From 9a2a40f1bad8c4e110035bbdda10c13936876d8a454fb320d241f050b3522400 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sun, 10 Apr 2022 13:52:36 +0000
Subject: [PATCH] Accepting request 968252 from home:cboltz

- add profile for zgrep and xzgrep to prevent CVE-2022-1271 (zgrep-profile-mr870.diff)

OBS-URL: https://build.opensuse.org/request/show/968252
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=322
---
 apparmor.changes | 6 ++++
 apparmor.spec | 5 +++
 zgrep-profile-mr870.diff | 77 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 88 insertions(+)
 create mode 100644 zgrep-profile-mr870.diff

diff --git a/apparmor.changes b/apparmor.changes
index 65d53de..b399561 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sun Apr 10 13:08:56 UTC 2022 - Christian Boltz
+
+- add profile for zgrep and xzgrep to prevent CVE-2022-1271
+ (zgrep-profile-mr870.diff)
+
 -------------------------------------------------------------------
 Tue Mar 29 20:04:22 UTC 2022 - Christian Boltz
 
diff --git a/apparmor.spec b/apparmor.spec
index a8a9f06..d096337 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -86,6 +86,9 @@ Patch7: update-samba-bgqd.diff
 # see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
 Patch8: update-usr-sbin-smbd.diff
 
+# add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870)
+Patch9: zgrep-profile-mr870.diff
+
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@@ -350,6 +353,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch5
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 %define _lto_cflags %{nil}
@@ -580,6 +584,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
 %config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
 %config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
+%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
 %if %{with precompiled_cache}
diff --git a/zgrep-profile-mr870.diff b/zgrep-profile-mr870.diff
new file mode 100644
index 0000000..7cfc07f
--- /dev/null
+++ b/zgrep-profile-mr870.diff
@@ -0,0 +1,77 @@
+From 3a3b49ccd93d00cbc373319b90c6acecdd6f45fa Mon Sep 17 00:00:00 2001
+From: Christian Boltz
+Date: Sun, 10 Apr 2022 15:03:08 +0200
+Subject: [PATCH] Add zgrep and xzgrep profile
+
+This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2
+(code execution via "funny" filenames)
+---
+ profiles/apparmor.d/zgrep | 59 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 59 insertions(+)
+ create mode 100644 profiles/apparmor.d/zgrep
+
+diff --git a/profiles/apparmor.d/zgrep b/profiles/apparmor.d/zgrep
+new file mode 100644
+index 000000000..0bf0765d1
+--- /dev/null
++++ b/profiles/apparmor.d/zgrep
+@@ -0,0 +1,59 @@
++# ------------------------------------------------------------------
++#
++# Copyright (C) 2021 Christian Boltz
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of version 2 of the GNU General Public
++# License published by the Free Software Foundation.
++#
++# ------------------------------------------------------------------
++
++abi ,
++
++include
++
++profile zgrep /usr/bin/{x,}zgrep {
++ include
++ include
++
++ /dev/tty rw,
++ /usr/bin/bash ix,
++ /usr/bin/bzip2 Cx -> helper,
++ /usr/bin/cat ix,
++ /usr/bin/grep Cx -> helper,
++ /usr/bin/gzip Cx -> helper,
++ /usr/bin/mktemp ix,
++ /usr/bin/rm ix,
++ /usr/bin/sed Cx -> sed,
++ /usr/bin/xz Cx -> helper,
++ /usr/bin/xzgrep r,
++ /usr/bin/zgrep Cx -> helper,
++ owner /tmp/zgrep* rw,
++ /usr/bin/zgrep r,
++
++ include if exists
++
++ profile helper {
++ include
++
++ capability dac_override,
++ capability dac_read_search,
++
++ /usr/bin/bash ix,
++ /usr/bin/bzip2 mr,
++ /usr/bin/grep mr,
++ /usr/bin/gzip mr,
++ /usr/bin/xz mr,
++ /{,**} r,
++
++ }
++
++ profile sed {
++ include
++
++ /dev/tty rw,
++ /usr/bin/bash ix,
++ /usr/bin/sed mr,
++
++ }
++}
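Review bot: The `sed` subprofile near the end of the hunk still allows `/usr/bin/bash ix`, which is precisely the path the linked advisory describes (sed's `e` command spawning a shell from a crafted filename), so the exploit's shell is permitted to start and the confinement rests only on that subprofile having no general write rules and no other exec targets. Nothing visible in the hunk shows why a plain sed invocation from the script would need a shell; if it does not, dropping that line turns the attack into a denial, and if it is needed, a comment such as `# bash may be spawned by sed's e command; this subprofile must stay free of write and exec rules so such a shell is inert` should record why it is safe. The `helper` subprofile grants `capability dac_override` and `capability dac_read_search` alongside `/{,**} r`, so a compromised decompressor or grep run as root keeps unrestricted read access to the whole filesystem — worth a one-line comment stating that this is deliberate (root grepping arbitrary archives) rather than leftover from log-based generation. As rendered here the `abi ,` and bare `include` lines have lost their angle-bracketed targets (presumably `<abi/3.0>`, `<tunables/global>`, `<abstractions/base>`); that looks like an extraction artifact rather than the committed text, but the profile would not parse as shown.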