diff --git a/aa-unconfined-fix-netstat-call-2.10r3380.diff b/aa-unconfined-fix-netstat-call-2.10r3380.diff
new file mode 100644
index 0000000..b23de6d
--- /dev/null
+++ b/aa-unconfined-fix-netstat-call-2.10r3380.diff
@@ -0,0 +1,39 @@
+------------------------------------------------------------
+revno: 3380
+committer: Steve Beattie
+branch nick: 2.10
+timestamp: Mon 2017-01-09 09:22:58 -0800
+message:
+ Subject: utils/aa-unconfined: fix netstat invocation regression
+
+ It was reported that converting the netstat command to examine
+ processes bound to ipv6 addresses broke on OpenSUSE due to the version
+ of nettools not supporting the short -4 -6 arguments.
+
+ This patch fixes the invocation of netstat to use the "--protocol
+ inet,inet6" arguments instead, which should return the same results
+ as the short options.
+
+ Signed-off-by: Steve Beattie
+ Acked-by: Christian Boltz
+
+
+=== modified file 'utils/aa-unconfined'
+--- utils/aa-unconfined 2016-12-05 09:21:27 +0000
++++ utils/aa-unconfined 2017-01-09 17:22:58 +0000
+@@ -46,10 +46,10 @@
+ regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
+ import subprocess
+ if sys.version_info < (3, 0):
+- output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
++ output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n")
+ else:
+ #Python3 needs to translate a stream of bytes to string with specified encoding
+- output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
++ output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n")
+
+ for line in output:
+ match = regex_tcp_udp.search(line)
+
+
+vim:ft=diff
diff --git a/apparmor-2.10.1.tar.gz b/apparmor-2.10.1.tar.gz
deleted file mode 100644
index cdb8c22..0000000
--- a/apparmor-2.10.1.tar.gz
+++ /dev/null
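Review bot: The corrected `netstat` command string is written out twice in the inner hunk at `@@ -46,10 +46,10 @@`, once in the Python 2 branch and once in the Python 3 branch, which is exactly why the `-nlp46` regression had to be fixed in two places; hoisting it into one name above the version check, e.g. `netstat_cmd = "LANG=C netstat -nlp --protocol inet,inet6"`, would keep both branches in step the next time the arguments change. `shell=True` is not an injection concern here because the string is a constant, but the same effect is available without a shell via `subprocess.check_output(["netstat", "-nlp", "--protocol", "inet,inet6"], env=dict(os.environ, LANG="C"))`, assuming `os` is already imported in `utils/aa-unconfined`, which this hunk does not show. Neither branch visibly handles a non-zero exit from `netstat` (missing binary or unsupported option), so a `subprocess.CalledProcessError` would surface as a traceback rather than a message; whether that is handled by a caller cannot be seen from here. The enclosing function in `utils/aa-unconfined` starts and ends outside the inner hunk.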
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:07a76f338304baadc4ad69d025fe000b1ab4779a251ae8f338afdc13ef1e0f24
-size 4494037
diff --git a/apparmor-2.10.1.tar.gz.asc b/apparmor-2.10.1.tar.gz.asc
deleted file mode 100644
index 893771f..0000000
--- a/apparmor-2.10.1.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABCgAGBQJXF0iqAAoJEGaJ5k49NmS7uXAP/Rz605sXSgJ0ZwZQq/kyP4L6
-Z7nz7Bv5dgRiVP47C1c/Fv+uJkOxJ5nJKRog6KzaLHrjcRMlyAvWRq+F3MtrwE2j
-6OlhWL3NaPrUwe8Pchgzf89ogssvioD7+qUf/Rg6e7owL8SlWRFkRcOJFAoxqiF1
-B0itE7geuj6jxADxfo0OUOGW92tH5y31FZcYCCpebUfvalN9JzwYnF9Y6qH2Af3G
-gX4Xh8tyIIZGyTtQYexPnDle6DQFONsUzmRYaFIpZRYpKHz9HoM13KZTUY4TAZJL
-VmzxbHS5FzRIOegZVrpydpYkupvQ5CndywaIGDC/7iPQ1cNxdQoxGY4qI/+dB6LZ
-0ZfRS88TqE/+OglyfLHgxtxPw369PnvB+kWsND5Nqx77q7/UOQUZJZL0A3nKVcUG
-YlJnV/SIKGSUE4TjQ+xjPMlI8EJgv42rVSRhi3H6g7+02Q1S9VHuzU8byQsx3fw0
-PzAeBVBoB0i1MduwpZp1kO7L0Yfl+1zyrue8Bd5A5183lbriaSYRqB6MYSKUgf4f
-rSdEs8azwmqD2jZsIAAuTgZxCf5LKlkKz/u52fKKG9Pa30OC2bSdHz9LLjVKj+OL
-Lh8lO1hy3nnReLdsh4TKAQsTBsYTZuHXIbqfMxc0oykuRbwBHAjGO22t4wi6vdtp
-E7Wco+q0mMZzKGjQm6H/
-=M5Cf
------END PGP SIGNATURE-----
diff --git a/apparmor-2.10.2.tar.gz b/apparmor-2.10.2.tar.gz
new file mode 100644
index 0000000..4a4bae7
--- /dev/null
+++ b/apparmor-2.10.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3
+size 4497918
diff --git a/apparmor-2.10.2.tar.gz.asc b/apparmor-2.10.2.tar.gz.asc
new file mode 100644
index 0000000..cd50488
--- /dev/null
+++ b/apparmor-2.10.2.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQI3BAABCgAhBQJYcxByGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
+5k49NmS7KLcQAKNtJ8N81T/oOL05bZ6M1g4kjYZ1vIyTx8tFj8iBNBnxWGrWfIMj
+EJJeaGFUwbAN9LeTxlbwaGHHukLzQa4rihXPgpmQZl3tYWqwMzMtgtzbjWFIRtGA
+cZunTA0i5kOm0N/IEl1hR2JbDMopPgOWEyV7lZxklKYUavo5+8jrYloXKaSzbQGi
+KMIms8RF7v4ANOGoqvl6vv3y11JMvvV2VZniPf+myVDcmHjk8jzdzdGEOFRcHvoY
+Zg7ZMXbPjPh1VQYbzgdpK95SEXDM9X+4fJtcL2A0ofZQrO9rmFWOrtjxSz88DgWi
+qdfepwIGN7uMBLeL2UMlp8OJVOgcsjY2E9XHzVaSUJYRVuPFa/z3fKzEkMh96HQa
+xYnsicuQe6HUXxbRoXd/J12Rzla1Bkkvq2NYOwmh4kpZczGGaUK17GxlUryz7C/1
+VodpZd7pFzKmPuoCinKtO0VsQkDJ4qfKUiMSZOutDMR8eHyNxtVS6Qb5GycViLiF
+mtHiTipqv0q1HIFZVj3bpbq8Jji9pNHJWI1pwiafYEAqh1hyfGtWGkH3muMROQgL
+Qmjuoaw2x2VgPk+nnBSFwgOv4TUO/xVa95VD8HwCFjEHulpzlo8lx6k/9t5fZO6T
+kaS6NBQWIQ8hunIKMifKgi+8fFk2FTaUhgZJUP91MiUm5rwPU0y48RY3
+=l0m2
+-----END PGP SIGNATURE-----
diff --git a/apparmor-abstractions-no-multiline.diff b/apparmor-abstractions-no-multiline.diff
index 75e008a..2469a54 100644
--- a/apparmor-abstractions-no-multiline.diff
+++ b/apparmor-abstractions-no-multiline.diff
@@ -3,10 +3,10 @@ Index: profiles/apparmor.d/abstractions/X
 ===================================================================
 --- profiles/apparmor.d/abstractions/X.orig 2016-04-22 22:35:12.416535187 +0200
 +++ profiles/apparmor.d/abstractions/X 2016-04-22 22:35:46.556500929 +0200
-@@ -24,12 +24,8 @@
+@@ -25,12 +25,8 @@
 # the unix socket to use to connect to the display
 - /tmp/.X11-unix/* w,
 + /tmp/.X11-unix/* rw,
 - unix (connect, receive, send)
 - type=stream
 - peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
@@ -122,7 +122,7 @@ Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
 # Allow connecting to system bus and where to connect to services. Put these
 # here so we don't need to repeat these rules in multiple places (actual
-@@ -58,108 +33,47 @@
+@@ -58,108 +36,47 @@
 # allow apps to brute-force enumerate system services, but our system
 # services aren't a secret.
 /{,var/}run/dbus/system_bus_socket rw,
@@ -282,7 +282,7 @@ Index: profiles/apparmor.d/abstractions/gnome
 ===================================================================
 --- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200
 +++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200
-@@ -88,6 +88,4 @@
+@@ -91,6 +91,4 @@
 # Allow connecting to the GNOME vfs socket (still need corresponding DBus
 # rules)
diff --git a/apparmor.changes b/apparmor.changes
index d7fe392..3fd65f0 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Jan 10 22:15:56 UTC 2017 - suse-beta@cboltz.de
+
+- update to AppArmor 2.10.2 maintenance release
+ - lots of bugfixes and profile updates (including boo#1000201,
+ boo#1009964, boo#1014463)
+ - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details
+- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression
+ in aa-unconfined
+- drop upstream(ed) patches:
+ - changes-since-2.10.1--r3326..3346.diff
+ - changes-since-2.10.1--r3347..3353.diff
+ - libapparmor-fix-import-path.diff (upstream fix is slightly different)
+ - nscd-var-lib.diff
+- refresh apparmor-abstractions-no-multiline.diff
+
 -------------------------------------------------------------------
 Sun Oct 23 13:18:43 UTC 2016 - suse-beta@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index 9b67610..b2c6bae 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -1,8 +1,8 @@
 #
 # spec file for package apparmor
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-# Copyright (c) 2011-2016 Christian Boltz
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2011-2017 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -60,7 +60,7 @@ Name: apparmor
 %if ! %{?distro:1}0
 %define distro suse
 %endif
-Version: 2.10.1
+Version: 2.10.2
 Release: 0
 Summary: AppArmor userlevel parser utility
 License: GPL-2.0+
@@ -82,8 +82,8 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
 # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch3: apparmor-utils-string-split
-# upstream changes/fixes from 2.10 branch r3326..3346
-Patch4: changes-since-2.10.1--r3326..3346.diff
+# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380)
+Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
 Patch5: ruby-2_0-mkmf-destdir.patch
@@ -95,15 +95,6 @@ Patch6: apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7: apparmor-lessopen-profile.patch
-# fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet)
-Patch8: libapparmor-fix-import-path.diff
-
-# upstream changes/fixes from 2.10 branch r3347..3353
-Patch9: changes-since-2.10.1--r3347..3353.diff
-
-# update nscd profile and abstractions/nameservice to allow /var/lib/nscd/ paths (submitted upstream 2016-10-23)
-Patch10: nscd-var-lib.diff
-
 Url: https://launchpad.net/apparmor
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -453,9 +444,6 @@ SubDomain.
 %patch6
 %patch7 -p1
-%patch8
-%patch9
-%patch10
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
diff --git a/changes-since-2.10.1--r3326..3346.diff b/changes-since-2.10.1--r3326..3346.diff
deleted file mode 100644
index 6fa36ef..0000000
--- a/changes-since-2.10.1--r3326..3346.diff
+++ /dev/null
@@ -1,875 +0,0 @@ ------------------------------------------------------------- -revno: 3346 -behebt den Fehler: https://launchpad.net/bugs/1538306 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Mon 2016-08-15 22:06:47 +0200 -message: - Fix aa-logprof "add hat" endless loop - - This turned out to be a simple case of misinterpreting the promptUser() - result - it returns the answer and the selected option, and - "surprisingly" something like - ('CMD_ADDHAT', 0) - never matched - 'CMD_ADDHAT' - ;-) - - I also noticed that the new hat doesn't get initialized as - profile_storage(), and that the changed profile doesn't get marked as - changed. This is also fixed by this patch. - - - References: https://bugs.launchpad.net/apparmor/+bug/1538306 - - - Acked-by: Steve Beattie for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3345 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Fri 2016-08-12 12:02:43 +0200 -message: - type_is_str(): make pyflakes3 happy - - pyflakes3 doesn't check sys.version and therefore complains about - 'unicode' being undefined. - - This patch defines unicode as alias of str to make pyflakes3 happy, and - as a side effect, simplifies type_is_str(). - - - Acked-by: Seth Arnold for trunk and 2.10. ------------------------------------------------------------- -revno: 3344 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Mon 2016-08-08 23:16:12 +0200 -message: - delete_duplicates(): don't modify self.rules while looping over it - - By calling self.delete() inside the delete_duplicates() loop, the - self.rules list was modified. This resulted in some rules not being - checked and therefore (some, not all) superfluous rules not being - removed. - - This patch switches to a temporary variable to loop over, and rebuilds - self.rules with the rules that are not superfluous. - - This also fixes some strange issues already marked with a "Huh?" comment - in the tests. 
- - - Acked-by: Seth Arnold for trunk and 2.10. - - Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule, - therefore the cleanprof_test.out change doesn't make sense for 2.10. ------------------------------------------------------------- -revno: 3343 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Wed 2016-08-03 21:53:06 +0200 -message: - winbindd profile: allow dac_override - - This is needed to delete kerberos ccache files, for details see - https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5 - - - Acked-by: Seth Arnold for trunk, 2.10 and 2.9. - Acked-by: Steve Beattie for trunk, 2.10 and 2.9. ------------------------------------------------------------- -revno: 3342 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Sun 2016-07-31 17:15:42 +0200 -message: - logparser: store network-related params if an event looks like network - - Network events can come with an operation= that looks like a file event. - Nevertheless, if the event has a typical network parameter (like - net_protocol) set, make sure to store the network-related flags in ev. - - This fixes the test failure introduced in my last commit. - - - Acked-by: Kshitij Gupta for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3341 -behebt den Fehler: https://launchpad.net/bugs/1577051 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Sat 2016-07-30 00:44:18 +0200 -message: - logparser.py: ignore network events with 'send receive' - - We already ignore network events that look like file events (based on - the operation keyword) if they have a request_mask of 'send' or - 'receive' to avoid aa-logprof crashes because of "unknown" permissions. - It turned out that both can happen at once, so we should also ignore - this case. - - Also add the now-ignored log event as test_multi testcase. - - - References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13 - - - Acked-by: Tyler Hicks for trunk, 2.10 and 2.9. 
------------------------------------------------------------- -revno: 3340 -committer: Seth Arnold -branch nick: 2.10 -timestamp: Fri 2016-07-29 11:46:16 -0700 -message: - add ld.so.preload to , thanks to Uzair Shamim ------------------------------------------------------------- -revno: 3339 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Tue 2016-07-26 21:13:49 +0200 -message: - Allow mr for /usr/lib*/ldb/*.so in samba abstractions - - This is needed for winbindd (since samba 4.4.x), but smbd could also need it. - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006 - - - Acked-by: Seth Arnold for trunk, 2.10 and 2.9. ------------------------------------------------------------- -revno: 3338 -committer: Seth Arnold -branch nick: 2.10 -timestamp: Fri 2016-06-24 10:36:42 -0700 -message: - intrigeri@boum.org 2016-06-24 mod_apparmor manpage: fix "documenation" typo. ------------------------------------------------------------- -revno: 3337 -committer: Seth Arnold -branch nick: 2.10 -timestamp: Wed 2016-06-22 15:15:42 -0700 -message: - From: Simon McVittie - Date: Tue, 21 Jun 2016 18:18:45 +0100 - Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf - - Follow the same logic we already did for NetworkManager, - resolvconf and systemd-resolved. The wonderful thing about - standards is that there are so many to choose from. - - 
Signed-off-by: Simon McVittie - - [modified by sarnold to fit the surroundings] ------------------------------------------------------------- -revno: 3336 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Sun 2016-06-05 23:43:55 +0200 -message: - Add a note about still enforcing deny rules to aa-complain manpage - - This behaviour makes sense (for example to force the confined program to - use a fallback path), but is probably surprising for users, so we should - document it. - - References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37 - - - Acked-by: John Johansen for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3335 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Sun 2016-06-05 20:07:33 +0200 -message: - honor 'chown' file events in logparser.py - - Also add a testcase to libapparmor's log collection - - - Acked-by: Kshitij Gupta for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3334 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Wed 2016-06-01 21:06:25 +0200 -message: - aa-genprof: ask about profiles in extra dir (again) - - Thanks to reading the wrong directory in read_inactive_profiles() - (profile_dir instead of extra_profile_dir), aa-genprof never asked about - using a profile from the extra_profile_dir. - - Sounds like an easy fix, right? ;-) - - After fixing this (last chunk), several other errors popped up, one - after the other: - - get_profile() missed a required parameter in a serialize_profile() call - - when saving the profile, it was written to extra_profile_dir, not to - profile_dir where it (as a now-active profile) should be. This is - fixed by removing the filename from existing_profiles{} so that it can - pick up the default name. - - CMD_FINISHED (when asking if the extra profile should be used or a new - one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising - for the user. 
Remove it to avoid confusion. - - displaying the extra profile was only implemented in YaST mode - - get_pager() returned None, not an actual pager. Since we have 'less' - hardcoded at several places, also return it in get_pager() - - Finally, also remove CMD_FINISHED from the get_profile() test in - test-translations.py. - - - (test-translations.py is only in trunk, therefore this part of the patch - is obviously trunk-only.) - - - - - Acked-by: Seth Arnold for trunk - Acked-by: John Johansen for trunk + a 50% ACK for 2.10 and 2.9 - Acked-by: Kshitij Gupta for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3333 -behebt die Fehler: https://launchpad.net/bugs/1577051 https://launchpad.net/bugs/1582374 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Mon 2016-05-23 23:32:23 +0200 -message: - Ignore file events with a request mask of 'send' or 'receive' - - Those events are actually network events, so ideally we should map them - as such. Unfortunately this requires bigger changes, so here is a hotfix - that ignores those events and thus avoids crashing aa-logprof. - - References: https://bugs.launchpad.net/apparmor/+bug/1577051 - https://bugs.launchpad.net/apparmor/+bug/1582374 - - - Acked-by: Seth Arnold for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3332 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Sun 2016-05-22 14:51:55 +0200 -message: - Document empty quotes ("") as empty value of a variable - - - Acked-by: Seth Arnold for all branches where this makes sense :) ------------------------------------------------------------- -revno: 3331 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Wed 2016-05-18 21:18:34 +0200 -message: - allow inet6 in ping profile - - The latest iputils merged ping and ping6 into a single binary that does - both IPv4 and IPv6 pings (by default, it really does both). 
- This means we need to allow network inet6 raw in the ping profile. - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596 - (contains more details and example output) - - - Acked-by: Steve Beattie for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3330 -committer: Seth Arnold -branch nick: 2.10 -timestamp: Wed 2016-05-11 17:23:22 -0700 -message: - dbus-session-strict: allow access to the user bus socket - - From: Simon McVittie - Date: Wed, 4 May 2016 13:48:36 +0100 - Subject: dbus-session-strict: allow access to the user bus socket - - If dbus is configured with --enable-user-bus (for example in the - dbus-user-session package in Debian and its derivatives), and the user - session is started with systemd, then the "dbus-daemon --session" will be - started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly, - on systems where dbus-daemon has been replaced with kdbus, the - bridge/proxy used to provide compatibility with the traditional D-Bus - protocol listens on that same socket. - - In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems, - where $uid represents the numeric uid. I have not used /{var/,}run here, - because systemd does not support configurations where /var/run and /run - are distinct; in practice, /var/run is a symbolic link. - - Based on a patch by Sjoerd Simons, which originally used the historical - path /run/user/*/dbus/user_bus_socket. That path was popularized by the - user-session-units git repository, but has never been used in a released - version of dbus and should be considered unsupported. - - Signed-off-by: Simon McVittie ------------------------------------------------------------- -revno: 3329 -committer: Seth Arnold -branch nick: 2.10 -timestamp: Wed 2016-05-11 16:30:29 -0700 -message: - syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n - - 
From: Simon McVittie - Date: Wed, 11 May 2016 13:52:56 +0100 - Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n - - This test attempts to auto-skip the sysctl() part if that syscall - was not compiled into the current kernel, via - CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work, - for two reasons: - - * Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if", - and it had nonzero exit status, the trap on ERR was triggered, - causing execution of the error_handler() shell function, which - aborts the test with a failed status. The rules for ERR are the - same as for "set -e", so we can circumvent it in the same ways. - * Because sysctl_syscall.c prints its diagnostic message to stderr, - but the $() operator only captures stdout, it never matched - in the string comparison. This is easily solved by redirecting - its stderr to stdout. - - 
Signed-off-by: Simon McVittie ------------------------------------------------------------- -revno: 3328 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Tue 2016-05-10 14:34:40 +0200 -message: - load variables in ask_the_questions() - - Variables can be used in several rule types (from the existing *Rule - classes: change_profile, dbus, ptrace, signal). It seems nobody uses - variables with those rules, otherwise we'd have received a bugreport ;-) - - I noticed this while working on FileRule, where usage of variables is - more common. The file code in bzr (not using a *Rule class) already - loads the variables, so old versions don't need changes for file rule - handling. - - However, 2.10 already has ChangeProfileRule and therefore also needs - this fix. - - - Acked-by: Seth Arnold for trunk and 2.10. ------------------------------------------------------------- -revno: 3327 -behebt den Fehler: https://launchpad.net/bugs/1453300 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Thu 2016-05-05 12:02:11 +0200 -message: - accept hostname with dots - - Some people have the full hostname in their syslog messages, so - libapparmor needs to accept hostnames that contain dots. - - - References: https://bugs.launchpad.net/apparmor/+bug/1453300 comments - #1 and #2 (the log samples reported by scrx in #apparmor) - - - - Acked-by: Seth Arnold - Acked-by: John Johansen - for trunk, 2.10 and 2.9. 
------------------------------------------------------------- -revno: 3326 -tags: apparmor_2.10.1 -committer: John Johansen -branch nick: 2.10 -timestamp: Wed 2016-04-20 02:07:34 -0700 -message: - common/Version: prepare for 2.10.1 release -=== modified file 'changehat/mod_apparmor/mod_apparmor.pod' ---- changehat/mod_apparmor/mod_apparmor.pod 2014-09-15 18:30:47 +0000 -+++ changehat/mod_apparmor/mod_apparmor.pod 2016-06-24 17:36:42 +0000 -@@ -65,7 +65,7 @@ - - AAHatName allows you to specify a hat to be used for a given Apache - EDirectoryE, EDirectoryMatchE, ELocationE or --ELocationMatchE directive (see the Apache documenation for more -+ELocationMatchE directive (see the Apache documentation for more - details). Note that mod_apparmor behavior can become confused if - EDirectory*E and ELocation*E directives are intermingled - and it is recommended to use one type of directive. If the hat specified by - -=== modified file 'libraries/libapparmor/src/scanner.l' ---- libraries/libapparmor/src/scanner.l 2015-06-02 08:00:29 +0000 -+++ libraries/libapparmor/src/scanner.l 2016-05-05 10:02:11 +0000 -@@ -178,7 +178,7 @@ - hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2} - timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2} - syslog_time {hhmmss}({period}{digits})?{timezone}? 
--syslog_hostname [[:alnum:]_-]+ -+syslog_hostname [[:alnum:]._-]+ - dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\] - - %x single_quoted_string - -=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err' -=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in' ---- libraries/libapparmor/testsuite/test_multi/file_chown.in 1970-01-01 00:00:00 +0000 -+++ libraries/libapparmor/testsuite/test_multi/file_chown.in 2016-06-05 18:07:33 +0000 -@@ -0,0 +1,1 @@ -+type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4 - -=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out' ---- libraries/libapparmor/testsuite/test_multi/file_chown.out 1970-01-01 00:00:00 +0000 -+++ libraries/libapparmor/testsuite/test_multi/file_chown.out 2016-06-05 18:07:33 +0000 -@@ -0,0 +1,15 @@ -+START -+File: file_chown.in -+Event type: AA_RECORD_DENIED -+Audit ID: 1465133533.431:728 -+Operation: chown -+Mask: w -+Denied Mask: w -+fsuid: 0 -+ouid: 4 -+Profile: /usr/sbin/cupsd -+Name: /run/cups/certs/ -+Command: cupsd -+PID: 8515 -+Epoch: 1465133533 -+Audit subid: 728 - -=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.err' -=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in' ---- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 1970-01-01 00:00:00 +0000 -+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 2016-05-05 10:02:11 +0000 -@@ -0,0 +1,1 @@ -+Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110 - -=== added file 
'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out' ---- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 1970-01-01 00:00:00 +0000 -+++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 2016-05-05 10:02:11 +0000 -@@ -0,0 +1,15 @@ -+START -+File: syslog_hostname_with_dot.in -+Event type: AA_RECORD_ALLOWED -+Audit ID: 1442256553.643:40143 -+Operation: open -+Mask: r -+Denied Mask: r -+fsuid: 1000 -+ouid: 110 -+Profile: /opt/evoke/venv/bin/gunicorn -+Name: /opt/evoke/venv/lib/python2.7/warnings.pyc -+Command: gunicorn -+PID: 28943 -+Epoch: 1442256553 -+Audit subid: 40143 - -=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err' -=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in' ---- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000 -+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 22:44:18 +0000 -@@ -0,0 +1,1 @@ -+Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive" - -=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out' ---- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 1970-01-01 00:00:00 +0000 -+++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 2016-07-29 22:44:18 +0000 -@@ -0,0 +1,19 @@ -+START -+File: testcase_network_send_receive.in -+Event type: AA_RECORD_ALLOWED -+Audit ID: 1469785325.122:21021 -+Operation: file_inherit -+Mask: send receive -+Denied Mask: send receive -+Profile: 
/usr/bin/nginx-amplify-agent.py//null-/bin/dash -+Command: sh -+PID: 18239 -+Network family: inet -+Socket type: stream -+Protocol: tcp -+Local addr: 192.168.10.3 -+Foreign addr: 54.153.70.241 -+Local port: 50758 -+Foreign port: 443 -+Epoch: 1469785325 -+Audit subid: 21021 - -=== modified file 'parser/apparmor.d.pod' ---- parser/apparmor.d.pod 2016-02-12 20:43:42 +0000 -+++ parser/apparmor.d.pod 2016-05-22 12:51:55 +0000 -@@ -1234,7 +1234,8 @@ - - The parser will automatically expand variables to include all values - that they have been assigned; it is an error to reference a variable --without setting at least one value. -+without setting at least one value. You can use empty quotes ("") to -+explicitly add an empty value. - - At the time of this writing, the following variables are defined in the - provided AppArmor policy: - -=== modified file 'profiles/apparmor.d/abstractions/base' ---- profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000 -+++ profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000 -@@ -47,6 +47,7 @@ - # ld.so.cache and ld are used to load shared libraries; they are best - # available everywhere - /etc/ld.so.cache mr, -+ /etc/ld.so.preload r, - /lib{,32,64}/ld{,32,64}-*.so mrix, - /lib{,32,64}/**/ld{,32,64}-*.so mrix, - /lib/@{multiarch}/ld{,32,64}-*.so mrix, - -=== modified file 'profiles/apparmor.d/abstractions/dbus-session-strict' ---- profiles/apparmor.d/abstractions/dbus-session-strict 2014-09-03 20:11:05 +0000 -+++ profiles/apparmor.d/abstractions/dbus-session-strict 2016-05-12 00:23:22 +0000 -@@ -17,6 +17,9 @@ - type=stream - peer=(addr="@/tmp/dbus-*"), - -+ # dbus with systemd and --enable-user-session -+ owner /run/user/[0-9]*/bus rw, -+ - dbus send - bus=session - path=/org/freedesktop/DBus - -=== modified file 'profiles/apparmor.d/abstractions/nameservice' ---- profiles/apparmor.d/abstractions/nameservice 2016-01-05 23:04:34 +0000 -+++ profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:42 +0000 -@@ 
-33,14 +33,10 @@ - /var/lib/sss/pipes/nss rw, - - /etc/resolv.conf r, -- # on systems using resolvconf, /etc/resolv.conf is a symlink to -- # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in -- # /etc/resolvconf/run/resolv.conf -- /{,var/}run/resolvconf/resolv.conf r, -+ # On systems where /etc/resolv.conf is managed programmatically, it is -+ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf. -+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r, - /etc/resolvconf/run/resolv.conf r, -- # on systems using systemd's networkd, /etc/resolv.conf is a symlink to -- # /run/systemd/resolve/resolv.conf -- /{,var/}run/systemd/resolve/resolv.conf r, - - /etc/samba/lmhosts r, - /etc/services r, - -=== modified file 'profiles/apparmor.d/abstractions/samba' ---- profiles/apparmor.d/abstractions/samba 2015-05-18 23:25:26 +0000 -+++ profiles/apparmor.d/abstractions/samba 2016-07-26 19:13:49 +0000 -@@ -10,6 +10,7 @@ - # ------------------------------------------------------------------ - - /etc/samba/* r, -+ /usr/lib*/ldb/*.so mr, - /usr/share/samba/*.dat r, - /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, - /var/cache/samba/ w, - -=== modified file 'profiles/apparmor.d/bin.ping' ---- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000 -+++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:34 +0000 -@@ -18,6 +18,7 @@ - capability net_raw, - capability setuid, - network inet raw, -+ network inet6 raw, - - /{,usr/}bin/ping mixr, - /etc/modules.conf r, - -=== modified file 'profiles/apparmor.d/usr.sbin.winbindd' ---- profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000 -+++ profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 19:53:06 +0000 -@@ -7,6 +7,7 @@ - - deny capability block_suspend, - -+ capability dac_override, - capability ipc_lock, - capability setuid, - - -=== modified file 'tests/regression/apparmor/syscall_sysctl.sh' ---- tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 
18:23:10 +0000 -+++ tests/regression/apparmor/syscall_sysctl.sh 2016-05-11 23:30:29 +0000 -@@ -149,8 +149,7 @@ - # generally we want to encourage kernels to disable it, but if it's - # enabled we want to test against it - settest syscall_sysctl --res=$(${test} ro) --if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then -+if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then - echo " WARNING: syscall sysctl not implemented, skipping tests ..." - else - test_syscall_sysctl - -=== modified file 'utils/aa-complain.pod' ---- utils/aa-complain.pod 2014-09-15 18:30:47 +0000 -+++ utils/aa-complain.pod 2016-06-05 21:43:55 +0000 -@@ -41,6 +41,8 @@ - In this mode security policy is not enforced but rather access violations - are logged to the system log. - -+Note that 'deny' rules will be enforced even in complain mode. -+ - =head1 BUGS - - If you find any bugs, please report them at - -=== modified file 'utils/aa-mergeprof' ---- utils/aa-mergeprof 2015-07-06 20:02:34 +0000 -+++ utils/aa-mergeprof 2016-05-10 12:34:40 +0000 -@@ -1,6 +1,7 @@ - #! 
/usr/bin/env python - # ---------------------------------------------------------------------- - # Copyright (C) 2013 Kshitij Gupta -+# Copyright (C) 2014-2016 Christian Boltz - # - # This program is free software; you can redistribute it and/or - # modify it under the terms of version 2 of the GNU General Public -@@ -17,7 +18,7 @@ - import os - - import apparmor.aa --from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes -+from apparmor.aa import available_buttons, combine_name, delete_duplicates, get_profile_filename, is_known_rule, match_includes - import apparmor.aamode - from apparmor.common import AppArmorException - from apparmor.regex import re_match_include -@@ -283,6 +284,9 @@ - if not sev_db: - sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown')) - -+ sev_db.unload_variables() -+ sev_db.load_variables(get_profile_filename(profile)) -+ - for hat in sorted(other.aa[profile].keys()): - #Add the includes from the other profile to the user profile - done = False - -=== modified file 'utils/apparmor/aa.py' ---- utils/apparmor/aa.py 2016-03-01 20:25:29 +0000 -+++ utils/apparmor/aa.py 2016-08-15 20:06:47 +0000 -@@ -1,6 +1,6 @@ - # ---------------------------------------------------------------------- - # Copyright (C) 2013 Kshitij Gupta --# Copyright (C) 2014-2015 Christian Boltz -+# Copyright (C) 2014-2016 Christian Boltz - # - # This program is free software; you can redistribute it and/or - # modify it under the terms of version 2 of the GNU General Public -@@ -557,8 +557,11 @@ - inactive_profile[prof_name][prof_name].pop('filename') - profile_hash[uname]['username'] = uname - profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL' -- profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name) -+ profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None) - profile_hash[uname]['profile_data'] = 
inactive_profile -+ -+ existing_profiles.pop(prof_name) # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir -+ - # If no profiles in repo and no inactive profiles - if not profile_hash.keys(): - return None -@@ -579,18 +582,13 @@ - - q = aaui.PromptQuestion() - q.headers = ['Profile', prof_name] -- q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', -- 'CMD_ABORT', 'CMD_FINISHED'] -+ q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT'] - q.default = "CMD_VIEW_PROFILE" - q.options = options - q.selected = 0 - - ans = '' - while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans: -- if ans == 'CMD_FINISHED': -- save_profiles() -- return -- - ans, arg = q.promptUser() - p = profile_hash[options[arg]] - q.selected = options.index(options[arg]) -@@ -602,12 +600,13 @@ - 'profile_type': p['profile_type'] - }) - ypath, yarg = GetDataFromYast() -- #else: -- # pager = get_pager() -- # proc = subprocess.Popen(pager, stdin=subprocess.PIPE) -+ else: -+ pager = get_pager() -+ proc = subprocess.Popen(pager, stdin=subprocess.PIPE) - # proc.communicate('Profile submitted by %s:\n\n%s\n\n' % - # (options[arg], p['profile'])) -- # proc.kill() -+ proc.communicate(p['profile'].encode()) -+ proc.kill() - elif ans == 'CMD_USE_PROFILE': - if p['profile_type'] == 'INACTIVE_LOCAL': - profile_data = p['profile_data'] -@@ -658,6 +657,7 @@ - if not profile_data: - profile_data = create_new_profile(pname) - file = get_profile_filename(pname) -+ profile_data[pname][pname]['filename'] = None # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename - attach_profile_data(aa, profile_data) - attach_profile_data(original_aa, profile_data) - if os.path.isfile(profile_dir + '/tunables/global'): -@@ -1095,7 +1095,7 @@ - - seen_events += 1 - -- ans = q.promptUser() -+ ans = q.promptUser()[0] - - if ans == 'CMD_FINISHED': - save_profiles() 
-@@ -1105,7 +1105,9 @@ - - if ans == 'CMD_ADDHAT': - hat = uhat -+ aa[profile][hat] = profile_storage(profile, hat, 'handle_children addhat') - aa[profile][hat]['flags'] = aa[profile][profile]['flags'] -+ changed[profile] = True - elif ans == 'CMD_USEDEFAULT': - hat = default_hat - elif ans == 'CMD_DENY': -@@ -1590,6 +1592,10 @@ - UI_SelectUpdatedRepoProfile(profile, p) - - found += 1 -+ -+ sev_db.unload_variables() -+ sev_db.load_variables(get_profile_filename(profile)) -+ - # Sorted list of hats with the profile name coming first - hats = list(filter(lambda key: key != profile, sorted(log_dict[aamode][profile].keys()))) - if log_dict[aamode][profile].get(profile, False): -@@ -2305,7 +2311,7 @@ - reload_base(profile_name) - - def get_pager(): -- pass -+ return 'less' - - def generate_diff(oldprofile, newprofile): - oldtemp = tempfile.NamedTemporaryFile('w') -@@ -2504,7 +2510,7 @@ - except: - fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir) - -- for file in os.listdir(profile_dir): -+ for file in os.listdir(extra_profile_dir): - if os.path.isfile(extra_profile_dir + '/' + file): - if is_skippable_file(file): - continue - -=== modified file 'utils/apparmor/common.py' ---- utils/apparmor/common.py 2015-12-17 22:38:02 +0000 -+++ utils/apparmor/common.py 2016-08-12 10:02:43 +0000 -@@ -245,11 +245,12 @@ - return False - return True - -+if sys.version_info[0] > 2: -+ unicode = str # python 3 dropped the unicode type. To keep type_is_str() simple (and pyflakes3 happy), re-create it as alias of str. 
-+ - def type_is_str(var): - ''' returns True if the given variable is a str (or unicode string when using python 2)''' -- if type(var) == str: -- return True -- elif sys.version_info[0] < 3 and type(var) == unicode: # python 2 sometimes uses the 'unicode' type -+ if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type - return True - else: - return False - -=== modified file 'utils/apparmor/logparser.py' ---- utils/apparmor/logparser.py 2016-02-10 18:09:57 +0000 -+++ utils/apparmor/logparser.py 2016-07-31 15:15:42 +0000 -@@ -133,7 +133,7 @@ - ev['denied_mask'] = event.denied_mask - ev['request_mask'] = event.requested_mask - ev['magic_token'] = event.magic_token -- if ev['operation'] and self.op_type(ev['operation']) == 'net': -+ if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol): - ev['family'] = event.net_family - ev['protocol'] = event.net_protocol - ev['sock_type'] = event.net_sock_type -@@ -278,7 +278,7 @@ - self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile']) - - elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or -- e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src', -+ e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src', - 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link', - 'sysctl', 'getattr', 'setattr', 'xattr'] ): - -@@ -289,6 +289,13 @@ - self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e) - return None - -+ # sometimes network events come with an e['operation'] that matches the list of file operations -+ # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374 -+ # XXX these events are network events, so we should map them as such -+ if 'send' in e['request_mask'] or 'receive' in e['request_mask']: -+ self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e) -+ return 
None -+ - # Map c (create) and d (delete) to w (logging is more detailed than the profile language) - rmask = e['request_mask'] - rmask = rmask.replace('c', 'w') - -=== modified file 'utils/apparmor/rule/__init__.py' ---- utils/apparmor/rule/__init__.py 2016-01-25 22:42:45 +0000 -+++ utils/apparmor/rule/__init__.py 2016-08-08 21:16:12 +0000 -@@ -312,10 +312,13 @@ - - # delete rules that are covered by include files - if include_rules: -- for rule in self.rules: -- if include_rules.is_covered(rule, True, True): -- self.delete(rule) -+ oldrules = self.rules -+ self.rules = [] -+ for rule in oldrules: -+ if include_rules.is_covered(rule, True, False): - deleted += 1 -+ else: -+ self.rules.append(rule) - - # de-duplicate rules inside the profile - deleted += self.delete_in_profile_duplicates() - -=== modified file 'utils/test/test-capability.py' ---- utils/test/test-capability.py 2015-11-23 23:22:37 +0000 -+++ utils/test/test-capability.py 2016-08-08 21:16:12 +0000 -@@ -817,7 +817,6 @@ - inc.add(CapabilityRule.parse(rule)) - - expected_raw = [ -- ' allow capability sys_admin,', # XXX huh? should be deleted! - ' deny capability chgrp, # example comment', - '', - ] -@@ -825,11 +824,9 @@ - expected_clean = [ - ' deny capability chgrp, # example comment', - '', -- ' allow capability sys_admin,', # XXX huh? should be deleted! -- '', - ] - -- self.assertEqual(self.ruleset.delete_duplicates(inc), 1) -+ self.assertEqual(self.ruleset.delete_duplicates(inc), 2) - self.assertEqual(expected_raw, self.ruleset.get_raw(1)) - self.assertEqual(expected_clean, self.ruleset.get_clean(1)) - - diff --git a/changes-since-2.10.1--r3347..3353.diff b/changes-since-2.10.1--r3347..3353.diff deleted file mode 100644 index 8b85e8f..0000000 --- a/changes-since-2.10.1--r3347..3353.diff +++ /dev/null 
@@ -1,324 +0,0 @@ ------------------------------------------------------------- -revno: 3353 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Thu 2016-10-13 20:29:59 +0200 -message: - syslog-ng profile: allow writing *.qf files - - These files are needed for disk-based buffering (added in syslog-ng 3.8). - This was reported to me by Peter Czanik, one of the syslog-ng developers. - - Note: I'm not sure about adding @{CHROOT_BASE} to this rule, so for now - I prefer not to do it - adding it later is easy, but finding out if it - could be removed is hard ;-) - - - Acked-by: John Johansen for trunk, 2.10 and 2.9. ------------------------------------------------------------- -revno: 3352 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Wed 2016-10-05 20:53:37 +0200 -message: - Add missing permissions to dovecot profiles - - - dovecot/auth: allow to read stats-user - - dovecot/config: allow to read /usr/share/dovecot/** - - dovecot/imap: allow to ix doveconf, read /etc/dovecot/ and - /usr/share/dovecot/** - - These things were reported by Félix Sipma in Debian Bug#835826 - (with some help from sarnold on IRC) - - References: https://bugs.debian.org/835826 - - - Acked-by: Seth Arnold for trunk, 2.10 and 2.9. - - - - Also allow reading ~/.dovecot.svbin (that's the default filename in the - dovecot config) in dovecot/lmtp profile. - (*.svbin files can probably also appear inside @{DOVECOT_MAILSTORE}, but - that's already covered by the existing rules.) - - References: https://bugs.debian.org/835826 (again) - - - Acked-by: John Johansen for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3351 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Mon 2016-10-03 21:02:15 +0200 -message: - Drop CMD_CONTINUE from ui.py (twice) - - The latest version of pyflakes (1.3.0 / python 3.5) complains that - CMD_CONTINUE is defined twice in ui.py (with different texts). 
- - Funnily CMD_CONTINUE isn't used anywhere, so we can just drop both. - - - - Acked-by: Seth Arnold for trunk, 2.10 and 2.9 ------------------------------------------------------------- -revno: 3350 -behebt den Fehler: https://launchpad.net/bugs/1379874 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Sat 2016-10-01 20:25:51 +0200 -message: - [39/38] Ignore exec events for non-existing profiles - - The switch to FileRule made some bugs visible that survived unnoticed - with hasher for years. - - If aa-logprof sees an exec event for a non-existing profile _and_ a - profile file matching the expected profile filename exists in - /etc/apparmor.d/, it asks for the exec mode nevertheless (instead of - being silent). In the old code, this created a superfluous entry - somewhere in the aa hasher, and caused the existing profile to be - rewritten (without changes). - - However, with FileRule it causes a crash saying - - File ".../utils/apparmor/aa.py", line 1335, in handle_children - aa[profile][hat]['file'].add(FileRule(exec_target, file_perm, exec_mode, rule_to_name, owner=False, log_event=True)) - AttributeError: 'collections.defaultdict' object has no attribute 'add' - - This patch makes sure exec events for unknown profiles get ignored. 
- - - - Reproducer: - - python3 aa-logprof -f <(echo 'type=AVC msg=audit(1407865079.883:215): apparmor="ALLOWED" operation="exec" profile="/sbin/klogd" name="/does/not/exist" pid=11832 comm="foo" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/sbin/klogd//null-1"') - - This causes a crash without this patch because - /etc/apparmor.d/sbin.klogd exists, but has - profile klogd /{usr/,}sbin/klogd { - - - - References: https://bugs.launchpad.net/bugs/1379874 - - - - Acked-by: Steve Beattie for trunk, 2.10 and 2.9 - - - *** *** *** backport - *** *** *** --fixes lp:1379874 ------------------------------------------------------------- -revno: 3349 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Fri 2016-09-30 00:08:08 +0200 -message: - Allow both paths in traceroute profile - - In 2011 (r1803), the traceroute profile was changed to also match - /usr/bin/traceroute.db: - /usr/{sbin/traceroute,bin/traceroute.db} { - - However, permissions for /usr/bin/traceroute.db were never added. - This patch fixes this. - - - While on it, also change the /usr/sbin/traceroute permissions from - rmix to the less confusing mrix. - - - Acked-by: Seth Arnold for trunk, 2.10 and 2.9. ------------------------------------------------------------- -revno: 3348 -committer: Tyler Hicks -branch nick: apparmor-2.10 -timestamp: Wed 2016-09-14 12:50:43 -0500 -message: - libapparmor: Force libtoolize to replace existing files - - Fixes build error when attempting to build and test the 2.10.95 release - on Ubuntu 14.04: - - $ (cd libraries/libapparmor/ && ./autogen.sh && ./configure && \ - make && make check) > /dev/null - ... - libtool: Version mismatch error. This is libtool 2.4.6 Debian-2.4.6-0.1, but the - libtool: definition of this LT_INIT comes from libtool 2.4.2. - libtool: You should recreate aclocal.m4 with macros from libtool 2.4.6 Debian-2.4.6-0.1 - libtool: and run autoconf again. 
- make[2]: *** [grammar.lo] Error 63 - make[1]: *** [all] Error 2 - make: *** [all-recursive] Error 1 - - The --force option is needed to regenerate the libtool file in - libraries/libapparmor/. - - 
Signed-off-by: Tyler Hicks - Acked-by: Steve Beattie ------------------------------------------------------------- -revno: 3347 -committer: Christian Boltz -branch nick: 2.10 -timestamp: Mon 2016-09-12 23:35:00 +0200 -message: - Allow 'kcm' in network rules - - This is probably - https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/networking/kcm.txt - - - Acked-by: Seth Arnold for trunk and 2.10. - - - - - - - -=== modified file 'libraries/libapparmor/autogen.sh' ---- libraries/libapparmor/autogen.sh 2014-01-03 23:13:26 +0000 -+++ libraries/libapparmor/autogen.sh 2016-09-14 17:50:43 +0000 -@@ -38,6 +38,6 @@ - echo "Running autoconf" - autoconf --force - echo "Running libtoolize" --libtoolize --automake -c -+libtoolize --automake -c --force - echo "Running automake" - automake -ac - -=== modified file 'profiles/apparmor.d/sbin.syslog-ng' ---- profiles/apparmor.d/sbin.syslog-ng 2015-11-11 15:44:47 +0000 -+++ profiles/apparmor.d/sbin.syslog-ng 2016-10-13 18:29:59 +0000 -@@ -48,6 +48,7 @@ - /{usr/,}sbin/syslog-ng mr, - /sys/devices/system/cpu/online r, - /usr/share/syslog-ng/** r, -+ /var/lib/syslog-ng/syslog-ng-?????.qf rw, - # chrooted applications - @{CHROOT_BASE}/var/lib/*/dev/log w, - @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw, - -=== modified file 'profiles/apparmor.d/usr.lib.dovecot.auth' ---- profiles/apparmor.d/usr.lib.dovecot.auth 2016-04-06 22:53:30 +0000 -+++ profiles/apparmor.d/usr.lib.dovecot.auth 2016-10-05 18:53:37 +0000 -@@ -38,7 +38,7 @@ - /var/tmp/smtp_* rw, - - /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw, -- /{var/,}run/dovecot/stats-user w, -+ /{var/,}run/dovecot/stats-user rw, - - # Site-specific additions and overrides. See local/README for details. 
- #include - -=== modified file 'profiles/apparmor.d/usr.lib.dovecot.config' ---- profiles/apparmor.d/usr.lib.dovecot.config 2014-06-27 19:14:53 +0000 -+++ profiles/apparmor.d/usr.lib.dovecot.config 2016-10-05 18:53:37 +0000 -@@ -23,6 +23,7 @@ - /usr/bin/doveconf rix, - /usr/lib/dovecot/config mr, - /usr/lib/dovecot/managesieve Px, -+ /usr/share/dovecot/** r, - - # Site-specific additions and overrides. See local/README for details. - #include - -=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap' ---- profiles/apparmor.d/usr.lib.dovecot.imap 2015-09-03 16:27:00 +0000 -+++ profiles/apparmor.d/usr.lib.dovecot.imap 2016-10-05 18:53:37 +0000 -@@ -25,7 +25,14 @@ - @{DOVECOT_MAILSTORE}/** rwkl, - - @{HOME} r, # ??? -- /usr/lib/dovecot/imap mr, -+ -+ /etc/dovecot/dovecot.conf r, -+ /etc/dovecot/conf.d/ r, -+ /etc/dovecot/conf.d/** r, -+ -+ /usr/bin/doveconf rix, -+ /usr/lib/dovecot/imap mrix, -+ /usr/share/dovecot/** r, - /{,var/}run/dovecot/auth-master rw, - /{,var/}run/dovecot/mounts r, - - -=== modified file 'profiles/apparmor.d/usr.lib.dovecot.lmtp' ---- profiles/apparmor.d/usr.lib.dovecot.lmtp 2015-04-27 19:33:06 +0000 -+++ profiles/apparmor.d/usr.lib.dovecot.lmtp 2016-10-05 18:53:37 +0000 -@@ -25,6 +25,8 @@ - @{DOVECOT_MAILSTORE}/ rw, - @{DOVECOT_MAILSTORE}/** rwkl, - -+ @{HOME}/.dovecot.svbin r, -+ - /proc/*/mounts r, - /tmp/dovecot.lmtp.* rw, - /usr/lib/dovecot/lmtp mr, - -=== modified file 'profiles/apparmor.d/usr.sbin.traceroute' ---- profiles/apparmor.d/usr.sbin.traceroute 2011-11-30 12:15:21 +0000 -+++ profiles/apparmor.d/usr.sbin.traceroute 2016-09-29 22:08:08 +0000 -@@ -20,7 +20,8 @@ - network inet raw, - network inet6 raw, - -- /usr/sbin/traceroute rmix, -+ /usr/sbin/traceroute mrix, -+ /usr/bin/traceroute.db mrix, - @{PROC}/net/route r, - - # Site-specific additions and overrides. See local/README for details. 
- -=== modified file 'utils/apparmor/aa.py' ---- utils/apparmor/aa.py 2016-08-15 20:06:47 +0000 -+++ utils/apparmor/aa.py 2016-10-01 18:25:51 +0000 -@@ -1168,6 +1168,9 @@ - prelog[aamode][profile][hat]['path'][path] = mode - - if do_execute: -+ if not aa[profile][hat]: -+ continue # ignore log entries for non-existing profiles -+ - if profile_known_exec(aa[profile][hat], 'exec', exec_target): - continue - - -=== modified file 'utils/apparmor/rule/network.py' ---- utils/apparmor/rule/network.py 2016-02-18 22:31:56 +0000 -+++ utils/apparmor/rule/network.py 2016-09-12 21:35:00 +0000 -@@ -27,7 +27,7 @@ - network_domain_keywords = [ 'unspec', 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc', 'x25', 'inet6', - 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna', - 'irda', 'pppox', 'wanpipe', 'llc', 'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet', -- 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib' ] -+ 'ieee802154', 'caif', 'alg', 'nfc', 'vsock', 'mpls', 'ib', 'kcm' ] - - network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet'] - network_protocol_keywords = ['tcp', 'udp', 'icmp'] - -=== modified file 'utils/apparmor/ui.py' ---- utils/apparmor/ui.py 2014-11-17 12:30:04 +0000 -+++ utils/apparmor/ui.py 2016-10-03 19:02:15 +0000 -@@ -249,7 +249,6 @@ - 'CMD_EXEC_IX_ON': _('(X) ix On'), - 'CMD_EXEC_IX_OFF': _('(X) ix Off'), - 'CMD_SAVE': _('(S)ave Changes'), -- 'CMD_CONTINUE': _('(C)ontinue Profiling'), - 'CMD_NEW': _('(N)ew'), - 'CMD_GLOB': _('(G)lob'), - 'CMD_GLOBEXT': _('Glob with (E)xtension'), -@@ -278,7 +277,6 @@ - 'CMD_NET_FAMILY': _('Allow Network Fa(m)ily'), - 'CMD_OVERWRITE': _('(O)verwrite Profile'), - 'CMD_KEEP': _('(K)eep Profile'), -- 'CMD_CONTINUE': _('(C)ontinue'), - 'CMD_IGNORE_ENTRY': _('(I)gnore') - } - - diff --git a/libapparmor-fix-import-path.diff b/libapparmor-fix-import-path.diff deleted file mode 100644 index f0d9d3c..0000000 
--- a/libapparmor-fix-import-path.diff +++ /dev/null 
@@ -1,42 +0,0 @@ -Index: libraries/libapparmor/swig/python/Makefile.am -=================================================================== ---- libraries/libapparmor/swig/python/Makefile.am.orig 2014-01-06 23:08:55.000000000 +0100 -+++ libraries/libapparmor/swig/python/Makefile.am 2016-08-26 18:03:52.526582753 +0200 -@@ -6,9 +6,8 @@ SUBDIRS = test - - libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i - $(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i -- mv LibAppArmor.py __init__.py - --MOSTLYCLEANFILES=libapparmor_wrap.c __init__.py -+MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py - - all-local: libapparmor_wrap.c setup.py - if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi -Index: libraries/libapparmor/swig/python/__init__.py -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ libraries/libapparmor/swig/python/__init__.py 2016-08-26 18:03:16.790763701 +0200 -@@ -0,0 +1 @@ -+from LibAppArmor.LibAppArmor import * -Index: libraries/libapparmor/swig/python/Makefile.in -=================================================================== ---- libraries/libapparmor/swig/python/Makefile.in.orig 2016-04-20 11:09:04.000000000 +0200 -+++ libraries/libapparmor/swig/python/Makefile.in 2016-08-26 18:04:51.770288833 +0200 -@@ -326,7 +326,7 @@ top_builddir = @top_builddir@ - top_srcdir = @top_srcdir@ - @HAVE_PYTHON_TRUE@EXTRA_DIST = libapparmor_wrap.c - @HAVE_PYTHON_TRUE@SUBDIRS = test --@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c __init__.py -+@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c LibAppArmor.py - all: all-recursive - - .SUFFIXES: -@@ -648,7 +648,6 @@ uninstall-am: - - @HAVE_PYTHON_TRUE@libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i - @HAVE_PYTHON_TRUE@ $(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i --@HAVE_PYTHON_TRUE@ mv 
LibAppArmor.py __init__.py - - @HAVE_PYTHON_TRUE@all-local: libapparmor_wrap.c setup.py - @HAVE_PYTHON_TRUE@ if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi diff --git a/nscd-var-lib.diff b/nscd-var-lib.diff deleted file mode 100644 index 0b5f6a9..0000000 --- a/nscd-var-lib.diff +++ /dev/null @@ -1,26 +0,0 @@ -=== modified file 'profiles/apparmor.d/abstractions/nameservice' ---- profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:49 +0000 -+++ profiles/apparmor.d/abstractions/nameservice 2016-10-22 19:55:04 +0000 -@@ -46,7 +46,7 @@ - # to vast speed increases when working with network-based lookups. - /{,var/}run/.nscd_socket rw, - /{,var/}run/nscd/socket rw, -- /{var/db,var/cache,var/run,run}/nscd/{passwd,group,services,hosts} r, -+ /{var/db,var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts} r, - # nscd renames and unlinks files in it's operation that clients will - # have open - /{,var/}run/nscd/db* rmix, - -=== modified file 'profiles/apparmor.d/usr.sbin.nscd' ---- profiles/apparmor.d/usr.sbin.nscd 2016-03-21 20:30:19 +0000 -+++ profiles/apparmor.d/usr.sbin.nscd 2016-10-22 19:54:36 +0000 -@@ -28,7 +28,7 @@ - /{,var/}run/nscd/ rw, - /{,var/}run/nscd/db* rwl, - /{,var/}run/nscd/socket wl, -- /{var/cache,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw, -+ /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw, - /{,var/}run/{nscd/,}nscd.pid rwl, - /var/log/nscd.log rw, - @{PROC}/@{pid}/cmdline r, -