Accepting request 844157 from home:cboltz

- update to AppArmor 3.0.0
  - introduce feature abi declaration in profiles to enable use of
    new rule types (for openSUSE: dbus and unix rules)
  - support xattr attachment conditionals
  - experimental support for kill and unconfined profile modes
  - rewritten aa-status (in C), including support for new profile modes
  - rewritten aa-notify (in python), finally dropping the perl
    requirement at runtime
  - new tool aa-features-abi for extracting feature abis from the kernel
  - update profiles to have profile names and to use 3.0 feature abi
  - introduce @{etc_ro} and @{etc_rw} profile variables
  - new profile for php-fpm
  - several updates to profiles and abstractions (including boo#1166007)
  - fully support 'include if exists' in the aa-* tools
  - rewrite handling of alias, include, link and variable rules in
    the aa-* tools
  - rewrite and simplify log handling in the aa-logprof and aa-genprof
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
    for the detailed upstream changelog
- patches:
  - add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
    release up to 3e18c0785abc03ee42a022a67a27a085516a7921
  - drop upstreamed usr-etc-abstractions-base-nameservice.diff
  - drop 2.13-only libapparmor-so-number.diff
  - refresh apparmor-enable-profile-cache.diff - partially upstreamed
  - update apparmor-samba-include-permissions-for-shares.diff and
    apparmor-lessopen-profile.patch - switch to "include if exists"
  - apparmor-lessopen-profile.patch: add abi rule to lessopen profile
  - refresh apparmor-lessopen-nfs-workaround.diff
- move away very loose apache profile that doesn't even match the
  apache2 binary path in openSUSE to avoid confusion (boo#872984)
- move rewritten aa-status from utils to parser subpackage
- add aa-features-abi to parser subpackage
- replace perl and libnotify-tools requires with requiring
  python3-notify2 and python3-psutil (needed by the rewritten
  aa-notify)
- drop ancient cleanup for /etc/init.d/subdomain from parser %pre
- drop (never enabled) conditionals to build with python2 and to
  build the python-apparmor subpackage (upstream dropped python2
  support)
- drop setting PYTHON and PYTHON_VERSIONS env variable, no longer needed
- set PYFLAKES path for utils check
- add precompiled_cache build conditional to allow faster local
  builds without using kvm
- remove duplicated BuildRequires: swig

libapparmor:
- update to AppArmor 3.0.0
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
    for the detailed upstream changelog
- add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
  release up to 3e18c0785abc03ee42a022a67a27a085516a7921
- drop 2.13-only patch libapparmor-so-number.diff

OBS-URL: https://build.opensuse.org/request/show/844157
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=281

apparmor-2.13.5.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:637e2a14d844e53e0f0b31dc8fe8821f7bb36908c709ccc23e29033053caa717
-size 7399437

apparmor-2.13.5.tar.gz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl+IIdIaHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLvg3A//aLD6j+QfyQws0vgP502C
-u806LuXLugkXJIYF2ITO2hiBHkrEDwMQchKggFDnDT15x7we6iOfSiZPyD7ltGap
-Kruwx3pkfwM/NHtBU2Q+eZiJbxkOnKquRMx6YKeJtnUNPOb8q+QK/KO+bkG8dBjA
-3uHIC0ytp+OvKSVjPfOj2N0KoKVYep+HjARkZBqeFstjXggGMD4yJDvkFmlSDho6
-Tq9Bx5jFkckiBKrQRI2j+0pKAmkp3eGdguSButRNohq01DAvfT+1SIZC7aye1T8F
-by8sXZBDkEJbDjaAW4mdzzfk/XX5xOjstNJlaT4Ld2WiiXtipQ502ibrvBjLKANi
-5Wa9gmcHa830ak9n7aRraq7AJ5DgcjXa+5XjHFjdDdRtYMDcImeopg9EttJkBosp
-D9ZhmiLXVb2GBFj5thc1h8ZQ5Y2gBKzUSO37DyReIRBRo0PqLQNzjObaQWg5mXf1
-EIhU2+mEplKKwpO2k0Xb14vnwfUTmJv+aKcx7oPjgeBypT+s0M2GaYOMrXKBH+Ky
-VTo/Y4ZzrOCqLKSE64ziH+1LH6eaQhPf7vnd9kjhcD/kjotDHrEGNiHHwDMH5hPd
-1KD/i+0aYdBsNoqGEfEhMjut2DmL+Tn8PYXORtVUWksOIlvoirGKzA/V/dscSxuM
-QF5dHbSaF1/Uy5jtKgurV7Q=
-=Yxgq
------END PGP SIGNATURE-----

