Accepting request 87208 from security:apparmor:factory

- add patch with upstream changes since 2.7.0 beta2 release - add example parser.conf - print warning if profile cache directory doesn't exist - remove initscript for no longer existing aa-eventd (bnc#720617) - set correct $HOME in aa-notify - enable caching of profiles (= massive speedup) (bnc#689458) - add comments for patches in .spec and comments in some patches - run spec-cleaner - add libtool as buildrequire to make the spec file more reliable OBS-URL: https://build.opensuse.org/request/show/87208 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=24
2011-10-10 12:10:08 +00:00 · 2011-10-10 12:10:08 +00:00 · 86ade05802
commit 86ade05802
parent 57ed84dd83
6 changed files with 239 additions and 21 deletions
--- a/apparmor-2.5.1-ldapclient-profile
+++ b/apparmor-2.5.1-ldapclient-profile
@ -1,3 +1,9 @@
+Thu Jan  6 16:23:19 UTC 2011 - rhafer@suse.de
+
+- Splitted ldap related things from nameservice into separate
+  profile and added some missing paths (bnc#662761)
+
+
 ---
 profiles/apparmor.d/abstractions/ldapclient  |   21 +++++++++++++++++++++
 profiles/apparmor.d/abstractions/nameservice |    8 +++-----
--- a/apparmor-2.7-changes-since-beta2.diff
+++ b/apparmor-2.7-changes-since-beta2.diff
@ -0,0 +1,155 @@
+bzr diff -r1829..1834
+also create parser/parser.conf (forgotten in r1834, will probably be in r1835)
+
+=== modified file 'parser/Makefile'
+--- parser/Makefile	2011-09-01 18:57:54 +0000
+++ parser/Makefile	2011-10-07 21:43:54 +0000
+@@ -246,17 +246,14 @@
+ install-redhat:
+ 	install -m 755 -d $(DESTDIR)/etc/init.d
+ 	install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
+-	install -m 755 rc.aaeventd.redhat $(DESTDIR)/etc/init.d/aaeventd
+ 
+ .PHONY: install-suse
+ install-suse:
+ 	install -m 755 -d $(DESTDIR)/etc/init.d
+ 	install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
+-	install -m 755 rc.aaeventd.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/aaeventd
+ 	install -m 755 -d $(DESTDIR)/sbin
+ 	ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
+ 	ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
+-	ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd
+ 
+ .PHONY: install-slackware
+ install-slackware:
+@@ -288,6 +285,7 @@
+ install-indep:
+ 	install -m 755 -d $(INSTALL_CONFDIR)
+ 	install -m 644 subdomain.conf $(INSTALL_CONFDIR)
+	install -m 644 parser.conf $(INSTALL_CONFDIR)
+ 	install -m 755 -d ${DESTDIR}/var/lib/apparmor
+ 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
+ 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
+
+=== modified file 'parser/apparmor-parser.spec.in'
+--- parser/apparmor-parser.spec.in	2010-12-20 20:29:10 +0000
+++ parser/apparmor-parser.spec.in	2011-10-07 21:43:54 +0000
+@@ -103,6 +103,7 @@
+   /etc/init.d/aaeventd
+ %endif
+ %config(noreplace) /etc/apparmor/subdomain.conf
+%config(noreplace) /etc/apparmor/parser.conf
+ /var/lib/apparmor
+ %dir %attr(-, root, root) %{apparmor_bin_prefix}
+ %{apparmor_bin_prefix}/rc.apparmor.functions
+
+=== modified file 'parser/parser_main.c'
+--- parser/parser_main.c	2011-08-09 13:52:43 +0000
+++ parser/parser_main.c	2011-10-07 21:42:55 +0000
+@@ -1007,8 +1007,7 @@
+ 		}
+ 		else {
+ 			unlink(cachetemp);
+-			if (show_cache)
+-				PERROR("Removed cache attempt: %s\n", cachetemp);
+			PERROR("Warning failed to create cache: %s\n", basename);
+ 		}
+ 		free(cachetemp);
+ 	}
+--- /dev/null
+++ parser/parser.conf
+@@ -0,0 +1,58 @@
+# parser.conf is a global AppArmor config file for the apparmor_parser
+#
+# It can be used to specify the default options for the parser, which
