Accepting request 663646 from security:apparmor

- add apparmor-lessopen-nfs-workaround.diff: allow network access in lessopen.sh for reading files on NFS (workaround for boo#1119937 / lp#1784499) (forwarded request 663645 from cboltz) OBS-URL: https://build.opensuse.org/request/show/663646 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=122
2019-01-15 12:15:06 +00:00 · 2019-01-15 12:15:06 +00:00 · 9fced15774
commit 9fced15774
parent 368f578969 f6659d8de7
3 changed files with 26 additions and 0 deletions
--- a/apparmor-lessopen-nfs-workaround.diff
+++ b/apparmor-lessopen-nfs-workaround.diff
@ -0,0 +1,15 @@
+Index: profiles/apparmor.d/usr.bin.lessopen.sh
+===================================================================
+--- profiles/apparmor.d/usr.bin.lessopen.sh.orig	2019-01-06 20:05:38.582356924 +0100
+++ profiles/apparmor.d/usr.bin.lessopen.sh	2019-01-06 20:08:26.885706133 +0100
+@@ -10,6 +10,10 @@
+   capability dac_override,
+   capability dac_read_search,
+ 
+  # workaround for https://bugzilla.opensuse.org/show_bug.cgi?id=1119937 / https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
+  network inet stream,
+  network inet6 stream,
+
+   /** rk,
+   /bin/bash mrix,
+   /{usr/,}bin/rpm mrix,
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Jan  6 19:10:58 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
+
+- add apparmor-lessopen-nfs-workaround.diff: allow network access in
+  lessopen.sh for reading files on NFS (workaround for boo#1119937 /
+  lp#1784499)
+
 -------------------------------------------------------------------
 Wed Jan  2 19:11:16 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -69,6 +69,9 @@ Patch8:         apparmor-nameservice-resolv-conf-link.patch
 # submitted upstream 2019-01-02 - https://gitlab.com/apparmor/apparmor/merge_requests/296 (master + 2.13) and https://gitlab.com/apparmor/apparmor/merge_requests/297 (2.12)
 Patch9:         profile_filename_cornercase.diff

+# workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
+Patch10:        apparmor-lessopen-nfs-workaround.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -358,6 +361,7 @@ SubDomain.
 %patch7
 %patch8 -p1
 %patch9 -p1
+%patch10

 %build
 export SUSE_ASNEEDED=0