Accepting request 337046 from home:cboltz

- add syslog-ng-profile-boo948584.diff - add several permissions needed
  by latest syslog-ng (boo#948584, boo#948753)
- add upstream-profile-updates-r3205-3241.diff with several profile updates:
  - add /usr/share/locale-bundle/** to abstractions/base
  - allow dnsmask to use /bin/sh (boo#940749) and /bin/dash
  - allow dovecot imap to read /run/dovecot/mounts
  - allow avahi-daemon to write to /run/systemd/notify
  - allow ntpd to read $PATH directory listings (boo#945592, boo#948752)
  - update dhclient profile
  - allow skype to read @{PROC}/@{pid}/net/dev (boo#939568)
  - and some other small updates
- drop upstreamed apparmor-winbindd-r3213.diff (included in the
  upstream-profile-updates patch)

OBS-URL: https://build.opensuse.org/request/show/337046
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=145

apparmor-winbindd-r3213.diff

@@ -1,29 +0,0 @@
-------------------------------------------------------------
-revno: 3213
-committer: Christian Boltz <apparmor@cboltz.de>
-branch nick: apparmor
-timestamp: Thu 2015-07-30 22:03:02 +0200
-message:
-  winbindd profile: allow k for /etc/samba/smbd.tmp/msg/*
-  
-  References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at comment 15
-  
-  
-  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
-
-
-=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
---- profiles/apparmor.d/usr.sbin.winbindd	2015-05-18 23:25:26 +0000
-+++ profiles/apparmor.d/usr.sbin.winbindd	2015-07-30 20:03:02 +0000
-@@ -15,7 +15,7 @@
-   /etc/samba/secrets.tdb rwk,
-   /etc/samba/smbd.tmp/ rw,
-   /etc/samba/smbd.tmp/msg/ rw,
--  /etc/samba/smbd.tmp/msg/* rw,
-+  /etc/samba/smbd.tmp/msg/* rwk,
-   @{PROC}/sys/kernel/core_pattern r,
-   /tmp/.winbindd/ w,
-   /tmp/krb5cc_* rwk,
-
-
-vim:ft=diff

apparmor.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Oct  7 16:12:24 UTC 2015 - opensuse@cboltz.de
+
+- add syslog-ng-profile-boo948584.diff - add several permissions needed
+  by latest syslog-ng (boo#948584, boo#948753)
+- add upstream-profile-updates-r3205-3241.diff with several profile updates:
+  - add /usr/share/locale-bundle/** to abstractions/base
+  - allow dnsmask to use /bin/sh (boo#940749) and /bin/dash
+  - allow dovecot imap to read /run/dovecot/mounts
+  - allow avahi-daemon to write to /run/systemd/notify
+  - allow ntpd to read $PATH directory listings (boo#945592, boo#948752)
+  - update dhclient profile
+  - allow skype to read @{PROC}/@{pid}/net/dev (boo#939568)
+  - and some other small updates
+- drop upstreamed apparmor-winbindd-r3213.diff (included in the
+  upstream-profile-updates patch)
+
 -------------------------------------------------------------------
 Sun Sep 13 20:16:57 UTC 2015 - opensuse@cboltz.de
 

apparmor.spec

@@ -95,8 +95,11 @@ Patch7:         apparmor-lessopen-profile.patch
 # boo#862170 - fix ugly initscript output (commited upstream trunk r3208)
 Patch8:         fix-initscript-aa_log_end_msg.diff
 
-# additional winbindd permissions (commited upstream trunk r3213, 2.9 r2946) - (boo#921098 #c15..19)
-Patch9:         apparmor-winbindd-r3213.diff
+# additional syslog-ng permissions (submitted upstream 2015-10-07) (boo#948584, boo#948753)
+Patch9:         syslog-ng-profile-boo948584.diff
+
+# several profile updates taken from upstream bzr trunk r3205..3241
+Patch10:        upstream-profile-updates-r3205-3241.diff
 
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
@@ -448,6 +451,7 @@ SubDomain.
 %patch7 -p1
 %patch8
 %patch9
+%patch10
 