apparmor-3.0.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:66fd751fe51eb427d2aa864ee035b12d01d212fd595579275219b0148c43755e
+size 7780686

apparmor-3.0.0.tar.gz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl92CWIaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLta4BAAvMbcNifGq1QyWUyakBno
+ty5R8vcsrRCVzMdD4G78m+dtRlKWjSXCJyFO4LKope3p+zZKHl/q+ANJa80yK8OD
+E+eXqBRZ0NYTOgPg7Z/mNVk/qRW3EZd+ltxCjHH2uWazLxCKHH4qI9WeG1lHQTmX
+I/CsK1X1X6u2fEXdKYeBa3fjo0E4iSrR9pu5zJ+hApLcP6E4/kPzfKSaiDMa7Tnu
+IdJE4HNf62v83zxxdN72eYQjk1TD+xn1WO7zzKQwMrQDdIEXAnN0B4nomxaVlLAc
+A/54SgacgDTm79peK6eAfzx3ujRvqoZW5nV9TEgQ/M5CkLSrbMVR/hdyh+FHbqIE
+nkvrbfma2DBo7zwCe/NzctA5886jdj2bowSJ2Xo+RbYakbDzkjJjAUdI57JG2PdH
+Cbc21SPk/8qFSvPOmqHpXe5ToDoUMLOhG7WuscHSUlPsdmYFqBYGQvzWAydIRUL2
+EP+vchFv46KwM5j7KTrI5ASlnSYjP2tZNUDHpTrSPKE1UytB0qx8Jx/qU6KTZaSM
+i182UCbdBWhzluD7HRqQj21UoD+qqCq4+oOPOkaNplDvpYjDNTIuhU5WQNj8MhZg
+oW6sWlBLO/dp6Kh4rGeEGwPYtUxDDcr/Qwy66ce5RogsuShnpSEDezt3f/HUxGP1
+2JewH5WTV523nOIQuvGoAfs=
+=P633
+-----END PGP SIGNATURE-----

apparmor-enable-profile-cache.diff

@@ -9,8 +9,7 @@ See also bnc#689458
 
 
 Also set the cache location to /var/cache/apparmor/ (writeable) and
-/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
-the mount requirements in apparmor.service accordingly.
+/usr/share/apparmor/cache/ (packaged precompiled cache).
 
 See boo#1069906 and boo#1074429
 
@@ -33,14 +32,4 @@ Index: parser/parser.conf
  
  ## Show cache hits
  #show-cache
---- parser/apparmor.service_ORIG	2018-04-19 22:58:12.631443321 +0200
-+++ parser/apparmor.service	2018-04-19 22:58:47.903343044 +0200
-@@ -4,7 +4,7 @@ DefaultDependencies=no
- Before=sysinit.target
- After=systemd-journald-audit.socket
- # profile cache
--After=var.mount var-lib.mount
-+After=var.mount var-cache.mount usr.mount usr-share.mount
- ConditionSecurity=apparmor
- 
- [Service]
+

apparmor-lessopen-nfs-workaround.diff

@@ -2,7 +2,7 @@ Index: profiles/apparmor.d/usr.bin.lessopen.sh
 ===================================================================
 --- profiles/apparmor.d/usr.bin.lessopen.sh.orig	2019-01-06 20:05:38.582356924 +0100
 +++ profiles/apparmor.d/usr.bin.lessopen.sh	2019-01-06 20:08:26.885706133 +0100
-@@ -10,6 +10,10 @@
+@@ -13,6 +13,10 @@
    capability dac_override,
    capability dac_read_search,
  

