Accepting request 660711 from security:apparmor

Note: please accept before SR 660554 - or put this SR into Staging:F and accept them together. - netconfig: write resolv.conf to /run with link to /etc (fate#325872, boo#1097370) [patch apparmor-nameservice-resolv-conf-link.patch] - update to AppArmor 2.13.2 - add profile names to most profiles - update dnsmasq profile (pid file and logfile path) (boo#1111342) - add vulkan abstraction - add letsencrypt certificate path to abstractions/ssl_* - ignore *.orig and *.rej files when loading profiles - fix aa-complain etc. to handle named profiles - several bugfixes and small profile improvements - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.2 for the detailed upstream changelog - remove upstreamed fix-syntax-error-in-rc.apparmor.functions.patch - update to 2.13.1 - add qt5 and qt5-compose-cache-write abstractions - add @{uid} and @{uids} kernel var placeholders - several profile and abstraction updates - ignore "abi" rules in parser and tools (instead of erroring out) - utils: fix overwriting of child profile flags if they differ from the main profile - several bugfixes (including boo#1100779) - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.1 for the detailed upstream changelog - remove upstream(ed) patches: - aa-teardown-path.diff - fix-apparmor-systemd-perms.diff - logprof-skip-cache-d.diff - fix-samba-profiles.patch - make-pyflakes-happy.diff - dnsmasq-Add-permission-to-open-log-files.patch - refresh apparmor-samba-include-permissions-for-shares.diff - add fix-syntax-error-in-rc.apparmor.functions.patch - update to AppArmor 2.13.2 - no changes in libapparmor - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.2 for the detailed upstream changelog - update to AppArmor 2.13.1 - several bug fixes - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.1 for the detailed upstream changelog OBS-URL: https://build.opensuse.org/request/show/660711 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=120
2018-12-28 11:31:20 +00:00 · 2018-12-28 11:31:20 +00:00 · 977a9e1434
commit 977a9e1434
parent e366113b1d 018cfefbdb
16 changed files with 98 additions and 165 deletions
--- a/aa-teardown-path.diff
+++ b/aa-teardown-path.diff
@ -1,15 +0,0 @@
-Index: parser/Makefile
-===================================================================
--- parser/Makefile.orig	2018-04-15 15:48:53.000000000 +0200
-+++ parser/Makefile	2018-04-15 23:21:13.677508654 +0200
-@@ -384,8 +384,8 @@ install-systemd:
- 	install -m 755 -d $(SYSTEMD_UNIT_DIR)
- 	install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
- 	install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
-	install -m 755 -d $(DESTDIR)/sbin
-	install -m 755 aa-teardown $(DESTDIR)/sbin
-+	install -m 755 -d $(DESTDIR)/usr/sbin
-+	install -m 755 aa-teardown $(DESTDIR)/usr/sbin
- 
- ifndef VERBOSE
- .SILENT: clean
--- a/apparmor-2.13.2.tar.gz
+++ b/apparmor-2.13.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30
+size 7369240
--- a/apparmor-2.13.2.tar.gz.asc
+++ b/apparmor-2.13.2.tar.gz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAlwczB8aHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLtQ7BAAkhe2XlK/VUYTLHDYp9Ku
+v7F8fNsUAl+fAnUBr8zyqHqUDhcJuknE097DO1SIqkqYwn3wm4SC9otEwodHLXpQ
+ruDPLd1id1+440toHDDD0vEJD3AOPTyxrH5Py3OwulZ5AmVdzGiiqy2u57dHucqQ
+wg6ZJqXC+HeiaGWvEeh0vWAVrg/NyLNCHV6nAvYW1QoS/86MkbPJygA2srVWME3n
+EFiTJdHuRUVqAus2a48tGnLmg0jokF8iUK27HBJVYb38md9Ve3483BfUc0eaWDqb
+2x48PK1U3qEw/p7kwhmXKCsMwpFN2+2kjxTYm0htwYwAempKfqDAqdQa3J1C6XLL
+g0x4QtXdIwjdr3/gKyYH5ZoAxSYEfRqA4jRg7jh4mNCsNvdIfhbtexJwiSBQbugw
+5WygriBvHcxeYlWzLVwKfYqsuvZH+MaL+6XKraIzSz1WhooRGXqYCsAksXFNVVeP
+fAGSsZyC3XRKnj2EGe7vAnpc28vZa+Yg2MUiaAeqldP8/mIjw/v/flABP2BhCB6
+yAa7UrXvheG3cu/RzMGfMVs5fdhMaK49/YR4FL7i/CpLOCLTDeP+wIzQWeObY0CU
+IwhVwz90PZklvEWsUchApzjKLAuEv2avY81Ij47BkPfjcKf3Q2VPTP34uTnw0axT
+RIP58VSpAJmOYwgdcxzph2s=
+=uFF9
+-----END PGP SIGNATURE-----
--- a/apparmor-2.13.tar.gz
+++ b/apparmor-2.13.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:49f0b65a60c1eb5b7b4316023811bf1785875567e0e0c4c8a26cb1f1c3ac5858
-size 7352564
--- a/apparmor-2.13.tar.gz.asc
+++ b/apparmor-2.13.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQI3BAABCgAhBQJa01juGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
-5k49NmS7w7sP/jWzBwvWn4NySOdncM+/h83AIb0Kx2mBPFCqLrZ3low73riA/LtJ
-mq7JN/qiBYM/lB/6fiEJZV5eUTvN9IFOtJkJVbEYOhIe5IjBkkOoxDfmnpnrkTvK
-GYkoIjSpsJDepvzqpBeQ44exH7XGkhpZRULlgJZkpJXvYE0nb9JDQgOuPWP56Q0F
-t773uEIYME/7sveQtHYbUVrB2ncnMO4ppcFhNo2VEz7q1xl+s0D9b5qAvRNMjA/9
-vgx8ZXSGbhsIUhMf5RgZd3j2hVs2LI+Qg6jM+ULzB+C9PtXefSe802gREoSkKxvQ
-f88sPuOL1DX2aiIu5GFUQqziP9u+Xp/2YkQs0WSJEGUbs2+HfKDJHVF/610B4i6L
-jpBIja9cYRacINU4beTNvZulyAAZHQ0CsRf1eyRzUrwNIi76eLlmhkBve40mtVq0
-6CKWkKllTmEk94D3CEFPzzDV7rpA9hcif71WGwNbMBj4HOlLK/pNAedAccdWwNbo
-4EExDyMQrOeHQsUmppaiH/ulwMKd6HGQOMiLm1kPesBqpW+bbI1PMP0O/Kpb/tVQ
-Kesr9tTYiTrSXeQUoWeaCZ5xV2yq6xr9RWLSLkLj3B2F9WF9RcR8jj1K7796ervi
-Ybm7VwdnmSi/fRV+8lUUjy1NPksTZ4iem26GJ0YsQqxCz3phH9wAvW1c
-=oH+3
-----END PGP SIGNATURE-----
--- a/apparmor-nameservice-resolv-conf-link.patch
+++ b/apparmor-nameservice-resolv-conf-link.patch
@ -0,0 +1,11 @@
+--- apparmor-2.13/profiles/apparmor.d/abstractions/nameservice
+++ apparmor-2.13/profiles/apparmor.d/abstractions/nameservice
+@@ -39,7 +39,7 @@
+   /etc/resolv.conf        r,
+   # On systems where /etc/resolv.conf is managed programmatically, it is
+   # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
+-  /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
+  /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
+   /etc/resolvconf/run/resolv.conf r,
+   /{,var/}run/systemd/resolve/stub-resolv.conf r,
+ 
--- a/apparmor-samba-include-permissions-for-shares.diff
+++ b/apparmor-samba-include-permissions-for-shares.diff
@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
-@@ -53,6 +53,10 @@
+@@ -55,6 +55,10 @@
 
