From 86ade05802d90ec1df724cc87c07a147b2596aee65602f56c4afe7021677aaec Mon Sep 17 00:00:00 2001
From: Ruediger Oertel
Date: Mon, 10 Oct 2011 12:10:08 +0000
Subject: [PATCH] Accepting request 87208 from security:apparmor:factory

- add patch with upstream changes since 2.7.0 beta2 release
- add example parser.conf
- print warning if profile cache directory doesn't exist
- remove initscript for no longer existing aa-eventd (bnc#720617)
- set correct $HOME in aa-notify
- enable caching of profiles (= massive speedup) (bnc#689458)
- add comments for patches in .spec and comments in some patches
- run spec-cleaner
- add libtool as buildrequire to make the spec file more reliable

OBS-URL: https://build.opensuse.org/request/show/87208
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=24
---
 apparmor-2.5.1-ldapclient-profile | 6 +
 apparmor-2.7-changes-since-beta2.diff | 155 ++++++++++++++++++++++++++
 apparmor-enable-profile-cache.diff | 23 ++++
 apparmor-utils-string-split | 2 +-
 apparmor.changes | 17 +++
 apparmor.spec | 57 ++++++----
 6 files changed, 239 insertions(+), 21 deletions(-)
 create mode 100644 apparmor-2.7-changes-since-beta2.diff
 create mode 100644 apparmor-enable-profile-cache.diff

diff --git a/apparmor-2.5.1-ldapclient-profile b/apparmor-2.5.1-ldapclient-profile
index 76454ca..6d9e614 100644
--- a/apparmor-2.5.1-ldapclient-profile
+++ b/apparmor-2.5.1-ldapclient-profile
@@ -1,3 +1,9 @@
+Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
+
+- Splitted ldap related things from nameservice into separate
+ profile and added some missing paths (bnc#662761)
+
+
 ---
 profiles/apparmor.d/abstractions/ldapclient | 21 +++++++++++++++++++++
 profiles/apparmor.d/abstractions/nameservice | 8 +++-----
diff --git a/apparmor-2.7-changes-since-beta2.diff b/apparmor-2.7-changes-since-beta2.diff
new file mode 100644
index 0000000..08eacf3
--- /dev/null
+++ b/apparmor-2.7-changes-since-beta2.diff
@@ -0,0 +1,155 @@
+bzr diff -r1829..1834
+also create parser/parser.conf (forgotten in r1834, will probably be in r1835)
+
+=== modified file 'parser/Makefile'
+--- parser/Makefile 2011-09-01 18:57:54 +0000
++++ parser/Makefile 2011-10-07 21:43:54 +0000
+@@ -246,17 +246,14 @@
+ install-redhat:
+ install -m 755 -d $(DESTDIR)/etc/init.d
+ install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
+- install -m 755 rc.aaeventd.redhat $(DESTDIR)/etc/init.d/aaeventd
+
+ .PHONY: install-suse
+ install-suse:
+ install -m 755 -d $(DESTDIR)/etc/init.d
+ install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
+- install -m 755 rc.aaeventd.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/aaeventd
+ install -m 755 -d $(DESTDIR)/sbin
+ ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
+ ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
+- ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd
+
+ .PHONY: install-slackware
+ install-slackware:
+@@ -288,6 +285,7 @@
+ install-indep:
+ install -m 755 -d $(INSTALL_CONFDIR)
+ install -m 644 subdomain.conf $(INSTALL_CONFDIR)
++ install -m 644 parser.conf $(INSTALL_CONFDIR)
+ install -m 755 -d ${DESTDIR}/var/lib/apparmor
+ install -m 755 -d $(APPARMOR_BIN_PREFIX)
+ install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
+
+=== modified file 'parser/apparmor-parser.spec.in'
+--- parser/apparmor-parser.spec.in 2010-12-20 20:29:10 +0000
++++ parser/apparmor-parser.spec.in 2011-10-07 21:43:54 +0000
+@@ -103,6 +103,7 @@
+ /etc/init.d/aaeventd
+ %endif
+ %config(noreplace) /etc/apparmor/subdomain.conf
++%config(noreplace) /etc/apparmor/parser.conf
+ /var/lib/apparmor
+ %dir %attr(-, root, root) %{apparmor_bin_prefix}
+ %{apparmor_bin_prefix}/rc.apparmor.functions
+
+=== modified file 'parser/parser_main.c'
+--- parser/parser_main.c 2011-08-09 13:52:43 +0000
++++ parser/parser_main.c 2011-10-07 21:42:55 +0000
+@@ -1007,8 +1007,7 @@
+ }
+ else {
+ unlink(cachetemp);
+- if (show_cache
+- PERROR("Removed cache attempt: %s\n", cachetemp);
++ PERROR("Warning failed to create cache: %s\n", basename);
+ }
+ free(cachetemp);
+ }
+--- /dev/null
++++ parser/parser.conf
+@@ -0,0 +1,58 @@
++# parser.conf is a global AppArmor config file for the apparmor_parser
++#
++# It can be used to specify the default options for the parser, which
++# can then be overriden by options passed on the command line.
++#
++# Leading whitespace is ignored and lines that begin with # are treated
++# as comments.
++#
++# Config options are specified one per line using the same format as the
++# longform command line options (without the preceding --).
++#
++# If a value is specified twice the last version to appear is used.
++
++## Suppress Warnings
++#quiet
++
++## Be verbose
++#verbose
++
++## Set include path
++#Include /etc/apparmor.d/abstractions
++
++## Set location of apparmor filesystem
++#subdomainfs /sys/kernel/security/apparmor
++
++## Set match-string to use - for forcing compiler to treat different kernels
++## the same
++# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
++
++## Turn creating/updating of the cache on by default
++#write-cache
++
++## Show cache hits
++#show-cache
++
++## skip cached policy
++#skip-cache
++
++## skip reading cache but allow updating
++#skip-read-cache
++
++
++#### Set Optimizaions.
Multiple Optimizations can be set, one per line ####
++# For supported optimizations see
++# apparmor_parser --help=O
++
++## Turn on equivalence classes
++#equiv
++
++## Turn off expr tree simplification
++#Optimize=no-expr-simplify
++
++## Turn off DFA minimization
++#Optimize=no-minimize
++
++## Adjust compression
++#Optimize=compress-small
++#Optimize=compress-fast
+=== modified file 'utils/aa-notify'
+--- utils/aa-notify 2011-08-17 14:48:12 +0000
++++ utils/aa-notify 2011-09-30 23:00:52 +0000
+@@ -36,6 +36,8 @@
+ my $conf = "/etc/apparmor/notify.conf";
+ my $user_conf = "$ENV{HOME}/.apparmor/notify.conf";
+ my $notify_exe = "/usr/bin/notify-send";
++my $notify_home = "";
++my $notify_display = "";
+ my $last_exe = "/usr/bin/last";
+ my $ps_exe = "/bin/ps";
+ my $url = "https://wiki.ubuntu.com/DebuggingApparmor";
+@@ -154,6 +156,12 @@
+
+ if ($opt_p) {
+ -x "$notify_exe" or _error("Could not find '$notify_exe'. Please install libnotify-bin. Aborting");
++
++ # we need correct values for $HOME and $DISPLAY environment variables,
++ # otherwise $notify_exe won't be able to connect to DBUS to display the
++ # message. Do this here to avoid excessive lookups.
++ $notify_home = (getpwuid $>)[7]; # homedir of the user
++# TODO: set $notify_display;
+ } elsif ($opt_l) {
+ -x "$last_exe" or _error("Could not find '$last_exe'. Aborting");
+ }
+@@ -305,6 +313,9 @@
+ # notify-send needs $< to be the unprivileged user
+ $< = $>;
+
++ $notify_home ne "" and $ENV{'HOME'} = $notify_home;
++ $notify_display ne "" and $ENV{'DISPLAY'} = $notify_display;
++
+ # 'system' uses execvp() so no shell metacharacters here.
+ # $notify_exe is an absolute path so execvp won't search PATH.
+ system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$msg";
+
diff --git a/apparmor-enable-profile-cache.diff b/apparmor-enable-profile-cache.diff
new file mode 100644
index 0000000..821d8b8
--- /dev/null
+++ b/apparmor-enable-profile-cache.diff
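Review bot: In the utils/aa-notify part of this patch, `$notify_display` is initialised to `""` and nothing ever assigns it — the only reference is the `# TODO: set $notify_display;` comment — so `$notify_display ne "" and $ENV{'DISPLAY'} = $notify_display;` can never fire, while the comment above `$notify_home = (getpwuid $>)[7];` claims both `$HOME` and `$DISPLAY` are needed for notify-send to reach DBUS. Until the TODO is resolved the comment should match the code, e.g. `# only $HOME is corrected here; $DISPLAY is still inherited from the caller's environment`. Note also that `$user_conf` (context line in the first aa-notify hunk) is still built from the caller-supplied `$ENV{HOME}`, whereas the notify path now takes the home directory from the passwd entry of `$>`; if the two differ, the per-user config is read from one directory while notify-send is pointed at another, which is worth a comment at `$user_conf` or a single shared lookup. The parser_main.c hunk's enclosing function starts and ends outside the hunk.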
@@ -0,0 +1,23 @@
+Enable caching of profiles.
+
+This speeds up loading the (unchanged) profiles about 20 times.
+
+Upstream doesn't enable caching because the cache directory is not
+writeable at the time profiles are loaded in Ubuntu.
+
+See also bnc#689458
+
+
+Signed-off by: Christian Boltz
+
+--- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200
++++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200
+@@ -28,7 +28,7 @@
+ # match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
+
+ ## Turn creating/updating of the cache on by default
+-#write-cache
++write-cache
+
+ ## Show cache hits
+ #show-cache
diff --git a/apparmor-utils-string-split b/apparmor-utils-string-split
index 9c14a45..921854c 100644
--- a/apparmor-utils-string-split
+++ b/apparmor-utils-string-split
@@ -1,5 +1,5 @@
 From: Jeff Mahoney
-Subject: SubDomain.pm: Split long string
+Subject: AppArmor.pm: Split long string
 The string split here ends up not displaying well in yast.
 ---
diff --git a/apparmor.changes b/apparmor.changes
index 8cd3206..056145b 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Sun Oct 9 19:42:05 UTC 2011 - opensuse@cboltz.de
+
+- add patch with upstream changes since 2.7.0 beta2 release
+ - add example parser.conf
+ - print warning if profile cache directory doesn't exist
+ - remove initscript for no longer existing aa-eventd (bnc#720617)
+ - set correct $HOME in aa-notify
+- enable caching of profiles (= massive speedup) (bnc#689458)
+- add comments for patches in .spec and comments in some patches
+- run spec-cleaner
+
+-------------------------------------------------------------------
+Fri Sep 30 20:07:41 UTC 2011 - coolo@suse.com
+
+- add libtool as buildrequire to make the spec file more reliable
+
 -------------------------------------------------------------------
 Fri Sep 16 15:25:19 UTC 2011 - opensuse@cboltz.de
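Review bot: The patch header says upstream leaves `write-cache` off because the cache directory is not writable when profiles are loaded at boot, but it does not say why that concern does not apply here; with the spec in this request pointing `/etc/apparmor.d/cache` at `/var/cache/apparmor` (inferred from the apparmor.spec hunks, not from this file), a separately mounted `/var` that is not yet available when boot.apparmor runs would put this package in exactly the situation upstream avoids, and with the accompanying parser change every such boot would print `Warning failed to create cache`. A sentence in this header stating the assumption about when the cache directory is writable would help the next packager. It would also be worth stating that the cache directory must be owned and writable by root only, since once caching is on the parser reads the cached compiled policy instead of recompiling the profile (per the header's own description of the speedup and the `skip-cache`/`skip-read-cache` options in parser.conf).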
diff --git a/apparmor.spec b/apparmor.spec
index 3b79921..77241ac 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -53,7 +53,13 @@ Source1: %{name}-profile-editor.png
 Source2: %{name}-profile-editor.desktop
 Source3: update-trans.sh
-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# upstream changes since 2.7beta2 release
+Patch: apparmor-2.7-changes-since-beta2.diff
+
+# enable caching of profiles (= massive performance speedup when loading profiles)
+Patch1: apparmor-enable-profile-cache.diff
+
+# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch5: apparmor-utils-string-split
 # use autobuild everywhere. Patch applies to 2.6.1 only and probably won't be accepted upstream.
@@ -61,15 +67,15 @@ Patch10: apparmor-2.5.1-unified-build
 # requires Patch10
 Patch11: apparmor-2.5.1-rpmlint-asprintf
-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# Add support for eDirectory calls in abstractions/nameservice. Not accepted upstream (yet) because of open questions
 Patch12: apparmor-2.5.1-edirectory-profile
-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# split ldap related things from abstractions/nameservice to abstractions/ldapclient and add sasl support. TODO: send upstream
 Patch13: apparmor-2.5.1-ldapclient-profile
 # obsolete, upstream implemented this in another way
 Patch15: apparmor-remove-repo
-# PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+# remove after 12.1 release - bnc#720617 #c7
 Patch21: apparmor-utils-subdomain-compat
 License: GPLv2+
@@ -85,6 +91,7 @@ BuildRequires: bison
 BuildRequires: flex
 BuildRequires: gcc-c++
 BuildRequires: latex2html
+BuildRequires: libtool
 BuildRequires: pcre-devel
 BuildRequires: pkg-config
 BuildRequires: texlive-latex
@@ -225,13 +232,13 @@ Group: Development/Libraries/Perl
 Requires: libapparmor1 = %{version}
 Requires: perl = %{perl_version}
 Requires: perl(DBD::SQLite)
+Requires: perl(Locale::gettext)
 Requires: perl(RPC::XML)
+Requires: perl(RPC::XML)
+Requires: perl(Term::ReadKey)
 Requires: perl(Term::ReadKey)
 Provides: perl-libapparmor
 Obsoletes: perl-libapparmor < 2.5
-Requires: perl(Locale::gettext)
-Requires: perl(RPC::XML)
-Requires: perl(Term::ReadKey)
 %description -n perl-apparmor
 This package provides the perl interface to AppArmor. It is used for perl
@@ -302,9 +309,8 @@ BuildArch: noarch
 %description utils
 This package provides the aa-logprof, aa-genprof, aa-autodep, aa-enforce, and aa-complain tools to assist with profile authoring.
-Besides it provides the aa-unconfined server information tool and the
-aa-eventd event reporting system. It is part of a suite of tools that
-used to be named SubDomain.
+Besides it provides the aa-unconfined server information tool.
+It is part of a suite of tools that used to be named SubDomain.
 %if %{with tomcat}
@@ -397,6 +403,8 @@ SubDomain.
 %prep
 %setup -q -n %{name}-%{versiondir}
+%patch -p0
+%patch1 -p1
 %patch5 -p1
 #%patch10 -p1 # disabled, see above
 #%patch11 -p1 # disabled, see above
@@ -482,9 +490,16 @@ make -C profiles
 # utilities
 %makeinstall -C utils
-mkdir -p %{buildroot}/var/log/apparmor
+mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
+
+%makeinstall -C profiles
+mkdir %{buildroot}%{_sysconfdir}/apparmor.d/disable
 %makeinstall -C parser
+# default cache dir is /etc/apparmor.d/cache - not the best location.
+# Use /var/cache/apparmor and make /etc/apparmor.d/cache a symlink to it
+mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
+( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache )
 %if %{with apache}
 %makeinstall -C changehat/mod_apparmor
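Review bot: After this hunk the perl-apparmor subpackage still declares `Requires: perl(RPC::XML)` and `Requires: perl(Term::ReadKey)` twice each: the old duplicates below `Obsoletes:` are removed, but the regrouped block above now contains both the original line and the moved copy. rpm tolerates repeated Requires, but since the commit message says spec-cleaner was run to tidy the spec, the two added lines `+Requires: perl(RPC::XML)` and `+Requires: perl(Term::ReadKey)` should be dropped, leaving `Requires: perl(Locale::gettext)` as the only addition to the block.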
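Review bot: In the %install hunk the symlink target `../../%{_localstatedir}/cache/apparmor` expands to `../..//var/cache/apparmor`, because `%{_localstatedir}` is itself absolute (the same hunk replaces the literal `/var/log/apparmor` with `%{_localstatedir}/log/apparmor`); it resolves, but `ln -s ../..%{_localstatedir}/cache/apparmor cache` gives a clean link. The move of `%makeinstall -C profiles` ahead of the parser install is not explained; presumably it is needed so that the `cd %{buildroot}/%{_sysconfdir}/apparmor.d/` a few lines later finds the directory the profiles install creates, and a one-line comment saying so would save the next reader the guess. Whether a failed `cd` inside the `( … && … )` subshell aborts the build depends on the build shell running with `-e`, which is not visible here; `ln -s ../..%{_localstatedir}/cache/apparmor %{buildroot}%{_sysconfdir}/apparmor.d/cache` avoids the subshell and the question.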
@@ -494,8 +509,6 @@ mkdir -p %{buildroot}/var/log/apparmor
 %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
 %endif
-%makeinstall -C profiles
-
 %if %{with tomcat}
 mkdir -p %{buildroot}/%{CATALINA_HOME}
 %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
@@ -549,18 +562,19 @@ echo -------------------------------------------------------------------
 %doc parser/README parser/COPYING.GPL
 /sbin/apparmor_parser
 %dir %attr(-, root, root) %{_sysconfdir}/apparmor
+%dir %{_sysconfdir}/apparmor.d
+%{_sysconfdir}/apparmor.d/cache
+%dir %{_localstatedir}/cache/apparmor
 %if %{distro} == "suse"
 /sbin/rcsubdomain
 /sbin/rcapparmor
 %{_sysconfdir}/init.d/boot.apparmor
- /sbin/rcaaeventd
- %{_sysconfdir}/init.d/aaeventd
 %else
 %{_sysconfdir}/init.d/apparmor
- %{_sysconfdir}/init.d/aaeventd
 %endif
 %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
-/var/lib/apparmor
+%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
+%{_localstatedir}/lib/apparmor
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions
 %doc %{_mandir}/man5/apparmor.d.5.gz
@@ -605,6 +619,7 @@ fi
 %files profiles
 %defattr(644,root,root,755)
 %config(noreplace) %{_sysconfdir}/apparmor.d/
+%exclude %{_sysconfdir}/apparmor.d/cache
 %dir %{_sysconfdir}/apparmor/
 %dir %{_sysconfdir}/apparmor/profiles
 %config %{_sysconfdir}/apparmor/profiles/extras/
@@ -616,8 +631,8 @@ fi
 %config(noreplace) %{_sysconfdir}/apparmor/notify.conf
 %config(noreplace) %{_sysconfdir}/apparmor/severity.db
 %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
-%{_prefix}/sbin/*
-%dir /var/log/apparmor
+%{_sbindir}/*
+%dir %{_localstatedir}/log/apparmor
 %doc %{_mandir}/man2/aa_change_profile.2.gz
 %doc %{_mandir}/man5/logprof.conf.5.gz
 %doc %{_mandir}/man8/apparmor_notify.8.gz
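Review bot: In the `%files parser` hunk the new `%dir %{_localstatedir}/cache/apparmor` line carries no `%attr`, unlike the sibling `%dir %attr(-, root, root) %{_sysconfdir}/apparmor` three lines above it, so its ownership falls back to the section's `%defattr`, which is outside this hunk. Because this directory is where the parser now writes its cache and from which it reads compiled policy (write-cache is switched on by Patch1 in this request), its ownership and mode are part of the trust boundary for the policy that ends up in the kernel; `%dir %attr(-, root, root) %{_localstatedir}/cache/apparmor` makes that explicit and consistent with the neighbouring line. The `%exclude %{_sysconfdir}/apparmor.d/cache` in the profiles section pairs correctly with the symlink being packaged in parser, so no change is needed there.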
@@ -749,10 +764,12 @@ fi
 %preun parser
 if [ "$1" = 0 ] ; then
 %if %{distro} == "suse"
+ # TODO: aaeventd no longer exists - how to handle it?
 %{stop_on_removal aaeventd}
 %{stop_on_removal boot.apparmor}
 %endif
 %if %{distro} == "redhat" || %{distro} == "rhel4"
+ # TODO: aaeventd no longer exists - how to handle it?
 chkconfig --del aaeventd
 chkconfig --del apparmor
 %endif
@@ -760,7 +777,7 @@ fi
 %postun parser
 %if %{distro} == "suse"
- %restart_on_update aaeventd boot.apparmor
+ %restart_on_update boot.apparmor
 %{insserv_cleanup} || true
 %endif
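Review bot: The added TODO comments flag the problem but leave `%{stop_on_removal aaeventd}` and `chkconfig --del aaeventd` in place, so `%preun parser` still acts on an init script this package no longer installs (the aaeventd entries are removed from `%files` elsewhere in this change). Since the following hunk already drops aaeventd from `%restart_on_update`, the same can be done here, keeping `%{stop_on_removal boot.apparmor}` and `chkconfig --del apparmor` alone. If the intent is to clean up stale init links left behind by an older package version, note that this scriptlet only runs when `"$1" = 0`, i.e. on final removal of this package, so that cleanup would belong in the upgrade path instead, and the TODO should say which case is meant.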