apparmor-lessopen-profile.patch

@@ -2,8 +2,11 @@ Index: profiles/apparmor.d/usr.bin.lessopen.sh
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
 +++ profiles/apparmor.d/usr.bin.lessopen.sh	2017-10-28 14:15:12.624358664 +0200
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,52 @@
 +# vim: ft=apparmor
++
++abi <abi/3.0>,
++
 +#include <tunables/global>
 +
 +/usr/bin/lessopen.sh {
@@ -50,5 +53,5 @@ Index: profiles/apparmor.d/usr.bin.lessopen.sh
 +  /usr/bin/which mrix,
 +  /usr/bin/xz mrix,
 +
-+  #include <local/usr.bin.lessopen.sh>
++  include if exists <local/usr.bin.lessopen.sh>
 +}

apparmor-samba-include-permissions-for-shares.diff

@@ -20,15 +20,15 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
-@@ -55,6 +55,10 @@
- 
+@@ -56,6 +56,10 @@
    @{HOMEDIRS}/** lrwk,
+   /var/lib/samba/usershares/{,**} lrwk,
  
 +  # permissions for all configured shares
 +  # autogenerated by update-apparmor-samba-profile at samba start
-+  #include <local/usr.sbin.smbd-shares>
++  include <local/usr.sbin.smbd-shares>
 +
    # Site-specific additions and overrides. See local/README for details.
-   #include <local/usr.sbin.smbd>
+   include if exists <local/usr.sbin.smbd>
  }
 

apparmor.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Sun Oct 25 11:32:16 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 3.0.0
+  - introduce feature abi declaration in profiles to enable use of
+    new rule types (for openSUSE: dbus and unix rules)
+  - support xattr attachment conditionals
+  - experimental support for kill and unconfined profile modes
+  - rewritten aa-status (in C), including support for new profile modes
+  - rewritten aa-notify (in python), finally dropping the perl
+    requirement at runtime
+  - new tool aa-features-abi for extracting feature abis from the kernel
+  - update profiles to have profile names and to use 3.0 feature abi
+  - introduce @{etc_ro} and @{etc_rw} profile variables
+  - new profile for php-fpm
+  - several updates to profiles and abstractions (including boo#1166007)
+  - fully support 'include if exists' in the aa-* tools
+  - rewrite handling of alias, include, link and variable rules in
+    the aa-* tools
+  - rewrite and simplify log handling in the aa-logprof and aa-genprof
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
+    for the detailed upstream changelog
+- patches:
+  - add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
+    release up to 3e18c0785abc03ee42a022a67a27a085516a7921
+  - drop upstreamed usr-etc-abstractions-base-nameservice.diff
+  - drop 2.13-only libapparmor-so-number.diff
+  - refresh apparmor-enable-profile-cache.diff - partially upstreamed
+  - update apparmor-samba-include-permissions-for-shares.diff and
+    apparmor-lessopen-profile.patch - switch to "include if exists"
+  - apparmor-lessopen-profile.patch: add abi rule to lessopen profile
+  - refresh apparmor-lessopen-nfs-workaround.diff
+- move away very loose apache profile that doesn't even match the
+  apache2 binary path in openSUSE to avoid confusion (boo#872984)
+- move rewritten aa-status from utils to parser subpackage
+- add aa-features-abi to parser subpackage
+- replace perl and libnotify-tools requires with requiring
+  python3-notify2 and python3-psutil (needed by the rewritten
+  aa-notify)
+- drop ancient cleanup for /etc/init.d/subdomain from parser %pre
+- drop (never enabled) conditionals to build with python2 and to
+  build the python-apparmor subpackage (upstream dropped python2
+  support)
+- drop setting PYTHON and PYTHON_VERSIONS env variable, no longer needed
+- set PYFLAKES path for utils check
+- add precompiled_cache build conditional to allow faster local
+  builds without using kvm
+- remove duplicated BuildRequires: swig
+
 -------------------------------------------------------------------
 Sat Oct 17 15:46:01 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -24,9 +24,9 @@
 %bcond_without pam
 %bcond_without apache
 %bcond_without perl
-%bcond_with python
 %bcond_without python3
 %bcond_without ruby
+%bcond_without precompiled_cache
 