   @{HOMEDIRS}/** lrwk,
 
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Fri Dec 21 13:41:32 UTC 2018 - mt@suse.de
+
+- netconfig: write resolv.conf to /run with link to /etc (fate#325872,
+  boo#1097370) [patch apparmor-nameservice-resolv-conf-link.patch]
+
+-------------------------------------------------------------------
+Fri Dec 21 12:59:00 UTC 2018 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.2
+  - add profile names to most profiles
+  - update dnsmasq profile (pid file and logfile path) (boo#1111342)
+  - add vulkan abstraction
+  - add letsencrypt certificate path to abstractions/ssl_*
+  - ignore *.orig and *.rej files when loading profiles
+  - fix aa-complain etc. to handle named profiles
+  - several bugfixes and small profile improvements
+  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.2
+    for the detailed upstream changelog
+- remove upstreamed fix-syntax-error-in-rc.apparmor.functions.patch
+
+-------------------------------------------------------------------
+Sun Oct 14 11:02:58 UTC 2018 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to 2.13.1
+  - add qt5 and qt5-compose-cache-write abstractions
+  - add @{uid} and @{uids} kernel var placeholders
+  - several profile and abstraction updates
+  - ignore "abi" rules in parser and tools (instead of erroring out)
+  - utils: fix overwriting of child profile flags if they differ from
+    the main profile
+  - several bugfixes (including boo#1100779)
+  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.1
+    for the detailed upstream changelog
+- remove upstream(ed) patches:
+  - aa-teardown-path.diff
+  - fix-apparmor-systemd-perms.diff
+  - logprof-skip-cache-d.diff
+  - fix-samba-profiles.patch
+  - make-pyflakes-happy.diff
+  - dnsmasq-Add-permission-to-open-log-files.patch
+- refresh apparmor-samba-include-permissions-for-shares.diff
+- add fix-syntax-error-in-rc.apparmor.functions.patch
+
 -------------------------------------------------------------------
 Wed Oct 10 18:01:16 UTC 2018 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -35,7 +35,7 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)

