Accepting request 953283 from home:cboltz

- update to AppArmor 3.0.4 - various fixes in profiles, abstractions, apparmor_parser and utils (some of them were already included as patches) - add support for mctp address family - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.4 for the full upstream changelog - remove upstream(ed) patches: - aa-notify-more-arch-mr809.diff - ruby-3.1-build-fix.diff - add-samba-bgqd.diff - openssl-engdef-mr818.diff - profiles-python-3.10-mr783.diff - update-samba-abstractions-ldb2.diff - refresh patches: - apparmor-samba-include-permissions-for-shares.diff - ruby-2_0-mkmf-destdir.patch AppArmor 3.0.4 also includes a fix for the issue with 'mctp' found via https://build.opensuse.org/request/show/951354 so you might want to pick this SR into Staging:O OBS-URL: https://build.opensuse.org/request/show/953283 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=316
2022-02-10 18:40:04 +00:00 · 2022-02-10 18:40:04 +00:00 · 7ae734d682
commit 7ae734d682
parent a53ba0c4c6
15 changed files with 49 additions and 538 deletions
--- a/aa-notify-more-arch-mr809.diff
+++ b/aa-notify-more-arch-mr809.diff
@ -1,188 +0,0 @@
-This patch contains the code changes from
-https://gitlab.com/apparmor/apparmor/-/merge_requests/809
-
-It does NOT include the added unit tests because adding binary test files with a patch is too hard.
-
-
-
-
-diff --git a/utils/aa-notify b/utils/aa-notify
-index 91d0f3b9c240e1ff0fec8aa673ef70fa78cf33bc..024044a0c58ed4827502da66786acb4e9b54fc2f 100755
--- a/utils/aa-notify
-+++ b/utils/aa-notify
-@@ -34,7 +34,6 @@ import os
- import re
- import sys
- import time
-import struct
- import notify2
- import psutil
- import pwd
-@@ -45,6 +44,7 @@ import apparmor.ui as aaui
- import apparmor.config as aaconfig
- from apparmor.common import DebugLogger, open_file_read
- from apparmor.fail import enable_aa_exception_handler
-+from apparmor.notify import get_last_login_timestamp
- from apparmor.translations import init_translation
- 
- import LibAppArmor  # C-library to parse one log line
-@@ -61,48 +61,6 @@ def get_user_login():
-     return username
- 
- 
-def get_last_login_timestamp(username):
-    '''Directly read wtmp and get last login for user as epoch timestamp'''
-    timestamp = 0
-    filename = '/var/log/wtmp'
-    last_login = 0
-
-    debug_logger.debug('Username: {}'.format(username))
-
-    with open(filename, "rb") as wtmp_file:
-        offset = 0
-        wtmp_filesize = os.path.getsize(filename)
-        debug_logger.debug('WTMP filesize: {}'.format(wtmp_filesize))
-        while offset < wtmp_filesize:
-            wtmp_file.seek(offset)
-            offset += 384  # Increment for next entry
-
-            type = struct.unpack("<L", wtmp_file.read(4))[0]
-            debug_logger.debug('WTMP entry type: {}'.format(type))
-
-            # Only parse USER lines
-            if type == 7:
-                # Read each item and move pointer forward
-                pid = struct.unpack("<L", wtmp_file.read(4))[0]
-                line = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
-                id = wtmp_file.read(4).decode("utf-8", "replace").split('\0', 1)[0]
-                user = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
-                host = wtmp_file.read(256).decode("utf-8", "replace").split('\0', 1)[0]
-                term = struct.unpack("<H", wtmp_file.read(2))[0]
-                exit = struct.unpack("<H", wtmp_file.read(2))[0]
-                session = struct.unpack("<L", wtmp_file.read(4))[0]
-                timestamp = struct.unpack("<L", wtmp_file.read(4))[0]
-                usec = struct.unpack("<L", wtmp_file.read(4))[0]
-                entry = (pid, line, id, user, host, term, exit, session, timestamp, usec)
-                debug_logger.debug('WTMP entry: {}'.format(entry))
-
-                # Store login timestamp for requested user
-                if user == username:
-                    last_login = timestamp
-
-    # When loop is done, last value should be the latest login timestamp
-    return last_login
-
- 
- def format_event(event, logsource):
-     output = []
-diff --git a/utils/apparmor/notify.py b/utils/apparmor/notify.py
-new file mode 100644
-index 0000000000000000000000000000000000000000..1101a29346d79dd873c347fd12dd79cda1e1c786
--- /dev/null
-+++ b/utils/apparmor/notify.py
-@@ -0,0 +1,105 @@
-+#! /usr/bin/python3
-+# ----------------------------------------------------------------------
-+#    Copyright (C) 2018–2019 Otto Kekäläinen <otto@kekalainen.net>
-+#    Copyright (C) 2021 Christian Boltz
-+#
-+#    This program is free software; you can redistribute it and/or
-+#    modify it under the terms of version 2 of the GNU General Public
-+#    License as published by the Free Software Foundation.
