 @@
|
||||
|
||||
#include <abstractions/dbus-session-strict>
|
||||
|
||||
- dbus send
|
||||
- bus=fcitx
|
||||
- path=/org/freedesktop/DBus
|
||||
- interface=org.freedesktop.DBus
|
||||
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
|
||||
- peer=(name=org.freedesktop.DBus),
|
||||
+ dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
|
||||
|
||||
owner @{HOME}/.config/fcitx/dbus/* r,
|
||||
Index: profiles/apparmor.d/abstractions/libpam-systemd
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/libpam-systemd.orig 2017-01-11 21:47:13.814315855 +0100
|
||||
+++ profiles/apparmor.d/abstractions/libpam-systemd 2017-01-11 21:47:19.490289904 +0100
|
||||
@@ -12,8 +12,4 @@
|
||||
#include <abstractions/dbus-strict>
|
||||
|
||||
# libpam-systemd notifies systemd-logind about session logins/logouts
|
||||
- dbus send
|
||||
- bus=system
|
||||
- path=/org/freedesktop/login1
|
||||
- interface=org.freedesktop.login1.Manager
|
||||
- member={CreateSession,ReleaseSession},
|
||||
+ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession},
|
||||
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2017-01-11 21:20:07.641905170 +0100
|
||||
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2017-01-11 21:20:52.197692834 +0100
|
||||
@@ -21,78 +21,37 @@
|
||||
#
|
||||
# Access required for connecting to/communication with Unity HUD
|
||||
#
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- path="/com/canonical/hud",
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- interface="com.canonical.hud.*",
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- path="/com/canonical/hud/applications/*",
|
||||
- dbus (receive)
|
||||
- bus=session
|
||||
- path="/com/canonical/hud",
|
||||
- dbus (receive)
|
||||
- bus=session
|
||||
- interface="com.canonical.hud.*",
|
||||
+ dbus (send) bus=session path="/com/canonical/hud",
|
||||
+ dbus (send) bus=session interface="com.canonical.hud.*",
|
||||
+ dbus (send) bus=session path="/com/canonical/hud/applications/*",
|
||||
+ dbus (receive) bus=session path="/com/canonical/hud",
|
||||
+ dbus (receive) bus=session interface="com.canonical.hud.*",
|
||||
|
||||
#
|
||||
# Allow access for connecting to/communication with the appmenu
|
||||
#
|
||||
# dbusmenu
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- interface="com.canonical.AppMenu.*",
|
||||
- dbus (receive, send)
|
||||
- bus=session
|
||||
- path=/com/canonical/menu/**,
|
||||
+ dbus (send) bus=session interface="com.canonical.AppMenu.*",
|
||||
+ dbus (receive, send) bus=session path=/com/canonical/menu/**,
|
||||
|
||||
# gmenu
|
||||
- dbus (receive, send)
|
||||
- bus=session
|
||||
- interface=org.gtk.Actions,
|
||||
- dbus (receive, send)
|
||||
- bus=session
|
||||
- interface=org.gtk.Menus,
|
||||
+ dbus (receive, send) bus=session interface=org.gtk.Actions,
|
||||
+ dbus (receive, send) bus=session interface=org.gtk.Menus,
|
||||
|
||||
#
|
||||
# Access required for using freedesktop notifications
|
||||
#
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- path=/org/freedesktop/Notifications
|
||||
- member=GetCapabilities,
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- path=/org/freedesktop/Notifications
|
||||
- member=GetServerInformation,
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- path=/org/freedesktop/Notifications
|
||||
- member=Notify,
|
||||
- dbus (receive)
|
||||
- bus=session
|
||||
- member="Notify"
|
||||
- peer=(name="org.freedesktop.DBus"),
|
||||
- dbus (receive)
|
||||
- bus=session
|
||||
- path=/org/freedesktop/Notifications
|
||||
- member=NotificationClosed,
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- path=/org/freedesktop/Notifications
|
||||
- member=CloseNotification,
|
||||
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetCapabilities,
|
||||
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetServerInformation,
|
||||
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=Notify,
|
||||
+ dbus (receive) bus=session member="Notify" peer=(name="org.freedesktop.DBus"),
|
||||
+ dbus (receive) bus=session path=/org/freedesktop/Notifications member=NotificationClosed,
|
||||
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=CloseNotification,
|
||||
|
||||
# accessibility
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- peer=(name=org.a11y.Bus),
|
||||
- dbus (receive)
|
||||
- bus=session
|
||||
- interface=org.a11y.atspi*,
|
||||
- dbus (receive, send)
|
||||
- bus=accessibility,
|
||||
+ dbus (send) bus=session peer=(name=org.a11y.Bus),
|
||||
+ dbus (receive) bus=session interface=org.a11y.atspi*,
|
||||
+ dbus (receive, send) bus=accessibility,
|
||||
|
||||
#
|
||||
# Deny potentially dangerous access
|
||||
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-launcher
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/ubuntu-unity7-launcher.orig 2014-10-18 13:11:18.497652337 +0200
|
||||
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-launcher 2014-10-18 13:11:31.098494805 +0200
|
||||
@@ -1,7 +1,4 @@
|
||||
#
|
||||
# Access required for connecting to/communicating with the Unity Launcher
|
||||
#
|
||||
- dbus (send)
|
||||
- bus=session
|
||||
- interface="com.canonical.Unity.LauncherEntry"
|
||||
- member="Update",
|
||||
+ dbus (send) bus=session interface="com.canonical.Unity.LauncherEntry" member="Update",
|
||||
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-messaging
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/ubuntu-unity7-messaging.orig 2014-10-18 13:11:18.498652324 +0200
|
||||
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-messaging 2014-10-18 13:11:31.099494792 +0200
|
||||
@@ -2,6 +2,4 @@
|
||||
# Access required for connecting to/communicating with the Unity messaging
|
||||
# indicator
|
||||
#
|
||||
- dbus (receive, send)
|
||||
- bus=session
|
||||
- path="/com/canonical/indicator/messages/*",
|
||||
+ dbus (receive, send) bus=session path="/com/canonical/indicator/messages/*",
|
||||
Index: profiles/apparmor.d/abstractions/gnome
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
|
||||
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
|
||||
@@ -93,6 +93,4 @@
|
||||
|
||||
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
|
||||
# rules)
|
||||
- unix (send, receive, connect)
|
||||
- type=stream
|
||||
- peer=(addr="@/dbus-vfs-daemon/socket-*"),
|
||||
+ unix (send, receive, connect) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"),
|
@ -1,307 +0,0 @@
|
||||
commit aa95d7c9d4b0a7386ac52ad8dbcb28922198c8b7
|
||||
Author: Goldwyn Rodrigues <rgoldwyn@suse.de>
|
||||
Date: Thu Jun 15 18:22:43 2017 +0200
|
||||
|
||||
json support for logprof and genprof
|
||||
|
||||
From: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
||||
|
||||
Provides json support to tools in order to interact with other
|
||||
utilities such as Yast.
|
||||
|
||||
The JSON output is one per line, in order to differentiate between
|
||||
multiple records. Each JSON record has a "dialog" entry which defines
|
||||
the type of message passed. A response must contain the "dialog"
|
||||
entry. "info" message does not require a response.
|
||||
|
||||
"apparmor-json-version" added in order to identify the communication
|
||||
protocol version for future updates.
|
||||
|
||||
This is based on work done by Christian Boltz.
|
||||
|
||||
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
||||
|
||||
|
||||
Acked-by: Christian Boltz <apparmor@cboltz.de>
|
||||
Acked-by: Seth Arnold <seth.arnold@canonical.com>
|
||||
|
||||
diff --git a/utils/aa-genprof b/utils/aa-genprof
|
||||
index e2e65442..c9415e10 100755
|
||||
--- a/utils/aa-genprof
|
||||
+++ b/utils/aa-genprof
|
||||
@@ -61,8 +61,12 @@ parser = argparse.ArgumentParser(description=_('Generate profile for the given p
|
||||
parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
|
||||
parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))
|
||||
parser.add_argument('program', type=str, help=_('name of program to profile'))
|
||||
+parser.add_argument('-j', '--json', action="store_true", help=_('Input and Output in JSON'))
|
||||
args = parser.parse_args()
|
||||
|
||||
+if args.json:
|
||||
+ aaui.set_json_mode()
|
||||
+
|
||||
profiling = args.program
|
||||
profiledir = args.dir
|
||||
|
||||
diff --git a/utils/aa-logprof b/utils/aa-logprof
|
||||
index c05cbef3..0ff37652 100755
|
||||
--- a/utils/aa-logprof
|
||||
+++ b/utils/aa-logprof
|
||||
@@ -16,6 +16,7 @@ import argparse
|
||||
import os
|
||||
|
||||
import apparmor.aa as apparmor
|
||||
+import apparmor.ui as aaui
|
||||
|
||||
# setup exception handling
|
||||
from apparmor.fail import enable_aa_exception_handler
|
||||
@@ -29,8 +30,12 @@ parser = argparse.ArgumentParser(description=_('Process log entries to generate
|
||||
parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
|
||||
parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))
|
||||
parser.add_argument('-m', '--mark', type=str, help=_('mark in the log to start processing after'))
|
||||
+parser.add_argument('-j', '--json', action='store_true', help=_('Input and Output in JSON'))
|
||||
args = parser.parse_args()
|
||||
|
||||
+if args.json:
|
||||
+ aaui.set_json_mode()
|
||||
+
|
||||
profiledir = args.dir
|
||||
logmark = args.mark or ''
|
||||
|
||||
diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py
|
||||
index f25fff31..0010f468 100644
|
||||
--- a/utils/apparmor/ui.py
|
||||
+++ b/utils/apparmor/ui.py
|
||||
@@ -1,5 +1,7 @@
|
||||
# ----------------------------------------------------------------------
|
||||
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
|
||||
+# Copyright (C) 2017 Christian Boltz <apparmor@cboltz.de>
|
||||
+# Copyright (C) 2017 SUSE Linux
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of version 2 of the GNU General Public
|
||||
@@ -11,6 +13,8 @@
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# ----------------------------------------------------------------------
|
||||
+
|
||||
+import json
|
||||
import sys
|
||||
import re
|
||||
import readline
|
||||
@@ -24,14 +28,32 @@ _ = init_translation()
|
||||
# Set up UI logger for separate messages from UI module
|
||||
debug_logger = DebugLogger('UI')
|
||||
|
||||
-# The operating mode: yast or text, text by default
|
||||
-UI_mode = 'text'
|
||||
-
|
||||
# If Python3, wrap input in raw_input so make check passes
|
||||
if not 'raw_input' in dir(__builtins__): raw_input = input
|
||||
|
||||
ARROWS = {'A': 'UP', 'B': 'DOWN', 'C': 'RIGHT', 'D': 'LEFT'}
|
||||
|
||||
+UI_mode = 'text'
|
||||
+
|
||||
+def write_json(jsonout):
|
||||
+ print(json.dumps(jsonout, sort_keys=False, separators=(',', ': ')))
|
||||
+ sys.stdout.flush()
|
||||
+
|
||||
+def set_json_mode():
|
||||
+ global UI_mode
|
||||
+ UI_mode = 'json'
|
||||
+ jsonout = {'dialog': 'apparmor-json-version', 'data': '2.12'}
|
||||
+ write_json(jsonout)
|
||||
+
|
||||
+# reads the response on command line for json and verifies the response
|
||||
+# for the dialog type
|
||||
+def json_response(dialog_type):
|
||||
+ string = raw_input('\n')
|
||||
+ rh = json.loads(string.strip())
|
||||
+ if rh["dialog"] != dialog_type:
|
||||
+ raise AppArmorException('Expected response %s got %s.' % (dialog_type, string))
|
||||
+ return rh
|
||||
+
|
||||
def getkey():
|
||||
key = readkey()
|
||||
if key == '\x1B':
|
||||
@@ -44,12 +66,18 @@ def getkey():
|
||||
|
||||
def UI_Info(text):
|
||||
debug_logger.info(text)
|
||||
- if UI_mode == 'text':
|
||||
+ if UI_mode == 'json':
|
||||
+ jsonout = {'dialog': 'info', 'data': text}
|
||||
+ write_json(jsonout)
|
||||
+ else: # text mode
|
||||
sys.stdout.write(text + '\n')
|
||||
|
||||
def UI_Important(text):
|
||||
debug_logger.debug(text)
|
||||
- if UI_mode == 'text':
|
||||
+ if UI_mode == 'json':
|
||||
+ jsonout = {'dialog': 'important', 'data': text}
|
||||
+ write_json(jsonout)
|
||||
+ else: # text mode
|
||||
sys.stdout.write('\n' + text + '\n')
|
||||
|
||||
def get_translated_hotkey(translated, cmsg=''):
|
||||
@@ -67,14 +95,18 @@ def get_translated_hotkey(translated, cmsg=''):
|
||||
def UI_YesNo(text, default):
|
||||
debug_logger.debug('UI_YesNo: %s: %s %s' % (UI_mode, text, default))
|
||||
default = default.lower()
|
||||
- ans = None
|
||||
- if UI_mode == 'text':
|
||||
- yes = CMDS['CMD_YES']
|
||||
- no = CMDS['CMD_NO']
|
||||
- yeskey = get_translated_hotkey(yes).lower()
|
||||
- nokey = get_translated_hotkey(no).lower()
|
||||
- ans = 'XXXINVALIDXXX'
|
||||
- while ans not in ['y', 'n']:
|
||||
+ yes = CMDS['CMD_YES']
|
||||
+ no = CMDS['CMD_NO']
|
||||
+ yeskey = get_translated_hotkey(yes).lower()
|
||||
+ nokey = get_translated_hotkey(no).lower()
|
||||
+ ans = 'XXXINVALIDXXX'
|
||||
+ while ans not in ['y', 'n']:
|
||||
+ if UI_mode == 'json':
|
||||
+ jsonout = {'dialog': 'yesno', 'text': text, 'default': default}
|
||||
+ write_json(jsonout)
|
||||
+ hm = json_response('yesno')
|
||||
+ ans = hm['response_key']
|
||||
+ else: # text mode
|
||||
sys.stdout.write('\n' + text + '\n')
|
||||
if default == 'y':
|
||||
sys.stdout.write('\n[%s] / %s\n' % (yes, no))
|
||||
@@ -102,18 +134,22 @@ def UI_YesNo(text, default):
|
||||
def UI_YesNoCancel(text, default):
|
||||
debug_logger.debug('UI_YesNoCancel: %s: %s %s' % (UI_mode, text, default))
|
||||
default = default.lower()
|
||||
- ans = None
|
||||
- if UI_mode == 'text':
|
||||
- yes = CMDS['CMD_YES']
|
||||
- no = CMDS['CMD_NO']
|
||||
- cancel = CMDS['CMD_CANCEL']
|
||||
-
|
||||
- yeskey = get_translated_hotkey(yes).lower()
|
||||
- nokey = get_translated_hotkey(no).lower()
|
||||
- cancelkey = get_translated_hotkey(cancel).lower()
|
||||
-
|
||||
- ans = 'XXXINVALIDXXX'
|
||||
- while ans not in ['c', 'n', 'y']:
|
||||
+ yes = CMDS['CMD_YES']
|
||||
+ no = CMDS['CMD_NO']
|
||||
+ cancel = CMDS['CMD_CANCEL']
|
||||
+
|
||||
+ yeskey = get_translated_hotkey(yes).lower()
|
||||
+ nokey = get_translated_hotkey(no).lower()
|
||||
+ cancelkey = get_translated_hotkey(cancel).lower()
|
||||
+
|
||||
+ ans = 'XXXINVALIDXXX'
|
||||
+ while ans not in ['c', 'n', 'y']:
|
||||
+ if UI_mode == 'json':
|
||||
+ jsonout = {'dialog': 'yesnocancel', 'text': text, 'default': default}
|
||||
+ write_json(jsonout)
|
||||
+ hm = json_response('yesnocancel')
|
||||
+ ans = hm['response_key']
|
||||
+ else: # text mode
|
||||
sys.stdout.write('\n' + text + '\n')
|
||||
if default == 'y':
|
||||
sys.stdout.write('\n[%s] / %s / %s\n' % (yes, no, cancel))
|
||||
@@ -148,7 +184,11 @@ def UI_YesNoCancel(text, default):
|
||||
def UI_GetString(text, default):
|
||||
debug_logger.debug('UI_GetString: %s: %s %s' % (UI_mode, text, default))
|
||||
string = default
|
||||
- if UI_mode == 'text':
|
||||
+ if UI_mode == 'json':
|
||||
+ jsonout = {'dialog': 'getstring', 'text': text, 'default': default}
|
||||
+ write_json(jsonout)
|
||||
+ string = json_response('getstring')["response"]
|
||||
+ else: # text mode
|
||||
readline.set_startup_hook(lambda: readline.insert_text(default))
|
||||
try:
|
||||
string = raw_input('\n' + text)
|
||||
@@ -161,15 +201,18 @@ def UI_GetString(text, default):
|
||||
def UI_GetFile(file):
|
||||
debug_logger.debug('UI_GetFile: %s' % UI_mode)
|
||||
filename = None
|
||||
- if UI_mode == 'text':
|
||||
+ if UI_mode == 'json':
|
||||
+ jsonout = {'dialog': 'getfile', 'text': file['description']}
|
||||
+ write_json(jsonout)
|
||||
+ filename = json_response('getfile')["response"]
|
||||
+ else: # text mode
|
||||
sys.stdout.write(file['description'] + '\n')
|
||||
filename = sys.stdin.read()
|
||||
return filename
|
||||
|
||||
def UI_BusyStart(message):
|
||||
debug_logger.debug('UI_BusyStart: %s' % UI_mode)
|
||||
- if UI_mode == 'text':
|
||||
- UI_Info(message)
|
||||
+ UI_Info(message)
|
||||
|
||||
def UI_BusyStop():
|
||||
debug_logger.debug('UI_BusyStop: %s' % UI_mode)
|
||||
@@ -254,8 +297,7 @@ class PromptQuestion(object):
|
||||
def promptUser(self, params=''):
|
||||
cmd = None
|
||||
arg = None
|
||||
- if UI_mode == 'text':
|
||||
- cmd, arg = self.Text_PromptUser()
|
||||
+ cmd, arg = self.Text_PromptUser()
|
||||
if cmd == 'CMD_ABORT':
|
||||
confirm_and_abort()
|
||||
cmd = 'XXXINVALIDXXX'
|
||||
@@ -324,6 +366,17 @@ class PromptQuestion(object):
|
||||
function_regexp += ')$'
|
||||
|
||||
ans = 'XXXINVALIDXXX'
|
||||
+ hdict = dict()
|
||||
+ jsonprompt = {
|
||||
+ 'dialog': 'promptuser',
|
||||
+ 'title': title,
|
||||
+ 'headers': hdict,
|
||||
+ 'explanation': explanation,
|
||||
+ 'options': options,
|
||||
+ 'menu_items': menu_items,
|
||||
+ 'default_key': default_key,
|
||||
+ }
|
||||
+
|
||||
while not re.search(function_regexp, ans, flags=re.IGNORECASE):
|
||||
|
||||
prompt = '\n'
|
||||
@@ -335,6 +388,7 @@ class PromptQuestion(object):
|
||||
while header_copy:
|
||||
header = header_copy.pop(0)
|
||||
value = header_copy.pop(0)
|
||||
+ hdict[header] = value
|
||||
prompt += formatstr % (header + ':', value)
|
||||
prompt += '\n'
|
||||
|
||||
@@ -352,9 +406,14 @@ class PromptQuestion(object):
|
||||
|
||||
prompt += ' / '.join(menu_items)
|
||||
|
||||
- sys.stdout.write(prompt + '\n')
|
||||
-
|
||||
- ans = getkey().lower()
|
||||
+ if UI_mode == 'json':
|
||||
+ write_json(jsonprompt)
|
||||
+ hm = json_response('promptuser')
|
||||
+ ans = hm["response_key"]
|
||||
+ selected = hm["selected"]
|
||||
+ else: # text mode
|
||||
+ sys.stdout.write(prompt + '\n')
|
||||
+ ans = getkey().lower()
|
||||
|
||||
if ans:
|
||||
if ans == 'up':
|
||||
@@ -381,7 +440,7 @@ class PromptQuestion(object):
|
||||
selected = ans - 1
|
||||
ans = 'XXXINVALIDXXX'
|
||||
|
||||
- if keys.get(ans, False) == 'CMD_HELP':
|
||||
+ if keys.get(ans, False) == 'CMD_HELP' and UI_mode != 'json':
|
||||
sys.stdout.write('\n%s\n' % helptext)
|
||||
ans = 'again'
|
||||
|
@ -1,9 +1,9 @@
|
||||
Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen
|
||||
Index: profiles/apparmor.d/usr.bin.lessopen.sh
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
|
||||
@@ -0,0 +1,40 @@
|
||||
+# Last Modified: Fri Nov 28 08:01:09 2014
|
||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ profiles/apparmor.d/usr.bin.lessopen.sh 2017-10-28 14:15:12.624358664 +0200
|
||||
@@ -0,0 +1,49 @@
|
||||
+# vim: ft=apparmor
|
||||
+#include <tunables/global>
|
||||
+
|
||||
+/usr/bin/lessopen.sh {
|
||||
@ -12,34 +12,43 @@ Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen
|
||||
+ #include <abstractions/consoles>
|
||||
+ #include <abstractions/perl>
|
||||
+
|
||||
+ capability dac_override,
|
||||
+ capability dac_read_search,
|
||||
+
|
||||
+ /** rk,
|
||||
+ /bin/bash ix,
|
||||
+ /bin/rpm rix,
|
||||
+ /bin/tar rix,
|
||||
+ /bin/bash mrix,
|
||||
+ /bin/rpm mrix,
|
||||
+ /bin/tar mrix,
|
||||
+ /tmp/less.* rw,
|
||||
+ /usr/bin/bzip2 rix,
|
||||
+ /usr/bin/cabextract rix,
|
||||
+ /usr/bin/cat rix,
|
||||
+ /usr/bin/colordiff rix,
|
||||
+ /usr/bin/dvi2tty rix,
|
||||
+ /usr/bin/file rix,
|
||||
+ /usr/bin/grep rix,
|
||||
+ /usr/bin/groff rix,
|
||||
+ /usr/bin/gzip rix,
|
||||
+ /usr/bin/head rix,
|
||||
+ /usr/bin/lynx rix,
|
||||
+ /usr/bin/mktemp rix,
|
||||
+ /usr/bin/nm rix,
|
||||
+ /usr/bin/pdftotext rix,
|
||||
+ /usr/bin/ps2ascii rix,
|
||||
+ /usr/bin/rm rix,
|
||||
+ /usr/bin/seq rix,
|
||||
+ /usr/bin/tar rix,
|
||||
+ /usr/bin/unzip rix,
|
||||
+ /usr/bin/unzip-plain rix,
|
||||
+ /usr/bin/w3m rix,
|
||||
+ /usr/bin/which rix,
|
||||
+ /usr/bin/xz rix,
|
||||
+ /usr/bin/bzip2 mrix,
|
||||
+ /usr/bin/cabextract mrix,
|
||||
+ /usr/bin/cat mrix,
|
||||
+ /usr/bin/colordiff mrix,
|
||||
+ /usr/bin/dvi2tty mrix,
|
||||
+ /usr/bin/eqn mrix,
|
||||
+ /usr/bin/file mrix,
|
||||
+ /usr/bin/grep mrix,
|
||||
+ /usr/bin/groff mrix,
|
||||
+ /usr/bin/grotty mrix,
|
||||
+ /usr/bin/gzip mrix,
|
||||
+ /usr/bin/head mrix,
|
||||
+ /usr/bin/lynx mrix,
|
||||
+ /usr/bin/mktemp mrix,
|
||||
+ /usr/bin/nm mrix,
|
||||
+ /usr/bin/pic mrix,
|
||||
+ /usr/bin/pdftotext mrix,
|
||||
+ /usr/bin/ps2ascii mrix,
|
||||
+ /usr/bin/rm mrix,
|
||||
+ /usr/bin/seq mrix,
|
||||
+ /usr/bin/soelim mrix,
|
||||
+ /usr/bin/tar mrix,
|
||||
+ /usr/bin/tbl mrix,
|
||||
+ /usr/bin/troff mrix,
|
||||
+ /usr/bin/unzip mrix,
|
||||
+ /usr/bin/unzip-plain mrix,
|
||||
+ /usr/bin/w3m mrix,
|
||||
+ /usr/bin/which mrix,
|
||||
+ /usr/bin/xz mrix,
|
||||
+
|
||||
+ #include <local/usr.bin.lessopen.sh>
|
||||
+}
|
||||
|
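Review bot: The lessopen.sh profile carries `capability dac_override,` alongside `capability dac_read_search,`; if those two lines are on the new side (the hunk grows from 34 to 43 lines, which the `rix` to `mrix` renames alone do not account for, and old/new lines are printed here without markers so the side is inferred), the change grants more than a read-only preprocessor needs, because dac_override bypasses write and execute permission checks while dac_read_search covers only read and directory search. Combined with the existing `/** rk,` rule this lets a root lessopen.sh read any file regardless of DAC. Consider keeping only `capability dac_read_search,`, or record which denial required the broader capability with a comment such as `# dac_override needed for: <log entry — placeholder>`.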
@ -1,24 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: AppArmor.pm: Split long string
|
||||
|
||||
The string split here ends up not displaying well in yast.
|
||||
---
|
||||
utils/Immunix/AppArmor.pm | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/deprecated/utils/Immunix/AppArmor.pm
|
||||
+++ b/deprecated/utils/Immunix/AppArmor.pm
|
||||
@@ -6335,7 +6335,12 @@ sub check_qualifiers($) {
|
||||
|
||||
if ($cfg->{qualifiers}{$program}) {
|
||||
unless($cfg->{qualifiers}{$program} =~ /p/) {
|
||||
- fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
|
||||
+ fatal_error(sprintf(gettext(
|
||||
+"\%s is currently marked as a program that should not have its own\n".
|
||||
+"profile. Usually, programs are marked this way if creating a profile for \n".
|
||||
+"them is likely to break the rest of the system. If you know what you're\n".
|
||||
+"doing and are certain you want to create a profile for this program, edit\n".
|
||||
+"the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
|
||||
}
|
||||
}
|
||||
}
|
@ -1,606 +0,0 @@
|
||||
commit 99e2b9e1dfccf765dd84f44f1368892b6a082406
|
||||
Author: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
||||
Date: Sun Jun 11 13:03:44 2017 +0200
|
||||
|
||||
Remove yast from utils
|
||||
|
||||
From: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
||||
|
||||
This is the yast cleanup from the utils code. All yast communication
|
||||
should be done with JSON interface now.
|
||||
|
||||
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
||||
|
||||
|
||||
|
||||
Acked-by: Christian Boltz <apparmor@cboltz.de>
|
||||
|
||||
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
|
||||
index 141c20dd..6db4b277 100644
|
||||
--- a/utils/apparmor/aa.py
|
||||
+++ b/utils/apparmor/aa.py
|
||||
@@ -14,7 +14,6 @@
|
||||
# ----------------------------------------------------------------------
|
||||
# No old version logs, only 2.6 + supported
|
||||
from __future__ import division, with_statement
|
||||
-import inspect
|
||||
import os
|
||||
import re
|
||||
import shutil
|
||||
@@ -64,8 +63,6 @@ from apparmor.rule import quote_if_needed
|
||||
|
||||
ruletypes = ['capability', 'change_profile', 'dbus', 'file', 'network', 'ptrace', 'rlimit', 'signal']
|
||||
|
||||
-from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
|
||||
-
|
||||
# setup module translations
|
||||
from apparmor.translations import init_translation
|
||||
_ = init_translation()
|
||||
@@ -146,15 +143,9 @@ def fatal_error(message):
|
||||
# Add the traceback to message
|
||||
message = tb_stack + '\n\n' + message
|
||||
debug_logger.error(message)
|
||||
- caller = inspect.stack()[1][3]
|
||||
-
|
||||
- # If caller is SendDataToYast or GetDatFromYast simply exit
|
||||
- if caller == 'SendDataToYast' or caller == 'GetDatFromYast':
|
||||
- sys.exit(1)
|
||||
|
||||
# Else tell user what happened
|
||||
aaui.UI_Important(message)
|
||||
- shutdown_yast()
|
||||
sys.exit(1)
|
||||
|
||||
def check_for_apparmor(filesystem='/proc/filesystems', mounts='/proc/mounts'):
|
||||
@@ -539,7 +530,6 @@ def confirm_and_abort():
|
||||
ans = aaui.UI_YesNo(_('Are you sure you want to abandon this set of profile changes and exit?'), 'n')
|
||||
if ans == 'y':
|
||||
aaui.UI_Info(_('Abandoning all changes.'))
|
||||
- shutdown_yast()
|
||||
for prof in created:
|
||||
delete_profile(prof)
|
||||
sys.exit(0)
|
||||
@@ -601,20 +591,12 @@ def get_profile(prof_name):
|
||||
p = profile_hash[options[arg]]
|
||||
q.selected = options.index(options[arg])
|
||||
if ans == 'CMD_VIEW_PROFILE':
|
||||
- if aaui.UI_mode == 'yast':
|
||||
- SendDataToYast({'type': 'dialogue-view-profile',
|
||||
- 'user': options[arg],
|
||||
- 'profile': p['profile'],
|
||||
- 'profile_type': p['profile_type']
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- else:
|
||||
- pager = get_pager()
|
||||
- proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
|
||||
+ pager = get_pager()
|
||||
+ proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
|
||||
# proc.communicate('Profile submitted by %s:\n\n%s\n\n' %
|
||||
# (options[arg], p['profile']))
|
||||
- proc.communicate(p['profile'].encode())
|
||||
- proc.kill()
|
||||
+ proc.communicate(p['profile'].encode())
|
||||
+ proc.kill()
|
||||
elif ans == 'CMD_USE_PROFILE':
|
||||
if p['profile_type'] == 'INACTIVE_LOCAL':
|
||||
profile_data = p['profile_data']
|
||||
@@ -864,76 +846,16 @@ def fetch_profiles_by_user(url, distro, user):
|
||||
def submit_created_profiles(new_profiles):
|
||||
#url = cfg['repository']['url']
|
||||
if new_profiles:
|
||||
- if aaui.UI_mode == 'yast':
|
||||
- title = 'New Profiles'
|
||||
- message = 'Please select the newly created profiles that you would like to store in the repository'
|
||||
- yast_select_and_upload_profiles(title, message, new_profiles)
|
||||
- else:
|
||||
- title = 'Submit newly created profiles to the repository'
|
||||
- message = 'Would you like to upload newly created profiles?'
|
||||
- console_select_and_upload_profiles(title, message, new_profiles)
|
||||
+ title = 'Submit newly created profiles to the repository'
|
||||
+ message = 'Would you like to upload newly created profiles?'
|
||||
+ console_select_and_upload_profiles(title, message, new_profiles)
|
||||
|
||||
def submit_changed_profiles(changed_profiles):
|
||||
#url = cfg['repository']['url']
|
||||
if changed_profiles:
|
||||
- if aaui.UI_mode == 'yast':
|
||||
- title = 'Changed Profiles'
|
||||
- message = 'Please select which of the changed profiles would you like to upload to the repository'
|
||||
- yast_select_and_upload_profiles(title, message, changed_profiles)
|
||||
- else:
|
||||
- title = 'Submit changed profiles to the repository'
|
||||
- message = 'The following profiles from the repository were changed.\nWould you like to upload your changes?'
|
||||
- console_select_and_upload_profiles(title, message, changed_profiles)
|
||||
-
|
||||
-def yast_select_and_upload_profiles(title, message, profiles_up):
|
||||
- url = cfg['repository']['url']
|
||||
- profile_changes = hasher()
|
||||
- profs = profiles_up[:]
|
||||
- for p in profs:
|
||||
- profile_changes[p[0]] = get_profile_diff(p[2], p[1])
|
||||
- SendDataToYast({'type': 'dialog-select-profiles',
|
||||
- 'title': title,
|
||||
- 'explanation': message,
|
||||
- 'default_select': 'false',
|
||||
- 'disable_ask_upload': 'true',
|
||||
- 'profiles': profile_changes
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- selected_profiles = []
|
||||
- changelog = None
|
||||
- changelogs = None
|
||||
- single_changelog = False
|
||||
- if yarg['STATUS'] == 'cancel':
|
||||
- return
|
||||
- else:
|
||||
- selected_profiles = yarg['PROFILES']
|
||||
- changelogs = yarg['CHANGELOG']
|
||||
- if changelogs.get('SINGLE_CHANGELOG', False):
|
||||
- changelog = changelogs['SINGLE_CHANGELOG']
|
||||
- single_changelog = True
|
||||
- user, passw = get_repo_user_pass()
|
||||
- for p in selected_profiles:
|
||||
- profile_string = serialize_profile(aa[p], p)
|
||||
- if not single_changelog:
|
||||
- changelog = changelogs[p]
|
||||
- status_ok, ret = upload_profile(url, user, passw, cfg['repository']['distro'],
|
||||
- p, profile_string, changelog)
|
||||
- if status_ok:
|
||||
- newprofile = ret
|
||||
- newid = newprofile['id']
|
||||
- set_repo_info(aa[p][p], url, user, newid)
|
||||
- write_profile_ui_feedback(p)
|
||||
- else:
|
||||
- if not ret:
|
||||
- ret = 'UNKNOWN ERROR'
|
||||
- aaui.UI_Important(_('WARNING: An error occurred while uploading the profile %(profile)s\n%(ret)s') % { 'profile': p, 'ret': ret })
|
||||
- aaui.UI_Info(_('Uploaded changes to repository.'))
|
||||
- if yarg.get('NEVER_ASK_AGAIN'):
|
||||
- unselected_profiles = []
|
||||
- for p in profs:
|
||||
- if p[0] not in selected_profiles:
|
||||
- unselected_profiles.append(p[0])
|
||||
- set_profiles_local_only(unselected_profiles)
|
||||
+ title = 'Submit changed profiles to the repository'
|
||||
+ message = 'The following profiles from the repository were changed.\nWould you like to upload your changes?'
|
||||
+ console_select_and_upload_profiles(title, message, changed_profiles)
|
||||
|
||||
def upload_profile(url, user, passw, distro, p, profile_string, changelog):
|
||||
# To-Do
|
||||
@@ -1925,10 +1847,6 @@ def do_logprof_pass(logmark='', passno=0, log_pid=log_pid):
|
||||
|
||||
ask_the_questions(log_dict)
|
||||
|
||||
- if aaui.UI_mode == 'yast':
|
||||
- # To-Do
|
||||
- pass
|
||||
-
|
||||
finishing = False
|
||||
# Check for finished
|
||||
save_profiles()
|
||||
@@ -1958,80 +1876,52 @@ def save_profiles():
|
||||
changed_list = sorted(changed.keys())
|
||||
|
||||
if changed_list:
|
||||
+ q = aaui.PromptQuestion()
|
||||
+ q.title = 'Changed Local Profiles'
|
||||
+ q.explanation = _('The following local profiles were changed. Would you like to save them?')
|
||||
+ q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
|
||||
+ q.default = 'CMD_VIEW_CHANGES'
|
||||
+ q.selected = 0
|
||||
+ ans = ''
|
||||
+ arg = None
|
||||
+ while ans != 'CMD_SAVE_CHANGES':
|
||||
+ if not changed:
|
||||
+ return
|
||||
+
|
||||
+ q.options = sorted(changed.keys())
|
||||
+
|
||||
+ ans, arg = q.promptUser()
|
||||
+ if ans == 'CMD_SAVE_SELECTED':
|
||||
+ profile_name = list(changed.keys())[arg]
|
||||
+ write_profile_ui_feedback(profile_name)
|
||||
+ reload_base(profile_name)
|
||||
|
||||
- if aaui.UI_mode == 'yast':
|
||||
- # To-Do
|
||||
- # selected_profiles = [] # XXX selected_profiles_ref?
|
||||
- profile_changes = dict()
|
||||
- for prof in changed_list:
|
||||
- oldprofile = serialize_profile(original_aa[prof], prof)
|
||||
- newprofile = serialize_profile(aa[prof], prof)
|
||||
- profile_changes[prof] = get_profile_diff(oldprofile, newprofile)
|
||||
- explanation = _('Select which profile changes you would like to save to the\nlocal profile set.')
|
||||
- title = _('Local profile changes')
|
||||
- SendDataToYast({'type': 'dialog-select-profiles',
|
||||
- 'title': title,
|
||||
- 'explanation': explanation,
|
||||
- 'dialog_select': 'true',
|
||||
- 'get_changelog': 'false',
|
||||
- 'profiles': profile_changes
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- if yarg['STATUS'] == 'cancel':
|
||||
- return None
|
||||
- else:
|
||||
- selected_profiles_ref = yarg['PROFILES']
|
||||
- for profile_name in selected_profiles_ref:
|
||||
- write_profile_ui_feedback(profile_name)
|
||||
- reload_base(profile_name)
|
||||
-
|
||||
- else:
|
||||
- q = aaui.PromptQuestion()
|
||||
- q.title = 'Changed Local Profiles'
|
||||
- q.explanation = _('The following local profiles were changed. Would you like to save them?')
|
||||
- q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
|
||||
- q.default = 'CMD_VIEW_CHANGES'
|
||||
- q.selected = 0
|
||||
- ans = ''
|
||||
- arg = None
|
||||
- while ans != 'CMD_SAVE_CHANGES':
|
||||
- if not changed:
|
||||
- return
|
||||
-
|
||||
- q.options = sorted(changed.keys())
|
||||
-
|
||||
- ans, arg = q.promptUser()
|
||||
- if ans == 'CMD_SAVE_SELECTED':
|
||||
- profile_name = list(changed.keys())[arg]
|
||||
- write_profile_ui_feedback(profile_name)
|
||||
- reload_base(profile_name)
|
||||
-
|
||||
- elif ans == 'CMD_VIEW_CHANGES':
|
||||
- which = list(changed.keys())[arg]
|
||||
- oldprofile = None
|
||||
- if aa[which][which].get('filename', False):
|
||||
- oldprofile = aa[which][which]['filename']
|
||||
- else:
|
||||
- oldprofile = get_profile_filename(which)
|
||||
+ elif ans == 'CMD_VIEW_CHANGES':
|
||||
+ which = list(changed.keys())[arg]
|
||||
+ oldprofile = None
|
||||
+ if aa[which][which].get('filename', False):
|
||||
+ oldprofile = aa[which][which]['filename']
|
||||
+ else:
|
||||
+ oldprofile = get_profile_filename(which)
|
||||
|
||||
- try:
|
||||
- newprofile = serialize_profile_from_old_profile(aa[which], which, '')
|
||||
- except AttributeError:
|
||||
- # see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139
|
||||
- newprofile = "###\n###\n### Internal error while generating diff, please use '%s' instead\n###\n###\n" % _('View Changes b/w (C)lean profiles')
|
||||
+ try:
|
||||
+ newprofile = serialize_profile_from_old_profile(aa[which], which, '')
|
||||
+ except AttributeError:
|
||||
+ # see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139
|
||||
+ newprofile = "###\n###\n### Internal error while generating diff, please use '%s' instead\n###\n###\n" % _('View Changes b/w (C)lean profiles')
|
||||
|
||||
- display_changes_with_comments(oldprofile, newprofile)
|
||||
+ display_changes_with_comments(oldprofile, newprofile)
|
||||
|
||||
- elif ans == 'CMD_VIEW_CHANGES_CLEAN':
|
||||
- which = list(changed.keys())[arg]
|
||||
- oldprofile = serialize_profile(original_aa[which], which, '')
|
||||
- newprofile = serialize_profile(aa[which], which, '')
|
||||
+ elif ans == 'CMD_VIEW_CHANGES_CLEAN':
|
||||
+ which = list(changed.keys())[arg]
|
||||
+ oldprofile = serialize_profile(original_aa[which], which, '')
|
||||
+ newprofile = serialize_profile(aa[which], which, '')
|
||||
|
||||
- display_changes(oldprofile, newprofile)
|
||||
+ display_changes(oldprofile, newprofile)
|
||||
|
||||
- for profile_name in sorted(changed.keys()):
|
||||
- write_profile_ui_feedback(profile_name)
|
||||
- reload_base(profile_name)
|
||||
+ for profile_name in sorted(changed.keys()):
|
||||
+ write_profile_ui_feedback(profile_name)
|
||||
+ reload_base(profile_name)
|
||||
|
||||
def get_pager():
|
||||
return 'less'
|
||||
@@ -2065,33 +1955,26 @@ def get_profile_diff(oldprofile, newprofile):
|
||||
return ''.join(diff)
|
||||
|
||||
def display_changes(oldprofile, newprofile):
|
||||
- if aaui.UI_mode == 'yast':
|
||||
- aaui.UI_LongMessage(_('Profile Changes'), get_profile_diff(oldprofile, newprofile))
|
||||
- else:
|
||||
- difftemp = generate_diff(oldprofile, newprofile)
|
||||
- subprocess.call('less %s' % difftemp.name, shell=True)
|
||||
- difftemp.delete = True
|
||||
- difftemp.close()
|
||||
+ difftemp = generate_diff(oldprofile, newprofile)
|
||||
+ subprocess.call('less %s' % difftemp.name, shell=True)
|
||||
+ difftemp.delete = True
|
||||
+ difftemp.close()
|
||||
|
||||
def display_changes_with_comments(oldprofile, newprofile):
|
||||
"""Compare the new profile with the existing profile inclusive of all the comments"""
|
||||
if not os.path.exists(oldprofile):
|
||||
raise AppArmorException(_("Can't find existing profile %s to compare changes.") % oldprofile)
|
||||
- if aaui.UI_mode == 'yast':
|
||||
- #To-Do
|
||||
- pass
|
||||
- else:
|
||||
- newtemp = tempfile.NamedTemporaryFile('w')
|
||||
- newtemp.write(newprofile)
|
||||
- newtemp.flush()
|
||||
+ newtemp = tempfile.NamedTemporaryFile('w')
|
||||
+ newtemp.write(newprofile)
|
||||
+ newtemp.flush()
|
||||
|
||||
- difftemp = tempfile.NamedTemporaryFile('w')
|
||||
+ difftemp = tempfile.NamedTemporaryFile('w')
|
||||
|
||||
- subprocess.call('diff -u -p %s %s > %s' % (oldprofile, newtemp.name, difftemp.name), shell=True)
|
||||
+ subprocess.call('diff -u -p %s %s > %s' % (oldprofile, newtemp.name, difftemp.name), shell=True)
|
||||
|
||||
- newtemp.close()
|
||||
- subprocess.call('less %s' % difftemp.name, shell=True)
|
||||
- difftemp.close()
|
||||
+ newtemp.close()
|
||||
+ subprocess.call('less %s' % difftemp.name, shell=True)
|
||||
+ difftemp.close()
|
||||
|
||||
def set_process(pid, profile):
|
||||
# If process not running don't do anything
|
||||
diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py
|
||||
index bfbde8c6..f25fff31 100644
|
||||
--- a/utils/apparmor/ui.py
|
||||
+++ b/utils/apparmor/ui.py
|
||||
@@ -14,7 +14,6 @@
|
||||
import sys
|
||||
import re
|
||||
import readline
|
||||
-from apparmor.yasti import yastLog, SendDataToYast, GetDataFromYast
|
||||
|
||||
from apparmor.common import readkey, AppArmorException, DebugLogger
|
||||
|
||||
@@ -47,18 +46,11 @@ def UI_Info(text):
|
||||
debug_logger.info(text)
|
||||
if UI_mode == 'text':
|
||||
sys.stdout.write(text + '\n')
|
||||
- else:
|
||||
- yastLog(text)
|
||||
|
||||
def UI_Important(text):
|
||||
debug_logger.debug(text)
|
||||
if UI_mode == 'text':
|
||||
sys.stdout.write('\n' + text + '\n')
|
||||
- else:
|
||||
- SendDataToYast({'type': 'dialog-error',
|
||||
- 'message': text
|
||||
- })
|
||||
- path, yarg = GetDataFromYast()
|
||||
|
||||
def get_translated_hotkey(translated, cmsg=''):
|
||||
msg = 'PromptUser: ' + _('Invalid hotkey for')
|
||||
@@ -105,15 +97,6 @@ def UI_YesNo(text, default):
|
||||
continue # If user presses any other button ask again
|
||||
else:
|
||||
ans = default
|
||||
-
|
||||
- else:
|
||||
- SendDataToYast({'type': 'dialog-yesno',
|
||||
- 'question': text
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- ans = yarg['answer']
|
||||
- if not ans:
|
||||
- ans = default
|
||||
return ans
|
||||
|
||||
def UI_YesNoCancel(text, default):
|
||||
@@ -160,14 +143,6 @@ def UI_YesNoCancel(text, default):
|
||||
default = 'c'
|
||||
else:
|
||||
ans = default
|
||||
- else:
|
||||
- SendDataToYast({'type': 'dialog-yesnocancel',
|
||||
- 'question': text
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- ans = yarg['answer']
|
||||
- if not ans:
|
||||
- ans = default
|
||||
return ans
|
||||
|
||||
def UI_GetString(text, default):
|
||||
@@ -181,13 +156,6 @@ def UI_GetString(text, default):
|
||||
string = ''
|
||||
finally:
|
||||
readline.set_startup_hook()
|
||||
- else:
|
||||
- SendDataToYast({'type': 'dialog-getstring',
|
||||
- 'label': text,
|
||||
- 'default': default
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- string = yarg['string']
|
||||
return string.strip()
|
||||
|
||||
def UI_GetFile(file):
|
||||
@@ -196,29 +164,15 @@ def UI_GetFile(file):
|
||||
if UI_mode == 'text':
|
||||
sys.stdout.write(file['description'] + '\n')
|
||||
filename = sys.stdin.read()
|
||||
- else:
|
||||
- file['type'] = 'dialog-getfile'
|
||||
- SendDataToYast(file)
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- if yarg['answer'] == 'okay':
|
||||
- filename = yarg['filename']
|
||||
return filename
|
||||
|
||||
def UI_BusyStart(message):
|
||||
debug_logger.debug('UI_BusyStart: %s' % UI_mode)
|
||||
if UI_mode == 'text':
|
||||
UI_Info(message)
|
||||
- else:
|
||||
- SendDataToYast({'type': 'dialog-busy-start',
|
||||
- 'message': message
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
|
||||
def UI_BusyStop():
|
||||
debug_logger.debug('UI_BusyStop: %s' % UI_mode)
|
||||
- if UI_mode != 'text':
|
||||
- SendDataToYast({'type': 'dialog-busy-stop'})
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
|
||||
CMDS = {'CMD_ALLOW': _('(A)llow'),
|
||||
'CMD_OTHER': _('(M)ore'),
|
||||
@@ -302,13 +256,6 @@ class PromptQuestion(object):
|
||||
arg = None
|
||||
if UI_mode == 'text':
|
||||
cmd, arg = self.Text_PromptUser()
|
||||
- else:
|
||||
- self.type = 'wizard'
|
||||
- SendDataToYast(self)
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
- if not cmd:
|
||||
- cmd = 'CMD_ABORT'
|
||||
- arg = yarg['selected']
|
||||
if cmd == 'CMD_ABORT':
|
||||
confirm_and_abort()
|
||||
cmd = 'XXXINVALIDXXX'
|
||||
@@ -447,25 +394,8 @@ def confirm_and_abort():
|
||||
ans = UI_YesNo(_('Are you sure you want to abandon this set of profile changes and exit?'), 'n')
|
||||
if ans == 'y':
|
||||
UI_Info(_('Abandoning all changes.'))
|
||||
- #shutdown_yast()
|
||||
- #for prof in created:
|
||||
- # delete_profile(prof)
|
||||
sys.exit(0)
|
||||
|
||||
-def UI_ShortMessage(title, message):
|
||||
- SendDataToYast({'type': 'short-dialog-message',
|
||||
- 'headline': title,
|
||||
- 'message': message
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
-
|
||||
-def UI_LongMessage(title, message):
|
||||
- SendDataToYast({'type': 'long-dialog-message',
|
||||
- 'headline': title,
|
||||
- 'message': message
|
||||
- })
|
||||
- ypath, yarg = GetDataFromYast()
|
||||
-
|
||||
def is_number(number):
|
||||
try:
|
||||
return int(number)
|
||||
diff --git a/utils/apparmor/yasti.py b/utils/apparmor/yasti.py
|
||||
deleted file mode 100644
|
||||
index 180e7152..00000000
|
||||
--- a/utils/apparmor/yasti.py
|
||||
+++ /dev/null
|
||||
@@ -1,106 +0,0 @@
|
||||
-# ----------------------------------------------------------------------
|
||||
-# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
|
||||
-#
|
||||
-# This program is free software; you can redistribute it and/or
|
||||
-# modify it under the terms of version 2 of the GNU General Public
|
||||
-# License as published by the Free Software Foundation.
|
||||
-#
|
||||
-# This program is distributed in the hope that it will be useful,
|
||||
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-# GNU General Public License for more details.
|
||||
-#
|
||||
-# ----------------------------------------------------------------------
|
||||
-import re
|
||||
-import sys
|
||||
-try:
|
||||
- import ycp
|
||||
-except ImportError:
|
||||
- # ycp isn't found everywhere.
|
||||
- ycp = None
|
||||
-
|
||||
-from apparmor.common import error, DebugLogger
|
||||
-
|
||||
-# Set up UI logger for separate messages from YaST module
|
||||
-debug_logger = DebugLogger('YaST')
|
||||
-
|
||||
-
|
||||
-def setup_yast():
|
||||
- # To-Do
|
||||
- pass
|
||||
-
|
||||
-def shutdown_yast():
|
||||
- # To-Do
|
||||
- pass
|
||||
-
|
||||
-def yastLog(text):
|
||||
- ycp.y2milestone(text)
|
||||
-
|
||||
-def SendDataToYast(data):
|
||||
- debug_logger.info('SendDataToYast: Waiting for YCP command')
|
||||
- for line in sys.stdin:
|
||||
- ycommand, ypath, yargument = ParseCommand(line)
|
||||
- if ycommand and ycommand == 'Read':
|
||||
- debug_logger.info('SendDataToYast: Sending--%s' % data)
|
||||
- ycp.Return(data)
|
||||
- return True
|
||||
- else:
|
||||
- debug_logger.info('SendDataToYast: Expected \'Read\' but got-- %s' % line)
|
||||
- error('SendDataToYast: didn\'t receive YCP command before connection died')
|
||||
-
|
||||
-def GetDataFromYast():
|
||||
- debug_logger.inf('GetDataFromYast: Waiting for YCP command')
|
||||
- for line in sys.stdin:
|
||||
- debug_logger.info('GetDataFromYast: YCP: %s' % line)
|
||||
- ycommand, ypath, yarg = ParseCommand(line)
|
||||
- debug_logger.info('GetDataFromYast: Recieved--\n%s' % yarg)
|
||||
- if ycommand and ycommand == 'Write':
|
||||
- ycp.Return('true')
|
||||
- return ypath, yarg
|
||||
- else:
|
||||
- debug_logger.info('GetDataFromYast: Expected Write but got-- %s' % line)
|
||||
- error('GetDataFromYast: didn\'t receive YCP command before connection died')
|
||||
-
|
||||
-def ParseCommand(commands):
|
||||
- term = ParseTerm(commands)
|
||||
- if term:
|
||||
- command = term[0]
|
||||
- term = term[1:]
|
||||
- else:
|
||||
- command = ''
|
||||
- path = ''
|
||||
- pathref = None
|
||||
- if term:
|
||||
- pathref = term[0]
|
||||
- term = term[1:]
|
||||
- if pathref:
|
||||
- if pathref.strip():
|
||||
- path = pathref.strip()
|
||||
- elif command != 'result':
|
||||
- ycp.y2error('The first arguement is not a path. (%s)' % pathref)
|
||||
- argument = None
|
||||
- if term:
|
||||
- argument = term[0]
|
||||
- if len(term) > 1:
|
||||
- ycp.y2warning('Superfluous command arguments ignored')
|
||||
- return (command, path, argument)
|
||||
-
|
||||
-def ParseTerm(inp):
|
||||
- regex_term = re.compile('^\s*`?(\w*)\s*')
|
||||
- term = regex_term.search(inp)
|
||||
- ret = []
|
||||
- symbol = None
|
||||
- if term:
|
||||
- symbol = term.groups()[0]
|
||||
- else:
|
||||
- ycp.y2error('No term symbol')
|
||||
- ret.append(symbol)
|
||||
- inp = regex_term.sub('', inp)
|
||||
- if not inp.startswith('('):
|
||||
- ycp.y2error('No term parantheses')
|
||||
- argref, err, rest = ycp.ParseYcpTermBody(inp)
|
||||
- if err:
|
||||
- ycp.y2error('%s (%s)' % (err, rest))
|
||||
- else:
|
||||
- ret += argref
|
||||
- return ret
|
@ -1,3 +1,45 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 25 15:27:03 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.12
|
||||
- add support for 'owner' rules in aa-logprof and aa-genprof
|
||||
- add support for includes with absolute path in aa-logprof etc. (lp#1733700)
|
||||
- update aa-decode to also decode PROCTITLE (lp#1736841)
|
||||
- several profile and abstraction updates, including boo#1069470
|
||||
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
|
||||
for the detailed upstream changelog
|
||||
- drop upstreamed patches:
|
||||
- read_inactive_profile-exactly-once.patch
|
||||
- utils-fix-sorted-save_profiles-regression.diff
|
||||
- lessopen profile: change all 'rix' rules to 'mrix'
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 30 10:30:33 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.11.95 aka 2.12 beta1
|
||||
- add JSON interface to aa-logprof and aa-genprof (used by YaST)
|
||||
- drop old YaST interface code
|
||||
- update audio, base and nameservice abstractions
|
||||
- allow @{pid} to match 7-digit pids
|
||||
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
|
||||
for the detailed upstream changelog
|
||||
- drop upstreamed patches
|
||||
- apparmor-yast-cleanup.patch
|
||||
- apparmor-json-support.patch
|
||||
- nameservice-libtirpc.diff
|
||||
- drop obsolete perl modules (YaST no longer needs them)
|
||||
- drop patches that were only needed by the obsolete perl modules:
|
||||
- apparmor-utils-string-split
|
||||
- apparmor-abstractions-no-multiline.diff
|
||||
- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in
|
||||
apparmor_parser
|
||||
- refresh utils-fix-sorted-save_profiles-regression.diff
|
||||
- add aa-teardown (new script to unload all profiles)
|
||||
- make ExecStop in apparmor.service a no-op (workaround for a systemd
|
||||
restriction, see boo#996520 and boo#853019 for details)
|
||||
- lessopen profile: allow capability dac_read_search and dac_override,
|
||||
allow groff to execute several helpers (boo#1065388)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 29 15:26:48 UTC 2017 - rgoldwyn@suse.com
|
||||
|
||||
|
@ -8,9 +8,17 @@ ConditionSecurity=apparmor
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/lib/apparmor/apparmor.systemd start
|
||||
ExecStart=/lib/apparmor/apparmor.systemd reload
|
||||
ExecReload=/lib/apparmor/apparmor.systemd reload
|
||||
ExecStop=/lib/apparmor/apparmor.systemd stop
|
||||
|
||||
# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
|
||||
# from running processes (and not being able to re-apply it later).
|
||||
# Upstream systemd developers refused to implement an option that allows overriding
|
||||
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
|
||||
# safe side.
|
||||
#
|
||||
# If you really want to unload all AppArmor profiles, run aa-teardown
|
||||
ExecStop=/bin/true
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
|
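Review bot: The new comment block says the no-op stop is there "to error out on the safe side", but `ExecStop=/bin/true` exits 0, so `systemctl stop apparmor` reports success and marks the unit inactive while every profile stays loaded and every confined process stays confined — the intended safe behaviour, but the wording promises an error that never comes. I would reword the last two comment lines to `# this behaviour, therefore ExecStop is a no-op: 'systemctl stop apparmor' succeeds` / `# but leaves all profiles loaded. If you really want to unload them, run aa-teardown.` ExecStart also moves from `start` to `reload` in this hunk; presumably that is so a restart after the no-op stop re-applies the profile set even though the kernel still has it loaded, and that reason deserves one comment line above it, because a future edit could easily "correct" it back to `start`.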
@ -35,7 +35,7 @@
|
||||
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
|
||||
|
||||
Name: apparmor
|
||||
Version: 2.11.1
|
||||
Version: 2.12
|
||||
Release: 0
|
||||
Summary: AppArmor userlevel parser utility
|
||||
License: GPL-2.0+
|
||||
@ -50,6 +50,7 @@ Source6: baselibs.conf
|
||||
Source7: apparmor-rpmlintrc
|
||||
Source8: apparmor.service
|
||||
Source9: apparmor.systemd
|
||||
Source10: aa-teardown
|
||||
|
||||
# enable caching of profiles (= massive performance speedup when loading profiles)
|
||||
Patch1: apparmor-enable-profile-cache.diff
|
||||
@ -57,36 +58,12 @@ Patch1: apparmor-enable-profile-cache.diff
|
||||
# include autogenerated profile sniplet for samba shares (bnc#688040)
|
||||
Patch2: apparmor-samba-include-permissions-for-shares.diff
|
||||
|
||||
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
|
||||
Patch3: apparmor-utils-string-split
|
||||
|
||||
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
|
||||
Patch5: ruby-2_0-mkmf-destdir.patch
|
||||
|
||||
# change multiline rules in abstractions to one line - needed because YaST still uses the perl module, which doesn't support multiline rules
|
||||
# (bnc#900013, not for upstream)
|
||||
Patch6: apparmor-abstractions-no-multiline.diff
|
||||
|
||||
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
||||
Patch7: apparmor-lessopen-profile.patch
|
||||
|
||||
# add JSON support to aa-logprof and aa-genprof (will be in upstream 2.12)
|
||||
Patch12: apparmor-yast-cleanup.patch
|
||||
Patch13: apparmor-json-support.patch
|
||||
|
||||
# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only)
|
||||
# TODO: replace with proper unix rules when Kernel 4.15 arrives
|
||||
Patch15: profiles-sockets-temporary-fix.patch
|
||||
|
||||
# fix NIS/YP logins - libtirpc needs to read /etc/netconfig - commited upstream 2017-10-20 (trunk r3716, 2.11 r3682, 2.10 r3408, 2.9 r3069)
|
||||
Patch16: nameservice-libtirpc.diff
|
||||
|
||||
# Fix sorted() regression in save_profiles() - submitted upstream 2017-10-22
|
||||
Patch17: utils-fix-sorted-save_profiles-regression.diff
|
||||
|
||||
# bsc#1069346
|
||||
Patch18: read_inactive_profile-exactly-once.patch
|
||||
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
%define apparmor_bin_prefix /lib/apparmor
|
||||
@ -193,18 +170,12 @@ License: GPL-2.0 and LGPL-2.1+
|
||||
Group: Development/Libraries/Perl
|
||||
Requires: libapparmor1 = %{version}
|
||||
Requires: perl = %{perl_version}
|
||||
Requires: perl(DBD::SQLite)
|
||||
Requires: perl(Locale::gettext)
|
||||
Requires: perl(RPC::XML)
|
||||
Requires: perl(RPC::XML)
|
||||
Requires: perl(Term::ReadKey)
|
||||
Requires: perl(Term::ReadKey)
|
||||
Provides: perl-libapparmor = %{version}
|
||||
Obsoletes: perl-libapparmor < 2.5
|
||||
|
||||
%description -n perl-apparmor
|
||||
This package provides the perl interface to AppArmor. It is used for perl
|
||||
applications interfacing with AppArmor, including the AppArmor utilities.
|
||||
applications interfacing with AppArmor.
|
||||
|
||||
%endif
|
||||
|
||||
@ -378,19 +349,8 @@ SubDomain.
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2
|
||||
%patch3 -p1
|
||||
%patch5 -p1
|
||||
%patch6
|
||||
%patch7 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch15 -p1
|
||||
%patch16
|
||||
%patch17
|
||||
%patch18 -p1
|
||||
|
||||
# search for left-over multiline rules
|
||||
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
|
||||
%patch7
|
||||
|
||||
%build
|
||||
export SUSE_ASNEEDED=0
|
||||
@ -426,11 +386,6 @@ make -C utils
|
||||
# binutils
|
||||
make -C binutils
|
||||
|
||||
# deprecated/utils (perl modules still needed by YaST)
|
||||
%if %{with perl}
|
||||
make -C deprecated/utils
|
||||
%endif
|
||||
|
||||
# parser:
|
||||
make -C parser V=1
|
||||
|
||||
@ -485,11 +440,6 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
|
||||
%makeinstall -C binutils
|
||||
( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )
|
||||
|
||||
# deprecated/utils (perl modules still needed by YaST)
|
||||
%if %{with perl}
|
||||
%makeinstall -C deprecated/utils
|
||||
%endif
|
||||
|
||||
%makeinstall -C profiles
|
||||
|
||||
%makeinstall -C parser
|
||||
@ -541,8 +491,12 @@ done
|
||||
rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
|
||||
# Adjust for systemd
|
||||
test ! -f %{buildroot}%{_unitdir}/apparmor.service
|
||||
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
|
||||
test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
|
||||
install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
|
||||
test ! -f %{buildroot}%{_sbindir}/aa-teardown
|
||||
install -m0755 %{S:10} %{buildroot}%{_sbindir}
|
||||
rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
|
||||
rm %{buildroot}/sbin/rcsubdomain
|
||||
ln -sf service %{buildroot}/sbin/rcapparmor
|
||||
@ -569,6 +523,7 @@ echo -------------------------------------------------------------------
|
||||
/sbin/apparmor_parser
|
||||
%{_bindir}/aa-enabled
|
||||
%{_bindir}/aa-exec
|
||||
%{_sbindir}/aa-teardown
|
||||
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%{_sysconfdir}/apparmor.d/cache
|
||||
@ -625,7 +580,20 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
|
||||
%{_sbindir}/aa-*
|
||||
%{_sbindir}/aa-audit
|
||||
%{_sbindir}/aa-autodep
|
||||
%{_sbindir}/aa-cleanprof
|
||||
%{_sbindir}/aa-complain
|
||||
%{_sbindir}/aa-decode
|
||||
%{_sbindir}/aa-disable
|
||||
%{_sbindir}/aa-enforce
|
||||
%{_sbindir}/aa-genprof
|
||||
%{_sbindir}/aa-logprof
|
||||
%{_sbindir}/aa-mergeprof
|
||||
%{_sbindir}/aa-notify
|
||||
%{_sbindir}/aa-remove-unknown
|
||||
%{_sbindir}/aa-status
|
||||
%{_sbindir}/aa-unconfined
|
||||
%{_sbindir}/apparmor_status
|
||||
%{_sbindir}/audit
|
||||
%{_sbindir}/autodep
|
||||
@ -645,7 +613,22 @@ fi
|
||||
%dir %{_localstatedir}/log/apparmor
|
||||
%doc %{_mandir}/man5/logprof.conf.5.gz
|
||||
%doc %{_mandir}/man8/apparmor_notify.8.gz
|
||||
%doc %{_mandir}/man8/aa-*.gz
|
||||
%doc %{_mandir}/man8/aa-audit.8.gz
|
||||
%doc %{_mandir}/man8/aa-autodep.8.gz
|
||||
%doc %{_mandir}/man8/aa-cleanprof.8.gz
|
||||
%doc %{_mandir}/man8/aa-complain.8.gz
|
||||
%doc %{_mandir}/man8/aa-decode.8.gz
|
||||
%doc %{_mandir}/man8/aa-disable.8.gz
|
||||
%doc %{_mandir}/man8/aa-easyprof.8.gz
|
||||
%doc %{_mandir}/man8/aa-enforce.8.gz
|
||||
%doc %{_mandir}/man8/aa-genprof.8.gz
|
||||
%doc %{_mandir}/man8/aa-logprof.8.gz
|
||||
%doc %{_mandir}/man8/aa-mergeprof.8.gz
|
||||
%doc %{_mandir}/man8/aa-notify.8.gz
|
||||
%doc %{_mandir}/man8/aa-remove-unknown.8.gz
|
||||
%doc %{_mandir}/man8/aa-status.8.gz
|
||||
%doc %{_mandir}/man8/aa-unconfined.8.gz
|
||||
|
||||
%doc %{_mandir}/man8/apparmor_status.8.gz
|
||||
%doc %{_mandir}/man8/audit.8.gz
|
||||
%doc %{_mandir}/man8/autodep.8.gz
|
||||
@ -664,7 +647,6 @@ fi
|
||||
%if %{with perl}
|
||||
%files -n perl-apparmor
|
||||
%defattr(-,root,root)
|
||||
%{perl_vendorlib}/Immunix
|
||||
%{perl_vendorarch}/auto/LibAppArmor/
|
||||
%{perl_vendorarch}/LibAppArmor.pm
|
||||
%endif
|
||||
|
@ -1,3 +1,20 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 25 15:32:35 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.12
|
||||
- preserve errno across aa_*_unref() functions
|
||||
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
|
||||
for the detailed upstream changelog
|
||||
- no longer package static libapparmor.a
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 31 10:41:55 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.11.95 aka 2.12 beta1
|
||||
- no changes in libapparmor
|
||||
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
|
||||
for the detailed upstream changelog
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
|
||||
Name: libapparmor
|
||||
Version: 2.11.1
|
||||
Version: 2.12
|
||||
Release: 0
|
||||
Summary: Utility library for AppArmor
|
||||
License: LGPL-2.1+
|
||||
@ -87,8 +87,9 @@ make check -C libraries/libapparmor
|
||||
# create symlink for old change_hat(2) manpage
|
||||
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
|
||||
|
||||
# remove *.la files
|
||||
# remove *.la and *.a files
|
||||
rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
rm -fv %{buildroot}%{_libdir}/libapparmor.a
|
||||
|
||||
%post -n libapparmor1 -p /sbin/ldconfig
|
||||
|
||||
@ -100,7 +101,6 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
|
||||
%files -n libapparmor-devel
|
||||
%defattr(-,root,root)
|
||||
%{_libdir}/libapparmor.a
|
||||
%{_libdir}/libapparmor.so
|
||||
%{_libdir}/pkgconfig/libapparmor.pc
|
||||
%doc %{_mandir}/man2/aa_change_hat.2.gz
|
||||
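Review bot: The static archive is still compiled and only discarded afterwards by `rm -fv %{buildroot}%{_libdir}/libapparmor.a`; since the build is libtool-based (the `.la` file removed on the line above), passing `--disable-static` at the configure step — which lies outside this hunk — would skip building it entirely and document the intent where it originates. If the post-install `rm` is kept, note that `-f` lets a future upstream change that no longer produces the archive pass silently; that is acceptable here but deserves a short comment such as `# static library intentionally not packaged`. The matching removal from `%files -n libapparmor-devel` below is consistent with this, so only the install section needs the comment.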
|
@ -1,13 +0,0 @@
|
||||
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
|
||||
--- profiles/apparmor.d/abstractions/nameservice 2017-09-15 20:47:26 +0000
|
||||
+++ profiles/apparmor.d/abstractions/nameservice 2017-10-17 21:29:36 +0000
|
||||
@@ -21,6 +21,9 @@
|
||||
/etc/passwd r,
|
||||
/etc/protocols r,
|
||||
|
||||
+ # libtirpc (used for NIS/YP login) needs this
|
||||
+ /etc/netconfig r,
|
||||
+
|
||||
# When using libnss-extrausers, the passwd and group files are merged from
|
||||
# an alternate path
|
||||
/var/lib/extrausers/group r,
|
@ -1,39 +0,0 @@
|
||||
Subject: [PATCH] Temporarily fix socket mediation in nameservice
|
||||
References: bsc#1061195
|
||||
|
||||
|
||||
As per the conversation on IRC:
|
||||
cboltz: ah yes, the upstreamed version fixes a couple
|
||||
holes in the old patch suse carried
|
||||
|
||||
One of these "holes" were unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2).
|
||||
|
||||
The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules.
|
||||
|
||||
Instead, I'll add a temporary patch for abstractions/nameservice that adds
|
||||
network unix dgram,
|
||||
network unix stream,
|
||||
|
||||
(including a TODO note to replace it as soon as support for unix rules
|
||||
was upstreamed, probably 4.15). These rules are broader than needed,
|
||||
but should avoid user-visible breakage - and at least with 4.14, unix
|
||||
rules would get downgraded to network unix anyway ;-)
|
||||
|
||||
---
|
||||
profiles/apparmor.d/abstractions/nameservice | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
--- a/profiles/apparmor.d/abstractions/nameservice
|
||||
+++ b/profiles/apparmor.d/abstractions/nameservice
|
||||
@@ -92,5 +92,11 @@
|
||||
# Netlink raw needed for nscd
|
||||
network netlink raw,
|
||||
|
||||
+ # This is a temporary fix for nameservices with the new socket
|
||||
+ # mediations in 4.14-rc2
|
||||
+ # TODO: To be replaced once unix rules are upstreamed
|
||||
+ network unix dgram,
|
||||
+ network unix stream,
|
||||
+
|
||||
# interface details
|
||||
@{PROC}/@{pid}/net/route r,
|
@ -1,34 +0,0 @@
|
||||
commit b307e535fa26bff0abffb6bfd1aeab5d6c7c3622
|
||||
Author: Christian Boltz <apparmor@cboltz.de>
|
||||
Date: Tue Nov 28 21:46:36 2017 +0100
|
||||
|
||||
Let read_inactive_profiles() do nothing when calling it the second time
|
||||
|
||||
autodep() calls read_inactive_profiles() each time it's called (= for
|
||||
each binary). The result is a "Conflicting profile" error (showing the
|
||||
same filename twice) if autodep() runs more than once. This can easily
|
||||
happen when using "aa-autodep /usr/bin/*".
|
||||
|
||||
This patch adds an attribute to read_inactive_profiles() that lets the
|
||||
function return without doing anything if was called before.
|
||||
|
||||
---
|
||||
utils/apparmor/aa.py | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
--- a/utils/apparmor/aa.py
|
||||
+++ b/utils/apparmor/aa.py
|
||||
@@ -2107,6 +2107,13 @@ def read_profiles():
|
||||
read_profile(profile_dir + '/' + file, True)
|
||||
|
||||
def read_inactive_profiles():
|
||||
+ if hasattr(read_inactive_profiles, 'already_read'):
|
||||
+ # each autodep() run calls read_inactive_profiles, but that's a) superfluous and b) triggers a conflict because the inactive profiles are already loaded
|
||||
+ # therefore don't do anything if the inactive profiles were already loaded
|
||||
+ return
|
||||
+
|
||||
+ read_inactive_profiles.already_read = True
|
||||
+
|
||||
if not os.path.exists(extra_profile_dir):
|
||||
return None
|
||||
try:
|
@ -1,34 +0,0 @@
|
||||
--- utils/apparmor/aa.py 2017-10-11 21:20:00.789641479 +0200
|
||||
+++ utils/apparmor/aa.py 2017-10-22 14:15:00.412193634 +0200
|
||||
@@ -1827,16 +1827,18 @@
|
||||
if not changed:
|
||||
return
|
||||
|
||||
- q.options = sorted(changed.keys())
|
||||
+ options = sorted(changed.keys())
|
||||
+ q.options = options
|
||||
|
||||
ans, arg = q.promptUser()
|
||||
+
|
||||
+ which = options[arg]
|
||||
+
|
||||
if ans == 'CMD_SAVE_SELECTED':
|
||||
- profile_name = list(changed.keys())[arg]
|
||||
- write_profile_ui_feedback(profile_name)
|
||||
- reload_base(profile_name)
|
||||
+ write_profile_ui_feedback(which)
|
||||
+ reload_base(which)
|
||||
|
||||
elif ans == 'CMD_VIEW_CHANGES':
|
||||
- which = list(changed.keys())[arg]
|
||||
oldprofile = None
|
||||
if aa[which][which].get('filename', False):
|
||||
oldprofile = aa[which][which]['filename']
|
||||
@@ -1852,7 +1854,6 @@
|
||||
display_changes_with_comments(oldprofile, newprofile)
|
||||
|
||||
elif ans == 'CMD_VIEW_CHANGES_CLEAN':
|
||||
- which = list(changed.keys())[arg]
|
||||
oldprofile = serialize_profile(original_aa[which], which, '')
|
||||
newprofile = serialize_profile(aa[which], which, '')
|
||||
|