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

syslog-ng-profile-boo948584.diff

@@ -0,0 +1,34 @@
+=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
+--- profiles/apparmor.d/sbin.syslog-ng	2015-03-07 20:16:11 +0000
++++ profiles/apparmor.d/sbin.syslog-ng	2015-10-07 10:33:01 +0000
+@@ -20,6 +20,7 @@
+   #include <abstractions/consoles>
+   #include <abstractions/nameservice>
+   #include <abstractions/mysql>
++  #include <abstractions/openssl>
+ 
+   capability chown,
+   capability dac_override,
+@@ -37,7 +38,10 @@
+   /dev/syslog w,
+   /dev/tty10 rw,
+   /dev/xconsole rw,
++  /etc/machine-id r,
+   /etc/syslog-ng/* r,
++  /etc/syslog-ng/conf.d/ r,
++  /etc/syslog-ng/conf.d/* r,
+   @{PROC}/kmsg r,
+   /etc/hosts.deny r,
+   /etc/hosts.allow r,
+@@ -50,6 +54,10 @@
+   @{CHROOT_BASE}/var/log/** w,
+   @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
+   @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
++  /var/log/journal/ r,
++  /var/log/journal/*/ r,
++  /var/log/journal/*/*.journal r,
++  /{var/,}run/syslog-ng.ctl a,
+   /{var/,}run/syslog-ng/additional-log-sockets.conf r,
+ 
+   # Site-specific additions and overrides. See local/README for details.
+