-+#
-+#    This program is distributed in the hope that it will be useful,
-+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+#    GNU General Public License for more details.
-+#
-+# ----------------------------------------------------------------------
-+
-+import os
-+import struct
-+
-+from apparmor.common import AppArmorBug, DebugLogger
-+
-+debug_logger = DebugLogger('apparmor.notify')
-+
-+
-+def sane_timestamp(timestamp):
-+    ''' Check if the given timestamp is in a date range that makes sense for a wtmp file '''
-+
-+    if timestamp < 946681200:  # 2000-01-01
-+        return False
-+    elif timestamp > 2524604400:  # 2050-01-01
-+        return False
-+
-+    return True
-+
-+def get_last_login_timestamp(username, filename='/var/log/wtmp'):
-+    '''Directly read wtmp and get last login for user as epoch timestamp'''
-+    timestamp = 0
-+    last_login = 0
-+
-+    debug_logger.debug('Username: {}'.format(username))
-+
-+    with open(filename, "rb") as wtmp_file:
-+        offset = 0
-+        wtmp_filesize = os.path.getsize(filename)
-+        debug_logger.debug('WTMP filesize: {}'.format(wtmp_filesize))
-+
-+        if wtmp_filesize < 356:
-+            return 0  # (nearly) empty wtmp file, no entries
-+
-+        # detect architecture based on utmp format differences
-+        wtmp_file.seek(340)  # first possible timestamp position
-+        timestamp_x86_64    = struct.unpack("<L", wtmp_file.read(4))[0]
-+        timestamp_aarch64   = struct.unpack("<L", wtmp_file.read(4))[0]
-+        timestamp_s390x     = struct.unpack(">L", wtmp_file.read(4))[0]
-+        debug_logger.debug('WTMP timestamps: x86_64 %s, aarch64 %s, s390x %s' % (timestamp_x86_64, timestamp_aarch64, timestamp_s390x))
-+
-+        if sane_timestamp(timestamp_x86_64):
-+            endianness = '<'  # little endian
-+            extra_offset_before = 0
-+            extra_offset_after = 0
-+        elif sane_timestamp(timestamp_aarch64):
-+            endianness = '<'  # little endian
-+            extra_offset_before = 4
-+            extra_offset_after = 12
-+        elif sane_timestamp(timestamp_s390x):
-+            endianness = '>'  # big endian
-+            extra_offset_before = 8
-+            extra_offset_after = 8
-+        else:
-+            raise AppArmorBug('Your /var/log/wtmp is broken or has an unknown format. Please open a bugreport with /var/log/wtmp and the output of "last" attached!')
