Accepting request 953283 from home:cboltz

- update to AppArmor 3.0.4
  - various fixes in profiles, abstractions, apparmor_parser and utils
    (some of them were already included as patches)
  - add support for mctp address family
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.4
    for the full upstream changelog
- remove upstream(ed) patches:
  - aa-notify-more-arch-mr809.diff
  - ruby-3.1-build-fix.diff
  - add-samba-bgqd.diff
  - openssl-engdef-mr818.diff
  - profiles-python-3.10-mr783.diff
  - update-samba-abstractions-ldb2.diff
- refresh patches:
  - apparmor-samba-include-permissions-for-shares.diff
  - ruby-2_0-mkmf-destdir.patch

AppArmor 3.0.4 also includes a fix for the issue with 'mctp' found via
https://build.opensuse.org/request/show/951354
so you might want to pick this SR into Staging:O

OBS-URL: https://build.opensuse.org/request/show/953283
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=316
Christian Boltz 2022-02-10 18:40:04 +00:00 committed by Git OBS Bridge
parent a53ba0c4c6
commit 7ae734d682
15 changed files with 49 additions and 538 deletions


@ -1,188 +0,0 @@
This patch contains the code changes from
https://gitlab.com/apparmor/apparmor/-/merge_requests/809
It does NOT include the added unit tests because adding binary test files with a patch is too hard.
diff --git a/utils/aa-notify b/utils/aa-notify
index 91d0f3b9c240e1ff0fec8aa673ef70fa78cf33bc..024044a0c58ed4827502da66786acb4e9b54fc2f 100755
--- a/utils/aa-notify
+++ b/utils/aa-notify
@@ -34,7 +34,6 @@ import os
import re
import sys
import time
-import struct
import notify2
import psutil
import pwd
@@ -45,6 +44,7 @@ import apparmor.ui as aaui
import apparmor.config as aaconfig
from apparmor.common import DebugLogger, open_file_read
from apparmor.fail import enable_aa_exception_handler
+from apparmor.notify import get_last_login_timestamp
from apparmor.translations import init_translation
import LibAppArmor # C-library to parse one log line
@@ -61,48 +61,6 @@ def get_user_login():
return username
-def get_last_login_timestamp(username):
- '''Directly read wtmp and get last login for user as epoch timestamp'''
- timestamp = 0
- filename = '/var/log/wtmp'
- last_login = 0
-
- debug_logger.debug('Username: {}'.format(username))
-
- with open(filename, "rb") as wtmp_file:
- offset = 0
- wtmp_filesize = os.path.getsize(filename)
- debug_logger.debug('WTMP filesize: {}'.format(wtmp_filesize))
- while offset < wtmp_filesize:
- wtmp_file.seek(offset)
- offset += 384 # Increment for next entry
-
- type = struct.unpack("<L", wtmp_file.read(4))[0]
- debug_logger.debug('WTMP entry type: {}'.format(type))
-
- # Only parse USER lines
- if type == 7:
- # Read each item and move pointer forward
- pid = struct.unpack("<L", wtmp_file.read(4))[0]
- line = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
- id = wtmp_file.read(4).decode("utf-8", "replace").split('\0', 1)[0]
- user = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
- host = wtmp_file.read(256).decode("utf-8", "replace").split('\0', 1)[0]
- term = struct.unpack("<H", wtmp_file.read(2))[0]
- exit = struct.unpack("<H", wtmp_file.read(2))[0]
- session = struct.unpack("<L", wtmp_file.read(4))[0]
- timestamp = struct.unpack("<L", wtmp_file.read(4))[0]
- usec = struct.unpack("<L", wtmp_file.read(4))[0]
- entry = (pid, line, id, user, host, term, exit, session, timestamp, usec)
- debug_logger.debug('WTMP entry: {}'.format(entry))
-
- # Store login timestamp for requested user
- if user == username:
- last_login = timestamp
-
- # When loop is done, last value should be the latest login timestamp
- return last_login
-
def format_event(event, logsource):
output = []
diff --git a/utils/apparmor/notify.py b/utils/apparmor/notify.py
new file mode 100644
index 0000000000000000000000000000000000000000..1101a29346d79dd873c347fd12dd79cda1e1c786
--- /dev/null
+++ b/utils/apparmor/notify.py
@@ -0,0 +1,105 @@
+#! /usr/bin/python3
+# ----------------------------------------------------------------------
+# Copyright (C) 20182019 Otto Kekäläinen <otto@kekalainen.net>
+# Copyright (C) 2021 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# ----------------------------------------------------------------------
+
+import os
+import struct
+
+from apparmor.common import AppArmorBug, DebugLogger
+
+debug_logger = DebugLogger('apparmor.notify')
+
+
+def sane_timestamp(timestamp):
+ ''' Check if the given timestamp is in a date range that makes sense for a wtmp file '''
+
+ if timestamp < 946681200: # 2000-01-01
+ return False
+ elif timestamp > 2524604400: # 2050-01-01
+ return False
+
+ return True
+
+def get_last_login_timestamp(username, filename='/var/log/wtmp'):
+ '''Directly read wtmp and get last login for user as epoch timestamp'''
+ timestamp = 0
+ last_login = 0
+
+ debug_logger.debug('Username: {}'.format(username))
+
+ with open(filename, "rb") as wtmp_file:
+ offset = 0
+ wtmp_filesize = os.path.getsize(filename)
+ debug_logger.debug('WTMP filesize: {}'.format(wtmp_filesize))
+
+ if wtmp_filesize < 356:
+ return 0 # (nearly) empty wtmp file, no entries
+
+ # detect architecture based on utmp format differences
+ wtmp_file.seek(340) # first possible timestamp position
+ timestamp_x86_64 = struct.unpack("<L", wtmp_file.read(4))[0]
+ timestamp_aarch64 = struct.unpack("<L", wtmp_file.read(4))[0]
+ timestamp_s390x = struct.unpack(">L", wtmp_file.read(4))[0]
+ debug_logger.debug('WTMP timestamps: x86_64 %s, aarch64 %s, s390x %s' % (timestamp_x86_64, timestamp_aarch64, timestamp_s390x))
+
+ if sane_timestamp(timestamp_x86_64):
+ endianness = '<' # little endian
+ extra_offset_before = 0
+ extra_offset_after = 0
+ elif sane_timestamp(timestamp_aarch64):
+ endianness = '<' # little endian
+ extra_offset_before = 4
+ extra_offset_after = 12
+ elif sane_timestamp(timestamp_s390x):
+ endianness = '>' # big endian
+ extra_offset_before = 8
+ extra_offset_after = 8
+ else:
+ raise AppArmorBug('Your /var/log/wtmp is broken or has an unknown format. Please open a bugreport with /var/log/wtmp and the output of "last" attached!')
+
+ while offset < wtmp_filesize:
+ wtmp_file.seek(offset)
+ offset += 384 + extra_offset_before + extra_offset_after # Increment for next entry
+
+ type = struct.unpack('%sH' % endianness, wtmp_file.read(2))[0]
+ debug_logger.debug('WTMP entry type: {}'.format(type))
+ wtmp_file.read(2) # skip padding
+
+ # Only parse USER lines
+ if type == 7:
+ # Read each item and move pointer forward
+ pid = struct.unpack("<L", wtmp_file.read(4))[0]
+ line = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
+ id = wtmp_file.read(4).decode("utf-8", "replace").split('\0', 1)[0]
+ user = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
+ host = wtmp_file.read(256).decode("utf-8", "replace").split('\0', 1)[0]
+ term = struct.unpack("<H", wtmp_file.read(2))[0]
+ exit = struct.unpack("<H", wtmp_file.read(2))[0]
+ session = struct.unpack("<L", wtmp_file.read(4))[0]
+ if extra_offset_before:
+ wtmp_file.read(extra_offset_before)
+ timestamp = struct.unpack('%sL' % endianness, wtmp_file.read(4))[0]
+ if extra_offset_after:
+ wtmp_file.read(extra_offset_after)
+ usec = struct.unpack("<L", wtmp_file.read(4))[0]
+ entry = (pid, line, id, user, host, term, exit, session, timestamp, usec)
+ debug_logger.debug('WTMP entry: {}'.format(entry))
+
+ # Store login timestamp for requested user
+ if user == username:
+ last_login = timestamp
+
+ # When loop is done, last value should be the latest login timestamp
+ return last_login


@ -1,62 +0,0 @@
commit 85e53a5d040cdf3f7705da9e625b85041694aa4c
Author: Christian Boltz <apparmor@cboltz.de>
Date: Fri Oct 15 22:02:36 2021 +0200
Add profile for samba-bgqd
... and some rules in the smbd profile to execute it and send it a term
signal.
samba-bgqd is (quoting its manpage) "an internal helper program
performing asynchronous printing-related jobs."
samba-bgqd was added in Samba 4.15.
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
Index: apparmor-3.0.3/profiles/apparmor.d/samba-bgqd
===================================================================
--- /dev/null
+++ apparmor-3.0.3/profiles/apparmor.d/samba-bgqd
@@ -0,0 +1,20 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-bgqd /usr/lib*/samba/samba-bgqd {
+ include <abstractions/base>
+ include <abstractions/cups-client>
+ include <abstractions/nameservice>
+ include <abstractions/samba>
+
+ signal receive set=term peer=smbd,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ @{run}/samba/samba-bgqd.pid wk,
+
+ /usr/lib*/samba/samba-bgqd m,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-bgqd>
+}
Index: apparmor-3.0.3/profiles/apparmor.d/usr.sbin.smbd
===================================================================
--- apparmor-3.0.3.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.0.3/profiles/apparmor.d/usr.sbin.smbd
@@ -24,6 +24,8 @@ profile smbd /usr/{bin,sbin}/smbd {
capability sys_resource,
capability sys_tty_config,
+ signal send set=term peer=samba-bgqd,
+
/etc/mtab r,
/etc/netgroup r,
/etc/printcap r,
@@ -35,6 +37,7 @@ profile smbd /usr/{bin,sbin}/smbd {
/usr/lib*/samba/charset/*.so mr,
/usr/lib*/samba/gensec/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
/usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
/usr/lib/@{multiarch}/samba/**/ r,


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:153db05d8f491e0596022663c19fb1166806cb473b3c6f0a7279feda2ec25a59
size 7790012


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=2ySc
-----END PGP SIGNATURE-----

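--- /dev/null
+++ b/apparmor-3.0.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09bf48d7a171f9790c39a1404bad105a788934cfe77b7490c7f5c63c2576b725
+size 7796852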

apparmor-3.0.4.tar.gz.asc Normal file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----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=rXSS
-----END PGP SIGNATURE-----


@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
@@ -56,6 +56,10 @@
@@ -59,6 +59,10 @@
@{HOMEDIRS}/** lrwk,
/var/lib/samba/usershares/{,**} lrwk,


@ -1,3 +1,23 @@
-------------------------------------------------------------------
Thu Feb 10 16:55:38 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
- update to AppArmor 3.0.4
- various fixes in profiles, abstractions, apparmor_parser and utils
(some of them were already included as patches)
- add support for mctp address family
- see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.4
for the full upstream changelog
- remove upstream(ed) patches:
- aa-notify-more-arch-mr809.diff
- ruby-3.1-build-fix.diff
- add-samba-bgqd.diff
- openssl-engdef-mr818.diff
- profiles-python-3.10-mr783.diff
- update-samba-abstractions-ldb2.diff
- refresh patches:
- apparmor-samba-include-permissions-for-shares.diff
- ruby-2_0-mkmf-destdir.patch
-------------------------------------------------------------------
Wed Jan 26 17:14:58 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>


@ -45,7 +45,7 @@
%define JAR_FILE changeHatValve.jar
Name: apparmor
Version: 3.0.3
Version: 3.0.4
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
@ -78,26 +78,6 @@ Patch5: apparmor-lessopen-nfs-workaround.diff
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff
# update abstractions/python and profiles for python 3.10 (submitted upstream 2021-08-11 https://gitlab.com/apparmor/apparmor/-/merge_requests/783)
Patch7: profiles-python-3.10-mr783.diff
# add samba-bgqd profile (accepted upstream 2021-10-15 https://gitlab.com/apparmor/apparmor/-/merge_requests/807)
# updated for boo#1192336 (merged upstream 2021-12-20 https://gitlab.com/apparmor/apparmor/-/merge_requests/819 in 3.0 and master)
Patch8: add-samba-bgqd.diff
# aa-notify: Add support for reading s390x and aarch64 wtmp file (boo#1181155) (merged upstream 2021-11-08 in master and 3.0 branch - https://gitlab.com/apparmor/apparmor/-/merge_requests/809)
Patch9: aa-notify-more-arch-mr809.diff
# allow reading /etc/ssl/engdef.d/ and /etc/ssl/engines.d/ in abstractions/openssl (submitted upstream 2021-12-19 - https://gitlab.com/apparmor/apparmor/-/merge_requests/818)
Patch10: openssl-engdef-mr818.diff
# add update-samba-abstractions-ldb2.diff to cater for changes to ldb
# packaging to allow parallel installation with libldb bsc#1192684 (submitted upstream 2022-01-17 - https://gitlab.com/apparmor/apparmor/-/merge_requests/821)
Patch11: update-samba-abstractions-ldb2.diff
# fix build with ruby 3.1 (boo#1194221, from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/827)
Patch12: ruby-3.1-build-fix.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -360,12 +340,6 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%patch3 -p1
%patch4
%patch5
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%build
%define _lto_cflags %{nil}


@ -18,7 +18,7 @@
Name: libapparmor
Version: 3.0.3
Version: 3.0.4
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1-or-later


@ -1,26 +0,0 @@
(context lines adjusted to match 3.0 branch)
From e58dd798f09c1df6f8de42f64d07221d34adfc87 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Sun, 19 Dec 2021 22:36:05 +0100
Subject: [PATCH] abstractions/openssl: allow /etc/ssl/{engdef,engines}.d/
These directories were introduced in openssl in
https://patchwork.ozlabs.org/project/openwrt/patch/20210429153530.10020-2-cotequeiroz@gmail.com/
---
profiles/apparmor.d/abstractions/openssl | 2 ++
1 file changed, 2 insertions(+)
Index: profiles/apparmor.d/abstractions/openssl
===================================================================
--- a/profiles/apparmor.d/abstractions/openssl.orig 2021-12-19 22:51:13.837139097 +0100
+++ b/profiles/apparmor.d/abstractions/openssl 2021-12-19 22:52:05.845049787 +0100
@@ -12,6 +12,8 @@
/etc/ssl/openssl.cnf r,
/usr/share/ssl/openssl.cnf r,
+ /etc/ssl/{engdef,engines}.d/ r,
+ /etc/ssl/{engdef,engines}.d/*.cnf r,
@{PROC}/sys/crypto/fips_enabled r,


@ -1,86 +0,0 @@
https://gitlab.com/apparmor/apparmor/-/merge_requests/783
From ea7b201ba48b87469297d58751c57b03ceb82320 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Wed, 11 Aug 2021 21:37:40 +0200
Subject: [PATCH] Update abstractions/python and profiles for python 3.10
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/187
---
profiles/apparmor.d/abstractions/python | 18 +++++++++---------
profiles/apparmor.d/lsb_release | 2 +-
.../profiles/extras/usr.bin.chromium-browser | 4 ++--
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
index 1b5cc9d0d..727030bdf 100644
--- a/profiles/apparmor.d/abstractions/python
+++ b/profiles/apparmor.d/abstractions/python
@@ -12,18 +12,18 @@
abi <abi/3.0>,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
+ /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
- /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
+ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
+ /usr/local/lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
- /etc/python{2.[4-7],3.[0-9]}/** r,
+ /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
@@ -36,7 +36,7 @@
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
- /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
+ /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
# Include additions to the abstraction
include if exists <abstractions/python.d>
diff --git a/profiles/apparmor.d/lsb_release b/profiles/apparmor.d/lsb_release
index 33a1c71db..ad8b998fc 100644
--- a/profiles/apparmor.d/lsb_release
+++ b/profiles/apparmor.d/lsb_release
@@ -18,7 +18,7 @@ profile lsb_release {
/dev/tty rw,
/usr/bin/lsb_release r,
- /usr/bin/python3.[0-9] mr,
+ /usr/bin/python3.{1,}[0-9] mr,
/etc/debian_version r,
/etc/default/apport r,
diff --git a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
index 2df5338db..b47b6f721 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
+++ b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
@@ -267,9 +267,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
/usr/share/distro-info/** r,
/var/lib/dpkg/** r,
- /usr/local/lib/python3.[0-9]/dist-packages/ r,
+ /usr/local/lib/python3.{1,}[0-9]/dist-packages/ r,
/usr/bin/ r,
- /usr/bin/python3.[0-9] mr,
+ /usr/bin/python3.{1,}[0-9] mr,
}
profile sandbox {
--
GitLab


@ -1,10 +1,11 @@
diff -wruN -x '*~' -x '*.o' -x '*.a' -x '*.so' -x '*.so.[0-9]' -x autom4te.cache -x .deps -x .libs -x Makefile -x Makefile ../orig-apparmor-2.8.1/libraries/libapparmor/swig/ruby/extconf.rb ./libraries/libapparmor/swig/ruby/extconf.rb
--- ../orig-apparmor-2.8.1/libraries/libapparmor/swig/ruby/extconf.rb 2009-05-12 23:56:56.000000000 +0200
+++ ./libraries/libapparmor/swig/ruby/extconf.rb 2013-06-04 14:52:01.677579537 +0200
@@ -28,7 +28,14 @@
Index: libraries/libapparmor/swig/ruby/extconf.rb
===================================================================
--- a/libraries/libapparmor/swig/ruby/extconf.rb.orig 2022-02-10 17:54:05.008544807 +0100
+++ b/libraries/libapparmor/swig/ruby/extconf.rb 2022-02-10 17:54:21.792506325 +0100
@@ -20,7 +20,14 @@ if find_library('apparmor', 'parse_recor
# hack 2: strip all rpath references
open('Makefile.ruby', 'w') do |out|
IO.foreach('Makefile.new') do |line|
IO.foreach('Makefile') do |line|
- out.puts line.gsub(/-Wl,-R'[^']*'/, '')
+ l = line.gsub(/-Wl,-R'[^']*'/, '')
+ # oldincludedir = $(DESTDIR)/usr/include


@ -1,110 +0,0 @@
https://gitlab.com/apparmor/apparmor/-/merge_requests/827
From fde8acf86ddb82f1c10332478daebd3fad1bee45 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Wed, 26 Jan 2022 08:04:04 -0800
Subject: [PATCH] libapparmor: Fix ruby 3.1 build for libapparmor
The Hack used to build the libapparmor swig interface for ruby fails
with ruby 3.1. Instead of trying to do black magic in ruby to rename
the generated Makefile to Makefile.new, just save off the Makefile
and restore after ruby's setup has been called.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/206
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
.gitignore | 2 +-
libraries/libapparmor/swig/ruby/Makefile.am | 4 +++-
libraries/libapparmor/swig/ruby/extconf.rb | 14 +++-----------
3 files changed, 7 insertions(+), 13 deletions(-)
Additionally patch libraries/libapparmor/swig/ruby/Makefile.in which is shipped
in the tarball and based on Makefile.am.
diff --git a/.gitignore b/.gitignore
index 4782a351a..bac706f2b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -177,7 +177,7 @@ libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
libraries/libapparmor/swig/ruby/Makefile
libraries/libapparmor/swig/ruby/Makefile.in
-libraries/libapparmor/swig/ruby/Makefile.new
+libraries/libapparmor/swig/ruby/Makefile.bak
libraries/libapparmor/swig/ruby/Makefile.ruby
libraries/libapparmor/swig/ruby/mkmf.log
libraries/libapparmor/testsuite/.deps
diff --git a/libraries/libapparmor/swig/ruby/Makefile.am b/libraries/libapparmor/swig/ruby/Makefile.am
index 03ef02fd6..3f4572816 100644
--- a/libraries/libapparmor/swig/ruby/Makefile.am
+++ b/libraries/libapparmor/swig/ruby/Makefile.am
@@ -9,7 +9,9 @@ LibAppArmor_wrap.c : $(srcdir)/../SWIG/libapparmor.i
MOSTLYCLEANFILES=LibAppArmor_wrap.c
Makefile.ruby: extconf.rb
+ mv Makefile Makefile.bak
PREFIX=$(prefix) $(RUBY) $< --with-LibAppArmor-include=$(top_srcdir)/include
+ mv Makefile.bak Makefile
LibAppArmor.so: LibAppArmor_wrap.c Makefile.ruby
$(MAKE) -fMakefile.ruby
@@ -22,7 +24,7 @@ install-exec-local: Makefile.ruby
clean-local:
if test -f Makefile.ruby; then $(MAKE) -fMakefile.ruby clean; fi
- rm -f Makefile.ruby Makefile.new
+ rm -f Makefile.ruby Makefile.new Makefile.bak
rm -f *.o *.so *.log
endif
diff --git a/libraries/libapparmor/swig/ruby/extconf.rb b/libraries/libapparmor/swig/ruby/extconf.rb
index 647d2d831..6a2ef7457 100644
--- a/libraries/libapparmor/swig/ruby/extconf.rb
+++ b/libraries/libapparmor/swig/ruby/extconf.rb
@@ -2,16 +2,8 @@
require 'mkmf'
-# hack 1: ruby black magic to write a Makefile.new instead of a Makefile
-alias open_orig open
-def open(path, mode=nil, perm=nil)
- path = 'Makefile.new' if path == 'Makefile'
- if block_given?
- open_orig(path, mode, perm) { |io| yield(io) }
- else
- open_orig(path, mode, perm)
- end
-end
+# hack 1: Before extconf.rb gets called, Makefile gets backed up, and
+# restored afterwards (see Makefile.am)
if ENV['PREFIX']
prefix = CONFIG['prefix']
@@ -27,7 +19,7 @@ if find_library('apparmor', 'parse_record', '../../src/.libs') and
# hack 2: strip all rpath references
open('Makefile.ruby', 'w') do |out|
- IO.foreach('Makefile.new') do |line|
+ IO.foreach('Makefile') do |line|
l = line.gsub(/-Wl,-R'[^']*'/, '')
# oldincludedir = $(DESTDIR)/usr/include
# -> oldincludedir = /usr/include
Index: apparmor-3.0.3/libraries/libapparmor/swig/ruby/Makefile.in
===================================================================
--- apparmor-3.0.3.orig/libraries/libapparmor/swig/ruby/Makefile.in 2022-01-26 13:13:38.958238926 +0100
+++ apparmor-3.0.3/libraries/libapparmor/swig/ruby/Makefile.in 2022-01-26 13:15:08.206094528 +0100
@@ -469,7 +469,9 @@ uninstall-am:
@HAVE_RUBY_TRUE@ $(SWIG) -ruby -module LibAppArmor -I$(top_srcdir)/include -o $@ $(srcdir)/../SWIG/libapparmor.i
@HAVE_RUBY_TRUE@Makefile.ruby: extconf.rb
+@HAVE_RUBY_TRUE@ mv Makefile Makefile.bak
@HAVE_RUBY_TRUE@ PREFIX=$(prefix) $(RUBY) $< --with-LibAppArmor-include=$(top_srcdir)/include
+@HAVE_RUBY_TRUE@ mv Makefile.bak Makefile
@HAVE_RUBY_TRUE@LibAppArmor.so: LibAppArmor_wrap.c Makefile.ruby
@HAVE_RUBY_TRUE@ $(MAKE) -fMakefile.ruby


@ -1,12 +0,0 @@
diff -ruNp apparmor-3.0.3.orig/profiles/apparmor.d/abstractions/samba apparmor-3.0.3/profiles/apparmor.d/abstractions/samba
--- apparmor-3.0.3.orig/profiles/apparmor.d/abstractions/samba 2021-08-07 10:40:00.000000000 +0200
+++ apparmor-3.0.3/profiles/apparmor.d/abstractions/samba 2022-01-17 16:25:37.552673486 +0100
@@ -13,6 +13,8 @@
/etc/samba/* r,
/usr/lib*/ldb/*.so mr,
+ /usr/lib*/ldb2/*.so mr,
+ /usr/lib*/ldb2/modules/ldb/*.so mr,
/usr/lib*/samba/ldb/*.so mr,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,