diff --git a/apparmor-winbindd-r3213.diff b/apparmor-winbindd-r3213.diff
deleted file mode 100644
index a932358..0000000
--- a/apparmor-winbindd-r3213.diff
+++ /dev/null
@@ -1,29 +0,0 @@
-------------------------------------------------------------
-revno: 3213
-committer: Christian Boltz
-branch nick: apparmor
-timestamp: Thu 2015-07-30 22:03:02 +0200
-message:
- winbindd profile: allow k for /etc/samba/smbd.tmp/msg/*
-
- References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at comment 15
-
-
- Acked-by: Steve Beattie for trunk and 2.9
-
-
-=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
---- profiles/apparmor.d/usr.sbin.winbindd 2015-05-18 23:25:26 +0000
-+++ profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000
-@@ -15,7 +15,7 @@
- /etc/samba/secrets.tdb rwk,
- /etc/samba/smbd.tmp/ rw,
- /etc/samba/smbd.tmp/msg/ rw,
-- /etc/samba/smbd.tmp/msg/* rw,
-+ /etc/samba/smbd.tmp/msg/* rwk,
- @{PROC}/sys/kernel/core_pattern r,
- /tmp/.winbindd/ w,
- /tmp/krb5cc_* rwk,
-
-
-vim:ft=diff
diff --git a/apparmor.changes b/apparmor.changes
index ee6c143..4d779bf 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Oct 7 16:12:24 UTC 2015 - opensuse@cboltz.de
+
+- add syslog-ng-profile-boo948584.diff - add several permissions needed
+ by latest syslog-ng (boo#948584, boo#948753)
+- add upstream-profile-updates-r3205-3241.diff with several profile updates:
+ - add /usr/share/locale-bundle/** to abstractions/base
+ - allow dnsmask to use /bin/sh (boo#940749) and /bin/dash
+ - allow dovecot imap to read /run/dovecot/mounts
+ - allow avahi-daemon to write to /run/systemd/notify
+ - allow ntpd to read $PATH directory listings (boo#945592, boo#948752)
+ - update dhclient profile
+ - allow skype to read @{PROC}/@{pid}/net/dev (boo#939568)
+ - and some other small updates
+- drop upstreamed apparmor-winbindd-r3213.diff (included in the
+ upstream-profile-updates patch)
+
 -------------------------------------------------------------------
 Sun Sep 13 20:16:57 UTC 2015 - opensuse@cboltz.de
 
diff --git a/apparmor.spec b/apparmor.spec
index 1b34a9c..9ab4ef1 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -95,8 +95,11 @@ Patch7: apparmor-lessopen-profile.patch
 # boo#862170 - fix ugly initscript output (commited upstream trunk r3208)
 Patch8: fix-initscript-aa_log_end_msg.diff
 
-# additional winbindd permissions (commited upstream trunk r3213, 2.9 r2946) - (boo#921098 #c15..19)
-Patch9: apparmor-winbindd-r3213.diff
+# additional syslog-ng permissions (submitted upstream 2015-10-07) (boo#948584, boo#948753)
+Patch9: syslog-ng-profile-boo948584.diff
+
+# several profile updates taken from upstream bzr trunk r3205..3241
+Patch10: upstream-profile-updates-r3205-3241.diff
 
 Url: https://launchpad.net/apparmor
 PreReq: sed
@@ -448,6 +451,7 @@ SubDomain.
 %patch7 -p1
 %patch8
 %patch9
+%patch10
 
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
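Review bot: The comment above `Patch10` in the first apparmor.spec hunk drops the bug references that the replaced `Patch9` comment carried (boo#921098 #c15..19 for the winbindd change, which now lives inside the composite patch), and the spec comment is where a packager looks first; something like `# several profile updates taken from upstream bzr trunk r3205..3241 (incl. winbindd boo#921098, ntpd boo#945592, skype boo#939568)` keeps them traceable. In the %prep hunk `%patch10` is applied without a strip level like `%patch8`/`%patch9`, which presumably relies on rpm's implicit `-p0` for the bzr-style `profiles/...` paths; `%patch10 -p0` would make that explicit next to `%patch7 -p1`. Reusing the `Patch9` slot for an unrelated patch is harmless but makes the spec's history harder to read; a fresh number costs nothing.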
diff --git a/syslog-ng-profile-boo948584.diff b/syslog-ng-profile-boo948584.diff
new file mode 100644
index 0000000..b0554c3
--- /dev/null
+++ b/syslog-ng-profile-boo948584.diff
@@ -0,0 +1,34 @@
+=== modified file 'profiles/apparmor.d/sbin.syslog-ng'
+--- profiles/apparmor.d/sbin.syslog-ng 2015-03-07 20:16:11 +0000
++++ profiles/apparmor.d/sbin.syslog-ng 2015-10-07 10:33:01 +0000
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++ #include
+
+ capability chown,
+ capability dac_override,
+@@ -37,7 +38,10 @@
+ /dev/syslog w,
+ /dev/tty10 rw,
+ /dev/xconsole rw,
++ /etc/machine-id r,
+ /etc/syslog-ng/* r,
++ /etc/syslog-ng/conf.d/ r,
++ /etc/syslog-ng/conf.d/* r,
+ @{PROC}/kmsg r,
+ /etc/hosts.deny r,
+ /etc/hosts.allow r,
+@@ -50,6 +54,10 @@
+ @{CHROOT_BASE}/var/log/** w,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,
++ /var/log/journal/ r,
++ /var/log/journal/*/ r,
++ /var/log/journal/*/*.journal r,
++ /{var/,}run/syslog-ng.ctl a,
+ /{var/,}run/syslog-ng/additional-log-sockets.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+
diff --git a/upstream-profile-updates-r3205-3241.diff b/upstream-profile-updates-r3205-3241.diff
new file mode 100644
index 0000000..3dc95c3
--- /dev/null
+++ b/upstream-profile-updates-r3205-3241.diff
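Review bot: The four rules added in the third inner hunk of the new syslog-ng patch (`/var/log/journal/...` and `/{var/,}run/syslog-ng.ctl a,`) omit the `@{CHROOT_BASE}` prefix that every neighbouring rule in that hunk carries, so if the tunable is set to a real chroot they will not match, and when it is empty the `a` rule is already implied by `@{CHROOT_BASE}/{,var/}run/syslog-ng.ctl rw,` (write includes append) — presumably only one of those deployments is intended. Writing `@{CHROOT_BASE}/var/log/journal/*/*.journal r,` (and likewise for the two directory rules) and either dropping the `a` rule or prefixing it keeps the profile's existing convention. The `{var/,}run` spelling also differs from the `{,var/}run` form used two lines above; pick one. The `#include` targets are not visible in this rendering, so the abstraction added in the first inner hunk cannot be reviewed from here.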
@@ -0,0 +1,297 @@ +AppArmor bzr trunk +bzr diff -r3205..3241 profiles/ +(+ abstractions/X change modified to single line syntax) + +------------------------------------------------------------ +revno: 3238 +committer: Christian Boltz +branch nick: apparmor +timestamp: Fri 2015-09-18 19:06:47 +0200 +message: + dnsmasq profile - also allow /bin/sh + + This patch is based on a SLE12 patch to allow executing the + --dhcp-script. We already have most parts of that patch since r2841, + however the SLE bugreport indicates that /bin/sh is executed (which is + usually a symlink to /bin/bash or /bin/dash), so we should also allow + /bin/sh + + References: https://bugzilla.opensuse.org/show_bug.cgi?id=940749 (non-public) + + + Acked-by: Seth Arnold for trunk and 2.9 +------------------------------------------------------------ +revno: 3237 +committer: Christian Boltz +branch nick: apparmor +timestamp: Tue 2015-09-15 14:24:57 +0200 +message: + Allow ntpd to read directory listings of $PATH + + For some reasons, it needs to do that to find readable, writeable and + executable files. + + See also https://bugzilla.opensuse.org/show_bug.cgi?id=945592 + + + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3236 +committer: Christian Boltz +branch nick: apparmor +timestamp: Wed 2015-09-09 00:00:23 +0200 +message: + Update the /sbin/dhclient profile + + Add some permissions that I need on my system: + - execute nm-dhcp-helper + - read and write /var/lib/dhcp6/dhclient.leases + - read /var/lib/NetworkManager/dhclient-*.conf + - read and write /var/lib/NetworkManager/dhclient-*.conf + + + Looks-good-by: Steve Beattie + Acked-by: for trunk and 2.9 +------------------------------------------------------------ +revno: 3234 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2015-09-03 18:27:00 +0200 +message: + Dovecot imap needs to read /run/dovecot/mounts + + Acked-by: Steve Beattie for trunk and 2.9. 
+------------------------------------------------------------ +revno: 3225 +committer: Christian Boltz +branch nick: apparmor +timestamp: Sun 2015-08-23 15:20:20 +0200 +message: + add /usr/share/locale-bundle/ to abstractions/base + + /usr/share/locale-bundle/ contains translations packaged in + bundle-lang-* packages in openSUSE. + + + Acked-by: Steve Beattie for trunk and 2.9 +------------------------------------------------------------ +revno: 3213 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2015-07-30 22:03:02 +0200 +message: + winbindd profile: allow k for /etc/samba/smbd.tmp/msg/* + + References: https://bugzilla.opensuse.org/show_bug.cgi?id=921098 starting at comment 15 + + + Acked-by: Steve Beattie for trunk and 2.9 +------------------------------------------------------------ +revno: 3212 +committer: Christian Boltz +branch nick: apparmor +timestamp: Tue 2015-07-28 01:15:31 +0200 +message: + skype profile: allow reading @{PROC}/@{pid}/net/dev + + References: https://bugzilla.opensuse.org/show_bug.cgi?id=939568 + + + Acked-by: Seth Arnold for trunk and 2.9 +------------------------------------------------------------ +revno: 3211 +committer: Jamie Strandboge +branch nick: apparmor +timestamp: Fri 2015-07-24 15:03:30 -0500 +message: + profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to + /run/systemd/notify which is needed on systems with systemd + + Signed-off-by: Jamie Strandboge + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3210 +committer: Jamie Strandboge +branch nick: apparmor +timestamp: Fri 2015-07-24 15:01:46 -0500 +message: + profiles/apparmor.d/abstractions/X: also allow unix connections to + @/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird + + 
Signed-off-by: Jamie Strandboge + Acked-by: Seth Arnold +------------------------------------------------------------ +revno: 3209 +committer: Jamie Strandboge +branch nick: apparmor +timestamp: Fri 2015-07-24 13:56:27 -0500 +message: + profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash + + 
Signed-off-by: Jamie Strandboge + Acked-by: Christian Boltz +------------------------------------------------------------ +revno: 3207 [merge] +committer: Jamie Strandboge +branch nick: apparmor +timestamp: Mon 2015-07-20 10:16:18 -0500 +message: + [ intrigeri ] + dconf abstraction: allow reading /etc/dconf/**. + That's needed e.g. for Totem on current Debian Jessie. + + Acked-By: Jamie Strandboge +------------------------------------------------------------ +Use --include-merged or -n0 to see merged revisions. + + + + +=== modified file 'profiles/apparmor.d/abstractions/X' +--- profiles/apparmor.d/abstractions/X 2015-03-25 21:58:31 +0000 ++++ profiles/apparmor.d/abstractions/X 2015-07-24 20:01:46 +0000 +@@ -27,4 +27,5 @@ + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), ++ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + + /usr/include/X11/ r, + /usr/include/X11/** r, + +=== modified file 'profiles/apparmor.d/abstractions/base' +--- profiles/apparmor.d/abstractions/base 2015-01-21 19:30:46 +0000 ++++ profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000 +@@ -26,6 +26,7 @@ + /etc/locale/** r, + /etc/locale.alias r, + /etc/localtime r, ++ /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/** r, + /usr/share/**/locale/** r, + +=== modified file 'profiles/apparmor.d/abstractions/dconf' +--- profiles/apparmor.d/abstractions/dconf 2013-10-09 13:18:09 +0000 ++++ profiles/apparmor.d/abstractions/dconf 2015-07-19 13:42:54 +0000 +@@ -3,5 +3,6 @@ + # permissions for querying dconf settings; granting write access should + # be specified in a specific application's profile. 
+ ++ /etc/dconf/** r, + owner /{,var/}run/user/*/dconf/user r, + owner @{HOME}/.config/dconf/user r, + +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' +--- profiles/apparmor.d/usr.lib.dovecot.imap 2014-12-22 16:41:59 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000 +@@ -27,6 +27,7 @@ + @{HOME} r, # ??? + /usr/lib/dovecot/imap mr, + /{,var/}run/dovecot/auth-master rw, ++ /{,var/}run/dovecot/mounts r, + + # Site-specific additions and overrides. See local/README for details. + #include + +=== modified file 'profiles/apparmor.d/usr.sbin.avahi-daemon' +--- profiles/apparmor.d/usr.sbin.avahi-daemon 2014-09-03 19:16:32 +0000 ++++ profiles/apparmor.d/usr.sbin.avahi-daemon 2015-07-24 20:03:30 +0000 +@@ -26,6 +26,7 @@ + /{,var/}run/avahi-daemon/ w, + /{,var/}run/avahi-daemon/pid krw, + /{,var/}run/avahi-daemon/socket w, ++ /{,var/}run/systemd/notify w, + + # Site-specific additions and overrides. See local/README for details. + #include + +=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq' +--- profiles/apparmor.d/usr.sbin.dnsmasq 2015-03-30 03:49:09 +0000 ++++ profiles/apparmor.d/usr.sbin.dnsmasq 2015-09-18 17:06:47 +0000 +@@ -45,7 +45,7 @@ + + /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage + +- /bin/bash ix, # Required to execute --dhcp-script argument ++ /bin/{ba,da,}sh ix, # Required to execute --dhcp-script argument + + # access to iface mtu needed for Router Advertisement messages in IPv6 + # Neighbor Discovery protocol (RFC 2461) + +=== modified file 'profiles/apparmor.d/usr.sbin.ntpd' +--- profiles/apparmor.d/usr.sbin.ntpd 2015-05-18 23:20:49 +0000 ++++ profiles/apparmor.d/usr.sbin.ntpd 2015-09-15 12:24:57 +0000 +@@ -37,6 +37,7 @@ + /etc/ntpd.conf.tmp r, + + /tmp/ntp* rwl, ++ /{usr/,usr/local/,}{s,}bin/ r, + /usr/sbin/ntpd rmix, + /var/lib/ntp/drift rwl, + /var/lib/ntp/drift.TEMP rwl, + +=== modified file 'profiles/apparmor.d/usr.sbin.winbindd' +--- profiles/apparmor.d/usr.sbin.winbindd 
2015-05-18 23:25:26 +0000 ++++ profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000 +@@ -15,7 +15,7 @@ + /etc/samba/secrets.tdb rwk, + /etc/samba/smbd.tmp/ rw, + /etc/samba/smbd.tmp/msg/ rw, +- /etc/samba/smbd.tmp/msg/* rw, ++ /etc/samba/smbd.tmp/msg/* rwk, + @{PROC}/sys/kernel/core_pattern r, + /tmp/.winbindd/ w, + /tmp/krb5cc_* rwk, + +=== modified file 'profiles/apparmor/profiles/extras/sbin.dhclient' +--- profiles/apparmor/profiles/extras/sbin.dhclient 2013-01-02 23:34:38 +0000 ++++ profiles/apparmor/profiles/extras/sbin.dhclient 2015-09-08 22:00:23 +0000 +@@ -1,6 +1,7 @@ + # ------------------------------------------------------------------ + # + # Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2015 Christian Boltz + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -25,6 +26,8 @@ + #include + #include + ++ capability net_raw, ++ + network packet packet, + network packet raw, + +@@ -47,13 +50,17 @@ + /usr/bin/uptime mrix, + /usr/bin/vmstat mrix, + /usr/bin/w mrix, ++ /usr/lib/nm-dhcp-helper rix, + /var/lib/dhcp/dhclient.leases rw, + /var/lib/dhcp/dhclient-*.leases rw, ++ /var/lib/dhcp6/dhclient.leases rw, ++ /var/lib/NetworkManager/dhclient-*.conf r, ++ /var/lib/NetworkManager/dhclient-*.lease rw, + /var/log/lastlog r, + /var/log/messages r, + /var/log/wtmp r, +- /{,var/}run/dhclient.pid rw, +- /{,var/}run/dhclient-*.pid rw, ++ /{,var/}run/dhclient.pid rw, ++ /{,var/}run/dhclient-*.pid rw, + /var/spool r, + /var/spool/mail r, + + +=== modified file 'profiles/apparmor/profiles/extras/usr.bin.skype' +--- profiles/apparmor/profiles/extras/usr.bin.skype 2013-01-02 23:34:38 +0000 ++++ profiles/apparmor/profiles/extras/usr.bin.skype 2015-07-27 23:15:31 +0000 +@@ -20,6 +20,7 @@ + + @{PROC}/sys/kernel/{ostype,osrelease} r, + @{PROC}/@{pid}/net/arp r, ++ @{PROC}/@{pid}/net/dev r, + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/cmdline r, + owner 
@{PROC}/@{pid}/fd/ r, +