-+
-+        while offset < wtmp_filesize:
-+            wtmp_file.seek(offset)
-+            offset += 384 + extra_offset_before + extra_offset_after  # Increment for next entry
-+
-+            type = struct.unpack('%sH' % endianness, wtmp_file.read(2))[0]
-+            debug_logger.debug('WTMP entry type: {}'.format(type))
-+            wtmp_file.read(2)  # skip padding
-+
-+            # Only parse USER lines
-+            if type == 7:
-+                # Read each item and move pointer forward
-+                pid = struct.unpack("<L", wtmp_file.read(4))[0]
-+                line = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
-+                id = wtmp_file.read(4).decode("utf-8", "replace").split('\0', 1)[0]
-+                user = wtmp_file.read(32).decode("utf-8", "replace").split('\0', 1)[0]
-+                host = wtmp_file.read(256).decode("utf-8", "replace").split('\0', 1)[0]
-+                term = struct.unpack("<H", wtmp_file.read(2))[0]
-+                exit = struct.unpack("<H", wtmp_file.read(2))[0]
-+                session = struct.unpack("<L", wtmp_file.read(4))[0]
-+                if extra_offset_before:
-+                    wtmp_file.read(extra_offset_before)
-+                timestamp = struct.unpack('%sL' % endianness, wtmp_file.read(4))[0]
-+                if extra_offset_after:
-+                    wtmp_file.read(extra_offset_after)
-+                usec = struct.unpack("<L", wtmp_file.read(4))[0]
-+                entry = (pid, line, id, user, host, term, exit, session, timestamp, usec)
-+                debug_logger.debug('WTMP entry: {}'.format(entry))
-+
-+                # Store login timestamp for requested user
-+                if user == username:
-+                    last_login = timestamp
-+
-+    # When loop is done, last value should be the latest login timestamp
-+    return last_login
--- a/add-samba-bgqd.diff
+++ b/add-samba-bgqd.diff
@ -1,62 +0,0 @@
-commit 85e53a5d040cdf3f7705da9e625b85041694aa4c
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Fri Oct 15 22:02:36 2021 +0200
-
-    Add profile for samba-bgqd
-    
-    ... and some rules in the smbd profile to execute it and send it a term
-    signal.
-    
-    samba-bgqd is (quoting its manpage) "an internal helper program
-    performing asynchronous printing-related jobs."
-    
-    samba-bgqd was added in Samba 4.15.
-    
-    Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1191532
-
-Index: apparmor-3.0.3/profiles/apparmor.d/samba-bgqd
-===================================================================
--- /dev/null
-+++ apparmor-3.0.3/profiles/apparmor.d/samba-bgqd
-@@ -0,0 +1,20 @@
-+abi <abi/3.0>,
-+
-+include <tunables/global>
-+
-+profile samba-bgqd /usr/lib*/samba/samba-bgqd {
-+  include <abstractions/base>
-+  include <abstractions/cups-client>
-+  include <abstractions/nameservice>
-+  include <abstractions/samba>
-+
-+  signal receive set=term peer=smbd,
-+
-+  @{PROC}/sys/kernel/core_pattern r,
-+  @{run}/samba/samba-bgqd.pid wk,
-+
-+  /usr/lib*/samba/samba-bgqd m,
-+
-+  # Site-specific additions and overrides. See local/README for details.
-+  include if exists <local/samba-bgqd>
-+}
-Index: apparmor-3.0.3/profiles/apparmor.d/usr.sbin.smbd
-===================================================================
--- apparmor-3.0.3.orig/profiles/apparmor.d/usr.sbin.smbd
-+++ apparmor-3.0.3/profiles/apparmor.d/usr.sbin.smbd
-@@ -24,6 +24,8 @@ profile smbd /usr/{bin,sbin}/smbd {
-   capability sys_resource,
-   capability sys_tty_config,
- 
-+  signal send set=term peer=samba-bgqd,
-+
-   /etc/mtab r,
-   /etc/netgroup r,
-   /etc/printcap r,