+# can then be overriden by options passed on the command line.
+#
+# Leading whitespace is ignored and lines that begin with # are treated
+# as comments.
+#
+# Config options are specified one per line using the same format as the
+# longform command line options (without the preceding --).
+#
+# If a value is specified twice the last version to appear is used.
+
+## Suppress Warnings
+#quiet
+
+## Be verbose
+#verbose
+
+## Set include path
+#Include /etc/apparmor.d/abstractions
+
+## Set location of apparmor filesystem
+#subdomainfs /sys/kernel/security/apparmor
+
+## Set match-string to use - for forcing compiler to treat different kernels
+## the same
+# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
+
+## Turn creating/updating of the cache on by default
+#write-cache
+
+## Show cache hits
+#show-cache
+
+## skip cached policy
+#skip-cache
+
+## skip reading cache but allow updating
+#skip-read-cache
+
+
+#### Set Optimizaions.  Multiple Optimizations can be set, one per line ####
+# For supported optimizations see
+#   apparmor_parser --help=O
+
+## Turn on equivalence classes
+#equiv
+
+## Turn off expr tree simplification
+#Optimize=no-expr-simplify
+
+## Turn off DFA minimization
+#Optimize=no-minimize
+
+## Adjust compression
+#Optimize=compress-small
+#Optimize=compress-fast
+=== modified file 'utils/aa-notify'
+--- utils/aa-notify	2011-08-17 14:48:12 +0000
+++ utils/aa-notify	2011-09-30 23:00:52 +0000
+@@ -36,6 +36,8 @@
+ my $conf = "/etc/apparmor/notify.conf";
+ my $user_conf = "$ENV{HOME}/.apparmor/notify.conf";
+ my $notify_exe = "/usr/bin/notify-send";
+my $notify_home = "";
+my $notify_display = "";
+ my $last_exe = "/usr/bin/last";
+ my $ps_exe = "/bin/ps";
+ my $url = "https://wiki.ubuntu.com/DebuggingApparmor";
+@@ -154,6 +156,12 @@
+ 
+ if ($opt_p) {
+     -x "$notify_exe" or _error("Could not find '$notify_exe'. Please install libnotify-bin. Aborting");
+
+    # we need correct values for $HOME and $DISPLAY environment variables,
+    # otherwise $notify_exe won't be able to connect to DBUS to display the
+    # message. Do this here to avoid excessive lookups.
+    $notify_home = (getpwuid $>)[7]; # homedir of the user
+# TODO: set $notify_display;
+ } elsif ($opt_l) {
+     -x "$last_exe" or _error("Could not find '$last_exe'. Aborting");
+ }
+@@ -305,6 +313,9 @@
+         # notify-send needs $< to be the unprivileged user
+         $< = $>;
+ 
+        $notify_home ne "" and $ENV{'HOME'} = $notify_home;
+        $notify_display ne "" and $ENV{'DISPLAY'} = $notify_display;
+
+         # 'system' uses execvp() so no shell metacharacters here.
+         # $notify_exe is an absolute path so execvp won't search PATH.
+         system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$msg";
+
--- a/apparmor-enable-profile-cache.diff
+++ b/apparmor-enable-profile-cache.diff
@ -0,0 +1,23 @@
+Enable caching of profiles.
+
+This speeds up loading the (unchanged) profiles about 20 times.
+
+Upstream doesn't enable caching because the cache directory is not 
+writeable at the time profiles are loaded in Ubuntu.
+
+See also bnc#689458
+
+
+Signed-off by: Christian Boltz <apparmor@cboltz.de>
+
+--- a/parser/parser.conf_ORIG	2011-10-09 20:59:31.000000000 +0200
+++ b/parser/parser.conf	2011-10-09 21:00:15.000000000 +0200
+@@ -28,7 +28,7 @@
+ # match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
+ 
+ ## Turn creating/updating of the cache on by default
+-#write-cache
+write-cache
+ 
+ ## Show cache hits
+ #show-cache
--- a/2
+++ b/2
@ -1,5 +1,5 @@
 From: Jeff Mahoney <jeffm@suse.com>
-Subject: SubDomain.pm: Split long string
+Subject: AppArmor.pm: Split long string

