Accepting request 1176504 from home:cboltz
- Update to AppArmor 4.0.1 Too many changes to list them here. See https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 for the detailed upstream release notes - add tools-fix-redefinition.diff: fix redefinition of _ in tools - add test-aa-notify.diff: relax test-aa-notify to avoid a mismatch with argparse on Leap 15.5 - drop upstreamed patches: - apparmor-abstractions-openssl-allow-version-specific-en.patch - dovecot-unix_chkpwd.diff - smbd-unix_chkpwd.diff - apparmor-lessopen-profile.patch: update lessopen profile to abi/4.0 - mark local/* as %ghost so that these dummy files don't get installed anymore (changed existing local/files will be kept, unchanged files will be deleted) - switch to gitlab tarballs (without pregenerated libapparmor configure script and prebuilt techdoc.pdf) - run libapparmor autogen.sh (needs additional BuildRequires autoconf, autoconf-archive, automake and libtool) - no longer package techdoc.pdf - old documentation, not worth the texlive BuildRequires we would need to build it - drop old (up to 2.12) cache location /var/lib/apparmor/ and the /etc/apparmor.d/cache symlink pointing to it - drop apparmor-samba-include-permissions-for-shares.diff - no longer needed, update-apparmor-samba-profile in Tumbleweed works without a pre-existing local/usr.sbin.smbd-shares file - drop ruby-2_0-mkmf-destdir.patch - this ancient patch doesn't change a single bit in the resulting build (anymore?) - drop apparmor-lessopen-nfs-workaround.diff - no longer needed OBS-URL: https://build.opensuse.org/request/show/1176504 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=404
parent
0696aaace6
commit
8f0fcf5e40
BIN
apparmor-3.1.7.tar.gz
(Stored with Git LFS)
BIN
apparmor-3.1.7.tar.gz
(Stored with Git LFS)
Binary file not shown.
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmXBWL0aHGFwcGFybW9y
|
||||
QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuerQ//QCW7GNO++nu3fv4lH7qy
|
||||
Fz8FRIdbzsZx0jnWcj07xoRBiGhPijdGXzv7SH0PQL2rBhIZqXUZO/nEAzkJzwXd
|
||||
DUIFyospmNTcd+CXd+Xj6u/oq7lSWu+XxcepWWyw5I9mU+IdpGhIhW5RtgMl/khx
|
||||
sSfhPgO5mymnQ6CZBazTnxmKlIvyuqO+TAZTupK7ce1ld+dETDM8XzAnbwAYHocl
|
||||
tELqIoQyGCyicdFHDEJM5aDJGyY8pWVaOblLmlB0xBPuyL1reaUyVv1Ru097E/5n
|
||||
TRPAEtlFBlMFAQs19sY7lXbM4vTmuZP6nAn2A3sQMqTwBqaJ/DRi2ujrE++hYFmF
|
||||
ltQQ8UwUKf2PsUfCUp9kvVjyL3orGal3vhbSn+6ohpRVzzmF4I23gLiV8bS1dod9
|
||||
FUKcMpN+8qffowgCaTo6GwbNW4vD6nqQkfIwJaY+TjVN2TMwskfj/XUulwSiYicT
|
||||
wycP8rWdKCbZ/HXZlYEOVs/tS3pEDlU3fLIYzEJ9m857rYb1etldN8zR8ws5cuQy
|
||||
ZBbAqmpB8QRh4tvGbysqLLxQZYfUWDotKI/IStHLZ2MfWFiQNR6lCawpptC/ah4C
|
||||
T4OruJAByicSiDI1ini41UwD53sgEZ2SOXdaB5DjGfLDzzw36JfFpYNKLRSiJuW2
|
||||
6fXO9jCqPrweMYfr6ImGBF4=
|
||||
=C8pg
|
||||
-----END PGP SIGNATURE-----
|
@ -1,43 +0,0 @@
|
||||
From 00efed1f35e2bb3f01c1914a4968e48562612fd4 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Boltz <apparmor@cboltz.de>
|
||||
Date: Wed, 7 Feb 2024 08:49:58 +0000
|
||||
Subject: [PATCH] Merge abstractions/openssl: allow version specific engdef &
|
||||
engines paths
|
||||
|
||||
Some openssl distributions use version specific engdef and engines paths
|
||||
to support multi-version installations.
|
||||
|
||||
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1219571
|
||||
|
||||
Signed-off-by: David Disseldorp <ddiss@suse.de>
|
||||
|
||||
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1147
|
||||
Approved-by: Christian Boltz <apparmor@cboltz.de>
|
||||
Merged-by: Christian Boltz <apparmor@cboltz.de>
|
||||
|
||||
|
||||
(cherry picked from commit 2577fbf0770784e531f9210856208a774ae92af0)
|
||||
|
||||
2b8cf1be abstractions/openssl: allow version specific engdef & engines paths
|
||||
---
|
||||
profiles/apparmor.d/abstractions/openssl | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/profiles/apparmor.d/abstractions/openssl b/profiles/apparmor.d/abstractions/openssl
|
||||
index 65939ae4..e2c5955c 100644
|
||||
--- a/profiles/apparmor.d/abstractions/openssl
|
||||
+++ b/profiles/apparmor.d/abstractions/openssl
|
||||
@@ -12,8 +12,8 @@
|
||||
|
||||
/etc/ssl/openssl.cnf r,
|
||||
/etc/ssl/openssl-*.cnf r,
|
||||
- /etc/ssl/{engdef,engines}.d/ r,
|
||||
- /etc/ssl/{engdef,engines}.d/*.cnf r,
|
||||
+ /etc/ssl/{engdef*,engines*}.d/ r,
|
||||
+ /etc/ssl/{engdef*,engines*}.d/*.cnf r,
|
||||
/usr/share/ssl/openssl.cnf r,
|
||||
|
||||
# Include additions to the abstraction
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,17 +0,0 @@
|
||||
Index: profiles/apparmor.d/usr.bin.lessopen.sh
|
||||
===================================================================
|
||||
--- profiles/apparmor.d/usr.bin.lessopen.sh.orig 2021-09-18 15:15:00.967216031 +0200
|
||||
+++ profiles/apparmor.d/usr.bin.lessopen.sh 2021-09-18 15:18:35.731065782 +0200
|
||||
@@ -13,6 +13,12 @@ abi <abi/3.0>,
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
|
||||
+ # workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1119937 / http://bugzilla.opensuse.org/show_bug.cgi?id=1190552 / https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
|
||||
+ network inet dgram,
|
||||
+ network inet6 dgram,
|
||||
+ network inet stream,
|
||||
+ network inet6 stream,
|
||||
+
|
||||
/** rk,
|
||||
/{usr/,}bin/bash mrix,
|
||||
/{usr/,}bin/rpm mrix,
|
@ -5,7 +5,7 @@ Index: profiles/apparmor.d/usr.bin.lessopen.sh
|
||||
@@ -0,0 +1,52 @@
|
||||
+# vim: ft=apparmor
|
||||
+
|
||||
+abi <abi/3.0>,
|
||||
+abi <abi/4.0>,
|
||||
+
|
||||
+#include <tunables/global>
|
||||
+
|
||||
|
@ -1,26 +0,0 @@
|
||||
Samba generates a profile sniplet with permissions for all shares at
|
||||
start using the update-apparmor-samba-profile script.
|
||||
|
||||
After the include rules were upstreamed in AppArmor 3.0.5 (MR 838), this
|
||||
patch was shortened. Now it "only" creates a dummy profile sniplet
|
||||
because update-apparmor-samba-profiles on Leap 15.3 and 15.4 aborts if
|
||||
the local/ sniplet doesn't exist.
|
||||
|
||||
Tumbleweed does not rely on a pre-existing local/usr.sbin.smbd-shares
|
||||
anymore, therefore the patch gets skipped there in the spec.
|
||||
|
||||
|
||||
References: https://bugzilla.novell.com/show_bug.cgi?id=688040
|
||||
|
||||
|
||||
Signed-off-by: Christian Boltz <apparmor@cboltz.de>
|
||||
|
||||
|
||||
=== added file 'profiles/apparmor.d/local/usr.sbin.smbd-shares'
|
||||
--- profiles/apparmor.d/local/usr.sbin.smbd-shares 1970-01-01 00:00:00 +0000
|
||||
+++ profiles/apparmor.d/local/usr.sbin.smbd-shares 2011-10-19 09:40:05 +0000
|
||||
@@ -0,0 +1,2 @@
|
||||
+# This file will be replaced by rules for all samba shares at samba start.
|
||||
+# Do not edit!
|
||||
|
||||
|
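--- a/apparmor-v4.0.1.tar.gz
+++ b/apparmor-v4.0.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0d72cedc48e533d189ea415bde721ad597101c77fa398fdd2858ec4f58f7e26
+size 6984984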
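--- a/apparmor-v4.0.1.tar.gz.asc
+++ b/apparmor-v4.0.1.tar.gz.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmYYxToaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuLfBAA1lpdyEcNhLvw0Ff0rkt7
+Zoj/TgxYal/6FwuJ10eUnHrZhwGjhiX8zin2gbZaM7X8kscsSwelEqquSliu6lqp
+O63B8cGa6/eu0CnJ2s5aLteeEDWqt1SjD9CBufGtTjNpCvSKR59Hl4quj2zwGF8P
++XHAxpnXOzdaxZtbi8h18ehtOxz23A2QJvKJYavIpTNwVPIvwnS2ryKrXnF8NjH+
+s89xMc2ZE1JT+bjWA+DwcvjXPGmMBacijbfuKLrV77dYoML2dmPNvDJyuJpnvKQU
+5FhfUjUILHmRYZJF5eT9f2KVt6cYzVlIUP9yxjbkrGoaAHGYijcASNZSQeRWvGER
+S9T6TW7QO2TzetBT68xstHZBmcSEyKF+uQ9hoJjGAJJo6L1R2SQK8ILg3voyoF48
+Hi+Ud5i9w7vF+UFVphVt+904nmruVzJ57oLlDts+q0jEODM6+YwQODgBR4JeXF6T
+PJAXKpUBmYc12GzRSu6zlTDQIGJ0LewKtt/u1NLEDym3hWHs/2P2ISAO+/RLDv0U
+klc3MndlgH1Ua9Gu6crLg9YrDxIguCooT1GQKnpOiic80n8VgMMViT3FsnMVGtmK
+VQ9XVyotbZrni7ctWRywPpQIwZuKEs3J9A3wbCX/fwuKgTiB5XQvl7EHLypAbWUp
+6X11aT86R3L9vOckHjywgLY=
+=eji6
+-----END PGP SIGNATURE-----
+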
@ -1,3 +1,39 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun May 5 19:53:21 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
|
||||
|
||||
- Update to AppArmor 4.0.1
|
||||
Too many changes to list them here. See
|
||||
https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1
|
||||
for the detailed upstream release notes
|
||||
- add tools-fix-redefinition.diff: fix redefinition of _ in tools
|
||||
- add test-aa-notify.diff: relax test-aa-notify to avoid a mismatch
|
||||
with argparse on Leap 15.5
|
||||
- drop upstreamed patches:
|
||||
- apparmor-abstractions-openssl-allow-version-specific-en.patch
|
||||
- dovecot-unix_chkpwd.diff
|
||||
- smbd-unix_chkpwd.diff
|
||||
- apparmor-lessopen-profile.patch: update lessopen profile to
|
||||
abi/4.0
|
||||
- mark local/* as %ghost so that these dummy files don't get
|
||||
installed anymore (changed existing local/files will be kept,
|
||||
unchanged files will be deleted)
|
||||
- switch to gitlab tarballs (without pregenerated libapparmor
|
||||
configure script and prebuilt techdoc.pdf)
|
||||
- run libapparmor autogen.sh (needs additional BuildRequires
|
||||
autoconf, autoconf-archive, automake and libtool)
|
||||
- no longer package techdoc.pdf - old documentation, not worth
|
||||
the texlive BuildRequires we would need to build it
|
||||
- drop old (up to 2.12) cache location /var/lib/apparmor/ and the
|
||||
/etc/apparmor.d/cache symlink pointing to it
|
||||
- drop apparmor-samba-include-permissions-for-shares.diff - no
|
||||
longer needed, update-apparmor-samba-profile in Tumbleweed works
|
||||
without a pre-existing local/usr.sbin.smbd-shares file
|
||||
- drop ruby-2_0-mkmf-destdir.patch - this ancient patch doesn't
|
||||
change a single bit in the resulting build (anymore?)
|
||||
- drop apparmor-lessopen-nfs-workaround.diff - no longer needed
|
||||
since Kernel 6.0 (see https://bugs.launchpad.net/bugs/1784499)
|
||||
- drop ancient, unused update-trans.sh
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 5 15:16:04 UTC 2024 - Atri Bhattacharya <badshah400@gmail.com>
|
||||
|
||||
|
204
apparmor.spec
204
apparmor.spec
@ -49,22 +49,23 @@
|
||||
%endif
|
||||
|
||||
%define CATALINA_HOME /usr/share/tomcat6
|
||||
#define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
|
||||
#define JNI_SO libJNIChangeHat.so
|
||||
%define JAR_FILE changeHatValve.jar
|
||||
|
||||
%define tarversion v4.0.1
|
||||
%define pyeggversion 4.0.1
|
||||
|
||||
Name: apparmor
|
||||
Version: 3.1.7
|
||||
Version: 4.0.1
|
||||
Release: 0
|
||||
Summary: AppArmor userlevel parser utility
|
||||
License: GPL-2.0-or-later
|
||||
Group: Productivity/Networking/Security
|
||||
URL: https://launchpad.net/apparmor
|
||||
Source0: https://launchpad.net/apparmor/3.1/%{version}/+download/apparmor-%{version}.tar.gz
|
||||
Source1: https://launchpad.net/apparmor/3.1/%{version}/+download/apparmor-%{version}.tar.gz.asc
|
||||
URL: https://gitlab.com/apparmor/apparmor/
|
||||
Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz
|
||||
# from https://gitlab.com/apparmor/apparmor/-/wikis/%{version}_Signatures
|
||||
Source1: apparmor-%{tarversion}.tar.gz.asc
|
||||
Source2: %{name}.keyring
|
||||
|
||||
Source5: update-trans.sh
|
||||
Source6: baselibs.conf
|
||||
Source7: apparmor-rpmlintrc
|
||||
|
||||
@ -72,49 +73,37 @@ Source7: apparmor-rpmlintrc
|
||||
# and set cache-loc in parser.conf and apparmor.service accordingly
|
||||
Patch1: apparmor-enable-profile-cache.diff
|
||||
|
||||
# include autogenerated profile sniplet for samba shares (bnc#688040) - include rule upstreamed in 3.0.5 (MR 838), now "just" creates the local/ sniplet
|
||||
# (technically only needed in Leap 15.x, the samba script in Tumbleweed also works if the local/ sniplet doesn't exist - but dropping the local/ sniplet will move existing autogenerated sniplets to *.rpmsave)
|
||||
Patch2: apparmor-samba-include-permissions-for-shares.diff
|
||||
|
||||
# Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
|
||||
Patch3: ruby-2_0-mkmf-destdir.patch
|
||||
|
||||
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
||||
Patch4: apparmor-lessopen-profile.patch
|
||||
|
||||
# workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
|
||||
# fixed in Kernel 6.0 and later (see comment in https://bugs.launchpad.net/bugs/1784499)
|
||||
Patch5: apparmor-lessopen-nfs-workaround.diff
|
||||
|
||||
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
|
||||
Patch6: apache-extra-profile-include-if-exists.diff
|
||||
|
||||
# add path for precompiled cache (only done/applied if precompiled_cache is enabled)
|
||||
Patch7: apparmor-enable-precompiled-cache.diff
|
||||
|
||||
# allow dovecot-auth to execute unix_chkpwd, and add a profile for unix_chkpwd. This is needed for PAM 1.6 (boo#1219139)
|
||||
Patch9: dovecot-unix_chkpwd.diff
|
||||
# fix redefinition of _ in tools (merged upstream 2024-04-22 https://gitlab.com/apparmor/apparmor/-/merge_requests/1218)
|
||||
Patch10: tools-fix-redefinition.diff
|
||||
|
||||
# abstractions/openssl: allow version specific engdef & engines paths (boo#1219571)
|
||||
Patch10: apparmor-abstractions-openssl-allow-version-specific-en.patch
|
||||
|
||||
# allow smbd to execute unix_chkpwd (boo#1220032)
|
||||
# https://gitlab.com/apparmor/apparmor/-/merge_requests/1159
|
||||
Patch11: smbd-unix_chkpwd.diff
|
||||
# make test-aa-notify a bit more relaxed to allow different argparse wording on Leap 15.5 (merged upstream 2024-05-06 (4.0 and master) https://gitlab.com/apparmor/apparmor/-/merge_requests/1226)
|
||||
Patch11: test-aa-notify.diff
|
||||
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: bison
|
||||
BuildRequires: dejagnu
|
||||
BuildRequires: flex
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: iproute2
|
||||
BuildRequires: libtool
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: python3
|
||||
BuildRequires: perl(Locale::gettext)
|
||||
|
||||
BuildRequires: swig
|
||||
BuildRequires: perl(Locale::gettext)
|
||||
|
||||
%if %{with python3}
|
||||
BuildRequires: python-rpm-macros
|
||||
@ -355,21 +344,17 @@ SubDomain.
|
||||
%lang_package -n apparmor-parser
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -n %{name}-%{tarversion}
|
||||
|
||||
# very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984)
|
||||
mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/
|
||||
|
||||
%patch -P 1
|
||||
%patch -P 2
|
||||
%patch -P 3 -p1
|
||||
%patch -P 4
|
||||
%patch -P 5
|
||||
%patch -P 6
|
||||
%if %{with precompiled_cache}
|
||||
%patch -P 7
|
||||
%endif
|
||||
%patch -P 9 -p1
|
||||
%patch -P 10 -p1
|
||||
%patch -P 11 -p1
|
||||
|
||||
@ -379,6 +364,7 @@ export SUSE_ASNEEDED=0
|
||||
# libapparmor:
|
||||
(
|
||||
cd ./libraries/libapparmor
|
||||
sh ./autogen.sh && \
|
||||
%configure \
|
||||
%if %{with perl}
|
||||
--with-perl \
|
||||
@ -429,6 +415,20 @@ make -C profiles
|
||||
parser/apparmor_parser --config-file $(pwd)/parser/parser.conf --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
|
||||
%endif
|
||||
|
||||
# create filelist of previously (up to 3.1.x) shipped local/* files
|
||||
# (adding them as %ghost prevents modified files from being moved to *.rpmsave)
|
||||
for oldlocal in \
|
||||
bin.ping lsb_release nvidia_modprobe php-fpm samba-bgqd samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss sbin.klogd sbin.syslogd sbin.syslog-ng \
|
||||
usr.bin.lessopen.sh usr.lib.dovecot.anvil usr.lib.dovecot.auth usr.lib.dovecot.config usr.lib.dovecot.deliver usr.lib.dovecot.dict usr.lib.dovecot.director \
|
||||
usr.lib.dovecot.doveadm-server usr.lib.dovecot.dovecot-auth usr.lib.dovecot.dovecot-lda usr.lib.dovecot.imap usr.lib.dovecot.imap-login usr.lib.dovecot.lmtp \
|
||||
usr.lib.dovecot.log usr.lib.dovecot.managesieve usr.lib.dovecot.managesieve-login usr.lib.dovecot.pop3 usr.lib.dovecot.pop3-login usr.lib.dovecot.replicator \
|
||||
usr.lib.dovecot.script-login usr.lib.dovecot.ssl-params usr.lib.dovecot.stats usr.sbin.apache2 usr.sbin.avahi-daemon usr.sbin.dnsmasq usr.sbin.dovecot \
|
||||
usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \
|
||||
usr.sbin.winbindd zgrep
|
||||
do
|
||||
echo "%ghost /etc/apparmor.d/local/$oldlocal"
|
||||
done > oldlocal.files
|
||||
|
||||
%check
|
||||
make check -C libraries/libapparmor
|
||||
make check -C parser
|
||||
@ -479,10 +479,6 @@ test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
|
||||
%endif
|
||||
|
||||
%makeinstall SBINDIR="%{buildroot}%{sbindir}" APPARMOR_BIN_PREFIX="%{buildroot}%{apparmor_bin_prefix}" -C parser
|
||||
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
|
||||
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
|
||||
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
|
||||
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
|
||||
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
|
||||
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
|
||||
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
|
||||
@ -535,7 +531,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
%doc parser/*.[1-9].html
|
||||
%doc utils/vim/apparmor.vim.5.html
|
||||
%doc common/apparmor.css
|
||||
%doc parser/techdoc.pdf
|
||||
#doc parser/techdoc.pdf
|
||||
# apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
|
||||
%dir %{_datadir}/apparmor
|
||||
%{_datadir}/apparmor/apparmor.vim
|
||||
@ -548,6 +544,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
%{_bindir}/aa-enabled
|
||||
%{_bindir}/aa-exec
|
||||
%{_bindir}/aa-features-abi
|
||||
%{_sbindir}/aa-load
|
||||
%{_sbindir}/aa-status
|
||||
%{_sbindir}/apparmor_status
|
||||
%{_sbindir}/status
|
||||
@ -555,12 +552,10 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
%{_sbindir}/exec
|
||||
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%{_sysconfdir}/apparmor.d/cache
|
||||
%{_sysconfdir}/apparmor.d/cache.d
|
||||
%{sbindir}/rcapparmor
|
||||
%{_unitdir}/apparmor.service
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
|
||||
%{_localstatedir}/lib/apparmor
|
||||
%{_localstatedir}/cache/apparmor
|
||||
%dir %attr(-, root, root) %{apparmor_bin_prefix}
|
||||
%{apparmor_bin_prefix}/rc.apparmor.functions
|
||||
@ -590,6 +585,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
%dir %{_sysconfdir}/apparmor.d/
|
||||
%dir %{_sysconfdir}/apparmor.d/abi
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/4.0
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla
|
||||
%dir %{_sysconfdir}/apparmor.d/abstractions
|
||||
@ -599,23 +595,117 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
%dir %{_sysconfdir}/apparmor.d/tunables
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
|
||||
|
||||
%files profiles
|
||||
%files profiles -f oldlocal.files
|
||||
%defattr(644,root,root,755)
|
||||
%dir %{_sysconfdir}/apparmor.d/apache2.d
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
|
||||
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/1password
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/Discord
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/MongoDB_Compass
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/QtWebEngineProcess
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/brave
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/buildah
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/busybox
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/cam
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/ch-checkns
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/ch-run
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/chrome
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/code
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/crun
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/devhelp
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/element-desktop
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/epiphany
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/evolution
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/firefox
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/flatpak
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/foliate
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/geary
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/github-desktop
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/goldendict
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/ipa_verify
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/kchmviewer
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/keybase
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lc-compliance
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/libcamerify
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/linux-sandbox
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/loupe
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-attach
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-create
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-destroy
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-execute
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-stop
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-unshare
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/lxc-usernsexec
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/mmdebstrap
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/msedge
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/nautilus
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/notepadqq
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/obsidian
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/opam
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/opera
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/pageedit
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/plasmashell
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/podman
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/polypane
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/privacybrowser
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/qcam
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/qmapshack
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/qutebrowser
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/rootlesskit
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/rpm
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/rssguard
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/runc
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-abort
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-adduser
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-apt
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-checkpackages
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-clean
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-createchroot
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-destroychroot
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-distupgrade
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-hold
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-shell
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-unhold
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-update
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbuild-upgrade
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/scide
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/signal-desktop
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/slack
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/slirp4netns
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/steam
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/stress-ng
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/surfshark
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/systemd-coredump
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/thunderbird
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/toybox
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/transmission
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/trinity
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/tup
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/tuxedo-control-center
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/unix-chkpwd
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/unprivileged_userns
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/userbindmount
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/uwsgi-core
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/vdens
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/virtiofsd
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/vivaldi-bin
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/vpnns
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/wpcom
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
|
||||
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/local/README
|
||||
%dir /usr/share/apparmor/
|
||||
%if %{with precompiled_cache}
|
||||
/usr/share/apparmor/cache/
|
||||
@ -697,7 +787,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
|
||||
%files -n python3-apparmor
|
||||
%defattr(-,root,root)
|
||||
%{python3_sitearch}/LibAppArmor-%{version}-py*.egg-info
|
||||
%{python3_sitearch}/LibAppArmor-%{pyeggversion}-py*.egg-info
|
||||
%dir %{python3_sitearch}/LibAppArmor
|
||||
%dir %{python3_sitearch}/LibAppArmor/__pycache__
|
||||
%{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so
|
||||
@ -706,7 +796,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
%{python3_sitearch}/LibAppArmor/__init__.py
|
||||
%{python3_sitearch}/LibAppArmor/LibAppArmor.py
|
||||
%{python3_sitelib}/apparmor/
|
||||
%{python3_sitelib}/apparmor-%{version}-py*.egg-info
|
||||
%{python3_sitelib}/apparmor-%{pyeggversion}-py*.egg-info
|
||||
%endif
|
||||
|
||||
%if %{with ruby}
|
||||
@ -758,24 +848,38 @@ rm -f /var/cache/apparmor/* 2>/dev/null
|
||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||
|
||||
%post profiles
|
||||
# delete old cache (location up to 2.12)
|
||||
rm -f /var/lib/apparmor/cache/* 2>/dev/null
|
||||
|
||||
# cleanup old, unchanged local/* files
|
||||
for oldlocal in \
|
||||
bin.ping lsb_release nvidia_modprobe php-fpm samba-bgqd samba-dcerpcd samba-rpcd samba-rpcd-classic samba-rpcd-spoolss sbin.klogd sbin.syslogd sbin.syslog-ng \
|
||||
usr.bin.lessopen.sh usr.lib.dovecot.anvil usr.lib.dovecot.auth usr.lib.dovecot.config usr.lib.dovecot.deliver usr.lib.dovecot.dict usr.lib.dovecot.director \
|
||||
usr.lib.dovecot.doveadm-server usr.lib.dovecot.dovecot-auth usr.lib.dovecot.dovecot-lda usr.lib.dovecot.imap usr.lib.dovecot.imap-login usr.lib.dovecot.lmtp \
|
||||
usr.lib.dovecot.log usr.lib.dovecot.managesieve usr.lib.dovecot.managesieve-login usr.lib.dovecot.pop3 usr.lib.dovecot.pop3-login usr.lib.dovecot.replicator \
|
||||
usr.lib.dovecot.script-login usr.lib.dovecot.ssl-params usr.lib.dovecot.stats usr.sbin.apache2 usr.sbin.avahi-daemon usr.sbin.dnsmasq usr.sbin.dovecot \
|
||||
usr.sbin.identd usr.sbin.mdnsd usr.sbin.nmbd usr.sbin.nscd usr.sbin.ntpd usr.sbin.smbd usr.sbin.smbd-shares usr.sbin.smbldap-useradd usr.sbin.traceroute \
|
||||
usr.sbin.winbindd zgrep
|
||||
do
|
||||
if [ -f "/etc/apparmor.d/local/$oldlocal" ] && [ "$(cat /etc/apparmor.d/local/$oldlocal)" == "# Site-specific additions and overrides for '$oldlocal'" ] ; then
|
||||
rm "/etc/apparmor.d/local/$oldlocal" || :
|
||||
fi
|
||||
done
|
||||
|
||||
%posttrans profiles
|
||||
# workaround for bnc#904620#c8 / lp#1392042
|
||||
# old cache location up to 2.12
|
||||
rm -f /var/lib/apparmor/cache/* 2>/dev/null
|
||||
# cache location starting with 2.13
|
||||
rm -f /var/cache/apparmor/* 2>/dev/null
|
||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||
|
||||
%if %{with tomcat}
|
||||
|
||||
%post -n tomcat_apparmor -p /sbin/ldconfig
|
||||
|
||||
%postun -n tomcat_apparmor -p /sbin/ldconfig
|
||||
%endif
|
||||
|
||||
%if %{with pam}
|
||||
|
||||
%post -n pam_apparmor
|
||||
if [ $1 -eq 1 ]; then
|
||||
pam-config --add --apparmor || :
|
||||
|
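Review bot: The `%post profiles` cleanup loop near the end of apparmor.spec compares file content with `==` inside `[ … ]` and leaves the path unquoted inside the command substitution. `==` is a bash extension to `test`, so this root-run scriptlet depends on /bin/sh being bash; under a POSIX-only sh the test errors out and no stale file is ever removed. I would write the condition as `if [ -f "/etc/apparmor.d/local/$oldlocal" ] && [ "$(cat "/etc/apparmor.d/local/$oldlocal")" = "# Site-specific additions and overrides for '$oldlocal'" ] ; then`. The same hard-coded file list is also used in `%build` to generate oldlocal.files, and both copies must stay identical for the ghost entries and the cleanup to agree, so a single `%define` holding the list, or a comment on each copy such as `# keep this list in sync with the one in the "post profiles" scriptlet`, would prevent drift. The page does not mark added and removed lines in this section, so I am assuming both loops are new in this commit, which the changelog entry about %ghost supports.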
@ -1,57 +0,0 @@
|
||||
Index: apparmor-3.1.7/profiles/apparmor.d/unix-chkpwd
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ apparmor-3.1.7/profiles/apparmor.d/unix-chkpwd
|
||||
@@ -0,0 +1,35 @@
|
||||
+# apparmor.d - Full set of apparmor profiles
|
||||
+# Copyright (C) 2019-2021 Mikhail Morfikov
|
||||
+# SPDX-License-Identifier: GPL-2.0-only
|
||||
+
|
||||
+# The apparmor.d project comes with several variables and abstractions
|
||||
+# that are not part of upstream AppArmor yet. Therefore this profile was
|
||||
+# adopted to use abstractions and variables that are available.
|
||||
+# Copyright (C) Christian Boltz 2024
|
||||
+
|
||||
+abi <abi/3.0>,
|
||||
+
|
||||
+include <tunables/global>
|
||||
+
|
||||
+profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
|
||||
+ include <abstractions/base>
|
||||
+ include <abstractions/nameservice>
|
||||
+
|
||||
+ # To write records to the kernel auditing log.
|
||||
+ capability audit_write,
|
||||
+
|
||||
+ network netlink raw,
|
||||
+
|
||||
+ /{,usr/}{,s}bin/unix_chkpwd mr,
|
||||
+
|
||||
+ /etc/shadow r,
|
||||
+
|
||||
+ # systemd userdb, used in nspawn
|
||||
+ /run/host/userdb/*.user r,
|
||||
+ /run/host/userdb/*.user-privileged r,
|
||||
+
|
||||
+ # file_inherit
|
||||
+ owner /dev/tty[0-9]* rw,
|
||||
+
|
||||
+ include if exists <local/unix-chkpwd>
|
||||
+}
|
||||
Index: apparmor-3.1.7/profiles/apparmor.d/usr.lib.dovecot.auth
|
||||
===================================================================
|
||||
--- apparmor-3.1.7.orig/profiles/apparmor.d/usr.lib.dovecot.auth
|
||||
+++ apparmor-3.1.7/profiles/apparmor.d/usr.lib.dovecot.auth
|
||||
@@ -52,8 +52,12 @@ profile dovecot-auth /usr/lib*/dovecot/a
|
||||
@{run}/dovecot/stats-user rw,
|
||||
@{run}/dovecot/anvil-auth-penalty rw,
|
||||
|
||||
+ owner /proc/@{pid}/loginuid r,
|
||||
+
|
||||
/var/spool/postfix/private/auth rw,
|
||||
|
||||
+ /usr/sbin/unix_chkpwd Px,
|
||||
+
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
include if exists <local/usr.lib.dovecot.auth>
|
||||
}
|
@ -17,18 +17,26 @@
|
||||
#
|
||||
|
||||
|
||||
%define tarversion v4.0.1
|
||||
|
||||
Name: libapparmor
|
||||
Version: 3.1.7
|
||||
Version: 4.0.1
|
||||
Release: 0
|
||||
Summary: Utility library for AppArmor
|
||||
License: LGPL-2.1-or-later
|
||||
Group: Development/Libraries/C and C++
|
||||
URL: https://launchpad.net/apparmor
|
||||
Source0: https://launchpad.net/apparmor/3.1/%{version}/+download/apparmor-%{version}.tar.gz
|
||||
Source1: https://launchpad.net/apparmor/3.1/%{version}/+download/apparmor-%{version}.tar.gz.asc
|
||||
URL: https://gitlab.com/apparmor/apparmor/
|
||||
Source0: https://gitlab.com/apparmor/apparmor/-/archive/%{tarversion}/apparmor-%{tarversion}.tar.gz
|
||||
# from https://gitlab.com/apparmor/apparmor/-/wikis/%{version}_Signatures
|
||||
Source1: apparmor-%{tarversion}.tar.gz.asc
|
||||
Source2: apparmor.keyring
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: autoconf-archive
|
||||
BuildRequires: automake
|
||||
BuildRequires: bison
|
||||
BuildRequires: dejagnu
|
||||
BuildRequires: flex
|
||||
BuildRequires: libtool
|
||||
BuildRequires: pkg-config
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
@ -63,11 +71,12 @@ These libraries are needed for developing software that makes use of the
|
||||
AppArmor API.
|
||||
|
||||
%prep
|
||||
%setup -q -n apparmor-%{version}
|
||||
%setup -q -n apparmor-%{tarversion}
|
||||
|
||||
%build
|
||||
(
|
||||
cd ./libraries/libapparmor
|
||||
sh ./autogen.sh &&
|
||||
%configure \
|
||||
--without-perl \
|
||||
--without-python \
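Review bot: Source1 changes from a fetchable URL to a local `.asc` copied from the wiki, and nothing in these two hunks shows it being checked against Source2 (`apparmor.keyring`); `%prep` goes straight to `%setup -q -n apparmor-%{tarversion}`. If the check is left to source validation outside the build, I would say so next to the tag, e.g. `# Source1 is verified against Source2 outside %%prep (TODO confirm where)`, so the keyring is not mistaken for an enforced build-time check. The provenance comment also contains an unescaped macro, which rpm expands even inside comments; `# from https://gitlab.com/apparmor/apparmor/-/wikis/%%{version}_Signatures` keeps it literal. The rest of `%build` continues past the second hunk.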
|
||||
|
@ -1,20 +0,0 @@
|
||||
Index: libraries/libapparmor/swig/ruby/extconf.rb
|
||||
===================================================================
|
||||
--- a/libraries/libapparmor/swig/ruby/extconf.rb.orig 2022-02-10 17:54:05.008544807 +0100
|
||||
+++ b/libraries/libapparmor/swig/ruby/extconf.rb 2022-02-10 17:54:21.792506325 +0100
|
||||
@@ -20,7 +20,14 @@ if find_library('apparmor', 'parse_recor
|
||||
# hack 2: strip all rpath references
|
||||
open('Makefile.ruby', 'w') do |out|
|
||||
IO.foreach('Makefile') do |line|
|
||||
- out.puts line.gsub(/-Wl,-R'[^']*'/, '')
|
||||
+ l = line.gsub(/-Wl,-R'[^']*'/, '')
|
||||
+ # oldincludedir = $(DESTDIR)/usr/include
|
||||
+ # -> oldincludedir = /usr/include
|
||||
+ l = l.gsub(/(oldincludedir)\s+=\s+\$\(DESTDIR\)(.*)/) { |m| "#{$1} = #{$2}" }
|
||||
+ # hdrdir = $(includedir)/$(RUBY_VERSION_NAME)
|
||||
+ # -> hdrdir = $(oldincludedir)/$(RUBY_VERSION_NAME)
|
||||
+ l = l.gsub(/(hdrdir)\s+=\s+\$\(includedir\)(.*)/) { |m| "#{$1} = $(oldincludedir)#{$2}" }
|
||||
+ out.puts l
|
||||
end
|
||||
end
|
||||
else
|
@ -1,31 +0,0 @@
|
||||
Index: apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
|
||||
===================================================================
|
||||
--- apparmor-3.1.7.orig/profiles/apparmor.d/usr.sbin.smbd
|
||||
+++ apparmor-3.1.7/profiles/apparmor.d/usr.sbin.smbd
|
||||
@@ -33,6 +33,9 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
/etc/samba/* rwk,
|
||||
@{PROC}/@{pid}/mounts r,
|
||||
@{PROC}/sys/kernel/core_pattern r,
|
||||
+ /usr/etc/environment r,
|
||||
+ /usr/etc/security/limits.d/ r,
|
||||
+ /usr/etc/security/limits.d/*.conf r,
|
||||
/usr/lib*/samba/vfs/*.so mr,
|
||||
/usr/lib*/samba/auth/*.so mr,
|
||||
/usr/lib*/samba/charset/*.so mr,
|
||||
@@ -47,6 +50,7 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
/usr/share/samba/** r,
|
||||
/usr/{bin,sbin}/smbd mr,
|
||||
/usr/{bin,sbin}/smbldap-useradd Px,
|
||||
+ /usr/sbin/unix_chkpwd Px,
|
||||
/var/cache/samba/** rwk,
|
||||
/var/{cache,lib}/samba/printing/printers.tdb mrw,
|
||||
/var/lib/nscd/netgroup r,
|
||||
@@ -59,6 +63,8 @@ profile smbd /usr/{bin,sbin}/smbd {
|
||||
@{run}/samba/ncalrpc/** rw,
|
||||
/var/spool/samba/** rw,
|
||||
|
||||
+ owner /proc/@{pid}/loginuid r,
|
||||
+
|
||||
@{HOMEDIRS}/** lrwk,
|
||||
/var/lib/samba/usershares/{,**} lrwk,
|
||||
|
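--- a/test-aa-notify.diff
+++ b/test-aa-notify.diff
@@ -0,0 +1,30 @@
+https://gitlab.com/apparmor/apparmor/-/merge_requests/1226
+
+From 715cb711ba26d3ccff490f35f80721cf3678abb6 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Sun, 5 May 2024 22:05:43 +0200
+Subject: [PATCH] Don't rely on argparse saying "options:"
+
+Some argparse versions (for example on openSUSE Leap 15.5) instead say
+"optional arguments:"
+
+Don't rely on the "options:" line to allow both wordings.
+---
+utils/test/test-aa-notify.py | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py
+index 4f3e540e9..abffd0631 100644
+--- a/utils/test/test-aa-notify.py
++++ b/utils/test/test-aa-notify.py
+@@ -194,7 +194,6 @@ Display AppArmor notifications or messages for DENIED entries.
+
+expected_output_2 = \
+'''
+-options:
+-h, --help show this help message and exit
+-p, --poll poll AppArmor logs and display notifications
+--display DISPLAY set the DISPLAY environment variable (might be needed if
+--
+GitLab
+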
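--- a/tools-fix-redefinition.diff
+++ b/tools-fix-redefinition.diff
@@ -0,0 +1,39 @@
+From 553acd22324ed013d9f468aa8585518cf68b34f7 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Sun, 21 Apr 2024 17:32:24 +0200
+Subject: [PATCH] Fix redefinition of _
+
+... which unsurprisingly broke using the translations.
+
+This was a regression introduced in 4f51c93f9dc2516a32bfccc79b4dcf4985e61f47
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/387
+---
+utils/apparmor/tools.py | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py
+index e8a99bbe6..f7d4a0d36 100644
+--- a/utils/apparmor/tools.py
++++ b/utils/apparmor/tools.py
+@@ -90,7 +90,7 @@ class aa_tools:
+def get_next_for_modechange(self):
+"""common code for mode/flags changes"""
+
+- for (program, _, prof_filename) in self.get_next_to_profile():
++ for (program, ignored, prof_filename) in self.get_next_to_profile():
+output_name = prof_filename if program is None else program
+
+if not os.path.isfile(prof_filename) or is_skippable_file(prof_filename):
+@@ -162,7 +162,7 @@ class aa_tools:
+def cmd_autodep(self):
+apparmor.loadincludes()
+
+- for (program, _, prof_filename) in self.get_next_to_profile():
++ for (program, ignored, prof_filename) in self.get_next_to_profile():
+if not program:
+aaui.UI_Info(_('Please pass an application to generate a profile for, not a profile itself - skipping %s.') % prof_filename)
+continue
+--
+GitLab
+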
@ -1,71 +0,0 @@
|
||||
|
||||
CFILES="
|
||||
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
|
||||
deprecated/management/applets/apparmorapplet-gnome/src/preferences_dialog.c
|
||||
deprecated/management/applets/apparmorapplet-gnome/src/reject_list.c
|
||||
parser/parser_alias.c
|
||||
parser/parser_include.c
|
||||
parser/parser_interface.c
|
||||
parser/parser_lex.l
|
||||
parser/parser_main.c
|
||||
parser/parser_merge.c
|
||||
parser/parser_misc.c
|
||||
parser/parser_policy.c
|
||||
parser/parser_regex.c
|
||||
parser/parser_symtab.c
|
||||
parser/parser_variable.c
|
||||
parser/parser_yacc.y
|
||||
"
|
||||
|
||||
CPPFILES="
|
||||
deprecated/management/profile-editor/src/AboutDialog.cpp
|
||||
deprecated/management/profile-editor/src/AboutDialog.h
|
||||
deprecated/management/profile-editor/src/Configuration.cpp
|
||||
deprecated/management/profile-editor/src/Preferences.cpp
|
||||
deprecated/management/profile-editor/src/Preferences.h
|
||||
deprecated/management/profile-editor/src/profileeditor.cpp
|
||||
deprecated/management/profile-editor/src/SearchAllProfiles.cpp
|
||||
deprecated/management/profile-editor/src/SearchAllProfiles.h
|
||||
parser/libapparmor_re/regexp.yy
|
||||
"
|
||||
|
||||
PERLFILES="
|
||||
utils/aa-repo.pl
|
||||
utils/audit
|
||||
utils/autodep
|
||||
utils/complain
|
||||
utils/enforce
|
||||
utils/genprof
|
||||
utils/logprof
|
||||
utils/Reports.pm
|
||||
utils/SubDomain.pm
|
||||
utils/unconfined
|
||||
"
|
||||
|
||||
ARGS="--keyword=_ --keyword=N_ -n --force-po"
|
||||
|
||||
xgettext $ARGS --output=apparmor-C.pot -L C $CFILES
|
||||
xgettext $ARGS --output=apparmor-CPP.pot -L C++ $CPPFILES
|
||||
xgettext $ARGS --output=apparmor-PERL.pot -L Perl $PERLFILES
|
||||
msgcat apparmor-*.pot > apparmor.pot
|
||||
|
||||
sed \
|
||||
-e 's/Project-Id-Version: PACKAGE VERSION/Project-Id-Version: apparmor/g' \
|
||||
-e 's/PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE/PO-Revision-Date: 2009-02-05 13:38/' \
|
||||
-e 's/Report-Msgid-Bugs-To: /Report-Msgid-Bugs-To: apparmor-general@forge.novell.com/' \
|
||||
-e 's/Last-Translator: FULL NAME <EMAIL@ADDRESS>/Last-Translator: Novell Language <language@novell.com>/' \
|
||||
-e 's/Language-Team: LANGUAGE <LL@li.org>/Language-Team: Novell Language <language@novell.com>/' \
|
||||
-e 's/Content-Type: text\/plain; charset=CHARSET/Content-Type: text\/plain; charset=UTF-8/' \
|
||||
< apparmor.pot > apparmor.pot.new
|
||||
mv apparmor.pot.new apparmor.pot
|
||||
|
||||
for file in $(find . -name '*.po'); do
|
||||
f=$(basename $file)
|
||||
msgmerge -U apparmor.pot $file
|
||||
if [ -e "po/$f" ]; then
|
||||
msgcat $file po/$f > $f
|
||||
mv $f po/$f
|
||||
else
|
||||
cp $file po/$f
|
||||
fi
|
||||
done
|