 %define CATALINA_HOME /usr/share/tomcat6
 #define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
@@ -35,7 +35,7 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
 
 Name:           apparmor
-Version:        2.13.5
+Version:        3.0.0
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@@ -65,11 +65,8 @@ Patch4:         apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5:         apparmor-lessopen-nfs-workaround.diff
 
-# update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x)
-Patch10:        ./usr-etc-abstractions-base-nameservice.diff
-
-# fix libapparmor so version (submitted upstream 2020-10-17 https://gitlab.com/apparmor/apparmor/-/merge_requests/658)
-Patch11:        libapparmor-so-number.diff
+# changes since 3.0.0 release up to 3e18c0785abc03ee42a022a67a27a085516a7921
+Patch6:         changes-since-3.0.0.diff
 
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -86,19 +83,14 @@ BuildRequires:  perl(Locale::gettext)
 
 BuildRequires:  swig
 
-%if %{with python}
-BuildRequires:  python-devel
-BuildRequires:  swig
-%endif
-
 %if %{with python3}
 BuildRequires:  python3-devel
-BuildRequires:  swig
+BuildRequires:  python3-notify2
+BuildRequires:  python3-psutil
 %endif
 
 %if %{with ruby}
 BuildRequires:  ruby-devel
-BuildRequires:  swig
 %endif
 
 %if %{with apache}
@@ -186,25 +178,6 @@ applications interfacing with AppArmor.
 
 %endif
 
-%if %{with python}
-
-%package -n python-apparmor
-Summary:        Python 2 interface for libapparmor functions
-License:        GPL-2.0-only AND LGPL-2.1-or-later
-Group:          Development/Libraries/Python
-BuildRequires:  python
-Requires:       libapparmor1 = %{version}
-Requires:       python = %{python_version}
-Requires:       python(abi) = %{python_version}
-Provides:       python-libapparmor = %{version}
-Obsoletes:      python-libapparmor < 2.5
-
-%description -n python-apparmor
-This package provides the python interface to AppArmor. It is used for python
-applications interfacing with AppArmor.
-
-%endif
-
 %if %{with python3}
 
 %package -n python3-apparmor
@@ -282,20 +255,12 @@ Summary:        AppArmor User-Level Utilities Useful for Creating AppArmor Profi
 License:        GPL-2.0-only AND LGPL-2.1-or-later
 Group:          Productivity/Security
 Requires:       libapparmor1 = %{version}
-# some of the tools are still perl-based (aa-decode and aa-notify)
-Requires:       perl = %{perl_version}
-Requires:       perl-apparmor = %{version}
-%if %{with python3}
 Requires:       python3-apparmor = %{version}
 Requires:       python3-base
-%else
-Requires:       python-apparmor = %{version}
-Requires:       python-base
-%endif
+Requires:       python3-notify2
+Requires:       python3-psutil
 # aa-unconfined needs ss
 Recommends:     iproute2
-# aa-notify -p needs notify-send (only "Suggests", see boo#1067477)
-Suggests:       libnotify-tools
 BuildArch:      noarch
 
 %description utils
@@ -354,27 +319,21 @@ SubDomain.
 