upstream-profile-updates-r3205-3241.diff

@@ -0,0 +1,297 @@
+AppArmor bzr trunk
+bzr diff -r3205..3241 profiles/
+(+ abstractions/X change modified to single line syntax)
+
+------------------------------------------------------------
+revno: 3238
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Fri 2015-09-18 19:06:47 +0200
+message:
+  dnsmasq profile - also allow /bin/sh
+  
+  This patch is based on a SLE12 patch to allow executing the
+  --dhcp-script. We already have most parts of that patch since r2841,
+  however the SLE bugreport indicates that /bin/sh is executed (which is
+  usually a symlink to /bin/bash or /bin/dash), so we should also allow
+  /bin/sh
+  
+  References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public)
+  
+  
+  Acked-by: Seth Arnold <seth.arnold@canonicalc.com> for trunk and 2.9
+------------------------------------------------------------
+revno: 3237
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Tue 2015-09-15 14:24:57 +0200
+message:
+  Allow ntpd to read directory listings of $PATH
+  
+  For some reasons, it needs to do that to find readable, writeable and
+  executable files.
+  
+  See also https://bugzilla.opensuse.org/show_bug.cgi?id=945592
+  
+  
+  Acked-by: Seth Arnold <seth.arnold@canonical.com>
+------------------------------------------------------------
+revno: 3236
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Wed 2015-09-09 00:00:23 +0200
+message:
+  Update the /sbin/dhclient profile
+  
+  Add some permissions that I need on my system:
+  - execute nm-dhcp-helper
+  - read and write /var/lib/dhcp6/dhclient.leases
+  - read /var/lib/NetworkManager/dhclient-*.conf
+  - read and write /var/lib/NetworkManager/dhclient-*.conf
+  
+  
+  Looks-good-by: Steve Beattie <steve@nxnw.org>
+  Acked-by: <timeout> for trunk and 2.9
+------------------------------------------------------------
+revno: 3234
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Thu 2015-09-03 18:27:00 +0200
+message:
+  Dovecot imap needs to read /run/dovecot/mounts
+  
+  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
+------------------------------------------------------------
+revno: 3225
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Sun 2015-08-23 15:20:20 +0200
+message:
+  add /usr/share/locale-bundle/ to abstractions/base
+  
+  /usr/share/locale-bundle/ contains translations packaged in
+  bundle-lang-* packages in openSUSE.
+  
+  
+  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
+------------------------------------------------------------
+revno: 3213
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Thu 2015-07-30 22:03:02 +0200
+message:
+  winbindd profile: allow k for /etc/samba/smbd.tmp/msg/*
+  
+  References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at comment 15
+  
+  
+  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
+------------------------------------------------------------
+revno: 3212
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Tue 2015-07-28 01:15:31 +0200
+message:
+  skype profile: allow reading @{PROC}/@{pid}/net/dev
+  
+  References: https://bugzilla.opensuse.org/show_bug.cgi?id=939568
+  
+  
+  Acked-by: Seth Arnold <seth.arnold@canonical.com> for trunk and 2.9
+------------------------------------------------------------
+revno: 3211
+committer: Jamie Strandboge <jamie@ubuntu.com>
+branch nick: apparmor
+timestamp: Fri 2015-07-24 15:03:30 -0500
+message:
+  profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to
+  /run/systemd/notify which is needed on systems with systemd
+  
+  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
+  Acked-by: Seth Arnold <seth.arnold@canonical.com>
+------------------------------------------------------------
+revno: 3210
+committer: Jamie Strandboge <jamie@ubuntu.com>
+branch nick: apparmor
+timestamp: Fri 2015-07-24 15:01:46 -0500
+message:
+  profiles/apparmor.d/abstractions/X: also allow unix connections to
+  @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird
+  
+  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
+  Acked-by: Seth Arnold <seth.arnold@canonical.com>
+------------------------------------------------------------
+revno: 3209
+committer: Jamie Strandboge <jamie@ubuntu.com>
+branch nick: apparmor
+timestamp: Fri 2015-07-24 13:56:27 -0500
+message:
+  profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash
+  
+  Signed-off-by: Jamie Strandboge <jamie@canonical.com>
+  Acked-by: Christian Boltz <apparmor@cboltz.de>
+------------------------------------------------------------
+revno: 3207 [merge]
+committer: Jamie Strandboge <jamie@ubuntu.com>
+branch nick: apparmor
+timestamp: Mon 2015-07-20 10:16:18 -0500
+message:
+  [ intrigeri ]
+  dconf abstraction: allow reading /etc/dconf/**.
+  That's needed e.g. for Totem on current Debian Jessie.
+  
+  Acked-By: Jamie Strandboge <jamie@canonical.com>
+------------------------------------------------------------
+Use --include-merged or -n0 to see merged revisions.
+
+
+
+
+=== modified file 'profiles/apparmor.d/abstractions/X'
+--- profiles/apparmor.d/abstractions/X	2015-03-25 21:58:31 +0000
++++ profiles/apparmor.d/abstractions/X	2015-07-24 20:01:46 +0000
+@@ -27,4 +27,5 @@