 Name:           apparmor
-Version:        2.13
+Version:        2.13.2
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@ -62,23 +62,8 @@ Patch5:         ruby-2_0-mkmf-destdir.patch
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7:         apparmor-lessopen-profile.patch

-# install aa-teardown to /usr/sbin, not /sbin (merged upstream 2018-04-15 https://gitlab.com/apparmor/apparmor/merge_requests/97)
-Patch8:         aa-teardown-path.diff
-
-# fix permissions of apparmor.systemd (boo#1090545, merged upstream 2018-04-27 https://gitlab.com/apparmor/apparmor/merge_requests/106)
-Patch9:         fix-apparmor-systemd-perms.diff
-
-# exclude the /etc/apparmor.d/cache.d directory from aa-logprof parsing (merged upstream 2018-04-30 https://gitlab.com/apparmor/apparmor/merge_requests/110/diffs)
-Patch10:        logprof-skip-cache-d.diff
-
-# bug 1092099 - Allow smbd to load new shared libraries. Allow Winbindd to read and write new kerberos cache location (accepted upstream 2018-05-09 https://gitlab.com/apparmor/apparmor/merge_requests/121 - slightly different patch)
-Patch11:        fix-samba-profiles.patch
-
-# SR 629206 - make pyflakes 2.0 happy (unused variable) (accepted upstream 2018-08-22)
-Patch12:        make-pyflakes-happy.diff
-
-# boo#1111342 Backport fix for dnsmasq into Tumbleweed (add permission to open log files) (from upstream 2018-10-08)
-Patch13:        dnsmasq-Add-permission-to-open-log-files.patch
+# fate#325872 netconfig: write resolv.conf to /run with link to /etc - submitted upstream 2018-12-22 https://gitlab.com/apparmor/apparmor/merge_requests/294
+Patch8:         apparmor-nameservice-resolv-conf-link.patch

 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -367,12 +352,7 @@ SubDomain.
 %patch2
 %patch5 -p1
 %patch7
-%patch8
-%patch9 -p1
-%patch10
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
+%patch8 -p1