 The string split here ends up not displaying well in yast.
 ---
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Sun Oct  9 19:42:05 UTC 2011 - opensuse@cboltz.de
+
+- add patch with upstream changes since 2.7.0 beta2 release
+  - add example parser.conf
+  - print warning if profile cache directory doesn't exist
+  - remove initscript for no longer existing aa-eventd (bnc#720617)
+  - set correct $HOME in aa-notify
+- enable caching of profiles (= massive speedup) (bnc#689458)
+- add comments for patches in .spec and comments in some patches
+- run spec-cleaner
+
+-------------------------------------------------------------------
+Fri Sep 30 20:07:41 UTC 2011 - coolo@suse.com
+
+- add libtool as buildrequire to make the spec file more reliable
+
 -------------------------------------------------------------------
 Fri Sep 16 15:25:19 UTC 2011 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -53,7 +53,13 @@ Source1:        %{name}-profile-editor.png
 Source2:        %{name}-profile-editor.desktop
 Source3:        update-trans.sh

-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# upstream changes since 2.7beta2 release
+Patch:          apparmor-2.7-changes-since-beta2.diff
+
+# enable caching of profiles (= massive performance speedup when loading profiles)
+Patch1:         apparmor-enable-profile-cache.diff
+
+# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch5:         apparmor-utils-string-split

 # use autobuild everywhere. Patch applies to 2.6.1 only and probably won't be accepted upstream.
@ -61,15 +67,15 @@ Patch10:        apparmor-2.5.1-unified-build
 # requires Patch10
 Patch11:        apparmor-2.5.1-rpmlint-asprintf

-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
 Patch12:        apparmor-2.5.1-edirectory-profile
-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# split ldap related things from abstractions/nameservice to abstractions/ldapclient and add sasl support. TODO: send upstream
 Patch13:        apparmor-2.5.1-ldapclient-profile

 # obsolete, upstream implemented this in another way
 Patch15:        apparmor-remove-repo

-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# remove after 12.1 release - bnc#720617 #c7
 Patch21:        apparmor-utils-subdomain-compat

 License:        GPLv2+
@ -85,6 +91,7 @@ BuildRequires:  bison
 BuildRequires:  flex
 BuildRequires:  gcc-c++
 BuildRequires:  latex2html
+BuildRequires:  libtool
 BuildRequires:  pcre-devel
 BuildRequires:  pkg-config
 BuildRequires:  texlive-latex
@ -225,13 +232,13 @@ Group:          Development/Libraries/Perl
 Requires:       libapparmor1 = %{version}
 Requires:       perl = %{perl_version}
 Requires:       perl(DBD::SQLite)
+Requires:       perl(Locale::gettext)
 Requires:       perl(RPC::XML)
+Requires:       perl(RPC::XML)
+Requires:       perl(Term::ReadKey)
 Requires:       perl(Term::ReadKey)
 Provides:       perl-libapparmor
 Obsoletes:      perl-libapparmor < 2.5
-Requires:       perl(Locale::gettext)
-Requires:       perl(RPC::XML)
-Requires:       perl(Term::ReadKey)

 %description -n perl-apparmor
 This package provides the perl interface to AppArmor. It is used for perl
@ -302,9 +309,8 @@ BuildArch:      noarch
 %description utils
 This package provides the aa-logprof, aa-genprof, aa-autodep,
 aa-enforce, and aa-complain tools to assist with profile authoring.
-Besides it provides the aa-unconfined server information tool and the
-aa-eventd event reporting system. It is part of a suite of tools that
-used to be named SubDomain.
+Besides it provides the aa-unconfined server information tool. 
+It is part of a suite of tools that used to be named SubDomain.