-@@ -35,6 +37,7 @@ profile smbd /usr/{bin,sbin}/smbd {
-   /usr/lib*/samba/charset/*.so mr,
-   /usr/lib*/samba/gensec/*.so mr,
-   /usr/lib*/samba/pdb/*.so mr,
-+  /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
-   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
-   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
-   /usr/lib/@{multiarch}/samba/**/ r,
--- a/apparmor-3.0.3.tar.gz
+++ b/apparmor-3.0.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:153db05d8f491e0596022663c19fb1166806cb473b3c6f0a7279feda2ec25a59
-size 7790012
--- a/apparmor-3.0.3.tar.gz.asc
+++ b/apparmor-3.0.3.tar.gz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmEOR6AaHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLsckQ//V7k3Kao73EXlJKtTjMnt
-AVc1qUqht/bxfT014BYZs0eT8HYRyBq0BhbDBfjPJA05kyXO0eHDOip5QmltXHR6
-qeRD974rgv4jmIHInHiY2QlFuAtxhO+CPsSw2WZtdQMb1zFYg9BMh+lSz2aNECrc
-GRYi4UflsNFxnUGnKCIt3FKvaGX9S9dA3vEgQrXMcIEFvHzrcRPYtUGiutFe66xF
-S6Z2PoymQAK5fW4D1lkBZXAx1jqzNzVzaaA6D0H8GcFb7zL2c2q/0L4+EfFabxXv
-uP4Vtw6ZS6upLr7AsbE55t8QlJ0IwiA7EJhn7cFfvJNkGWsJh9dr0LGtIf+B+zTd
-1dVtwuNtWotz202WeyYuokddX/zCSldb6/Sc2BhyFhqmUWjeQdDqjfLyTVsmBpc9
-0+NwY53/Em1qoFvMAtiqGWG3JjTF3ZVEdQEzRQyG9zMBDm2Vm3+uplL70MjgdSm0
-Cb1wpSsef5/Q28qY7+1/WV3/OGdq/9kqWS0n3+i2JtuxAaiHK6FRhSZi+0QGU0QH
-igJ+TKYmtyDGiqYrCasmED9sBkGNKvSDRmc+0hfCEzk5sj3tYR65OBmO0JBMKVR4
-9Lyt2hXScP7avuMdTPU0kj/2i7o5N6OfDdCV9LQinN8rzMmwGIYinmTxcVoRN9i/
-wYTg3RfP5TxHfmrOnuzWCCM=
-=2ySc
-----END PGP SIGNATURE-----
--- a/apparmor-3.0.4.tar.gz
+++ b/apparmor-3.0.4.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09bf48d7a171f9790c39a1404bad105a788934cfe77b7490c7f5c63c2576b725
+size 7796852
--- a/apparmor-3.0.4.tar.gz.asc
+++ b/apparmor-3.0.4.tar.gz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmIEYPoaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLsuXRAAwUfR2mTa8T1f9JKDV9oI
+VyHMNPx4UQ8UGHPjdggPZpgU8tdLgIeTzrVB9IFmUNxREmeQURyr12lWJiL7rUjp
+uICigANNZPtfYDB8PNF6OPbwZ61A44RZ26SZJauKQg/iP1c/m3NH24TReUqB2UgC
+Zrjx4KBH30m0+wc2Ca5f017CRDRL6oPjbUnCdY6S8XdVzbbd4x/4K0yoaS8mNLde
+GUbs4cMJnuMndVPhNVIiKvRt/qmYl2nB3HBzU9VXmq/GBR9wDpb1G6N3IuB7Oaak
+WrB32ymgllwi5av3L1vXQhisZ1LAaH7GNElCX5c4rJa/6Bsfru5kTecEXSIJXf2H
+P8XmwUkdrl7idfAbSg/jW1h02uD99WTymii2SCwYWhNX9s0BRuSMPASA9TgrYOZN
+oTshsA8lYaAafdAU6OboaeS91WL65hTr3GUcGgYl+qYcYTdyU6IG4MooCwATM2st
+SHt7HPOJLNntMt8CGcPx1Q9UA8ta3kNlcf6YSycWCqWvPEvCkpex23gVUVIXzVKr
+bs2tvJO59BsCxiL6umsksv5otIXDrm4yay1QaYl+KUEOvU051SUyXey7pQ/qO0LY
+leifVmldlLfPosAKiJqiQ3RAKp7Zr/YrvKLLxeLj5MrKUmSR2UQ5xC8aXfYYhDqh
+PPpcMO9Io9UyHHofXB7dlA=
+=rXSS
+-----END PGP SIGNATURE-----
--- a/apparmor-samba-include-permissions-for-shares.diff
+++ b/apparmor-samba-include-permissions-for-shares.diff
@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
-@@ -56,6 +56,10 @@
+@@ -59,6 +59,10 @@
   @{HOMEDIRS}/** lrwk,
   /var/lib/samba/usershares/{,**} lrwk,
 
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Thu Feb 10 16:55:38 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 3.0.4
+  - various fixes in profiles, abstractions, apparmor_parser and utils
+    (some of them were already included as patches)
+  - add support for mctp address family
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.4
+    for the full upstream changelog
+- remove upstream(ed) patches:
+  - aa-notify-more-arch-mr809.diff
+  - ruby-3.1-build-fix.diff
+  - add-samba-bgqd.diff
+  - openssl-engdef-mr818.diff
+  - profiles-python-3.10-mr783.diff
+  - update-samba-abstractions-ldb2.diff
+- refresh patches:
+  - apparmor-samba-include-permissions-for-shares.diff
+  - ruby-2_0-mkmf-destdir.patch
+
 -------------------------------------------------------------------
