Accepting request 560016 from home:cboltz

- update to AppArmor 2.12
  - add support for 'owner' rules in aa-logprof and aa-genprof
  - add support for includes with absolute path in aa-logprof etc. (lp#1733700)
  - update aa-decode to also decode PROCTITLE (lp#1736841)
  - several profile and abstraction updates, including boo#1069470
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
    for the detailed upstream changelog
- drop upstreamed patches:
  - read_inactive_profile-exactly-once.patch
  - utils-fix-sorted-save_profiles-regression.diff
- lessopen profile: change all 'rix' rules to 'mrix'

- update to AppArmor 2.11.95 aka 2.12 beta1
  - add JSON interface to aa-logprof and aa-genprof (used by YaST)
  - drop old YaST interface code
  - update audio, base and nameservice abstractions
  - allow @{pid} to match 7-digit pids
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
    for the detailed upstream changelog
- drop upstreamed patches
  - apparmor-yast-cleanup.patch
  - apparmor-json-support.patch
  - nameservice-libtirpc.diff
- drop obsolete perl modules (YaST no longer needs them)
- drop patches that were only needed by the obsolete perl modules:
  - apparmor-utils-string-split
  - apparmor-abstractions-no-multiline.diff
- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in
  apparmor_parser
- refresh utils-fix-sorted-save_profiles-regression.diff

OBS-URL: https://build.opensuse.org/request/show/560016
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=194
Christian Boltz 2017-12-26 14:30:01 +00:00 committed by Git OBS Bridge
parent 51c20bdc0e
commit 7823513103
19 changed files with 180 additions and 1411 deletions

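--- a/aa-teardown
+++ b/aa-teardown
@@ -0,0 +1,10 @@
+#!/bin/bash
+test $# = 0 || {
+echo "Usage: $0"
+echo
+echo "Unloads all AppArmor profiles"
+exit 1
+}
+/lib/apparmor/apparmor.systemd stop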
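Review bot: The usage block in aa-teardown prints its message to stdout although it exits with status 1; usage and error text conventionally go to stderr so a caller capturing stdout does not take it for normal output. The three echo lines would become `echo "Usage: $0" >&2`, `echo >&2` and `echo "Unloads all AppArmor profiles" >&2`. The last line runs a hard-coded helper path with no existence check, so a missing helper ends in bash's command-not-found error rather than a clear message; a `test -x /lib/apparmor/apparmor.systemd` guard, or a comment documenting the dependency on that helper, would address that.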


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e8e2b22c18e6b6741c1f96942398923b97316b53d86408629f922d5689ec3507
size 5017646


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=vKvS
-----END PGP SIGNATURE-----

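--- a/apparmor-2.12.tar.gz
+++ b/apparmor-2.12.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056
+size 7258450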

apparmor-2.12.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=rBMH
-----END PGP SIGNATURE-----


@ -1,242 +0,0 @@
=== modified file 'profiles/apparmor.d/abstractions/X'
Index: profiles/apparmor.d/abstractions/X
===================================================================
--- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
+++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
@@ -25,12 +25,8 @@
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
/usr/include/X11/ r,
/usr/include/X11/** r,
Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict
===================================================================
--- profiles/apparmor.d/abstractions/dbus-accessibility-strict.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-accessibility-strict 2014-10-18 13:11:31.098494805 +0200
@@ -9,9 +9,4 @@
#
# ------------------------------------------------------------------
- dbus send
- bus=accessibility
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/dbus-session-strict
===================================================================
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2017-01-11 21:20:01.381935015 +0100
+++ profiles/apparmor.d/abstractions/dbus-session-strict 2017-01-11 21:20:07.641905170 +0100
@@ -14,16 +14,9 @@
/var/lib/dbus/machine-id r,
owner /run/user/*/bus rw,
- unix (connect, receive, send)
- type=stream
- peer=(addr="@/tmp/dbus-*"),
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
# dbus with systemd and --enable-user-session
owner /run/user/[0-9]*/bus rw,
- dbus send
- bus=session
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/dbus-strict
===================================================================
--- profiles/apparmor.d/abstractions/dbus-strict.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-strict 2014-10-18 13:11:31.098494805 +0200
@@ -11,9 +11,4 @@
/{,var/}run/dbus/system_bus_socket rw,
- dbus send
- bus=system
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
Index: profiles/apparmor.d/abstractions/fcitx-strict
===================================================================
--- profiles/apparmor.d/abstractions/fcitx-strict.orig 2017-01-11 21:44:55.726947350 +0100
+++ profiles/apparmor.d/abstractions/fcitx-strict 2017-01-11 21:45:02.830914856 +0100
@@ -11,11 +11,6 @@
#include <abstractions/dbus-session-strict>
- dbus send
- bus=fcitx
- path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
- peer=(name=org.freedesktop.DBus),
+ dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
owner @{HOME}/.config/fcitx/dbus/* r,
Index: profiles/apparmor.d/abstractions/libpam-systemd
===================================================================
--- profiles/apparmor.d/abstractions/libpam-systemd.orig 2017-01-11 21:47:13.814315855 +0100
+++ profiles/apparmor.d/abstractions/libpam-systemd 2017-01-11 21:47:19.490289904 +0100
@@ -12,8 +12,4 @@
#include <abstractions/dbus-strict>
# libpam-systemd notifies systemd-logind about session logins/logouts
- dbus send
- bus=system
- path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={CreateSession,ReleaseSession},
+ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession},
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2017-01-11 21:20:07.641905170 +0100
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2017-01-11 21:20:52.197692834 +0100
@@ -21,78 +21,37 @@
#
# Access required for connecting to/communication with Unity HUD
#
- dbus (send)
- bus=session
- path="/com/canonical/hud",
- dbus (send)
- bus=session
- interface="com.canonical.hud.*",
- dbus (send)
- bus=session
- path="/com/canonical/hud/applications/*",
- dbus (receive)
- bus=session
- path="/com/canonical/hud",
- dbus (receive)
- bus=session
- interface="com.canonical.hud.*",
+ dbus (send) bus=session path="/com/canonical/hud",
+ dbus (send) bus=session interface="com.canonical.hud.*",
+ dbus (send) bus=session path="/com/canonical/hud/applications/*",
+ dbus (receive) bus=session path="/com/canonical/hud",
+ dbus (receive) bus=session interface="com.canonical.hud.*",
#
# Allow access for connecting to/communication with the appmenu
#
# dbusmenu
- dbus (send)
- bus=session
- interface="com.canonical.AppMenu.*",
- dbus (receive, send)
- bus=session
- path=/com/canonical/menu/**,
+ dbus (send) bus=session interface="com.canonical.AppMenu.*",
+ dbus (receive, send) bus=session path=/com/canonical/menu/**,
# gmenu
- dbus (receive, send)
- bus=session
- interface=org.gtk.Actions,
- dbus (receive, send)
- bus=session
- interface=org.gtk.Menus,
+ dbus (receive, send) bus=session interface=org.gtk.Actions,
+ dbus (receive, send) bus=session interface=org.gtk.Menus,
#
# Access required for using freedesktop notifications
#
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=GetCapabilities,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=GetServerInformation,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=Notify,
- dbus (receive)
- bus=session
- member="Notify"
- peer=(name="org.freedesktop.DBus"),
- dbus (receive)
- bus=session
- path=/org/freedesktop/Notifications
- member=NotificationClosed,
- dbus (send)
- bus=session
- path=/org/freedesktop/Notifications
- member=CloseNotification,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetCapabilities,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetServerInformation,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=Notify,
+ dbus (receive) bus=session member="Notify" peer=(name="org.freedesktop.DBus"),
+ dbus (receive) bus=session path=/org/freedesktop/Notifications member=NotificationClosed,
+ dbus (send) bus=session path=/org/freedesktop/Notifications member=CloseNotification,
# accessibility
- dbus (send)
- bus=session
- peer=(name=org.a11y.Bus),
- dbus (receive)
- bus=session
- interface=org.a11y.atspi*,
- dbus (receive, send)
- bus=accessibility,
+ dbus (send) bus=session peer=(name=org.a11y.Bus),
+ dbus (receive) bus=session interface=org.a11y.atspi*,
+ dbus (receive, send) bus=accessibility,
#
# Deny potentially dangerous access
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-launcher
===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-launcher.orig 2014-10-18 13:11:18.497652337 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-launcher 2014-10-18 13:11:31.098494805 +0200
@@ -1,7 +1,4 @@
#
# Access required for connecting to/communicating with the Unity Launcher
#
- dbus (send)
- bus=session
- interface="com.canonical.Unity.LauncherEntry"
- member="Update",
+ dbus (send) bus=session interface="com.canonical.Unity.LauncherEntry" member="Update",
Index: profiles/apparmor.d/abstractions/ubuntu-unity7-messaging
===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-messaging.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-messaging 2014-10-18 13:11:31.099494792 +0200
@@ -2,6 +2,4 @@
# Access required for connecting to/communicating with the Unity messaging
# indicator
#
- dbus (receive, send)
- bus=session
- path="/com/canonical/indicator/messages/*",
+ dbus (receive, send) bus=session path="/com/canonical/indicator/messages/*",
Index: profiles/apparmor.d/abstractions/gnome
===================================================================
--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
+++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
@@ -93,6 +93,4 @@
# Allow connecting to the GNOME vfs socket (still need corresponding DBus
# rules)
- unix (send, receive, connect)
- type=stream
- peer=(addr="@/dbus-vfs-daemon/socket-*"),
+ unix (send, receive, connect) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"),


@ -1,307 +0,0 @@
commit aa95d7c9d4b0a7386ac52ad8dbcb28922198c8b7
Author: Goldwyn Rodrigues <rgoldwyn@suse.de>
Date: Thu Jun 15 18:22:43 2017 +0200
json support for logprof and genprof
From: Goldwyn Rodrigues <rgoldwyn@suse.com>
Provides json support to tools in order to interact with other
utilities such as Yast.
The JSON output is one per line, in order to differentiate between
multiple records. Each JSON record has a "dialog" entry which defines
the type of message passed. A response must contain the "dialog"
entry. "info" message does not require a response.
"apparmor-json-version" added in order to identify the communication
protocol version for future updates.
This is based on work done by Christian Boltz.
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
diff --git a/utils/aa-genprof b/utils/aa-genprof
index e2e65442..c9415e10 100755
--- a/utils/aa-genprof
+++ b/utils/aa-genprof
@@ -61,8 +61,12 @@ parser = argparse.ArgumentParser(description=_('Generate profile for the given p
parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))
parser.add_argument('program', type=str, help=_('name of program to profile'))
+parser.add_argument('-j', '--json', action="store_true", help=_('Input and Output in JSON'))
args = parser.parse_args()
+if args.json:
+ aaui.set_json_mode()
+
profiling = args.program
profiledir = args.dir
diff --git a/utils/aa-logprof b/utils/aa-logprof
index c05cbef3..0ff37652 100755
--- a/utils/aa-logprof
+++ b/utils/aa-logprof
@@ -16,6 +16,7 @@ import argparse
import os
import apparmor.aa as apparmor
+import apparmor.ui as aaui
# setup exception handling
from apparmor.fail import enable_aa_exception_handler
@@ -29,8 +30,12 @@ parser = argparse.ArgumentParser(description=_('Process log entries to generate
parser.add_argument('-d', '--dir', type=str, help=_('path to profiles'))
parser.add_argument('-f', '--file', type=str, help=_('path to logfile'))
parser.add_argument('-m', '--mark', type=str, help=_('mark in the log to start processing after'))
+parser.add_argument('-j', '--json', action='store_true', help=_('Input and Output in JSON'))
args = parser.parse_args()
+if args.json:
+ aaui.set_json_mode()
+
profiledir = args.dir
logmark = args.mark or ''
diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py
index f25fff31..0010f468 100644
--- a/utils/apparmor/ui.py
+++ b/utils/apparmor/ui.py
@@ -1,5 +1,7 @@
# ----------------------------------------------------------------------
# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
+# Copyright (C) 2017 Christian Boltz <apparmor@cboltz.de>
+# Copyright (C) 2017 SUSE Linux
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -11,6 +13,8 @@
# GNU General Public License for more details.
#
# ----------------------------------------------------------------------
+
+import json
import sys
import re
import readline
@@ -24,14 +28,32 @@ _ = init_translation()
# Set up UI logger for separate messages from UI module
debug_logger = DebugLogger('UI')
-# The operating mode: yast or text, text by default
-UI_mode = 'text'
-
# If Python3, wrap input in raw_input so make check passes
if not 'raw_input' in dir(__builtins__): raw_input = input
ARROWS = {'A': 'UP', 'B': 'DOWN', 'C': 'RIGHT', 'D': 'LEFT'}
+UI_mode = 'text'
+
+def write_json(jsonout):
+ print(json.dumps(jsonout, sort_keys=False, separators=(',', ': ')))
+ sys.stdout.flush()
+
+def set_json_mode():
+ global UI_mode
+ UI_mode = 'json'
+ jsonout = {'dialog': 'apparmor-json-version', 'data': '2.12'}
+ write_json(jsonout)
+
+# reads the response on command line for json and verifies the response
+# for the dialog type
+def json_response(dialog_type):
+ string = raw_input('\n')
+ rh = json.loads(string.strip())
+ if rh["dialog"] != dialog_type:
+ raise AppArmorException('Expected response %s got %s.' % (dialog_type, string))
+ return rh
+
def getkey():
key = readkey()
if key == '\x1B':
@@ -44,12 +66,18 @@ def getkey():
def UI_Info(text):
debug_logger.info(text)
- if UI_mode == 'text':
+ if UI_mode == 'json':
+ jsonout = {'dialog': 'info', 'data': text}
+ write_json(jsonout)
+ else: # text mode
sys.stdout.write(text + '\n')
def UI_Important(text):
debug_logger.debug(text)
- if UI_mode == 'text':
+ if UI_mode == 'json':
+ jsonout = {'dialog': 'important', 'data': text}
+ write_json(jsonout)
+ else: # text mode
sys.stdout.write('\n' + text + '\n')
def get_translated_hotkey(translated, cmsg=''):
@@ -67,14 +95,18 @@ def get_translated_hotkey(translated, cmsg=''):
def UI_YesNo(text, default):
debug_logger.debug('UI_YesNo: %s: %s %s' % (UI_mode, text, default))
default = default.lower()
- ans = None
- if UI_mode == 'text':
- yes = CMDS['CMD_YES']
- no = CMDS['CMD_NO']
- yeskey = get_translated_hotkey(yes).lower()
- nokey = get_translated_hotkey(no).lower()
- ans = 'XXXINVALIDXXX'
- while ans not in ['y', 'n']:
+ yes = CMDS['CMD_YES']
+ no = CMDS['CMD_NO']
+ yeskey = get_translated_hotkey(yes).lower()
+ nokey = get_translated_hotkey(no).lower()
+ ans = 'XXXINVALIDXXX'
+ while ans not in ['y', 'n']:
+ if UI_mode == 'json':
+ jsonout = {'dialog': 'yesno', 'text': text, 'default': default}
+ write_json(jsonout)
+ hm = json_response('yesno')
+ ans = hm['response_key']
+ else: # text mode
sys.stdout.write('\n' + text + '\n')
if default == 'y':
sys.stdout.write('\n[%s] / %s\n' % (yes, no))
@@ -102,18 +134,22 @@ def UI_YesNo(text, default):
def UI_YesNoCancel(text, default):
debug_logger.debug('UI_YesNoCancel: %s: %s %s' % (UI_mode, text, default))
default = default.lower()
- ans = None
- if UI_mode == 'text':
- yes = CMDS['CMD_YES']
- no = CMDS['CMD_NO']
- cancel = CMDS['CMD_CANCEL']
-
- yeskey = get_translated_hotkey(yes).lower()
- nokey = get_translated_hotkey(no).lower()
- cancelkey = get_translated_hotkey(cancel).lower()
-
- ans = 'XXXINVALIDXXX'
- while ans not in ['c', 'n', 'y']:
+ yes = CMDS['CMD_YES']
+ no = CMDS['CMD_NO']
+ cancel = CMDS['CMD_CANCEL']
+
+ yeskey = get_translated_hotkey(yes).lower()
+ nokey = get_translated_hotkey(no).lower()
+ cancelkey = get_translated_hotkey(cancel).lower()
+
+ ans = 'XXXINVALIDXXX'
+ while ans not in ['c', 'n', 'y']:
+ if UI_mode == 'json':
+ jsonout = {'dialog': 'yesnocancel', 'text': text, 'default': default}
+ write_json(jsonout)
+ hm = json_response('yesnocancel')
+ ans = hm['response_key']
+ else: # text mode
sys.stdout.write('\n' + text + '\n')
if default == 'y':
sys.stdout.write('\n[%s] / %s / %s\n' % (yes, no, cancel))
@@ -148,7 +184,11 @@ def UI_YesNoCancel(text, default):
def UI_GetString(text, default):
debug_logger.debug('UI_GetString: %s: %s %s' % (UI_mode, text, default))
string = default
- if UI_mode == 'text':
+ if UI_mode == 'json':
+ jsonout = {'dialog': 'getstring', 'text': text, 'default': default}
+ write_json(jsonout)
+ string = json_response('getstring')["response"]
+ else: # text mode
readline.set_startup_hook(lambda: readline.insert_text(default))
try:
string = raw_input('\n' + text)
@@ -161,15 +201,18 @@ def UI_GetString(text, default):
def UI_GetFile(file):
debug_logger.debug('UI_GetFile: %s' % UI_mode)
filename = None
- if UI_mode == 'text':
+ if UI_mode == 'json':
+ jsonout = {'dialog': 'getfile', 'text': file['description']}
+ write_json(jsonout)
+ filename = json_response('getfile')["response"]
+ else: # text mode
sys.stdout.write(file['description'] + '\n')
filename = sys.stdin.read()
return filename
def UI_BusyStart(message):
debug_logger.debug('UI_BusyStart: %s' % UI_mode)
- if UI_mode == 'text':
- UI_Info(message)
+ UI_Info(message)
def UI_BusyStop():
debug_logger.debug('UI_BusyStop: %s' % UI_mode)
@@ -254,8 +297,7 @@ class PromptQuestion(object):
def promptUser(self, params=''):
cmd = None
arg = None
- if UI_mode == 'text':
- cmd, arg = self.Text_PromptUser()
+ cmd, arg = self.Text_PromptUser()
if cmd == 'CMD_ABORT':
confirm_and_abort()
cmd = 'XXXINVALIDXXX'
@@ -324,6 +366,17 @@ class PromptQuestion(object):
function_regexp += ')$'
ans = 'XXXINVALIDXXX'
+ hdict = dict()
+ jsonprompt = {
+ 'dialog': 'promptuser',
+ 'title': title,
+ 'headers': hdict,
+ 'explanation': explanation,
+ 'options': options,
+ 'menu_items': menu_items,
+ 'default_key': default_key,
+ }
+
while not re.search(function_regexp, ans, flags=re.IGNORECASE):
prompt = '\n'
@@ -335,6 +388,7 @@ class PromptQuestion(object):
while header_copy:
header = header_copy.pop(0)
value = header_copy.pop(0)
+ hdict[header] = value
prompt += formatstr % (header + ':', value)
prompt += '\n'
@@ -352,9 +406,14 @@ class PromptQuestion(object):
prompt += ' / '.join(menu_items)
- sys.stdout.write(prompt + '\n')
-
- ans = getkey().lower()
+ if UI_mode == 'json':
+ write_json(jsonprompt)
+ hm = json_response('promptuser')
+ ans = hm["response_key"]
+ selected = hm["selected"]
+ else: # text mode
+ sys.stdout.write(prompt + '\n')
+ ans = getkey().lower()
if ans:
if ans == 'up':
@@ -381,7 +440,7 @@ class PromptQuestion(object):
selected = ans - 1
ans = 'XXXINVALIDXXX'
- if keys.get(ans, False) == 'CMD_HELP':
+ if keys.get(ans, False) == 'CMD_HELP' and UI_mode != 'json':
sys.stdout.write('\n%s\n' % helptext)
ans = 'again'


@ -1,9 +1,9 @@
Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen
Index: profiles/apparmor.d/usr.bin.lessopen.sh
===================================================================
--- /dev/null
+++ apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
@@ -0,0 +1,40 @@
+# Last Modified: Fri Nov 28 08:01:09 2014
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ profiles/apparmor.d/usr.bin.lessopen.sh 2017-10-28 14:15:12.624358664 +0200
@@ -0,0 +1,49 @@
+# vim: ft=apparmor
+#include <tunables/global>
+
+/usr/bin/lessopen.sh {
@ -12,34 +12,43 @@ Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen
+ #include <abstractions/consoles>
+ #include <abstractions/perl>
+
+ capability dac_override,
+ capability dac_read_search,
+
+ /** rk,
+ /bin/bash ix,
+ /bin/rpm rix,
+ /bin/tar rix,
+ /bin/bash mrix,
+ /bin/rpm mrix,
+ /bin/tar mrix,
+ /tmp/less.* rw,
+ /usr/bin/bzip2 rix,
+ /usr/bin/cabextract rix,
+ /usr/bin/cat rix,
+ /usr/bin/colordiff rix,
+ /usr/bin/dvi2tty rix,
+ /usr/bin/file rix,
+ /usr/bin/grep rix,
+ /usr/bin/groff rix,
+ /usr/bin/gzip rix,
+ /usr/bin/head rix,
+ /usr/bin/lynx rix,
+ /usr/bin/mktemp rix,
+ /usr/bin/nm rix,
+ /usr/bin/pdftotext rix,
+ /usr/bin/ps2ascii rix,
+ /usr/bin/rm rix,
+ /usr/bin/seq rix,
+ /usr/bin/tar rix,
+ /usr/bin/unzip rix,
+ /usr/bin/unzip-plain rix,
+ /usr/bin/w3m rix,
+ /usr/bin/which rix,
+ /usr/bin/xz rix,
+ /usr/bin/bzip2 mrix,
+ /usr/bin/cabextract mrix,
+ /usr/bin/cat mrix,
+ /usr/bin/colordiff mrix,
+ /usr/bin/dvi2tty mrix,
+ /usr/bin/eqn mrix,
+ /usr/bin/file mrix,
+ /usr/bin/grep mrix,
+ /usr/bin/groff mrix,
+ /usr/bin/grotty mrix,
+ /usr/bin/gzip mrix,
+ /usr/bin/head mrix,
+ /usr/bin/lynx mrix,
+ /usr/bin/mktemp mrix,
+ /usr/bin/nm mrix,
+ /usr/bin/pic mrix,
+ /usr/bin/pdftotext mrix,
+ /usr/bin/ps2ascii mrix,
+ /usr/bin/rm mrix,
+ /usr/bin/seq mrix,
+ /usr/bin/soelim mrix,
+ /usr/bin/tar mrix,
+ /usr/bin/tbl mrix,
+ /usr/bin/troff mrix,
+ /usr/bin/unzip mrix,
+ /usr/bin/unzip-plain mrix,
+ /usr/bin/w3m mrix,
+ /usr/bin/which mrix,
+ /usr/bin/xz mrix,
+
+ #include <local/usr.bin.lessopen.sh>
+}
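Review bot: The second hunk of the lessopen patch (the one headed `@ -12,34 +12,43 @@`) adds six executables that the changelog entry "lessopen profile: change all 'rix' rules to 'mrix'" does not mention: `/usr/bin/eqn`, `/usr/bin/grotty`, `/usr/bin/pic`, `/usr/bin/soelim`, `/usr/bin/tbl` and `/usr/bin/troff`. Because these rules use `ix`, each new helper inherits the lessopen.sh profile, including its `/** rk,` rule and `capability dac_read_search,`, so the refresh widens the set of programs that run with that file access. Naming them in the changelog, e.g. `- lessopen profile: change all 'rix' rules to 'mrix', add groff helpers (eqn, grotty, pic, soelim, tbl, troff)`, keeps the scope of the change reviewable.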


@ -1,24 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: AppArmor.pm: Split long string
The string split here ends up not displaying well in yast.
---
utils/Immunix/AppArmor.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/deprecated/utils/Immunix/AppArmor.pm
+++ b/deprecated/utils/Immunix/AppArmor.pm
@@ -6335,7 +6335,12 @@ sub check_qualifiers($) {
if ($cfg->{qualifiers}{$program}) {
unless($cfg->{qualifiers}{$program} =~ /p/) {
- fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
+ fatal_error(sprintf(gettext(
+"\%s is currently marked as a program that should not have its own\n".
+"profile. Usually, programs are marked this way if creating a profile for \n".
+"them is likely to break the rest of the system. If you know what you're\n".
+"doing and are certain you want to create a profile for this program, edit\n".
+"the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
}
}
}


@ -1,606 +0,0 @@
commit 99e2b9e1dfccf765dd84f44f1368892b6a082406
Author: Goldwyn Rodrigues <rgoldwyn@suse.com>
Date: Sun Jun 11 13:03:44 2017 +0200
Remove yast from utils
From: Goldwyn Rodrigues <rgoldwyn@suse.com>
This is the yast cleanup from the utils code. All yast communication
should be done with JSON interface now.
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 141c20dd..6db4b277 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -14,7 +14,6 @@
# ----------------------------------------------------------------------
# No old version logs, only 2.6 + supported
from __future__ import division, with_statement
-import inspect
import os
import re
import shutil
@@ -64,8 +63,6 @@ from apparmor.rule import quote_if_needed
ruletypes = ['capability', 'change_profile', 'dbus', 'file', 'network', 'ptrace', 'rlimit', 'signal']
-from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
-
# setup module translations
from apparmor.translations import init_translation
_ = init_translation()
@@ -146,15 +143,9 @@ def fatal_error(message):
# Add the traceback to message
message = tb_stack + '\n\n' + message
debug_logger.error(message)
- caller = inspect.stack()[1][3]
-
- # If caller is SendDataToYast or GetDatFromYast simply exit
- if caller == 'SendDataToYast' or caller == 'GetDatFromYast':
- sys.exit(1)
# Else tell user what happened
aaui.UI_Important(message)
- shutdown_yast()
sys.exit(1)
def check_for_apparmor(filesystem='/proc/filesystems', mounts='/proc/mounts'):
@@ -539,7 +530,6 @@ def confirm_and_abort():
ans = aaui.UI_YesNo(_('Are you sure you want to abandon this set of profile changes and exit?'), 'n')
if ans == 'y':
aaui.UI_Info(_('Abandoning all changes.'))
- shutdown_yast()
for prof in created:
delete_profile(prof)
sys.exit(0)
@@ -601,20 +591,12 @@ def get_profile(prof_name):
p = profile_hash[options[arg]]
q.selected = options.index(options[arg])
if ans == 'CMD_VIEW_PROFILE':
- if aaui.UI_mode == 'yast':
- SendDataToYast({'type': 'dialogue-view-profile',
- 'user': options[arg],
- 'profile': p['profile'],
- 'profile_type': p['profile_type']
- })
- ypath, yarg = GetDataFromYast()
- else:
- pager = get_pager()
- proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
+ pager = get_pager()
+ proc = subprocess.Popen(pager, stdin=subprocess.PIPE)
# proc.communicate('Profile submitted by %s:\n\n%s\n\n' %
# (options[arg], p['profile']))
- proc.communicate(p['profile'].encode())
- proc.kill()
+ proc.communicate(p['profile'].encode())
+ proc.kill()
elif ans == 'CMD_USE_PROFILE':
if p['profile_type'] == 'INACTIVE_LOCAL':
profile_data = p['profile_data']
@@ -864,76 +846,16 @@ def fetch_profiles_by_user(url, distro, user):
def submit_created_profiles(new_profiles):
#url = cfg['repository']['url']
if new_profiles:
- if aaui.UI_mode == 'yast':
- title = 'New Profiles'
- message = 'Please select the newly created profiles that you would like to store in the repository'
- yast_select_and_upload_profiles(title, message, new_profiles)
- else:
- title = 'Submit newly created profiles to the repository'
- message = 'Would you like to upload newly created profiles?'
- console_select_and_upload_profiles(title, message, new_profiles)
+ title = 'Submit newly created profiles to the repository'
+ message = 'Would you like to upload newly created profiles?'
+ console_select_and_upload_profiles(title, message, new_profiles)
def submit_changed_profiles(changed_profiles):
#url = cfg['repository']['url']
if changed_profiles:
- if aaui.UI_mode == 'yast':
- title = 'Changed Profiles'
- message = 'Please select which of the changed profiles would you like to upload to the repository'
- yast_select_and_upload_profiles(title, message, changed_profiles)
- else:
- title = 'Submit changed profiles to the repository'
- message = 'The following profiles from the repository were changed.\nWould you like to upload your changes?'
- console_select_and_upload_profiles(title, message, changed_profiles)
-
-def yast_select_and_upload_profiles(title, message, profiles_up):
- url = cfg['repository']['url']
- profile_changes = hasher()
- profs = profiles_up[:]
- for p in profs:
- profile_changes[p[0]] = get_profile_diff(p[2], p[1])
- SendDataToYast({'type': 'dialog-select-profiles',
- 'title': title,
- 'explanation': message,
- 'default_select': 'false',
- 'disable_ask_upload': 'true',
- 'profiles': profile_changes
- })
- ypath, yarg = GetDataFromYast()
- selected_profiles = []
- changelog = None
- changelogs = None
- single_changelog = False
- if yarg['STATUS'] == 'cancel':
- return
- else:
- selected_profiles = yarg['PROFILES']
- changelogs = yarg['CHANGELOG']
- if changelogs.get('SINGLE_CHANGELOG', False):
- changelog = changelogs['SINGLE_CHANGELOG']
- single_changelog = True
- user, passw = get_repo_user_pass()
- for p in selected_profiles:
- profile_string = serialize_profile(aa[p], p)
- if not single_changelog:
- changelog = changelogs[p]
- status_ok, ret = upload_profile(url, user, passw, cfg['repository']['distro'],
- p, profile_string, changelog)
- if status_ok:
- newprofile = ret
- newid = newprofile['id']
- set_repo_info(aa[p][p], url, user, newid)
- write_profile_ui_feedback(p)
- else:
- if not ret:
- ret = 'UNKNOWN ERROR'
- aaui.UI_Important(_('WARNING: An error occurred while uploading the profile %(profile)s\n%(ret)s') % { 'profile': p, 'ret': ret })
- aaui.UI_Info(_('Uploaded changes to repository.'))
- if yarg.get('NEVER_ASK_AGAIN'):
- unselected_profiles = []
- for p in profs:
- if p[0] not in selected_profiles:
- unselected_profiles.append(p[0])
- set_profiles_local_only(unselected_profiles)
+ title = 'Submit changed profiles to the repository'
+ message = 'The following profiles from the repository were changed.\nWould you like to upload your changes?'
+ console_select_and_upload_profiles(title, message, changed_profiles)
def upload_profile(url, user, passw, distro, p, profile_string, changelog):
# To-Do
@@ -1925,10 +1847,6 @@ def do_logprof_pass(logmark='', passno=0, log_pid=log_pid):
ask_the_questions(log_dict)
- if aaui.UI_mode == 'yast':
- # To-Do
- pass
-
finishing = False
# Check for finished
save_profiles()
@@ -1958,80 +1876,52 @@ def save_profiles():
changed_list = sorted(changed.keys())
if changed_list:
+ q = aaui.PromptQuestion()
+ q.title = 'Changed Local Profiles'
+ q.explanation = _('The following local profiles were changed. Would you like to save them?')
+ q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
+ q.default = 'CMD_VIEW_CHANGES'
+ q.selected = 0
+ ans = ''
+ arg = None
+ while ans != 'CMD_SAVE_CHANGES':
+ if not changed:
+ return
+
+ q.options = sorted(changed.keys())
+
+ ans, arg = q.promptUser()
+ if ans == 'CMD_SAVE_SELECTED':
+ profile_name = list(changed.keys())[arg]
+ write_profile_ui_feedback(profile_name)
+ reload_base(profile_name)
- if aaui.UI_mode == 'yast':
- # To-Do
- # selected_profiles = [] # XXX selected_profiles_ref?
- profile_changes = dict()
- for prof in changed_list:
- oldprofile = serialize_profile(original_aa[prof], prof)
- newprofile = serialize_profile(aa[prof], prof)
- profile_changes[prof] = get_profile_diff(oldprofile, newprofile)
- explanation = _('Select which profile changes you would like to save to the\nlocal profile set.')
- title = _('Local profile changes')
- SendDataToYast({'type': 'dialog-select-profiles',
- 'title': title,
- 'explanation': explanation,
- 'dialog_select': 'true',
- 'get_changelog': 'false',
- 'profiles': profile_changes
- })
- ypath, yarg = GetDataFromYast()
- if yarg['STATUS'] == 'cancel':
- return None
- else:
- selected_profiles_ref = yarg['PROFILES']
- for profile_name in selected_profiles_ref:
- write_profile_ui_feedback(profile_name)
- reload_base(profile_name)
-
- else:
- q = aaui.PromptQuestion()
- q.title = 'Changed Local Profiles'
- q.explanation = _('The following local profiles were changed. Would you like to save them?')
- q.functions = ['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT']
- q.default = 'CMD_VIEW_CHANGES'
- q.selected = 0
- ans = ''
- arg = None
- while ans != 'CMD_SAVE_CHANGES':
- if not changed:
- return
-
- q.options = sorted(changed.keys())
-
- ans, arg = q.promptUser()
- if ans == 'CMD_SAVE_SELECTED':
- profile_name = list(changed.keys())[arg]
- write_profile_ui_feedback(profile_name)
- reload_base(profile_name)
-
- elif ans == 'CMD_VIEW_CHANGES':
- which = list(changed.keys())[arg]
- oldprofile = None
- if aa[which][which].get('filename', False):
- oldprofile = aa[which][which]['filename']
- else:
- oldprofile = get_profile_filename(which)
+ elif ans == 'CMD_VIEW_CHANGES':
+ which = list(changed.keys())[arg]
+ oldprofile = None
+ if aa[which][which].get('filename', False):
+ oldprofile = aa[which][which]['filename']
+ else:
+ oldprofile = get_profile_filename(which)
- try:
- newprofile = serialize_profile_from_old_profile(aa[which], which, '')
- except AttributeError:
- # see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139
- newprofile = "###\n###\n### Internal error while generating diff, please use '%s' instead\n###\n###\n" % _('View Changes b/w (C)lean profiles')
+ try:
+ newprofile = serialize_profile_from_old_profile(aa[which], which, '')
+ except AttributeError:
+ # see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1528139
+ newprofile = "###\n###\n### Internal error while generating diff, please use '%s' instead\n###\n###\n" % _('View Changes b/w (C)lean profiles')
- display_changes_with_comments(oldprofile, newprofile)
+ display_changes_with_comments(oldprofile, newprofile)
- elif ans == 'CMD_VIEW_CHANGES_CLEAN':
- which = list(changed.keys())[arg]
- oldprofile = serialize_profile(original_aa[which], which, '')
- newprofile = serialize_profile(aa[which], which, '')
+ elif ans == 'CMD_VIEW_CHANGES_CLEAN':
+ which = list(changed.keys())[arg]
+ oldprofile = serialize_profile(original_aa[which], which, '')
+ newprofile = serialize_profile(aa[which], which, '')
- display_changes(oldprofile, newprofile)
+ display_changes(oldprofile, newprofile)
- for profile_name in sorted(changed.keys()):
- write_profile_ui_feedback(profile_name)
- reload_base(profile_name)
+ for profile_name in sorted(changed.keys()):
+ write_profile_ui_feedback(profile_name)
+ reload_base(profile_name)
def get_pager():
return 'less'
@@ -2065,33 +1955,26 @@ def get_profile_diff(oldprofile, newprofile):
return ''.join(diff)
def display_changes(oldprofile, newprofile):
- if aaui.UI_mode == 'yast':
- aaui.UI_LongMessage(_('Profile Changes'), get_profile_diff(oldprofile, newprofile))
- else:
- difftemp = generate_diff(oldprofile, newprofile)
- subprocess.call('less %s' % difftemp.name, shell=True)
- difftemp.delete = True
- difftemp.close()
+ difftemp = generate_diff(oldprofile, newprofile)
+ subprocess.call('less %s' % difftemp.name, shell=True)
+ difftemp.delete = True
+ difftemp.close()
def display_changes_with_comments(oldprofile, newprofile):
"""Compare the new profile with the existing profile inclusive of all the comments"""
if not os.path.exists(oldprofile):
raise AppArmorException(_("Can't find existing profile %s to compare changes.") % oldprofile)
- if aaui.UI_mode == 'yast':
- #To-Do
- pass
- else:
- newtemp = tempfile.NamedTemporaryFile('w')
- newtemp.write(newprofile)
- newtemp.flush()
+ newtemp = tempfile.NamedTemporaryFile('w')
+ newtemp.write(newprofile)
+ newtemp.flush()
- difftemp = tempfile.NamedTemporaryFile('w')
+ difftemp = tempfile.NamedTemporaryFile('w')
- subprocess.call('diff -u -p %s %s > %s' % (oldprofile, newtemp.name, difftemp.name), shell=True)
+ subprocess.call('diff -u -p %s %s > %s' % (oldprofile, newtemp.name, difftemp.name), shell=True)
- newtemp.close()
- subprocess.call('less %s' % difftemp.name, shell=True)
- difftemp.close()
+ newtemp.close()
+ subprocess.call('less %s' % difftemp.name, shell=True)
+ difftemp.close()
def set_process(pid, profile):
# If process not running don't do anything
diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py
index bfbde8c6..f25fff31 100644
--- a/utils/apparmor/ui.py
+++ b/utils/apparmor/ui.py
@@ -14,7 +14,6 @@
import sys
import re
import readline
-from apparmor.yasti import yastLog, SendDataToYast, GetDataFromYast
from apparmor.common import readkey, AppArmorException, DebugLogger
@@ -47,18 +46,11 @@ def UI_Info(text):
debug_logger.info(text)
if UI_mode == 'text':
sys.stdout.write(text + '\n')
- else:
- yastLog(text)
def UI_Important(text):
debug_logger.debug(text)
if UI_mode == 'text':
sys.stdout.write('\n' + text + '\n')
- else:
- SendDataToYast({'type': 'dialog-error',
- 'message': text
- })
- path, yarg = GetDataFromYast()
def get_translated_hotkey(translated, cmsg=''):
msg = 'PromptUser: ' + _('Invalid hotkey for')
@@ -105,15 +97,6 @@ def UI_YesNo(text, default):
continue # If user presses any other button ask again
else:
ans = default
-
- else:
- SendDataToYast({'type': 'dialog-yesno',
- 'question': text
- })
- ypath, yarg = GetDataFromYast()
- ans = yarg['answer']
- if not ans:
- ans = default
return ans
def UI_YesNoCancel(text, default):
@@ -160,14 +143,6 @@ def UI_YesNoCancel(text, default):
default = 'c'
else:
ans = default
- else:
- SendDataToYast({'type': 'dialog-yesnocancel',
- 'question': text
- })
- ypath, yarg = GetDataFromYast()
- ans = yarg['answer']
- if not ans:
- ans = default
return ans
def UI_GetString(text, default):
@@ -181,13 +156,6 @@ def UI_GetString(text, default):
string = ''
finally:
readline.set_startup_hook()
- else:
- SendDataToYast({'type': 'dialog-getstring',
- 'label': text,
- 'default': default
- })
- ypath, yarg = GetDataFromYast()
- string = yarg['string']
return string.strip()
def UI_GetFile(file):
@@ -196,29 +164,15 @@ def UI_GetFile(file):
if UI_mode == 'text':
sys.stdout.write(file['description'] + '\n')
filename = sys.stdin.read()
- else:
- file['type'] = 'dialog-getfile'
- SendDataToYast(file)
- ypath, yarg = GetDataFromYast()
- if yarg['answer'] == 'okay':
- filename = yarg['filename']
return filename
def UI_BusyStart(message):
debug_logger.debug('UI_BusyStart: %s' % UI_mode)
if UI_mode == 'text':
UI_Info(message)
- else:
- SendDataToYast({'type': 'dialog-busy-start',
- 'message': message
- })
- ypath, yarg = GetDataFromYast()
def UI_BusyStop():
debug_logger.debug('UI_BusyStop: %s' % UI_mode)
- if UI_mode != 'text':
- SendDataToYast({'type': 'dialog-busy-stop'})
- ypath, yarg = GetDataFromYast()
CMDS = {'CMD_ALLOW': _('(A)llow'),
'CMD_OTHER': _('(M)ore'),
@@ -302,13 +256,6 @@ class PromptQuestion(object):
arg = None
if UI_mode == 'text':
cmd, arg = self.Text_PromptUser()
- else:
- self.type = 'wizard'
- SendDataToYast(self)
- ypath, yarg = GetDataFromYast()
- if not cmd:
- cmd = 'CMD_ABORT'
- arg = yarg['selected']
if cmd == 'CMD_ABORT':
confirm_and_abort()
cmd = 'XXXINVALIDXXX'
@@ -447,25 +394,8 @@ def confirm_and_abort():
ans = UI_YesNo(_('Are you sure you want to abandon this set of profile changes and exit?'), 'n')
if ans == 'y':
UI_Info(_('Abandoning all changes.'))
- #shutdown_yast()
- #for prof in created:
- # delete_profile(prof)
sys.exit(0)
-def UI_ShortMessage(title, message):
- SendDataToYast({'type': 'short-dialog-message',
- 'headline': title,
- 'message': message
- })
- ypath, yarg = GetDataFromYast()
-
-def UI_LongMessage(title, message):
- SendDataToYast({'type': 'long-dialog-message',
- 'headline': title,
- 'message': message
- })
- ypath, yarg = GetDataFromYast()
-
def is_number(number):
try:
return int(number)
diff --git a/utils/apparmor/yasti.py b/utils/apparmor/yasti.py
deleted file mode 100644
index 180e7152..00000000
--- a/utils/apparmor/yasti.py
+++ /dev/null
@@ -1,106 +0,0 @@
-# ----------------------------------------------------------------------
-# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# ----------------------------------------------------------------------
-import re
-import sys
-try:
- import ycp
-except ImportError:
- # ycp isn't found everywhere.
- ycp = None
-
-from apparmor.common import error, DebugLogger
-
-# Set up UI logger for separate messages from YaST module
-debug_logger = DebugLogger('YaST')
-
-
-def setup_yast():
- # To-Do
- pass
-
-def shutdown_yast():
- # To-Do
- pass
-
-def yastLog(text):
- ycp.y2milestone(text)
-
-def SendDataToYast(data):
- debug_logger.info('SendDataToYast: Waiting for YCP command')
- for line in sys.stdin:
- ycommand, ypath, yargument = ParseCommand(line)
- if ycommand and ycommand == 'Read':
- debug_logger.info('SendDataToYast: Sending--%s' % data)
- ycp.Return(data)
- return True
- else:
- debug_logger.info('SendDataToYast: Expected \'Read\' but got-- %s' % line)
- error('SendDataToYast: didn\'t receive YCP command before connection died')
-
-def GetDataFromYast():
- debug_logger.inf('GetDataFromYast: Waiting for YCP command')
- for line in sys.stdin:
- debug_logger.info('GetDataFromYast: YCP: %s' % line)
- ycommand, ypath, yarg = ParseCommand(line)
- debug_logger.info('GetDataFromYast: Recieved--\n%s' % yarg)
- if ycommand and ycommand == 'Write':
- ycp.Return('true')
- return ypath, yarg
- else:
- debug_logger.info('GetDataFromYast: Expected Write but got-- %s' % line)
- error('GetDataFromYast: didn\'t receive YCP command before connection died')
-
-def ParseCommand(commands):
- term = ParseTerm(commands)
- if term:
- command = term[0]
- term = term[1:]
- else:
- command = ''
- path = ''
- pathref = None
- if term:
- pathref = term[0]
- term = term[1:]
- if pathref:
- if pathref.strip():
- path = pathref.strip()
- elif command != 'result':
- ycp.y2error('The first arguement is not a path. (%s)' % pathref)
- argument = None
- if term:
- argument = term[0]
- if len(term) > 1:
- ycp.y2warning('Superfluous command arguments ignored')
- return (command, path, argument)
-
-def ParseTerm(inp):
- regex_term = re.compile('^\s*`?(\w*)\s*')
- term = regex_term.search(inp)
- ret = []
- symbol = None
- if term:
- symbol = term.groups()[0]
- else:
- ycp.y2error('No term symbol')
- ret.append(symbol)
- inp = regex_term.sub('', inp)
- if not inp.startswith('('):
- ycp.y2error('No term parantheses')
- argref, err, rest = ycp.ParseYcpTermBody(inp)
- if err:
- ycp.y2error('%s (%s)' % (err, rest))
- else:
- ret += argref
- return ret


@ -1,3 +1,45 @@
-------------------------------------------------------------------
Mon Dec 25 15:27:03 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.12
- add support for 'owner' rules in aa-logprof and aa-genprof
- add support for includes with absolute path in aa-logprof etc. (lp#1733700)
- update aa-decode to also decode PROCTITLE (lp#1736841)
- several profile and abstraction updates, including boo#1069470
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
for the detailed upstream changelog
- drop upstreamed patches:
- read_inactive_profile-exactly-once.patch
- utils-fix-sorted-save_profiles-regression.diff
- lessopen profile: change all 'rix' rules to 'mrix'
-------------------------------------------------------------------
Tue Nov 30 10:30:33 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.11.95 aka 2.12 beta1
- add JSON interface to aa-logprof and aa-genprof (used by YaST)
- drop old YaST interface code
- update audio, base and nameservice abstractions
- allow @{pid} to match 7-digit pids
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
for the detailed upstream changelog
- drop upstreamed patches
- apparmor-yast-cleanup.patch
- apparmor-json-support.patch
- nameservice-libtirpc.diff
- drop obsolete perl modules (YaST no longer needs them)
- drop patches that were only needed by the obsolete perl modules:
- apparmor-utils-string-split
- apparmor-abstractions-no-multiline.diff
- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in
apparmor_parser
- refresh utils-fix-sorted-save_profiles-regression.diff
- add aa-teardown (new script to unload all profiles)
- make ExecStop in apparmor.service a no-op (workaround for a systemd
restriction, see boo#996520 and boo#853019 for details)
- lessopen profile: allow capability dac_read_search and dac_override,
allow groff to execute several helpers (boo#1065388)
-------------------------------------------------------------------
Wed Nov 29 15:26:48 UTC 2017 - rgoldwyn@suse.com


@ -8,9 +8,17 @@ ConditionSecurity=apparmor
[Service]
Type=oneshot
ExecStart=/lib/apparmor/apparmor.systemd start
ExecStart=/lib/apparmor/apparmor.systemd reload
ExecReload=/lib/apparmor/apparmor.systemd reload
ExecStop=/lib/apparmor/apparmor.systemd stop
# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
# from running processes (and not being able to re-apply it later).
# Upstream systemd developers refused to implement an option that allows overriding
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
# safe side.
#
# If you really want to unload all AppArmor profiles, run aa-teardown
ExecStop=/bin/true
RemainAfterExit=yes
[Install]
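Review bot: The comment block above `ExecStop=/bin/true` explains why stop is a no-op but not the operator-visible consequence: with `RemainAfterExit=yes` and a no-op stop, `systemctl stop apparmor` reports the unit inactive while every loaded profile stays enforced, so unit state no longer tells an admin whether confinement is active. Suggest adding a line to that comment such as `# Note: after 'systemctl stop apparmor' the unit shows as inactive, but profiles stay loaded; check aa-status for the actual state.` The phrase `error out on the safe side` reads as a slip for `err on the safe side` (a `/bin/true` stop does not error at all) and is worth correcting while the comment is being written. The second `ExecStart=/lib/apparmor/apparmor.systemd reload` after `start` runs sequentially under `Type=oneshot`; a one-line comment on why both steps are needed (presumably `start` alone does not refresh profiles already loaded) would help the next maintainer.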


@ -35,7 +35,7 @@
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
Name: apparmor
Version: 2.11.1
Version: 2.12
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
@ -50,6 +50,7 @@ Source6: baselibs.conf
Source7: apparmor-rpmlintrc
Source8: apparmor.service
Source9: apparmor.systemd
Source10: aa-teardown
# enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff
@ -57,36 +58,12 @@ Patch1: apparmor-enable-profile-cache.diff
# include autogenerated profile sniplet for samba shares (bnc#688040)
Patch2: apparmor-samba-include-permissions-for-shares.diff
# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
Patch3: apparmor-utils-string-split
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
Patch5: ruby-2_0-mkmf-destdir.patch
# change multiline rules in abstractions to one line - needed because YaST still uses the perl module, which doesn't support multiline rules
# (bnc#900013, not for upstream)
Patch6: apparmor-abstractions-no-multiline.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
# add JSON support to aa-logprof and aa-genprof (will be in upstream 2.12)
Patch12: apparmor-yast-cleanup.patch
Patch13: apparmor-json-support.patch
# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only)
# TODO: replace with proper unix rules when Kernel 4.15 arrives
Patch15: profiles-sockets-temporary-fix.patch
# fix NIS/YP logins - libtirpc needs to read /etc/netconfig - commited upstream 2017-10-20 (trunk r3716, 2.11 r3682, 2.10 r3408, 2.9 r3069)
Patch16: nameservice-libtirpc.diff
# Fix sorted() regression in save_profiles() - submitted upstream 2017-10-22
Patch17: utils-fix-sorted-save_profiles-regression.diff
# bsc#1069346
Patch18: read_inactive_profile-exactly-once.patch
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix /lib/apparmor
@ -193,18 +170,12 @@ License: GPL-2.0 and LGPL-2.1+
Group: Development/Libraries/Perl
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
Requires: perl(DBD::SQLite)
Requires: perl(Locale::gettext)
Requires: perl(RPC::XML)
Requires: perl(RPC::XML)
Requires: perl(Term::ReadKey)
Requires: perl(Term::ReadKey)
Provides: perl-libapparmor = %{version}
Obsoletes: perl-libapparmor < 2.5
%description -n perl-apparmor
This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor, including the AppArmor utilities.
applications interfacing with AppArmor.
%endif
@ -378,19 +349,8 @@ SubDomain.
%setup -q
%patch1 -p1
%patch2
%patch3 -p1
%patch5 -p1
%patch6
%patch7 -p1
%patch12 -p1
%patch13 -p1
%patch15 -p1
%patch16
%patch17
%patch18 -p1
# search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
%patch7
%build
export SUSE_ASNEEDED=0
@ -426,11 +386,6 @@ make -C utils
# binutils
make -C binutils
# deprecated/utils (perl modules still needed by YaST)
%if %{with perl}
make -C deprecated/utils
%endif
# parser:
make -C parser V=1
@ -485,11 +440,6 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
%makeinstall -C binutils
( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )
# deprecated/utils (perl modules still needed by YaST)
%if %{with perl}
%makeinstall -C deprecated/utils
%endif
%makeinstall -C profiles
%makeinstall -C parser
@ -541,8 +491,12 @@ done
rm -fv %{buildroot}%{_libdir}/libapparmor.la
# Adjust for systemd
test ! -f %{buildroot}%{_unitdir}/apparmor.service
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
test ! -f %{buildroot}%{_sbindir}/aa-teardown
install -m0755 %{S:10} %{buildroot}%{_sbindir}
rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
rm %{buildroot}/sbin/rcsubdomain
ln -sf service %{buildroot}/sbin/rcapparmor
@ -569,6 +523,7 @@ echo -------------------------------------------------------------------
/sbin/apparmor_parser
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
%{_sbindir}/aa-teardown
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
@ -625,7 +580,20 @@ fi
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
%{_sbindir}/aa-*
%{_sbindir}/aa-audit
%{_sbindir}/aa-autodep
%{_sbindir}/aa-cleanprof
%{_sbindir}/aa-complain
%{_sbindir}/aa-decode
%{_sbindir}/aa-disable
%{_sbindir}/aa-enforce
%{_sbindir}/aa-genprof
%{_sbindir}/aa-logprof
%{_sbindir}/aa-mergeprof
%{_sbindir}/aa-notify
%{_sbindir}/aa-remove-unknown
%{_sbindir}/aa-status
%{_sbindir}/aa-unconfined
%{_sbindir}/apparmor_status
%{_sbindir}/audit
%{_sbindir}/autodep
@ -645,7 +613,22 @@ fi
%dir %{_localstatedir}/log/apparmor
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-*.gz
%doc %{_mandir}/man8/aa-audit.8.gz
%doc %{_mandir}/man8/aa-autodep.8.gz
%doc %{_mandir}/man8/aa-cleanprof.8.gz
%doc %{_mandir}/man8/aa-complain.8.gz
%doc %{_mandir}/man8/aa-decode.8.gz
%doc %{_mandir}/man8/aa-disable.8.gz
%doc %{_mandir}/man8/aa-easyprof.8.gz
%doc %{_mandir}/man8/aa-enforce.8.gz
%doc %{_mandir}/man8/aa-genprof.8.gz
%doc %{_mandir}/man8/aa-logprof.8.gz
%doc %{_mandir}/man8/aa-mergeprof.8.gz
%doc %{_mandir}/man8/aa-notify.8.gz
%doc %{_mandir}/man8/aa-remove-unknown.8.gz
%doc %{_mandir}/man8/aa-status.8.gz
%doc %{_mandir}/man8/aa-unconfined.8.gz
%doc %{_mandir}/man8/apparmor_status.8.gz
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
@ -664,7 +647,6 @@ fi
%if %{with perl}
%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorlib}/Immunix
%{perl_vendorarch}/auto/LibAppArmor/
%{perl_vendorarch}/LibAppArmor.pm
%endif
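Review bot: The new explicit `%{_sbindir}/aa-*` replacement list has no `%{_sbindir}/aa-easyprof` entry while the man-page list gains `%doc %{_mandir}/man8/aa-easyprof.8.gz`; whether `make install -C utils` installs an aa-easyprof binary is not visible here, but if it does and no other subpackage lists it the build will now fail on an unpackaged file, and if it does not, the man page documents a command the package does not ship. Replacing the globs with explicit names is worth keeping, since a glob would silently package any new script dropped into `%{_sbindir}`; a short comment above the list (`# explicit list: new binaries must be packaged deliberately, not picked up by a glob`) would stop a future maintainer from restoring `aa-*`. `%patch7 -p1` becoming `%patch7` appears to change the strip level applied to apparmor-lessopen-profile.patch; the changelog mentions a 'mrix' refresh of the lessopen profile, so presumably the patch was regenerated, but confirm its paths match or `%prep` will fail.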


@ -1,3 +1,20 @@
-------------------------------------------------------------------
Mon Dec 25 15:32:35 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.12
- preserve errno across aa_*_unref() functions
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12
for the detailed upstream changelog
- no longer package static libapparmor.a
-------------------------------------------------------------------
Tue Oct 31 10:41:55 UTC 2017 - suse-beta@cboltz.de
- update to AppArmor 2.11.95 aka 2.12 beta1
- no changes in libapparmor
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95
for the detailed upstream changelog
-------------------------------------------------------------------
Wed Oct 25 19:36:55 UTC 2017 - suse-beta@cboltz.de


@ -18,7 +18,7 @@
Name: libapparmor
Version: 2.11.1
Version: 2.12
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1+
@ -87,8 +87,9 @@ make check -C libraries/libapparmor
# create symlink for old change_hat(2) manpage
( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )
# remove *.la files
# remove *.la and *.a files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
rm -fv %{buildroot}%{_libdir}/libapparmor.a
%post -n libapparmor1 -p /sbin/ldconfig
@ -100,7 +101,6 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.a
%{_libdir}/libapparmor.so
%{_libdir}/pkgconfig/libapparmor.pc
%doc %{_mandir}/man2/aa_change_hat.2.gz


@ -1,13 +0,0 @@
=== modified file 'profiles/apparmor.d/abstractions/nameservice'
--- profiles/apparmor.d/abstractions/nameservice 2017-09-15 20:47:26 +0000
+++ profiles/apparmor.d/abstractions/nameservice 2017-10-17 21:29:36 +0000
@@ -21,6 +21,9 @@
/etc/passwd r,
/etc/protocols r,
+ # libtirpc (used for NIS/YP login) needs this
+ /etc/netconfig r,
+
# When using libnss-extrausers, the passwd and group files are merged from
# an alternate path
/var/lib/extrausers/group r,


@ -1,39 +0,0 @@
Subject: [PATCH] Temporarily fix socket mediation in nameservice
References: bsc#1061195
As per the conversation on IRC:
cboltz: ah yes, the upstreamed version fixes a couple
holes in the old patch suse carried
One of these "holes" were unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2).
The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules.
Instead, I'll add a temporary patch for abstractions/nameservice that adds
network unix dgram,
network unix stream,
(including a TODO note to replace it as soon as support for unix rules
was upstreamed, probably 4.15). These rules are broader than needed,
but should avoid user-visible breakage - and at least with 4.14, unix
rules would get downgraded to network unix anyway ;-)
---
profiles/apparmor.d/abstractions/nameservice | 6 ++++++
1 file changed, 6 insertions(+)
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -92,5 +92,11 @@
# Netlink raw needed for nscd
network netlink raw,
+ # This is a temporary fix for nameservices with the new socket
+ # mediations in 4.14-rc2
+ # TODO: To be replaced once unix rules are upstreamed
+ network unix dgram,
+ network unix stream,
+
# interface details
@{PROC}/@{pid}/net/route r,


@ -1,34 +0,0 @@
commit b307e535fa26bff0abffb6bfd1aeab5d6c7c3622
Author: Christian Boltz <apparmor@cboltz.de>
Date: Tue Nov 28 21:46:36 2017 +0100
Let read_inactive_profiles() do nothing when calling it the second time
autodep() calls read_inactive_profiles() each time it's called (= for
each binary). The result is a "Conflicting profile" error (showing the
same filename twice) if autodep() runs more than once. This can easily
happen when using "aa-autodep /usr/bin/*".
This patch adds an attribute to read_inactive_profiles() that lets the
function return without doing anything if was called before.
---
utils/apparmor/aa.py | 7 +++++++
1 file changed, 7 insertions(+)
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -2107,6 +2107,13 @@ def read_profiles():
read_profile(profile_dir + '/' + file, True)
def read_inactive_profiles():
+ if hasattr(read_inactive_profiles, 'already_read'):
+ # each autodep() run calls read_inactive_profiles, but that's a) superfluous and b) triggers a conflict because the inactive profiles are already loaded
+ # therefore don't do anything if the inactive profiles were already loaded
+ return
+
+ read_inactive_profiles.already_read = True
+
if not os.path.exists(extra_profile_dir):
return None
try:


@ -1,34 +0,0 @@
--- utils/apparmor/aa.py 2017-10-11 21:20:00.789641479 +0200
+++ utils/apparmor/aa.py 2017-10-22 14:15:00.412193634 +0200
@@ -1827,16 +1827,18 @@
if not changed:
return
- q.options = sorted(changed.keys())
+ options = sorted(changed.keys())
+ q.options = options
ans, arg = q.promptUser()
+
+ which = options[arg]
+
if ans == 'CMD_SAVE_SELECTED':
- profile_name = list(changed.keys())[arg]
- write_profile_ui_feedback(profile_name)
- reload_base(profile_name)
+ write_profile_ui_feedback(which)
+ reload_base(which)
elif ans == 'CMD_VIEW_CHANGES':
- which = list(changed.keys())[arg]
oldprofile = None
if aa[which][which].get('filename', False):
oldprofile = aa[which][which]['filename']
@@ -1852,7 +1854,6 @@
display_changes_with_comments(oldprofile, newprofile)
elif ans == 'CMD_VIEW_CHANGES_CLEAN':
- which = list(changed.keys())[arg]
oldprofile = serialize_profile(original_aa[which], which, '')
newprofile = serialize_profile(aa[which], which, '')