 %if %{with tomcat}

@ -397,6 +403,8 @@ SubDomain.

 %prep
 %setup -q -n %{name}-%{versiondir}
+%patch -p0
+%patch1 -p1
 %patch5 -p1
 #%patch10 -p1 # disabled, see above
 #%patch11 -p1 # disabled, see above
@ -482,9 +490,16 @@ make -C profiles

 # utilities
 %makeinstall -C utils
-mkdir -p %{buildroot}/var/log/apparmor
+mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
+
+%makeinstall -C profiles
+mkdir %{buildroot}%{_sysconfdir}/apparmor.d/disable

 %makeinstall -C parser
+# default cache dir is /etc/apparmor.d/cache - not the best location. 
+# Use /var/cache/apparmor and make /etc/apparmor.d/cache a symlink to it
+mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
+( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache )

 %if %{with apache}
  %makeinstall -C changehat/mod_apparmor
@ -494,8 +509,6 @@ mkdir -p %{buildroot}/var/log/apparmor
  %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
 %endif

-%makeinstall -C profiles
-
 %if %{with tomcat}
  mkdir -p %{buildroot}/%{CATALINA_HOME}
  %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
@ -549,18 +562,19 @@ echo -------------------------------------------------------------------
 %doc parser/README parser/COPYING.GPL
 /sbin/apparmor_parser
 %dir %attr(-, root, root) %{_sysconfdir}/apparmor
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/cache
+%dir %{_localstatedir}/cache/apparmor
 %if %{distro} == "suse"
  /sbin/rcsubdomain
  /sbin/rcapparmor
  %{_sysconfdir}/init.d/boot.apparmor
-  /sbin/rcaaeventd
-  %{_sysconfdir}/init.d/aaeventd
 %else
  %{_sysconfdir}/init.d/apparmor
-  %{_sysconfdir}/init.d/aaeventd
 %endif
 %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
-/var/lib/apparmor
+%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
+%{_localstatedir}/lib/apparmor
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions
 %doc %{_mandir}/man5/apparmor.d.5.gz
@ -605,6 +619,7 @@ fi
 %files profiles
 %defattr(644,root,root,755)
 %config(noreplace) %{_sysconfdir}/apparmor.d/
+%exclude %{_sysconfdir}/apparmor.d/cache
 %dir %{_sysconfdir}/apparmor/
 %dir %{_sysconfdir}/apparmor/profiles
 %config %{_sysconfdir}/apparmor/profiles/extras/
@ -616,8 +631,8 @@ fi
 %config(noreplace) %{_sysconfdir}/apparmor/notify.conf
 %config(noreplace) %{_sysconfdir}/apparmor/severity.db
 %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
-%{_prefix}/sbin/*
-%dir /var/log/apparmor
+%{_sbindir}/*
+%dir %{_localstatedir}/log/apparmor
 %doc %{_mandir}/man2/aa_change_profile.2.gz
 %doc %{_mandir}/man5/logprof.conf.5.gz
 %doc %{_mandir}/man8/apparmor_notify.8.gz
@ -749,10 +764,12 @@ fi
 %preun parser
 if [ "$1" = 0 ] ; then
 %if %{distro} == "suse"
+  # TODO: aaeventd no longer exists - how to handle it?
  %{stop_on_removal aaeventd}
  %{stop_on_removal boot.apparmor}
 %endif
 %if %{distro} == "redhat" || %{distro} == "rhel4"
+  # TODO: aaeventd no longer exists - how to handle it?
  chkconfig --del aaeventd
  chkconfig --del apparmor
 %endif
@ -760,7 +777,7 @@ fi

 %postun parser
 %if %{distro} == "suse"
-  %restart_on_update aaeventd boot.apparmor
+  %restart_on_update boot.apparmor
  %{insserv_cleanup} || true
 %endif