 Wed Jan 26 17:14:58 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -45,7 +45,7 @@
 %define JAR_FILE changeHatValve.jar

 Name:           apparmor
-Version:        3.0.3
+Version:        3.0.4
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@ -78,26 +78,6 @@ Patch5:         apparmor-lessopen-nfs-workaround.diff
 # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
 Patch6:         apache-extra-profile-include-if-exists.diff

-# update abstractions/python and profiles for python 3.10 (submitted upstream 2021-08-11 https://gitlab.com/apparmor/apparmor/-/merge_requests/783)
-Patch7:         profiles-python-3.10-mr783.diff
-
-# add samba-bgqd profile (accepted upstream 2021-10-15 https://gitlab.com/apparmor/apparmor/-/merge_requests/807)
-# updated for boo#1192336 (merged upstream 2021-12-20 https://gitlab.com/apparmor/apparmor/-/merge_requests/819 in 3.0 and master)
-Patch8:         add-samba-bgqd.diff
-
-# aa-notify: Add support for reading s390x and aarch64 wtmp file (boo#1181155) (merged upstream 2021-11-08 in master and 3.0 branch - https://gitlab.com/apparmor/apparmor/-/merge_requests/809)
-Patch9:         aa-notify-more-arch-mr809.diff
-
-# allow reading /etc/ssl/engdef.d/ and /etc/ssl/engines.d/ in abstractions/openssl (submitted upstream 2021-12-19 - https://gitlab.com/apparmor/apparmor/-/merge_requests/818)
-Patch10:        openssl-engdef-mr818.diff
-
-# add update-samba-abstractions-ldb2.diff to cater for changes to ldb
-# packaging to allow parallel installation with libldb bsc#1192684 (submitted upstream 2022-01-17 - https://gitlab.com/apparmor/apparmor/-/merge_requests/821)
-Patch11:        update-samba-abstractions-ldb2.diff
-
-# fix build with ruby 3.1 (boo#1194221, from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/827)
-Patch12:        ruby-3.1-build-fix.diff
-
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -360,12 +340,6 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch3 -p1
 %patch4
 %patch5
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1

 %build
 %define _lto_cflags %{nil}
--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -18,7 +18,7 @@


 Name:           libapparmor
-Version:        3.0.3
+Version:        3.0.4
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
--- a/openssl-engdef-mr818.diff
+++ b/openssl-engdef-mr818.diff
@ -1,26 +0,0 @@
-(context lines adjusted to match 3.0 branch)
-
-From e58dd798f09c1df6f8de42f64d07221d34adfc87 Mon Sep 17 00:00:00 2001
-From: Christian Boltz <apparmor@cboltz.de>
-Date: Sun, 19 Dec 2021 22:36:05 +0100
-Subject: [PATCH] abstractions/openssl: allow /etc/ssl/{engdef,engines}.d/
-
-These directories were introduced in openssl in
-https://patchwork.ozlabs.org/project/openwrt/patch/20210429153530.10020-2-cotequeiroz@gmail.com/
---
- profiles/apparmor.d/abstractions/openssl | 2 ++
- 1 file changed, 2 insertions(+)
-
-Index: profiles/apparmor.d/abstractions/openssl
-===================================================================
--- a/profiles/apparmor.d/abstractions/openssl.orig	2021-12-19 22:51:13.837139097 +0100
-+++ b/profiles/apparmor.d/abstractions/openssl	2021-12-19 22:52:05.845049787 +0100
-@@ -12,6 +12,8 @@
- 
-   /etc/ssl/openssl.cnf r,
-   /usr/share/ssl/openssl.cnf r,
-+  /etc/ssl/{engdef,engines}.d/ r,
-+  /etc/ssl/{engdef,engines}.d/*.cnf r,
-   @{PROC}/sys/crypto/fips_enabled r,
- 
- 
--- a/profiles-python-3.10-mr783.diff
+++ b/profiles-python-3.10-mr783.diff
@ -1,86 +0,0 @@
-https://gitlab.com/apparmor/apparmor/-/merge_requests/783
-
-From ea7b201ba48b87469297d58751c57b03ceb82320 Mon Sep 17 00:00:00 2001
-From: Christian Boltz <apparmor@cboltz.de>
-Date: Wed, 11 Aug 2021 21:37:40 +0200
