pool/apparmor
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 303872 from security:apparmor

Browse Source 
- update to AppArmor 2.9.2 (2.9 branch r2911)
  - lots of bugfixes in the parser and the aa-* tools (including
    boo#918787)
  - update dovecot and dnsmasq profiles and several abstractions
    (including boo#911001)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_2 for the
    full changelog
- remove upstream(ed) patches apparmor-changes-since-2.9.1.diff and
  apparmor-fix-stl-ostream.diff
- replace GPG key with new AppArmor GPG signing key, see
  https://launchpad.net/apparmor/+announcement/13404 (forwarded request 303871 from cboltz)

OBS-URL: https://build.opensuse.org/request/show/303872
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=85
This commit is contained in:
Stephan Kulow 2015-04-27 05:46:11 +00:00 committed by Git OBS Bridge
commit a1f2018efc
10 changed files with 98 additions and 507 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apparmor-2.9.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a63b8724c36c29ed438c9e3ca403bfeeb6c998a45990e300aa1b10faa23a0a22
size 2326385

7
apparmor-2.9.1.tar.gz.asc
View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlSQnFwACgkQgTeYuayTEnFcvwCeI9W6R1FcXVc1idSM49d4NbJq
em8AoLL3ZThgKwyHdo1W17iuJuWNmYDs
=N8ne
-----END PGP SIGNATURE-----

3
apparmor-2.9.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d01156e1ec50deada519fd4e8821677274b1d43418fda3bc4b25f1d38ea75ed5
size 2336566

17
apparmor-2.9.2.tar.gz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCgAGBQJVOV6LAAoJEGaJ5k49NmS7yj8P/Am7QAfhveBAfHy1xbUTHdWy
Y/LRsM0x4uebNr7ZK1Zy31WqecJLhzXhli58SPf4lvrfb2fOTp9txI3YHYrmB5Lg
Mn3DhyRcr8Cov6WqPdYmG3dj/fUZSrs1wz6Ryt0zg9SMxu1CGiaZvD34QS0dGBbs
1JB5PhjqbM54JfsjsMtmqZKviVq7k9+k4Wojzb1MIXD9w70uUj1PiJHJ5nryHFy5
2KdBNxVTbG9QJCFeBqpchbW6VvunG7NQIRovpRYqEMOJF/UCcBRGdBRLWETCSdfu
pDy+Sj30VJ9ik7cxRkxB0kn1U1UqGwUMHekjtdSX4Dm8LCSYQR0Wa9KAoiyoh787
o2cSeeonI0uF5xXzEqLvaVrWsGPucdWfokN1SjuppWPHrSY50Tgtl1791gnTWTw+
CbLeOP6fVq2iwJ8jPVDdGL3T8xZ7yBGH44XOB4r5rUbNSw8pau86RC+pSf/McHQ7
WmShsVNDAfWxuLBDvfr9bGCSPL3Hk7SrSgOM5CZS2OspABllFmqXdIn6fuySO73I
AyCDwr9qGAbQMIvNGn1DmF4GyVc1LPRctBRwz91j6//hjVewSpgtRT45BYdRp3mO
cy/5XWdXbVFg/srctH91YNeUt0/F/fepEbqLR7MQ55q8cCQNo28/9PfL0JEovu1x
tnGkNHea0o2YNxv2NZfK
=gIwg
-----END PGP SIGNATURE-----

2
apparmor-abstractions-no-multiline.diff
View File

@ -3,7 +3,7 @@ Index: profiles/apparmor.d/abstractions/X
===================================================================
--- profiles/apparmor.d/abstractions/X.orig 2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/X 2014-10-18 13:11:31.097494817 +0200
@@ -23,9 +23,7 @@
@@ -24,9 +24,7 @@
# the unix socket to use to connect to the display
/tmp/.X11-unix/* w,