 %prep
 %setup -q
+
+# very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984)
+mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/
+
 %patch1
 %patch2
 %patch3 -p1
 %patch4
 %patch5
-
-%if 0%{?suse_version} > 1500
-# /usr/etc/ changes in abstractions, apply only to Tumbleweed, but not to Leap 15.x
-%patch10 -p1
-%endif
-
-%patch11 -p1
+%patch6 -p1
 
 %build
 %define _lto_cflags %{nil}
 export SUSE_ASNEEDED=0
 
-%if %{with python3}
-export PYTHON=/usr/bin/python3
-%endif
-
 # libapparmor:
 (
   cd ./libraries/libapparmor
@@ -382,7 +341,7 @@ export PYTHON=/usr/bin/python3
 %if %{with perl}
   --with-perl \
 %endif
-%if %{with python}%{with python3}
+%if %{with python3}
   --with-python \
 %else
   --without-python \
@@ -424,33 +383,27 @@ make -C profiles
 
 # pre-build profile cache
 # note that -L only works with an absolute path, therefore prefix it with $(pwd)
-parser/apparmor_parser --write-cache -QT  -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
-
-%check
-%if %{with python3}
-export PYTHON=/usr/bin/python3
-export PYTHON_VERSIONS=python3
+%if %{with precompiled_cache}
+parser/apparmor_parser --config-file $(pwd)/parser/parser.conf --write-cache -QT  -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
 %endif
 
+%check
 make check -C libraries/libapparmor
 make check -C parser
 make check -C binutils
 
-# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
+# profiles make check fails for the utils (they expect /sbin/apparmor_parser to exist), therefore only do parser-based check
 make -C profiles check-parser
 
 # test for a few files that should exist in the cache
+%if %{with precompiled_cache}
 test -f profiles/cache/*/bin.ping
 test -f profiles/cache/*/.features
-
-make check -C utils
-
-%install
-
-%if %{with python3}
-export PYTHON=/usr/bin/python3
 %endif
 
+make check -C utils PYFLAKES=/usr/bin/pyflakes-%{py3_ver}
+
+%install
 # libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec
 %makeinstall -C libraries/libapparmor/swig
 
@@ -465,11 +418,13 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
 
 %makeinstall -C profiles
 
+%if %{with precompiled_cache}
 install -d -m 755 %{buildroot}/usr/share/apparmor/cache
-echo "*** WARNING: precompiling cache is known to fail under 'osc build' - use 'osc build --vm-type kvm' instead ***"
+echo -e "\n\n    *** WARNING: precompiling cache is known to fail under 'osc build' - use 'osc build --vm-type kvm' instead or skip building the precompiled cache with 'osc build --without precompiled_cache' ***\n\n"
 cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
 test -f %{buildroot}/usr/share/apparmor/cache/*/.features
 test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
+%endif
 
 %makeinstall -C parser
 # default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
@@ -523,12 +478,6 @@ done
 # remove *.la files
 rm -fv %{buildroot}%{_libdir}/libapparmor.la
 
-echo -------------------------------------------------------------------
-#find -ls
-echo -------------------------------------------------------------------
-#find %{buildroot} -ls
-echo -------------------------------------------------------------------
-
 %files docs
 %defattr(-,root,root)
 %doc parser/*.[1-9].html
@@ -546,6 +495,10 @@ echo -------------------------------------------------------------------
 /sbin/apparmor_parser
 %{_bindir}/aa-enabled
 %{_bindir}/aa-exec
+%{_bindir}/aa-features-abi
+%{_sbindir}/aa-status
+%{_sbindir}/apparmor_status
+%{_sbindir}/status
 %{_sbindir}/aa-teardown
 %{_sbindir}/exec
 %dir %attr(-, root, root) %{_sysconfdir}/apparmor
@@ -554,7 +507,6 @@ echo -------------------------------------------------------------------
 %{_sysconfdir}/apparmor.d/cache.d
 /sbin/rcapparmor
 %{_unitdir}/apparmor.service
-%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
 %config(noreplace) %{_sysconfdir}/apparmor/parser.conf
 %{_localstatedir}/lib/apparmor
 %{_localstatedir}/cache/apparmor
@@ -563,18 +515,18 @@ echo -------------------------------------------------------------------
 %{apparmor_bin_prefix}/apparmor.systemd
 %doc %{_mandir}/man1/aa-enabled.1.gz
 %doc %{_mandir}/man1/aa-exec.1.gz
+%doc %{_mandir}/man1/aa-features-abi.1.gz
 %doc %{_mandir}/man1/exec.1.gz
 %doc %{_mandir}/man5/apparmor.d.5.gz
 %doc %{_mandir}/man5/apparmor.vim.5.gz
-%doc %{_mandir}/man5/subdomain.conf.5.gz
 %doc %{_mandir}/man7/apparmor.7.gz
+%doc %{_mandir}/man7/apparmor_xattrs.7.gz
+%doc %{_mandir}/man8/aa-status.8.gz
 %doc %{_mandir}/man8/aa-teardown.8.gz
 %doc %{_mandir}/man8/apparmor_parser.8.gz
+%doc %{_mandir}/man8/apparmor_status.8.gz
 