-Subject: [PATCH] Update abstractions/python and profiles for python 3.10
-
-Fixes: https://gitlab.com/apparmor/apparmor/-/issues/187
---
- profiles/apparmor.d/abstractions/python        | 18 +++++++++---------
- profiles/apparmor.d/lsb_release                |  2 +-
- .../profiles/extras/usr.bin.chromium-browser   |  4 ++--
- 3 files changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
-index 1b5cc9d0d..727030bdf 100644
--- a/profiles/apparmor.d/abstractions/python
-+++ b/profiles/apparmor.d/abstractions/python
-@@ -12,18 +12,18 @@
- 
-   abi <abi/3.0>,
- 
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so}           mr,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth}       r,
-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
-+  /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{pyc,so}           mr,
-+  /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{egg,py,pth}       r,
-+  /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
-   /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
- 
-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so}           mr,
-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth}       r,
-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
-  /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
-+  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so}           mr,
-+  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}       r,
-+  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
-+  /usr/local/lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so            mr,
- 
-   # Site-wide configuration
-  /etc/python{2.[4-7],3.[0-9]}/** r,
-+  /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
- 
-   # shared python paths
-   /usr/share/{pyshared,pycentral,python-support}/**      r,
-@@ -36,7 +36,7 @@
-   /usr/lib/wx/python/*.pth r,
- 
-   # python build configuration and headers
-  /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
-+  /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
- 
-   # Include additions to the abstraction
-   include if exists <abstractions/python.d>
-diff --git a/profiles/apparmor.d/lsb_release b/profiles/apparmor.d/lsb_release
-index 33a1c71db..ad8b998fc 100644
--- a/profiles/apparmor.d/lsb_release
-+++ b/profiles/apparmor.d/lsb_release
-@@ -18,7 +18,7 @@ profile lsb_release {
-   /dev/tty rw,
- 
-   /usr/bin/lsb_release r,
-  /usr/bin/python3.[0-9] mr,
-+  /usr/bin/python3.{1,}[0-9] mr,
- 
-   /etc/debian_version r,
-   /etc/default/apport r,
-diff --git a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
-index 2df5338db..b47b6f721 100644
--- a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
-+++ b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
-@@ -267,9 +267,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
-     /usr/share/distro-info/** r,
-     /var/lib/dpkg/** r,
- 
-    /usr/local/lib/python3.[0-9]/dist-packages/ r,
-+    /usr/local/lib/python3.{1,}[0-9]/dist-packages/ r,
-     /usr/bin/ r,
-    /usr/bin/python3.[0-9] mr,
-+    /usr/bin/python3.{1,}[0-9] mr,
-   }
- 
-   profile sandbox {
-- 
-GitLab
-
--- a/ruby-2_0-mkmf-destdir.patch
+++ b/ruby-2_0-mkmf-destdir.patch
@ -1,10 +1,11 @@
-diff -wruN -x '*~' -x '*.o' -x '*.a' -x '*.so' -x '*.so.[0-9]' -x autom4te.cache -x .deps -x .libs -x Makefile -x Makefile ../orig-apparmor-2.8.1/libraries/libapparmor/swig/ruby/extconf.rb ./libraries/libapparmor/swig/ruby/extconf.rb
--- ../orig-apparmor-2.8.1/libraries/libapparmor/swig/ruby/extconf.rb	2009-05-12 23:56:56.000000000 +0200
-+++ ./libraries/libapparmor/swig/ruby/extconf.rb	2013-06-04 14:52:01.677579537 +0200
-@@ -28,7 +28,14 @@