 %build
 export SUSE_ASNEEDED=0
@ -602,6 +582,7 @@ fi
 %config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
 %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
+%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
 /usr/share/apparmor/cache/
--- a/dnsmasq-Add-permission-to-open-log-files.patch
+++ b/dnsmasq-Add-permission-to-open-log-files.patch
@ -1,28 +0,0 @@
-From 025c7dc6a131da24c31e41ad32753015a0ec0f76 Mon Sep 17 00:00:00 2001
-From: Petr Vorel <pvorel@suse.cz>
-Date: Mon, 8 Oct 2018 16:44:01 +0200
-Subject: [PATCH] dnsmasq: Add permission to open log files
-
--log-facility option needs to have permission to open files.
-Use '*' to allow using more files (for using more dnsmasq instances).
-
-Signed-off-by: Petr Vorel <pvorel@suse.cz>
-Signed-off-by: Jamie Strandboge <jamie@canonical.com>
-Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
---
- profiles/apparmor.d/usr.sbin.dnsmasq | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 2b4b1bfc..f2e6847d 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -43,6 +43,8 @@
- 
-   /usr/sbin/dnsmasq mr,
- 
-+  /var/log/*dnsmasq.log w,
-+
-   /{,var/}run/*dnsmasq*.pid w,
-   /{,var/}run/dnsmasq-forwarders.conf r,
-   /{,var/}run/dnsmasq/ r,
--- a/fix-apparmor-systemd-perms.diff
+++ b/fix-apparmor-systemd-perms.diff
@ -1,13 +0,0 @@
-diff --git a/parser/Makefile b/parser/Makefile
-index 70fb27fe..04996fb7 100644
--- a/parser/Makefile
-+++ b/parser/Makefile
-@@ -383,7 +383,7 @@ install-indep: indep
- install-systemd:
- 	install -m 755 -d $(SYSTEMD_UNIT_DIR)
- 	install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
-	install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
-+	install -m 755 apparmor.systemd $(APPARMOR_BIN_PREFIX)
- 	install -m 755 -d $(DESTDIR)/usr/sbin
- 	install -m 755 aa-teardown $(DESTDIR)/usr/sbin
- 
--- a/fix-samba-profiles.patch
+++ b/fix-samba-profiles.patch
@ -1,25 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.smbd b/profiles/apparmor.d/usr.sbin.smbd
-index 8f54e9c0..cbd03bad 100644
--- a/profiles/apparmor.d/usr.sbin.smbd
-+++ b/profiles/apparmor.d/usr.sbin.smbd
-@@ -32,6 +32,8 @@
-   /usr/lib*/samba/charset/*.so mr,
-   /usr/lib*/samba/auth/script.so mr,
-   /usr/lib*/samba/pdb/*.so mr,
-+  /usr/lib*/samba/auth/*.so mr,
-+  /usr/lib*/samba/gensec/*.so mr,
-   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
-   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
-   /usr/lib/@{multiarch}/samba/**/ r,
-diff --git a/profiles/apparmor.d/usr.sbin.winbindd b/profiles/apparmor.d/usr.sbin.winbindd
-index f5f8cc08..5a906c0e 100644
--- a/profiles/apparmor.d/usr.sbin.winbindd
-+++ b/profiles/apparmor.d/usr.sbin.winbindd
-@@ -20,6 +20,7 @@
-   @{PROC}/sys/kernel/core_pattern r,
-   /tmp/.winbindd/ w,
-   /tmp/krb5cc_* rwk,
-+  /run/user/*/krb5cc/* rwk,
-   /usr/lib*/samba/gensec/krb*.so mr,
-   /usr/lib*/samba/idmap/*.so mr,
-   /usr/lib*/samba/nss_info/*.so mr,
--- a/libapparmor.changes
+++ b/libapparmor.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Fri Dec 21 12:58:02 UTC 2018 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.2
+  - no changes in libapparmor
+  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.2
+    for the detailed upstream changelog
+
+-------------------------------------------------------------------
+Sun Oct 14 11:32:31 UTC 2018 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.1
+  - several bug fixes
+  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.1
+    for the detailed upstream changelog
+
 -------------------------------------------------------------------
 Sun Apr 15 19:02:35 UTC 2018 - suse-beta@cboltz.de

--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -18,7 +18,7 @@


 Name:           libapparmor
-Version:        2.13
+Version:        2.13.2
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
--- a/logprof-skip-cache-d.diff
+++ b/logprof-skip-cache-d.diff
@ -1,26 +0,0 @@
-diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
-index e28b8495..88bf2172 100644
--- utils/apparmor/aa.py
-+++ utils/apparmor/aa.py
-@@ -2048,7 +2048,7 @@ def is_skippable_file(path):
-     return False
- 
- def is_skippable_dir(path):
-    if re.search('^(.*/)?(disable|cache|force-complain|lxc|\.git)/?$', path):
-+    if re.search('^(.*/)?(disable|cache|cache\.d|force-complain|lxc|\.git)/?$', path):
-         return True
-     return False
- 
-diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
-index 243283a9..b5f8e94f 100644
--- utils/test/test-aa.py
-+++ utils/test/test-aa.py
-@@ -484,6 +484,8 @@ class AaTest_is_skippable_dir(AATest):
-         ('lxc',                         True),
-         ('force-complain',              True),
-         ('/etc/apparmor.d/cache',       True),
-+        ('/etc/apparmor.d/cache.d',     True),
-+        ('/etc/apparmor.d/cache.d/',    True),
-         ('/etc/apparmor.d/lxc/',        True),
-         ('/etc/apparmor.d/.git/',       True),
- 
--- a/make-pyflakes-happy.diff
+++ b/make-pyflakes-happy.diff
@ -1,13 +0,0 @@
-diff --git a/utils/apparmor/sandbox.py b/utils/apparmor/sandbox.py
-index 51048f6f..17e413ea 100644
--- a/utils/apparmor/sandbox.py
-+++ b/utils/apparmor/sandbox.py
-@@ -718,7 +718,7 @@ def run_xsandbox(command, opt):
-     # aa-exec
-     try:
-         rc, report = aa_exec(command, opt, x.new_environ, required_rules)
-    except Exception as e:
-+    except Exception:
-         x.cleanup()
-         raise
-     x.cleanup()