From 34919fc720fb01c9bea70b2aa54a0362d020345df9a3e6b1c731451b3f547b29 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 28 Sep 2019 15:13:31 +0000
Subject: [PATCH 1/2] Accepting request 733763 from home:luizluca:branches:security:apparmor

- add apparmor-krb5-conf-d.diff for kerberos client
  Since https://build.opensuse.org/package/rdiff/network/krb5?linkrev=base&rev=204, it is possible to use configuration snippets for krb5.conf. However, any service under apparmor will not be able to read it. As /etc/krb5.conf.d is default for SUSE but not for upstream apparmor, the patch might not be accepted upstream. LEAP15(.1) should also get this fix.

OBS-URL: https://build.opensuse.org/request/show/733763
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=249
---
 apparmor-krb5-conf-d.diff | 28 ++++++++++++++++++++++++++++
 apparmor.changes | 5 +++++
 apparmor.spec | 4 ++++
 3 files changed, 37 insertions(+)
 create mode 100644 apparmor-krb5-conf-d.diff

diff --git a/apparmor-krb5-conf-d.diff b/apparmor-krb5-conf-d.diff
new file mode 100644
index 0000000..e960e2f
--- /dev/null
+++ b/apparmor-krb5-conf-d.diff
@@ -0,0 +1,28 @@
+From 1e37af227ec977efe1a6b6454f5a801c4c04e886 Mon Sep 17 00:00:00 2001
+From: Luiz Angelo Daros de Luca
+Date: Fri, 27 Sep 2019 18:34:20 -0300
+Subject: [PATCH] abstractions/kerberosclient: allow /etc/krb5.conf.d
+
+Permit the use of /etc/krb5.conf.d configuration snippets
+
+Signed-off-by: Luiz Angelo Daros de Luca
+---
+ profiles/apparmor.d/abstractions/kerberosclient | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient
+index 8b08c146..7cb1f9e0 100644
+--- a/profiles/apparmor.d/abstractions/kerberosclient
++++ b/profiles/apparmor.d/abstractions/kerberosclient
+@@ -22,6 +22,8 @@
+ 
+ /etc/krb5.keytab rk,
+ /etc/krb5.conf r,
++ /etc/krb5.conf.d/ r,
++ /etc/krb5.conf.d/* r,
+ 
+ # config files found via strings on libs
+ /etc/krb.conf r,
+-- 
+2.23.0
+
diff --git a/apparmor.changes b/apparmor.changes
index dc1c35f..73b460d 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Sep 27 21:43:55 UTC 2019 - Luiz Angelo Daros de Luca
+
+- add apparmor-krb5-conf-d.diff for kerberos client
+
 -------------------------------------------------------------------
 Tue Jun 18 20:51:07 UTC 2019 - Christian Boltz
 
diff --git a/apparmor.spec b/apparmor.spec
index 02f2daa..921e396 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -65,6 +65,9 @@ Patch4: apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5: apparmor-lessopen-nfs-workaround.diff
+# allow /etc/krb5.conf.d/ for kerberos client
+Patch6: apparmor-krb5-conf-d.diff
+
 
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
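Review bot: The two new rules in abstractions/kerberosclient carry no comment saying why the directory and its entries must be readable, and since this abstraction is pulled into many profiles a maintainer should be able to see at a glance that this is read-only widening tied to krb5's `includedir` mechanism rather than an ad-hoc allowance; I would add, above `/etc/krb5.conf.d/ r,`, the comment `# snippets pulled in via "includedir /etc/krb5.conf.d" in the SUSE default krb5.conf (read-only)`. Note that `/etc/krb5.conf.d/*` matches only direct entries of the directory, not nested paths; as far as I recall krb5's `includedir` is itself non-recursive, so this is the right width, but if a reviewer knows otherwise `**` would be the alternative. Both rules grant `r` only, so no write or link access to the configuration is introduced. The kerberosclient abstraction starts and ends outside this hunk, so whether a broader rule (for example an `/etc/krb5.conf.d/**` or an `include` of another abstraction) already covers this elsewhere in the file cannot be confirmed from here.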
@@ -353,6 +356,7 @@ SubDomain.
 %patch3 -p1
 %patch4
 %patch5
+%patch6 -p1
 
 %build
 %define _lto_cflags %{nil}

From 433977903f7c8bb676fd5eb92f66fa4c37592d8edb6dd4731c512940db8925e1 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 28 Sep 2019 15:36:36 +0000
Subject: [PATCH 2/2] Accepting request 733857 from home:cboltz

- add abstractions-ssl-certbot-paths.diff - add certbot paths to abstractions/ssl_certs and abstractions/ssl_keys

OBS-URL: https://build.opensuse.org/request/show/733857
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=250
---
 abstractions-ssl-certbot-paths.diff | 38 +++++++++++++++++++++++++++++
 apparmor.changes | 6 +++++
 apparmor.spec | 6 ++++-
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 abstractions-ssl-certbot-paths.diff

diff --git a/abstractions-ssl-certbot-paths.diff b/abstractions-ssl-certbot-paths.diff
new file mode 100644
index 0000000..5b64659
--- /dev/null
+++ b/abstractions-ssl-certbot-paths.diff
@@ -0,0 +1,38 @@
+commit b5772e29efbc3c2325b4a2ba312bb4cf0c78f181
+Author: Christian Boltz
+Date: Sun Jun 30 07:14:42 2019 +0000
+
+ Merge branch 'cboltz-2.13-certbot' into 'apparmor-2.13'
+
+ [2.10..2.13] Add for Certbot on openSUSE Leap
+
+ See merge request apparmor/apparmor!398
+
+ Acked-by: John Johansen for 2.10..2.13
+
+ (cherry picked from commit 14a11e67a5b8e06a5ba5080d9824df8010e28552)
+
+ 8b766451 Add for Certbot on openSUSE Leap
+
+diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
+index b5382ec9..789efc58 100644
+--- a/profiles/apparmor.d/abstractions/ssl_certs
++++ b/profiles/apparmor.d/abstractions/ssl_certs
+@@ -38,3 +38,7 @@
+ /etc/letsencrypt/archive/*/cert*.pem r,
+ /etc/letsencrypt/archive/*/chain*.pem r,
+ /etc/letsencrypt/archive/*/fullchain*.pem r,
++
++ /etc/certbot/archive/*/cert*.pem r,
++ /etc/certbot/archive/*/chain*.pem r,
++ /etc/certbot/archive/*/fullchain*.pem r,
+diff --git a/profiles/apparmor.d/abstractions/ssl_keys b/profiles/apparmor.d/abstractions/ssl_keys
+index 84f5c503..2de760b5 100644
+--- a/profiles/apparmor.d/abstractions/ssl_keys
++++ b/profiles/apparmor.d/abstractions/ssl_keys
+@@ -26,3 +26,5 @@
+ 
+ # certbot / letsencrypt
+ /etc/letsencrypt/archive/*/privkey*.pem r,
++
++ /etc/certbot/archive/*/privkey*.pem r,
diff --git a/apparmor.changes b/apparmor.changes
index 73b460d..dadc216 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Sep 28 15:20:10 UTC 2019 - Christian Boltz
+
+- add abstractions-ssl-certbot-paths.diff - add certbot paths to
+  abstractions/ssl_certs and abstractions/ssl_keys
+
 -------------------------------------------------------------------
 Fri Sep 27 21:43:55 UTC 2019 - Luiz Angelo Daros de Luca
 
diff --git a/apparmor.spec b/apparmor.spec
index 921e396..2d2c09b 100644
--- a/apparmor.spec
+++ b/apparmor.spec
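Review bot: The new `/etc/certbot/archive/*/privkey*.pem r,` rule in abstractions/ssl_keys extends private-key read access to every profile that includes this abstraction, and unlike the ssl_certs hunk it sits under a `# certbot / letsencrypt` heading that no longer says which of the two directory layouts is which; a one-line comment above the new rule, `# openSUSE Leap certbot package uses /etc/certbot instead of /etc/letsencrypt`, would record why a second tree is allowed here. The rule is a faithful mirror of the existing letsencrypt line (same `archive/*/` depth, same `privkey*.pem` glob, `r` only), so no access beyond the new directory prefix is introduced. Certbot's `live/` directory normally holds symlinks into `archive/`; as far as I recall AppArmor mediates the resolved target path, which is why only `archive/` appears in these abstractions, and a short comment stating that would save the next reader from "adding" a `live/` rule. Both abstraction files begin and end outside this hunk, so any other certbot-related rules they may already contain cannot be checked from here.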
@@ -65,9 +65,12 @@ Patch4: apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5: apparmor-lessopen-nfs-workaround.diff
-# allow /etc/krb5.conf.d/ for kerberos client
+# allow /etc/krb5.conf.d/ for kerberos client (submitted upstream 2019-09-28 https://gitlab.com/apparmor/apparmor/merge_requests/425)
 Patch6: apparmor-krb5-conf-d.diff
 
+# add certbot paths to abstractions/ssl_keys and abstractions/ssl_certs (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/398, merged 2019-06-30)
+Patch7: abstractions-ssl-certbot-paths.diff
+
 
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -357,6 +360,7 @@ SubDomain.
 %patch4
 %patch5
 %patch6 -p1
+%patch7 -p1
 
 %build
 %define _lto_cflags %{nil}