+Index: libraries/libapparmor/swig/ruby/extconf.rb
+===================================================================
+--- a/libraries/libapparmor/swig/ruby/extconf.rb.orig	2022-02-10 17:54:05.008544807 +0100
+++ b/libraries/libapparmor/swig/ruby/extconf.rb	2022-02-10 17:54:21.792506325 +0100
+@@ -20,7 +20,14 @@ if find_library('apparmor', 'parse_recor
   # hack 2: strip all rpath references
   open('Makefile.ruby', 'w') do |out|
-     IO.foreach('Makefile.new') do |line|
+     IO.foreach('Makefile') do |line|
 -      out.puts line.gsub(/-Wl,-R'[^']*'/, '')
 +      l = line.gsub(/-Wl,-R'[^']*'/, '')
 +      # oldincludedir = $(DESTDIR)/usr/include
--- a/ruby-3.1-build-fix.diff
+++ b/ruby-3.1-build-fix.diff
@ -1,110 +0,0 @@
-https://gitlab.com/apparmor/apparmor/-/merge_requests/827
-
-From fde8acf86ddb82f1c10332478daebd3fad1bee45 Mon Sep 17 00:00:00 2001
-From: John Johansen <john.johansen@canonical.com>
-Date: Wed, 26 Jan 2022 08:04:04 -0800
-Subject: [PATCH] libapparmor: Fix ruby 3.1 build for libapparmor
-
-The Hack used to build the libapparmor swig interface for ruby fails
-with ruby 3.1.  Instead of trying to do black magic in ruby to rename
-the generated Makefile to Makefile.new, just save off the Makefile
-and restore after ruby's setup has been called.
-
-Fixes: https://gitlab.com/apparmor/apparmor/-/issues/206
-Signed-off-by: John Johansen <john.johansen@canonical.com>
---
- .gitignore                                  |  2 +-
- libraries/libapparmor/swig/ruby/Makefile.am |  4 +++-
- libraries/libapparmor/swig/ruby/extconf.rb  | 14 +++-----------
- 3 files changed, 7 insertions(+), 13 deletions(-)
-
-
-
-Additionally patch libraries/libapparmor/swig/ruby/Makefile.in which is shipped
-in the tarball and based on Makefile.am.
-
-
-
-
-diff --git a/.gitignore b/.gitignore
-index 4782a351a..bac706f2b 100644
--- a/.gitignore
-+++ b/.gitignore
-@@ -177,7 +177,7 @@ libraries/libapparmor/swig/ruby/LibAppArmor_wrap.c
- libraries/libapparmor/swig/ruby/LibAppArmor_wrap.o
- libraries/libapparmor/swig/ruby/Makefile
- libraries/libapparmor/swig/ruby/Makefile.in
-libraries/libapparmor/swig/ruby/Makefile.new
-+libraries/libapparmor/swig/ruby/Makefile.bak
- libraries/libapparmor/swig/ruby/Makefile.ruby
- libraries/libapparmor/swig/ruby/mkmf.log
- libraries/libapparmor/testsuite/.deps
-diff --git a/libraries/libapparmor/swig/ruby/Makefile.am b/libraries/libapparmor/swig/ruby/Makefile.am
-index 03ef02fd6..3f4572816 100644
--- a/libraries/libapparmor/swig/ruby/Makefile.am
-+++ b/libraries/libapparmor/swig/ruby/Makefile.am
-@@ -9,7 +9,9 @@ LibAppArmor_wrap.c : $(srcdir)/../SWIG/libapparmor.i
- MOSTLYCLEANFILES=LibAppArmor_wrap.c
- 
- Makefile.ruby: extconf.rb
-+	mv Makefile Makefile.bak
- 	PREFIX=$(prefix) $(RUBY) $< --with-LibAppArmor-include=$(top_srcdir)/include
-+	mv Makefile.bak Makefile
- 
- LibAppArmor.so: LibAppArmor_wrap.c Makefile.ruby
- 	$(MAKE) -fMakefile.ruby
-@@ -22,7 +24,7 @@ install-exec-local: Makefile.ruby
- 
- clean-local:
- 	if test -f Makefile.ruby; then $(MAKE) -fMakefile.ruby clean; fi
-	rm -f Makefile.ruby Makefile.new
-+	rm -f Makefile.ruby Makefile.new Makefile.bak
- 	rm -f *.o *.so *.log
- 
- endif
-diff --git a/libraries/libapparmor/swig/ruby/extconf.rb b/libraries/libapparmor/swig/ruby/extconf.rb
-index 647d2d831..6a2ef7457 100644
--- a/libraries/libapparmor/swig/ruby/extconf.rb
-+++ b/libraries/libapparmor/swig/ruby/extconf.rb
-@@ -2,16 +2,8 @@
- 
- require 'mkmf'
- 
-# hack 1: ruby black magic to write a Makefile.new instead of a Makefile
-alias open_orig open
-def open(path, mode=nil, perm=nil)
-  path = 'Makefile.new' if path == 'Makefile'
-  if block_given?