 %pre parser
-if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
-  chkconfig --del subdomain
-fi
 %service_add_pre apparmor.service
 
 %files parser-lang -f apparmor-parser.lang -f aa-binutils.lang
@@ -583,6 +535,10 @@ fi
 %files abstractions
 %defattr(644,root,root,755)
 %dir %{_sysconfdir}/apparmor.d/
+%dir %{_sysconfdir}/apparmor.d/abi
+%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0
+%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network
+%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla
 %dir %{_sysconfdir}/apparmor.d/abstractions
 %config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/*
 %dir %{_sysconfdir}/apparmor.d/disable
@@ -599,9 +555,12 @@ fi
 %config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
 %config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
 %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
+%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
+%if %{with precompiled_cache}
 /usr/share/apparmor/cache/
+%endif
 /usr/share/apparmor/extra-profiles/
 
 %files utils
@@ -623,9 +582,7 @@ fi
 %{_sbindir}/aa-mergeprof
 %{_sbindir}/aa-notify
 %{_sbindir}/aa-remove-unknown
-%{_sbindir}/aa-status
 %{_sbindir}/aa-unconfined
-%{_sbindir}/apparmor_status
 %{_sbindir}/audit
 %{_sbindir}/autodep
 %{_sbindir}/complain
@@ -635,7 +592,6 @@ fi
 %{_sbindir}/genprof
 %{_sbindir}/logprof
 %{_sbindir}/notify
-%{_sbindir}/status
 %{_sbindir}/unconfined
 %{_bindir}/aa-easyprof
 %dir %{_datadir}/apparmor
@@ -656,10 +612,7 @@ fi
 %doc %{_mandir}/man8/aa-mergeprof.8.gz
 %doc %{_mandir}/man8/aa-notify.8.gz
 %doc %{_mandir}/man8/aa-remove-unknown.8.gz
-%doc %{_mandir}/man8/aa-status.8.gz
 %doc %{_mandir}/man8/aa-unconfined.8.gz
-
-%doc %{_mandir}/man8/apparmor_status.8.gz
 %doc %{_mandir}/man8/audit.8.gz
 %doc %{_mandir}/man8/autodep.8.gz
 %doc %{_mandir}/man8/complain.8.gz
@@ -681,19 +634,6 @@ fi
 %{perl_vendorarch}/LibAppArmor.pm
 %endif
 
-%if %{with python}
-
-%files -n python-apparmor
-%defattr(-,root,root)
-%{python_sitearch}/LibAppArmor-%{version}-py%{python_version}.egg-info
-%dir %{python_sitearch}/LibAppArmor
-%{python_sitearch}/LibAppArmor/_LibAppArmor.so
-%{python_sitearch}/LibAppArmor/__init__.py
-%{python_sitearch}/LibAppArmor/__init__.pyc
-%{python_sitelib}/apparmor/
-%{python_sitelib}/apparmor-%{version}-py%{python_version}.egg-info
-%endif
-
 %if %{with python3}
 