+   unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
++  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ 
+   /usr/include/X11/               r,
+   /usr/include/X11/**             r,
+
+=== modified file 'profiles/apparmor.d/abstractions/base'
+--- profiles/apparmor.d/abstractions/base	2015-01-21 19:30:46 +0000
++++ profiles/apparmor.d/abstractions/base	2015-08-23 13:20:20 +0000
+@@ -26,6 +26,7 @@
+   /etc/locale/**                 r,
+   /etc/locale.alias              r,
+   /etc/localtime                 r,
++  /usr/share/locale-bundle/**    r,
+   /usr/share/locale-langpack/**  r,
+   /usr/share/locale/**           r,
+   /usr/share/**/locale/**        r,
+
+=== modified file 'profiles/apparmor.d/abstractions/dconf'
+--- profiles/apparmor.d/abstractions/dconf	2013-10-09 13:18:09 +0000
++++ profiles/apparmor.d/abstractions/dconf	2015-07-19 13:42:54 +0000
+@@ -3,5 +3,6 @@
+ # permissions for querying dconf settings; granting write access should
+ # be specified in a specific application's profile.
+ 
++  /etc/dconf/** r,
+   owner /{,var/}run/user/*/dconf/user r,
+   owner @{HOME}/.config/dconf/user r,
+
+=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
+--- profiles/apparmor.d/usr.lib.dovecot.imap	2014-12-22 16:41:59 +0000
++++ profiles/apparmor.d/usr.lib.dovecot.imap	2015-09-03 16:27:00 +0000
+@@ -27,6 +27,7 @@
+   @{HOME} r, # ???
+   /usr/lib/dovecot/imap mr,
+   /{,var/}run/dovecot/auth-master rw,
++  /{,var/}run/dovecot/mounts r,
+ 
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.lib.dovecot.imap>
+
+=== modified file 'profiles/apparmor.d/usr.sbin.avahi-daemon'
+--- profiles/apparmor.d/usr.sbin.avahi-daemon	2014-09-03 19:16:32 +0000
++++ profiles/apparmor.d/usr.sbin.avahi-daemon	2015-07-24 20:03:30 +0000
+@@ -26,6 +26,7 @@
+   /{,var/}run/avahi-daemon/ w,
+   /{,var/}run/avahi-daemon/pid krw,
+   /{,var/}run/avahi-daemon/socket w,
++  /{,var/}run/systemd/notify w,
+ 
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.sbin.avahi-daemon>
+
+=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
+--- profiles/apparmor.d/usr.sbin.dnsmasq	2015-03-30 03:49:09 +0000
++++ profiles/apparmor.d/usr.sbin.dnsmasq	2015-09-18 17:06:47 +0000
+@@ -45,7 +45,7 @@
+ 
+   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ 
+-  /bin/bash ix, # Required to execute --dhcp-script argument
++  /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument
+ 
+   # access to iface mtu needed for Router Advertisement messages in IPv6
+   # Neighbor Discovery protocol (RFC 2461)
+
+=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
+--- profiles/apparmor.d/usr.sbin.ntpd	2015-05-18 23:20:49 +0000
++++ profiles/apparmor.d/usr.sbin.ntpd	2015-09-15 12:24:57 +0000
+@@ -37,6 +37,7 @@
+   /etc/ntpd.conf.tmp r,
+ 
+   /tmp/ntp* rwl,
++  /{usr/,usr/local/,}{s,}bin/ r,
+   /usr/sbin/ntpd rmix,
+   /var/lib/ntp/drift rwl,
+   /var/lib/ntp/drift.TEMP rwl,
+
+=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
+--- profiles/apparmor.d/usr.sbin.winbindd	2015-05-18 23:25:26 +0000
++++ profiles/apparmor.d/usr.sbin.winbindd	2015-07-30 20:03:02 +0000
+@@ -15,7 +15,7 @@
+   /etc/samba/secrets.tdb rwk,
+   /etc/samba/smbd.tmp/ rw,
+   /etc/samba/smbd.tmp/msg/ rw,
+-  /etc/samba/smbd.tmp/msg/* rw,
++  /etc/samba/smbd.tmp/msg/* rwk,
+   @{PROC}/sys/kernel/core_pattern r,
+   /tmp/.winbindd/ w,
+   /tmp/krb5cc_* rwk,
+
+=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient'
+--- profiles/apparmor/profiles/extras/sbin.dhclient	2013-01-02 23:34:38 +0000
++++ profiles/apparmor/profiles/extras/sbin.dhclient	2015-09-08 22:00:23 +0000
+@@ -1,6 +1,7 @@
+ # ------------------------------------------------------------------
+ #
+ #    Copyright (C) 2002-2005 Novell/SUSE
++#    Copyright (C) 2015 Christian Boltz
+ #
+ #    This program is free software; you can redistribute it and/or
+ #    modify it under the terms of version 2 of the GNU General Public
+@@ -25,6 +26,8 @@
+   #include <abstractions/bash>
+   #include <abstractions/nameservice>
+ 
++  capability net_raw,
++
+   network packet packet,
+   network packet raw,
+ 
+@@ -47,13 +50,17 @@
+   /usr/bin/uptime             mrix,
+   /usr/bin/vmstat             mrix,
+   /usr/bin/w                  mrix,
++  /usr/lib/nm-dhcp-helper     rix,
+   /var/lib/dhcp/dhclient.leases     rw,
+   /var/lib/dhcp/dhclient-*.leases   rw,
++  /var/lib/dhcp6/dhclient.leases    rw,
++  /var/lib/NetworkManager/dhclient-*.conf  r,
++  /var/lib/NetworkManager/dhclient-*.lease rw,
+   /var/log/lastlog            r,
+   /var/log/messages           r,
+   /var/log/wtmp               r,
+-  /{,var/}run/dhclient.pid       rw,
+-  /{,var/}run/dhclient-*.pid     rw,
++  /{,var/}run/dhclient.pid    rw,
++  /{,var/}run/dhclient-*.pid  rw,
+   /var/spool                  r,
+   /var/spool/mail             r,
+ 
+
+=== modified file 'profiles/apparmor/profiles/extras/usr.bin.skype'
+--- profiles/apparmor/profiles/extras/usr.bin.skype	2013-01-02 23:34:38 +0000
++++ profiles/apparmor/profiles/extras/usr.bin.skype	2015-07-27 23:15:31 +0000
+@@ -20,6 +20,7 @@
+ 
+   @{PROC}/sys/kernel/{ostype,osrelease} r,
+   @{PROC}/@{pid}/net/arp r,
++  @{PROC}/@{pid}/net/dev r,
+   owner @{PROC}/@{pid}/auxv r,
+   owner @{PROC}/@{pid}/cmdline r,
+   owner @{PROC}/@{pid}/fd/ r,
+