-    open_orig(path, mode, perm) { |io| yield(io) }
-  else
-    open_orig(path, mode, perm)
-  end
-end
-+# hack 1: Before extconf.rb gets called, Makefile gets backed up, and
-+#         restored afterwards (see Makefile.am)
- 
- if ENV['PREFIX']
-   prefix = CONFIG['prefix']
-@@ -27,7 +19,7 @@ if find_library('apparmor', 'parse_record', '../../src/.libs') and
- 
-   # hack 2: strip all rpath references
-   open('Makefile.ruby', 'w') do |out|
-    IO.foreach('Makefile.new') do |line|
-+    IO.foreach('Makefile') do |line|
-       l = line.gsub(/-Wl,-R'[^']*'/, '')
-       # oldincludedir = $(DESTDIR)/usr/include
-       # -> oldincludedir = /usr/include
-Index: apparmor-3.0.3/libraries/libapparmor/swig/ruby/Makefile.in
-===================================================================
--- apparmor-3.0.3.orig/libraries/libapparmor/swig/ruby/Makefile.in	2022-01-26 13:13:38.958238926 +0100
-+++ apparmor-3.0.3/libraries/libapparmor/swig/ruby/Makefile.in	2022-01-26 13:15:08.206094528 +0100
-@@ -469,7 +469,9 @@ uninstall-am:
- @HAVE_RUBY_TRUE@	$(SWIG) -ruby -module LibAppArmor -I$(top_srcdir)/include -o $@ $(srcdir)/../SWIG/libapparmor.i
- 
- @HAVE_RUBY_TRUE@Makefile.ruby: extconf.rb
-+@HAVE_RUBY_TRUE@	mv Makefile Makefile.bak
- @HAVE_RUBY_TRUE@	PREFIX=$(prefix) $(RUBY) $< --with-LibAppArmor-include=$(top_srcdir)/include
-+@HAVE_RUBY_TRUE@	mv Makefile.bak Makefile
- 
- @HAVE_RUBY_TRUE@LibAppArmor.so: LibAppArmor_wrap.c Makefile.ruby
- @HAVE_RUBY_TRUE@	$(MAKE) -fMakefile.ruby
--- a/update-samba-abstractions-ldb2.diff
+++ b/update-samba-abstractions-ldb2.diff
@ -1,12 +0,0 @@
-diff -ruNp apparmor-3.0.3.orig/profiles/apparmor.d/abstractions/samba apparmor-3.0.3/profiles/apparmor.d/abstractions/samba
--- apparmor-3.0.3.orig/profiles/apparmor.d/abstractions/samba	2021-08-07 10:40:00.000000000 +0200
-+++ apparmor-3.0.3/profiles/apparmor.d/abstractions/samba	2022-01-17 16:25:37.552673486 +0100
-@@ -13,6 +13,8 @@
- 
-   /etc/samba/* r,
-   /usr/lib*/ldb/*.so mr,
-+  /usr/lib*/ldb2/*.so mr,
-+  /usr/lib*/ldb2/modules/ldb/*.so mr,
-   /usr/lib*/samba/ldb/*.so mr,
-   /usr/share/samba/*.dat r,
-   /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,