 %files -n python3-apparmor

libapparmor-so-number.diff

@@ -1,42 +0,0 @@
-commit 145136f6041aba4fffbbf8d1a5df368998b81ca1
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Sat Oct 17 17:30:39 2020 +0200
-
-    Fix 2.13 libapparmor so version
-    
-    ab0f4ab2ed7e734827b143cd32dace4444875e9b increased AA_LIB_REVISION and
-    AA_LIB_AGE, with the result that 2.13.5 builds libapparmor.so.0.7.3,
-    while 2.13.4 had libapparmor-1.6.2
-    
-    This patch reverts the AA_LIB_AGE increase to fix the so name so that
-    we'll get libapparmor-1.6.3.
-    
-    Note: If you want to apply this fix on top of the 2.13.5 tarball, you'll
-    need to also apply the patch to Makefile.in.
-
-diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
-index b59b2d1c..6d9c6296 100644
---- a/libraries/libapparmor/src/Makefile.am
-+++ b/libraries/libapparmor/src/Makefile.am
-@@ -28,7 +28,7 @@ INCLUDES = $(all_includes)
- #
- AA_LIB_CURRENT = 7
- AA_LIB_REVISION = 3
--AA_LIB_AGE = 7
-+AA_LIB_AGE = 6
- 
- SUFFIXES = .pc.in .pc
- 
-diff --git a/libraries/libapparmor/src/Makefile.am b/libraries/libapparmor/src/Makefile.am
-index b59b2d1c..6d9c6296 100644
---- a/libraries/libapparmor/src/Makefile.in
-+++ b/libraries/libapparmor/src/Makefile.in
-@@ -587,7 +587,7 @@ INCLUDES = $(all_includes)
- #
- AA_LIB_CURRENT = 7
- AA_LIB_REVISION = 3
--AA_LIB_AGE = 7
-+AA_LIB_AGE = 6
- SUFFIXES = .pc.in .pc
- BUILT_SOURCES = grammar.h scanner.h af_protos.h
- AM_LFLAGS = -v

libapparmor.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Sun Oct 25 11:15:54 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 3.0.0
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0
+    for the detailed upstream changelog
+- add changes-since-3.0.0.diff with upstream fixes since the 3.0.0
+  release up to 3e18c0785abc03ee42a022a67a27a085516a7921
+- drop 2.13-only patch libapparmor-so-number.diff
+
 -------------------------------------------------------------------
 Sat Oct 17 15:45:32 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 

libapparmor.spec

@@ -2,7 +2,7 @@
 # spec file for package libapparmor
 #
 # Copyright (c) 2020 SUSE LLC
-# Copyright (c) 2011-2019 Christian Boltz
+# Copyright (c) 2011-2020 Christian Boltz
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 
 Name:           libapparmor
-Version:        2.13.5
+Version:        3.0.0
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
@@ -31,9 +31,7 @@ BuildRequires:  dejagnu
 BuildRequires:  flex
 BuildRequires:  pkg-config
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-
-# fix libapparmor so version (submitted upstream 2020-10-17 https://gitlab.com/apparmor/apparmor/-/merge_requests/658
-Patch1:         libapparmor-so-number.diff
+Patch1:         changes-since-3.0.0.diff
 
