diff --git a/apparmor-changes-since-2.9.1.diff b/apparmor-changes-since-2.9.1.diff
new file mode 100644
index 0000000..3ec6534
--- /dev/null
+++ b/apparmor-changes-since-2.9.1.diff
@@ -0,0 +1,374 @@ +------------------------------------------------------------ +revno: 2839 +committer: Christian Boltz +branch nick: 2.9 +timestamp: Sun 2015-01-18 14:57:10 +0100 +message: + Add some tests for logparser.py based on the log lines from + https://bugs.launchpad.net/apparmor/+bug/1399027 + + Also move some existing tests from aa_test.py to test-logparser.py and + adds checks for RE_LOG_v2_6_audit and RE_LOG_v2_6_syslog to them. + + + Acked-by: Steve Beattie for trunk and 2.9 +------------------------------------------------------------ +revno: 2838 +committer: Christian Boltz +branch nick: 2.9 +timestamp: Sat 2015-01-17 14:35:38 +0100 +message: + update logparser.py to support the changed syslog format by adding + (audit:\s+)? to RE_LOG_v2_6_syslog + + References: https://bugs.launchpad.net/apparmor/+bug/1399027 + + + Acked-by: Seth Arnold (for trunk) + + Acked-by: Steve Beattie for 2.9 as well +------------------------------------------------------------ +revno: 2837 +committer: Christian Boltz +branch nick: 2.9 +timestamp: Mon 2014-12-22 17:57:40 +0100 +message: + Fix the dnsmasq profile to allow executing bash to run the --dhcp-script + argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt + leasehelper script to run even on x86_64. + + References: https://bugzilla.opensuse.org/show_bug.cgi?id=911001 + + Patch by "Cédric Bosdonnat" + + Note: the original patch used {lib,lib64} - I changed it to lib{,64} to + match the style we typically use. + + Acked-by: John Johansen + + (backport of trunk r2841) +------------------------------------------------------------ +revno: 2836 +committer: Christian Boltz +branch nick: 2.9 +timestamp: Mon 2014-12-22 17:51:02 +0100 +message: + update and cleanup usr.sbin.dovecot profile + + Add #include to the usr.sbin.dovecot + profile. 
Effectively this adds "deny capability block_suspend," which + is the only missing part from + https://bugs.launchpad.net/apparmor/+bug/1296667/ + + Also remove "capability setgid," (covered by + abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of + abstractions/base). + + Acked-by: John Johansen + + (backport of trunk r2840) +------------------------------------------------------------ +revno: 2835 +committer: Christian Boltz +branch nick: 2.9 +timestamp: Mon 2014-12-22 17:43:54 +0100 +message: + Add some missing /run/dovecot/* to usr.lib.dovecot.imap{, -login} + + Add the needed permissions as reported in + https://bugs.launchpad.net/apparmor/+bug/1296667/ comment #1 + to the usr.lib.dovecot.imap and imap-login profiles. + + Acked-by: John Johansen + + (backport of trunk r2839) +------------------------------------------------------------ +revno: 2834 +committer: Christian Boltz +branch nick: 2.9 +timestamp: Mon 2014-12-22 17:39:29 +0100 +message: + update the mysqld profile in the extras directory to + something that works on my servers ;-) + + Acked-by: John Johansen + + (backport of trunk r2838) +------------------------------------------------------------ +revno: 2833 +committer: Christian Boltz +branch nick: 2.9 +timestamp: Fri 2014-12-19 13:57:12 +0100 +message: + fix network rule description in apparmor.d.pod + + (backport from trunk r2837) + + Acked-by: John Johansen (for trunk) + + Acked-by: Steve Beattie (for 2.9) +------------------------------------------------------------ + + +=== modified file 'parser/apparmor.d.pod' +--- parser/apparmor.d.pod 2014-12-12 14:20:31 +0000 ++++ parser/apparmor.d.pod 2014-12-19 12:57:12 +0000 +@@ -61,7 +61,7 @@ + B = (lowercase capability name without 'CAP_' prefix; see + capabilities(7)) + +-B = 'network' [ [ I ] [ I ] [ I ] ] ',' ++B = 'network' [ [ I [ I | I ] ] | [ I ] ] ',' + + B = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 
'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' ) ',' + + +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' +--- profiles/apparmor.d/usr.lib.dovecot.imap 2014-09-25 22:37:14 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-12-22 16:43:54 +0000 +@@ -26,6 +26,7 @@ + + @{HOME} r, # ??? + /usr/lib/dovecot/imap mr, ++ /{,var/}run/dovecot/auth-master rw, + + # Site-specific additions and overrides. See local/README for details. + #include + +=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login' +--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-06-27 19:14:53 +0000 ++++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-12-22 16:43:54 +0000 +@@ -24,6 +24,7 @@ + network inet6 stream, + + /usr/lib/dovecot/imap-login mr, ++ /{,var/}run/dovecot/anvil rw, + /{,var/}run/dovecot/login/ r, + /{,var/}run/dovecot/login/* rw, + + +=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq' +--- profiles/apparmor.d/usr.sbin.dnsmasq 2014-12-02 17:46:26 +0000 ++++ profiles/apparmor.d/usr.sbin.dnsmasq 2014-12-22 16:57:40 +0000 +@@ -45,6 +45,8 @@ + + /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage + ++ /bin/bash ix, # Required to execute --dhcp-script argument ++ + # access to iface mtu needed for Router Advertisement messages in IPv6 + # Neighbor Discovery protocol (RFC 2461) + @{PROC}/sys/net/ipv6/conf/*/mtu r, +@@ -64,7 +66,7 @@ + /{,var/}run/libvirt/network/*.pid rw, + + # libvirt lease helper +- /usr/lib/libvirt/libvirt_leaseshelper ix, ++ /usr/lib{,64}/libvirt/libvirt_leaseshelper ix, + /{,var/}run/leaseshelper.pid rwk, + + # NetworkManager integration + +=== modified file 'profiles/apparmor.d/usr.sbin.dovecot' +--- profiles/apparmor.d/usr.sbin.dovecot 2014-09-03 19:45:56 +0000 ++++ profiles/apparmor.d/usr.sbin.dovecot 2014-12-22 16:51:02 +0000 +@@ -15,6 +15,7 @@ + /usr/sbin/dovecot { + #include + #include ++ #include + #include + #include + 
#include +@@ -25,7 +26,6 @@ + capability fsetid, + capability kill, + capability net_bind_service, +- capability setgid, + capability setuid, + capability sys_chroot, + +@@ -34,7 +34,6 @@ + /etc/lsb-release r, + /etc/SuSE-release r, + @{PROC}/@{pid}/mounts r, +- @{PROC}/filesystems r, + /usr/bin/doveconf rix, + /usr/lib/dovecot/anvil Px, + /usr/lib/dovecot/auth Px, + +=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.mysqld' +--- profiles/apparmor/profiles/extras/usr.sbin.mysqld 2007-05-16 18:51:46 +0000 ++++ profiles/apparmor/profiles/extras/usr.sbin.mysqld 2014-12-22 16:39:29 +0000 +@@ -1,6 +1,9 @@ ++# Last Modified: Mon Dec 1 22:23:12 2014 ++ + # ------------------------------------------------------------------ + # + # Copyright (C) 2002-2005 Novell/SUSE ++# Copyright (C) 2014 Christian Boltz + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -8,12 +11,12 @@ + # + # ------------------------------------------------------------------ + # vim:syntax=apparmor +-# Last Modified: Wed Aug 17 14:28:07 2005 + + #include + + /usr/sbin/mysqld { + #include ++ #include + #include + #include + +@@ -21,8 +24,22 @@ + capability setgid, + capability setuid, + ++ /etc/hosts.allow r, ++ /etc/hosts.deny r, + /etc/my.cnf r, ++ /etc/my.cnf.d/ r, ++ /etc/my.cnf.d/*.cnf r, ++ /root/.my.cnf r, ++ /usr/lib{,32,64}/**.so mr, + /usr/sbin/mysqld r, ++ /usr/share/mariadb/*/errmsg.sys r, ++ /usr/share/mysql-community-server/*/errmsg.sys r, + /usr/share/mysql/** r, +- /var/lib/mysql/** lrw, ++ /var/lib/mysql/ r, ++ /var/lib/mysql/** rwl, ++ /var/log/mysql/mysqld-upgrade-run.log w, ++ /var/log/mysql/mysqld.log w, ++ /var/log/mysql/mysqld.log-20* w, ++ /{,var/}run/mysql/mysqld.pid w, ++ + } + +=== modified file 'utils/apparmor/logparser.py' +--- utils/apparmor/logparser.py 2014-08-20 22:55:44 +0000 ++++ utils/apparmor/logparser.py 2015-01-17 13:35:38 +0000 +@@ -25,7 +25,7 @@ + _ = 
init_translation() + + class ReadLog: +- RE_LOG_v2_6_syslog = re.compile('kernel:\s+(\[[\d\.\s]+\]\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=') ++ RE_LOG_v2_6_syslog = re.compile('kernel:\s+(\[[\d\.\s]+\]\s+)?(audit:\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=') + RE_LOG_v2_6_audit = re.compile('type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=') + # Used by netdomain to identify the operation types + # New socket names + +=== modified file 'utils/test/aa_test.py' +--- utils/test/aa_test.py 2014-07-26 00:49:06 +0000 ++++ utils/test/aa_test.py 2015-01-18 13:57:10 +0000 +@@ -86,29 +86,6 @@ + for path in globs.keys(): + self.assertEqual(apparmor.aa.glob_path_withext(path), globs[path], 'Unexpected glob generated for path: %s'%path) + +- def test_parse_event(self): +- parser = apparmor.logparser.ReadLog('', '', '', '', '') +- event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30' +- parsed_event = parser.parse_event(event) +- self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg', 'Incorrectly parsed/decoded name') +- self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo', 'Incorrectly parsed/decode profile name') +- self.assertEqual(parsed_event['aamode'], 'PERMITTING') +- self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a'])) +- #print(parsed_event) +- +- #event = 'type=AVC msg=audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name=74657374207370616365 pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0' +- #parsed_event = apparmor.aa.parse_event(event) +- #print(parsed_event) +- +- 
event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000' +- parsed_event = parser.parse_event(event) +- self.assertEqual(parsed_event['name'], '/home/foo/.bash_history', 'Incorrectly parsed/decoded name') +- self.assertEqual(parsed_event['profile'], 'foo bar', 'Incorrectly parsed/decode profile name') +- self.assertEqual(parsed_event['aamode'], 'PERMITTING') +- self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a'])) +- #print(parsed_event) +- +- + def test_modes_to_string(self): + + for string in self.MODE_TEST.keys(): + +=== added file 'utils/test/test-logparser.py' +--- utils/test/test-logparser.py 1970-01-01 00:00:00 +0000 ++++ utils/test/test-logparser.py 2015-01-18 13:57:10 +0000 +@@ -0,0 +1,71 @@ ++# ---------------------------------------------------------------------- ++# Copyright (C) 2013 Kshitij Gupta ++# Copyright (C) 2015 Christian Boltz ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of version 2 of the GNU General Public ++# License as published by the Free Software Foundation. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# ---------------------------------------------------------------------- ++import unittest ++ ++from apparmor.logparser import ReadLog ++ ++class TestParseEvent(unittest.TestCase): ++ def setUp(self): ++ self.parser = ReadLog('', '', '', '', '') ++ ++ def test_parse_event_audit_1(self): ++ event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30' ++ parsed_event = self.parser.parse_event(event) ++ self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg') ++ self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo') ++ self.assertEqual(parsed_event['aamode'], 'PERMITTING') ++ self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a'])) ++ ++ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event)) ++ self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event)) ++ ++ def test_parse_event_audit_2(self): ++ event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000' ++ parsed_event = self.parser.parse_event(event) ++ self.assertEqual(parsed_event['name'], '/home/foo/.bash_history') ++ self.assertEqual(parsed_event['profile'], 'foo bar') ++ self.assertEqual(parsed_event['aamode'], 'PERMITTING') ++ self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a'])) ++ ++ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event)) ++ self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event)) ++ ++ def test_parse_event_syslog_1(self): ++ # from 
https://bugs.launchpad.net/apparmor/+bug/1399027 ++ event = '2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0' ++ parsed_event = self.parser.parse_event(event) ++ self.assertEqual(parsed_event['name'], '/dev/tty') ++ self.assertEqual(parsed_event['profile'], '/home/cb/linuxtag/apparmor/scripts/hello') ++ self.assertEqual(parsed_event['aamode'], 'PERMITTING') ++ self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a', '::r', '::w', '::a'])) ++ ++ self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event)) ++ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event)) ++ ++ def test_parse_event_syslog_2(self): ++ # from https://bugs.launchpad.net/apparmor/+bug/1399027 ++ event = 'Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0' ++ parsed_event = self.parser.parse_event(event) ++ self.assertEqual(parsed_event['name'], '/usr/bin/') ++ self.assertEqual(parsed_event['profile'], '/home/simi/bin/aa-test') ++ self.assertEqual(parsed_event['aamode'], 'PERMITTING') ++ self.assertEqual(parsed_event['request_mask'], set(['r', '::r'])) ++ ++ self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event)) ++ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event)) ++ ++ ++if __name__ == "__main__": ++ unittest.main(verbosity=2) + diff --git a/apparmor.changes b/apparmor.changes index 14172bc..9aaaf7e 100644 --- a/apparmor.changes +++ b/apparmor.changes 
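Review bot: The embedded dnsmasq change `/bin/bash ix,` gives every confined dnsmasq instance the right to run a shell inside the dnsmasq profile, not only installations that actually pass --dhcp-script, and its one-line comment is the only explanation. Because `ix` keeps the child under the same profile, anything the script touches has to be permitted for dnsmasq itself, so the package changelog should say that site scripts need their own narrowly scoped rules rather than a broader packaged profile. The same embedded patch adds `/root/.my.cnf r,` to the extras mysqld profile with no comment; that file commonly holds client credentials, so a short why-comment such as `# read by mysqld when started as root (TODO confirm)` would help. Both rules come from upstream (2.9 r2837 and r2834), so this asks for documentation in the package, not for diverging from upstream.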
@@ -1,11 +1,24 @@ +------------------------------------------------------------------- +Tue Jan 20 20:33:55 UTC 2015 - opensuse@cboltz.de + +- add apparmor-changes-since-2.9.1.diff with upstream fixes since the + 2.9.1 release + - update logparser.py to support changed syslog format (lp#1399027) + - update usr.sbin.dovecot and usr.lib.dovecot.imap{, -login} profiles + (lp#1296667) + - update the mysqld profile + - fix network rule description in apparmor.d(5) manpage +- drop upstreamed dnsmasq-profile-fixes.patch +- update expired GPG key + ------------------------------------------------------------------- Thu Jan 1 16:07:25 UTC 2015 - opensuse@cboltz.de - update to AppArmor 2.9.1 (2.9 branch r2831) - fix log parsing for 3.16 kernels and syslog-style logs (boo#905368) - several fixes and performance improvements in the aa-* utils - - profile updates for dnsmasq (boo#907870), nscd (boo#904620#c14), - useradd, sendmail, man and passwd + - profile updates for dnsmasq (boo#907870), nscd (boo#904620#c14 and + bnc#908856), useradd, sendmail, man and passwd - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_1 for full release notes - refresh dnsmasq-profile-fixes.patch diff --git a/apparmor.keyring b/apparmor.keyring index b70c1b2..7ef77b6 100644 --- a/apparmor.keyring +++ b/apparmor.keyring @@ -1,10 +1,5 @@ -pub 1024D/AC931271 2006-02-13 [expires: 2014-02-15] -uid AppArmor Development Team (AppArmor signing key) -uid AppArmor Development Team (AppArmor signing key) -sub 4096g/79C0E55B 2006-02-13 [expires: 2011-02-12] - -----BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.19 (GNU/Linux) +Version: GnuPG v2 mQGiBEPw2O4RBAD8PZ+0NfCEIBjuDXQjdb6vi642wRIrN7v67GTfNQ+uggGKESRe grFumlArz5MbJVLinyIsCqigwyBpspXeyP6cMrzTudmmwQJJN9caejoAu5029wjX 
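Review bot: The first apparmor.keyring hunk removes the human-readable listing (`pub 1024D/AC931271 2006-02-13 [expires: 2014-02-15]` and the uid/sub lines) without adding a replacement, so after this change nothing in the file or the changelog says which key ID and expiry date the package now trusts for source verification. The unchanged opening lines of the armored block suggest this is still the same 1024-bit DSA primary key with refreshed self-signatures and extra third-party signatures, which is worth confirming since 1024-bit DSA is below current recommendations for signing keys. I would keep a listing header for the new export at the top of the file and extend the changelog entry "update expired GPG key" with the key ID, the new expiry and where the block was fetched from and checked against the known fingerprint. The second keyring hunk (`@@ -18,33 +13,70 @@`) holds only key material and follows on the next lines.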
@@ -18,33 +13,70 @@ AIIJeqGmN2Dq/+Q70kA/5Ck4hUABBoTMQZABWQkCh3POwMCwhbRMQXBwQXJtb3Ig RGV2ZWxvcG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1v ckBsaXN0cy51YnVudHUuY29tPohqBBMRCgAqAhsDAh4BAheAAhkBBQsJCAcDBRUK CQgLBRYCAwEABQJNXEDoBQkPDwJtAAoJEIE3mLmskxJxVFgAnjSeh2O03PKF0UJz -T13Fn1yK1IvaAJ9bQ3EuAw03b/RkIQUx5SQSXyDDdLRQQXBwQXJtb3IgRGV2ZWxv -cG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1vci1kZXZA -Zm9yZ2Uubm92ZWxsLmNvbT6IZwQTEQIAJwIbAwIeAQIXgAULCQgHAwUVCgkICwUW -AgMBAAUCTVxBAwUJDw8CbQAKCRCBN5i5rJMScQA9AJ9S5QhjNyhTMenrFysAVe8C -qziLRgCfVwP9EU7hWMZVHB4I56YG26Z66NG5BA0EQ/DbBhAQAIGpFSylXH+UNf/z -71UcvcRGIy62qNu3jq49/Tv0RapP03sdh/XZrWQKTeXlw6OHJFog673lvICqd8C5 -O8/2QeE8+c4HjO1QdwUlY5ziYkxOEs3+HgA0RNpWH7tZCAYFf+LB1J8FxTG9uUYf -ZOBN+2UQPo6aui+9cbRpqhzfTkFCqI8/U0Q3sJ8183Toj4iUTSx8SMeVNixZnMMe -9nb0yAynQPIvdZ5aOCNFQTjL/LCJFbvtY54n3xuI3DKBs2RinO9ARvGXF4GZ2IfM -IwsW+pfbf4g+ZVW0bRiT7aJ41H3OIvgDEYT5W9q4AwaTJUtkMT5tNWnGtgZFtbuI -wM3NfjQVJRUsUNYVC1Zphp+FYAeYLhQeK29a7i1jFJDn1GVBRotPGQ96nhKo62Ka -vkOSAIZ35cVjVSDsZ7xwZW0awOUUxwZsvZJ+iUGcYGClYk5PH46a9+w8m/THC/uM -savn8nWFANLCyUnoP7zapu7UtyrQbDfbyoj04rU9X2/gwM9FYJVf+CZOh+FVjzY2 -iUWHaofK2UnXEF1FCY0mWQx021IezmuZd97D32mq7tc3z7oXI3nCV97a0tWZI319 -ewlJjLf1syHj+ODDm7ZLbCXal9C2hrIDEjj/zsI6+d5x3NctTmRS/0nDujByZ2A2 -Vc9N5lvVR8wfGWC3QPgUgVIgR+0vAAQND/43Jbw/cnJbQDzVphv6toJlvATi3GmJ -o34g2f7FooNcNgN8qIJSBg195ddCtZWlyI0LQzt68pV2cNsf3wWrJQITm0LGmq13 -D4nWLqN4da0F08vtMLIaTFPe1dR+l0FQyiZbxGo8kuo9D4nY0tT78V42hdMA+vL6 -VybHyuvZrYSITNXEBaC5VI8+Bs57XzqoUFrduDCJPstykQoc1jdtV1x2wbaBYZRT -MFOkqNLYBgoMFV2aJtYzXWZ4XIcv9RJNsLF8bHXehV/NJ+0RjSeSKh8NnxO5PLDe -gBrmsX9xQ1UiTjG+AKcR/O5Oww1sQbkUbpXrvXzRziodyJzsbAB28MtZY4NgQFp5 -eV502aXM2o5DtDLsR6l+uFrAWK3zAdnbaco8ehqZQ3ILi+vfaVblrNIjKulbOLIC -WkeOuJ7NVn1MJCstq4grawy8JzZXQjkULVKHVcfcJJqfBuzs4QEWwzhuromsI5FQ -DKxaz9brdu6izrP/N/zygjCf4kNYf3rHyVqmpcVT718EJeQOZ8u0KVsexuHMi8cn -fFb8LFPOxzJ5/G7oQ4/0AC7GQgLWrhqjPcNRkWN351XDSgpaA4KAcv8xpqRUgDKO -DmW4+MvlZ7de+TFkNyh1cWJMG7I82WIA2FjDgTvAZVeNcUnPLKljPF5u/hFM27JO 
-oYJCqg/kdmEr3ohPBBgRAgAPBQJD8NsGAhsMBQkJZgGAAAoJEIE3mLmskxJx04gA -oK91aD8BBVjrm7gTPHI/+3xlrZjdAJwKmYhHdKq+HotT//yKq6SYn/EiOA== -=Cn3y +T13Fn1yK1IvaAJ9bQ3EuAw03b/RkIQUx5SQSXyDDdIhqBBMRCgAqAhsDBQkJZgGA +Ah4BAheAAhkBBQJMjkjTBQsJCAcDBRUKCQgLBRYCAwEAAAoJEIE3mLmskxJxQ4wA +oMb9+wVfGopVNTM/pwAFH+vcE1MaAKCUq/IOsOI0yRY7QVre3Rinzpy2/ohqBBMR +CgAqAhsDBQkJZgGAAh4BAheAAhkBBQJMoOLLBQsJCAcDBRUKCQgLBRYCAwEAAAoJ +EIE3mLmskxJxy6UAoN0PvpcVaBF9j6s46I6y5p12MBH3AJ0aiUVZj78cjyEprsJ6 +nuWqDm+dS4kCIAQQAQoACgUCTI5JiAMFAXgACgkQLwmejQBegfQtjw//ZVFIv/UR +CsfamtmqEE/nZ7XfTh495SjHGQy3q4nZvLyfHHiF+XVQtD7JIlHzYpwGz4kla73c +aM/tLts6bhNgVKQPqazi59NwrHV5dwCiP9B+pX2wdBsjNfgGROiPcVugO+R3hJst +6JwbQ7P0wKM0MelySPaYL67K69/NsSCrhR4ds5DF0if7yIwKCZF5U9B2PTwe1UOt +U09JP0mk0rMuZSe/nqgM4DCIa1zk2NwXxRG3EC7S4oEl9/yez7EgNRh54sRPFXXb +craW5oosZRo1bJtp3Pn9cQPH8acObmw7B5lqRQD5lgpdTi4KewqFpTbgKFOqyMrB +0Dk3ZR8K968yEdsVJnp9kjSMCkcETszi4bODBqF+dsLErZxr1WPXY77Hbt8hlAEK +sX+ebsHFDKM95IMKbMKawdnw+RBDU/b5B5N6z7WokFY6G0/l0xI4B1mAi2kqNo6b +vtZ1Ss6Y3yHzRxL1+qfEZQ4XsMQ7raMZ2zZnnVxH0amF4JD4iPVxt882VwABys/F +abwh39NZVjz/39VA3cCNdwys/AO1fGJ9SvhiZrhORP/17qXH+zV9EqZyoLB3oAZG +UAyFo2Wzdk/m2lJhk3+2DAzxojvp8xrjhZg6GsQW98dHOVg3lWL3KdwK7hR7nV6Z +M5N9xawzkjwM6GJJ81ewk1l5L3IuCTdU0WGIagQTEQoAKgIbAwIeAQIXgAIZAQUL +CQgHAwUVCgkICwUWAgMBAAUCUwFh/gUJEPG8hQAKCRCBN5i5rJMScanlAKDWnPJE +GRDtnSgFmBTIb7qTGfyGOgCgn2twDY+VYYACfjfL5wSzBIvbplOJARwEEAECAAYF +AlIOZ2YACgkQ8yFyWZ2NLpf95AgAqLVKvGMe9AU6bOKN9EdI6NPIDBYIqVMq2cmK +xJ6k8PDSwJlLefCXo+V4Fo0FAgI6lQma6PpjNKfB2RwJzBRr90wDeDf4LopSYLTp +tXF7R/IZ1apx5xn54sQobdHDQNGCprkljSJmyZlvpXJNbyAJNPU90Cbj52ZnEuaY +LKqE5TOfvr4hQ49DFyVU7CFsFzWqjDKo4+2d3DDMcDC658h10jqkNGuW0kvIn1sL +B/WysMcXXe4Uj+mlvBT+aCYSmQhqjiDx7mEaDyq0g/wVI16JvfOj/snL1RE629DE +dGLiSJiyppXUKN7uUPtBTfGVcaQl+37MOi6DJ7KkKF0Sd0OYHbRQQXBwQXJtb3Ig +RGV2ZWxvcG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1v +ci1kZXZAZm9yZ2Uubm92ZWxsLmNvbT6IRgQQEQIABgUCQ/DcnQAKCRCq4Ef4O5hq +8zHbAKCdvXzNIDqtgYk1f/bsuPkeS3kX7QCeI8eHe/s7pK4BNJ+LP8fIsXQPpwmI 
+TAQQEQIADAUCQ/DrnQWDCWXu0QAKCRD72e4z2bCgmU6AAJ4gd95sCBuJrT41eKfF +jJgbKkk3PQCdF/v8Hx6UKbwU2QTnXZvTDt54gcmITAQQEQIADAUCQ/Dr5QWDCWXu +iQAKCRCv5SzGOaalP97MAKDo/w3w/13SGGhddksiJx6CsIydmACgnZM8wQf+uQCn +D05sP8IWMVVU18CIZgQTEQIAJgUCQ/DY7gIbAwUJCWYBgAYLCQgHAwIEFQIIAwQW +AgMBAh4BAheAAAoJEIE3mLmskxJxgCsAn0tuS2wJQ1OIz+Uy1xiVidW0q6u/AJ9J +ElRNwTFgvK4+fmVJWTyvLxUBZYhnBBMRAgAnAhsDAh4BAheABQsJCAcDBRUKCQgL +BRYCAwEABQJNXEEDBQkPDwJtAAoJEIE3mLmskxJxAD0An1LlCGM3KFMx6esXKwBV +7wKrOItGAJ9XA/0RTuFYxlUcHgjnpgbbpnro0YhnBBMRAgAnAhsDBQkJZgGAAh4B +AheABQJMoOLgBQsJCAcDBRUKCQgLBRYCAwEAAAoJEIE3mLmskxJxKxIAoJS5dvwi +iylcYdF1O/k6exULYN6lAKCnIDB/prGCAsNI5Q4u7MO607fLL4hnBBMRAgAnAhsD +Ah4BAheABQsJCAcDBRUKCQgLBRYCAwEABQJTAWIsBQkQ8byFAAoJEIE3mLmskxJx +wgAAn0ubiW6hY0nSav7+U4V9gklKhvViAJ9Bx6SgTw4NzJhulZKOCr8TrrCuM7kE +DQRD8NsGEBAAgakVLKVcf5Q1//PvVRy9xEYjLrao27eOrj39O/RFqk/Tex2H9dmt +ZApN5eXDo4ckWiDrveW8gKp3wLk7z/ZB4Tz5zgeM7VB3BSVjnOJiTE4Szf4eADRE +2lYfu1kIBgV/4sHUnwXFMb25Rh9k4E37ZRA+jpq6L71xtGmqHN9OQUKojz9TRDew +nzXzdOiPiJRNLHxIx5U2LFmcwx72dvTIDKdA8i91nlo4I0VBOMv8sIkVu+1jniff +G4jcMoGzZGKc70BG8ZcXgZnYh8wjCxb6l9t/iD5lVbRtGJPtonjUfc4i+AMRhPlb +2rgDBpMlS2QxPm01aca2BkW1u4jAzc1+NBUlFSxQ1hULVmmGn4VgB5guFB4rb1ru +LWMUkOfUZUFGi08ZD3qeEqjrYpq+Q5IAhnflxWNVIOxnvHBlbRrA5RTHBmy9kn6J +QZxgYKViTk8fjpr37Dyb9McL+4yxq+fydYUA0sLJSeg/vNqm7tS3KtBsN9vKiPTi +tT1fb+DAz0VglV/4Jk6H4VWPNjaJRYdqh8rZSdcQXUUJjSZZDHTbUh7Oa5l33sPf +aaru1zfPuhcjecJX3trS1ZkjfX17CUmMt/WzIeP44MObtktsJdqX0LaGsgMSOP/O +wjr53nHc1y1OZFL/ScO6MHJnYDZVz03mW9VHzB8ZYLdA+BSBUiBH7S8ABA0P/jcl +vD9ycltAPNWmG/q2gmW8BOLcaYmjfiDZ/sWig1w2A3yoglIGDX3l10K1laXIjQtD +O3rylXZw2x/fBaslAhObQsaarXcPidYuo3h1rQXTy+0wshpMU97V1H6XQVDKJlvE +ajyS6j0PidjS1PvxXjaF0wD68vpXJsfK69mthIhM1cQFoLlUjz4GzntfOqhQWt24 +MIk+y3KRChzWN21XXHbBtoFhlFMwU6So0tgGCgwVXZom1jNdZnhchy/1Ek2wsXxs +dd6FX80n7RGNJ5IqHw2fE7k8sN6AGuaxf3FDVSJOMb4ApxH87k7DDWxBuRRuleu9 +fNHOKh3InOxsAHbwy1ljg2BAWnl5XnTZpczajkO0MuxHqX64WsBYrfMB2dtpyjx6 +GplDcguL699pVuWs0iMq6Vs4sgJaR464ns1WfUwkKy2riCtrDLwnNldCORQtUodV 
+x9wkmp8G7OzhARbDOG6uiawjkVAMrFrP1ut27qLOs/83/PKCMJ/iQ1h/esfJWqal +xVPvXwQl5A5ny7QpWx7G4cyLxyd8VvwsU87HMnn8buhDj/QALsZCAtauGqM9w1GR +Y3fnVcNKCloDgoBy/zGmpFSAMo4OZbj4y+Vnt175MWQ3KHVxYkwbsjzZYgDYWMOB +O8BlV41xSc8sqWM8Xm7+EUzbsk6hgkKqD+R2YSveiE8EGBECAA8FAkPw2wYCGwwF +CQlmAYAACgkQgTeYuayTEnHTiACgr3VoPwEFWOubuBM8cj/7fGWtmN0AnAqZiEd0 +qr4ei1P//IqrpJif8SI4iE8EGBECAA8FAkPw2wcCGwwFCQlmAYAACgkQgTeYuayT +EnFVPACg0VjGyWMniZ94t/EKcNziWd/01Z8An2vIS4inaHCws74JVV8vUNSVRajP +=nbr7 -----END PGP PUBLIC KEY BLOCK----- diff --git a/apparmor.spec b/apparmor.spec index 4054520..8a021a0 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -95,8 +95,8 @@ Patch6: apparmor-abstractions-no-multiline.diff # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -# boo#911001 - Allow executing --dhcp-client script (commited upstream trunk r2841, 2.9 r2837, {lib,lib64} changed to lib{,64}) -Patch8: dnsmasq-profile-fixes.patch +# upstream changes since the 2.9.1 release - bzr diff -r2832..2839 (2.9 branch) +Patch8: apparmor-changes-since-2.9.1.diff Url: https://launchpad.net/apparmor PreReq: sed @@ -437,7 +437,7 @@ SubDomain. %patch6 %patch7 -p1 -%patch8 -p1 +%patch8 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" diff --git a/dnsmasq-profile-fixes.patch b/dnsmasq-profile-fixes.patch deleted file mode 100644 index ee06e4f..0000000 --- a/dnsmasq-profile-fixes.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -Index: apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq -=================================================================== ---- apparmor-2.9.0.orig/profiles/apparmor.d/usr.sbin.dnsmasq -+++ apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq -@@ -45,6 +44,8 @@ - - /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage - -+ /bin/bash ix, # Required to execute --dhcp-script argument -+ - # access to iface mtu needed for Router Advertisement messages in IPv6 - # Neighbor Discovery protocol (RFC 2461) - @{PROC}/sys/net/ipv6/conf/*/mtu r, -@@ -64,7 +66,7 @@ - /{,var/}run/libvirt/network/*.pid rw, - - # libvirt lease helper -- /usr/lib/libvirt/libvirt_leaseshelper ix, -+ /usr/{lib,lib64}/libvirt/libvirt_leaseshelper ix, - /{,var/}run/leaseshelper.pid rwk, - - # NetworkManager integration