Accepting request 595790 from security:apparmor

- add dovecot-stats.diff: - add dovecot/stats profile and allow dovecot to run it (boo#1088161) - allow dovecot/auth to write /run/dovecot/old-stats-user (part of boo#1087753) - update 32-bit-no-uid.diff with upstream fix (forwarded request 595789 from cboltz) OBS-URL: https://build.opensuse.org/request/show/595790 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=113
2018-04-17 09:08:40 +00:00 · 2018-04-17 09:08:40 +00:00 · 8f49295555
commit 8f49295555
parent bd040c33d1 01604b0fc7
4 changed files with 104 additions and 3 deletions
--- a/32-bit-no-uid.diff
+++ b/32-bit-no-uid.diff
@ -2,12 +2,20 @@ diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
 index 0e74c3f5..5738bb10 100644
 --- a/utils/apparmor/logparser.py
 +++ b/utils/apparmor/logparser.py
+@@ -12,6 +12,7 @@
+ #    GNU General Public License for more details.
+ #
+ # ----------------------------------------------------------------------
+import ctypes
+ import os
+ import re
+ import sys
@@ -118,7 +118,7 @@ class ReadLog:
         ev['protocol'] = event.net_protocol
         ev['sock_type'] = event.net_sock_type
 
 -        if event.ouid != 18446744073709551615:  # 2^64 - 1
-+        if event.ouid != 18446744073709551615 and event.ouid != 4294967295:  # 2^64 - 1 and 2^32 - 1
+        if event.ouid != ctypes.c_ulong(-1).value:  # ULONG_MAX
             ev['fsuid'] = event.fsuid
             ev['ouid'] = event.ouid
 
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de
+
+- add dovecot-stats.diff:
+  - add dovecot/stats profile and allow dovecot to run it (boo#1088161)
+  - allow dovecot/auth to write /run/dovecot/old-stats-user (part of boo#1087753)
+- update 32-bit-no-uid.diff with upstream fix
+
 -------------------------------------------------------------------
 Fri Mar  2 12:29:06 UTC 2018 - rgoldwyn@suse.com

--- a/apparmor.spec
+++ b/apparmor.spec
@ -64,15 +64,18 @@ Patch5:         ruby-2_0-mkmf-destdir.patch
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7:         apparmor-lessopen-profile.patch

-# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (submitted upstream 2017-12-26)
+# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (fixed upstream 2018-03-07)
 Patch8:         32-bit-no-uid.diff

 # make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
 Patch9:         parser-write-cache-warn-only.diff

-# Disable write cache if filesystem is read-only, don't abort
+# Disable write cache if filesystem is read-only, don't abort (merged upstream 2018-01-16 to 2.10..trunk)
 Patch10:        disable-cache-on-ro-fs.diff

+# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
+Patch11:        dovecot-stats.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -363,6 +366,7 @@ SubDomain.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p0
+%patch11 -p1

 %build
 export SUSE_ASNEEDED=0
@ -429,6 +433,7 @@ make check -C parser
 make check -C binutils

 # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
+# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to switch to make -C
 # also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
 (cd profiles && make check-parser)

@ -509,6 +514,7 @@ test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
 install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
 test ! -f %{buildroot}%{_sbindir}/aa-teardown
 install -m0755 %{S:10} %{buildroot}%{_sbindir}
+# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the next 3 lines
 rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
 rm %{buildroot}/sbin/rcsubdomain
 ln -sf service %{buildroot}/sbin/rcapparmor
--- a/dovecot-stats.diff
+++ b/dovecot-stats.diff
@ -0,0 +1,79 @@
+commit d7cb151eb0da3ce6ac152b37ca84435266d34c88
+Author: Christian Boltz <apparmor@cboltz.de>
+Date:   Wed Apr 11 22:17:29 2018 +0200
+
+    allow dovecot/auth to write /run/dovecot/old-stats-user
+    
+    References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
+                (3rd bullet point)
+
+commit 3521edc41c3f01ebdd7681b107b5c5daa40fe896
+Author: Christian Boltz <apparmor@cboltz.de>
+Date:   Wed Apr 11 21:34:51 2018 +0200
+
+    add dovecot/stats profile, and allow dovecot to run it
+    
+    References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
+diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
+index fcb54364..b44441e2 100644
+--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
+@@ -1,6 +1,6 @@
+ # ------------------------------------------------------------------
+ #
+-#    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2013-2018 Christian Boltz
+ #    Copyright (C) 2014 Christian Wittmer
+ #
+ #    This program is free software; you can redistribute it and/or
+@@ -43,6 +43,7 @@
+   /run/dovecot/auth-worker rw,
+   /run/dovecot/login/login rw,
+   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+  /{var/,}run/dovecot/old-stats-user w,
+   /{var/,}run/dovecot/stats-user rw,
+   /{var/,}run/dovecot/anvil-auth-penalty rw,
+ 
+diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats b/profiles/apparmor.d/usr.lib.dovecot.stats
+new file mode 100644
+index 00000000..151e4ed6
+--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.stats
+@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2018 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/stats {
+  #include <abstractions/base>
+  #include <abstractions/dovecot-common>
+
+  capability setuid,
+  capability sys_chroot,
+
+  /usr/lib/dovecot/stats mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.stats>
+}
+diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
+index c0b180b4..e3a85fa0 100644
+--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
+@@ -54,6 +54,7 @@
+   /usr/lib/dovecot/pop3-login Pxmr,
+   /usr/lib/dovecot/ssl-build-param rix,
+   /usr/lib/dovecot/ssl-params mrPx,
+  /usr/lib/dovecot/stats Px,
+   /usr/sbin/dovecot mrix,
+   /usr/share/dovecot/protocols.d/   r,
+   /usr/share/dovecot/protocols.d/** r,