 %description
 This package provides the libapparmor library, which contains the

usr-etc-abstractions-base-nameservice.diff

@@ -1,111 +0,0 @@
-commit 395e2e87d7d4a28e4574de5960210b40a7c5ea0d
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Sat Jan 25 19:35:50 2020 +0100
-
-    adjust abstractions/base and nameservice for /usr/etc/ move
-    
-    References: http://bugzilla.opensuse.org/show_bug.cgi?id=1161756
-
-diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstractions/base
-index cecb126f..6288da76 100644
---- a/profiles/apparmor.d/abstractions/base
-+++ b/profiles/apparmor.d/abstractions/base
-@@ -27,9 +27,9 @@
-   # time and getrandom()/{,u}random and, when available, runs under an
-   # unprivilged, dedicated user).
-   /run/uuidd/request             r,
--  /etc/locale/**                 r,
--  /etc/locale.alias              r,
--  /etc/localtime                 r,
-+  /{usr/,}etc/locale/**          r,
-+  /{usr/,}etc/locale.alias       r,
-+  /{usr/,}etc/localtime          r,
-   /usr/share/locale-bundle/**    r,
-   /usr/share/locale-langpack/**  r,
-   /usr/share/locale/**           r,
-@@ -52,14 +52,14 @@
-   /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
- 
-   # used by glibc when binding to ephemeral ports
--  /etc/bindresvport.blacklist    r,
-+  /{usr/,}etc/bindresvport.blacklist    r,
- 
-   # ld.so.cache and ld are used to load shared libraries; they are best
-   # available everywhere
--  /etc/ld.so.cache               mr,
--  /etc/ld.so.conf                r,
--  /etc/ld.so.conf.d/{,*.conf}    r,
--  /etc/ld.so.preload             r,
-+  /{usr/,}etc/ld.so.cache               mr,
-+  /{usr/,}etc/ld.so.conf                r,
-+  /{usr/,}etc/ld.so.conf.d/{,*.conf}    r,
-+  /{usr/,}etc/ld.so.preload             r,
-   /{usr/,}lib{,32,64}/ld{,32,64}-*.so   mr,
-   /{usr/,}lib/@{multiarch}/ld{,32,64}-*.so    mr,
-   /{usr/,}lib/tls/i686/{cmov,nosegneg}/ld-*.so     mr,
-diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
-index ec639cda..4024ba1e 100644
---- a/profiles/apparmor.d/abstractions/nameservice
-+++ b/profiles/apparmor.d/abstractions/nameservice
-@@ -13,16 +13,16 @@
-   # looking up users by name or id, groups by name or id, hosts by name
-   # or IP, etc. These operations may be performed through files, dns,
-   # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
--  /etc/group              r,
--  /etc/host.conf          r,
--  /etc/hosts              r,
--  /etc/nsswitch.conf      r,
--  /etc/gai.conf           r,
--  /etc/passwd             r,
--  /etc/protocols          r,
-+  /{usr/,}etc/group          r,
-+  /{usr/,}etc/host.conf      r,
-+  /{usr/,}etc/hosts          r,
-+  /{usr/,}etc/nsswitch.conf  r,
-+  /{usr/,}etc/gai.conf       r,
-+  /{usr/,}etc/passwd         r,
-+  /{usr/,}etc/protocols      r,
- 
-   # libtirpc (used for NIS/YP login) needs this
--  /etc/netconfig r,
-+  /{usr/,}etc/netconfig r,
- 
-   # When using libnss-extrausers, the passwd and group files are merged from
-   # an alternate path
-@@ -41,15 +41,15 @@
-   /var/lib/sss/mc/passwd  r,
-   /var/lib/sss/pipes/nss  rw,
- 
--  /etc/resolv.conf        r,
-+  /{usr/,}etc/resolv.conf r,
-   # On systems where /etc/resolv.conf is managed programmatically, it is
-   # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
-   /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
--  /etc/resolvconf/run/resolv.conf r,
-+  /{usr/,}etc/resolvconf/run/resolv.conf r,
-   /{,var/}run/systemd/resolve/stub-resolv.conf r,
- 
--  /etc/samba/lmhosts      r,
--  /etc/services           r,
-+  /{usr/,}etc/samba/lmhosts  r,
-+  /{usr/,}etc/services       r,
-   # db backend
-   /var/lib/misc/*.db      r,
-   # The Name Service Cache Daemon can cache lookups, sometimes leading
-@@ -65,14 +65,14 @@
-   # they are available
-   /{usr/,}lib{,32,64}/libnss_*.so*      mr,
-   /{usr/,}lib/@{multiarch}/libnss_*.so*      mr,
--  /etc/default/nss               r,
-+  /{usr/,}etc/default/nss               r,
- 
-   # avahi-daemon is used for mdns4 resolution
-   /{,var/}run/avahi-daemon/socket rw,
- 
-   # libnl-3-200 via libnss-gw-name
-   @{PROC}/@{pid}/net/psched r,
--  /etc/libnl-*/classid r,
-+  /{usr/,}etc/libnl-*/classid r,
- 
-   # nis
-   #include <abstractions/nis>