374
apparmor-changes-since-2.9.1.diff
View File

@ -1,374 +0,0 @@
------------------------------------------------------------
revno: 2839
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.9
timestamp: Sun 2015-01-18 14:57:10 +0100
message:
Add some tests for logparser.py based on the log lines from
https://bugs.launchpad.net/apparmor/+bug/1399027
Also move some existing tests from aa_test.py to test-logparser.py and
adds checks for RE_LOG_v2_6_audit and RE_LOG_v2_6_syslog to them.
Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
------------------------------------------------------------
revno: 2838
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.9
timestamp: Sat 2015-01-17 14:35:38 +0100
message:
update logparser.py to support the changed syslog format by adding
(audit:\s+)? to RE_LOG_v2_6_syslog
References: https://bugs.launchpad.net/apparmor/+bug/1399027
Acked-by: Seth Arnold <seth.arnold@canonical.com> (for trunk)
Acked-by: Steve Beattie <steve@nxnw.org> for 2.9 as well
------------------------------------------------------------
revno: 2837
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.9
timestamp: Mon 2014-12-22 17:57:40 +0100
message:
Fix the dnsmasq profile to allow executing bash to run the --dhcp-script
argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt
leasehelper script to run even on x86_64.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=911001
Patch by "Cédric Bosdonnat" <cbosdonnat@suse.com>
Note: the original patch used {lib,lib64} - I changed it to lib{,64} to
match the style we typically use.
Acked-by: John Johansen <john.johansen@canonical.com>
(backport of trunk r2841)
------------------------------------------------------------
revno: 2836
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.9
timestamp: Mon 2014-12-22 17:51:02 +0100
message:
update and cleanup usr.sbin.dovecot profile
Add #include <abstractions/dovecot-common> to the usr.sbin.dovecot
profile. Effectively this adds "deny capability block_suspend," which
is the only missing part from
https://bugs.launchpad.net/apparmor/+bug/1296667/
Also remove "capability setgid," (covered by
abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of
abstractions/base).
Acked-by: John Johansen <john.johansen@canonical.com>
(backport of trunk r2840)
------------------------------------------------------------
revno: 2835
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.9
timestamp: Mon 2014-12-22 17:43:54 +0100
message:
Add some missing /run/dovecot/* to usr.lib.dovecot.imap{, -login}
Add the needed permissions as reported in
https://bugs.launchpad.net/apparmor/+bug/1296667/ comment #1
to the usr.lib.dovecot.imap and imap-login profiles.
Acked-by: John Johansen <john.johansen@canonical.com>
(backport of trunk r2839)
------------------------------------------------------------
revno: 2834
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.9
timestamp: Mon 2014-12-22 17:39:29 +0100
message:
update the mysqld profile in the extras directory to
something that works on my servers ;-)
Acked-by: John Johansen <john.johansen@canonical.com>
(backport of trunk r2838)
------------------------------------------------------------
revno: 2833
committer: Christian Boltz <apparmor@cboltz.de>
branch nick: 2.9
timestamp: Fri 2014-12-19 13:57:12 +0100
message:
fix network rule description in apparmor.d.pod
(backport from trunk r2837)
Acked-by: John Johansen <john.johansen@canonical.com> (for trunk)
Acked-by: Steve Beattie <steve@nxnw.org> (for 2.9)
------------------------------------------------------------
=== modified file 'parser/apparmor.d.pod'
--- parser/apparmor.d.pod 2014-12-12 14:20:31 +0000
+++ parser/apparmor.d.pod 2014-12-19 12:57:12 +0000
@@ -61,7 +61,7 @@
B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
capabilities(7))
-B<NETWORK RULE> = 'network' [ [ I<DOMAIN> ] [ I<TYPE> ] [ I<PROTOCOL> ] ] ','
+B<NETWORK RULE> = 'network' [ [ I<DOMAIN> [ I<TYPE> | I<PROTOCOL> ] ] | [ I<PROTOCOL> ] ] ','
B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' ) ','
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
--- profiles/apparmor.d/usr.lib.dovecot.imap 2014-09-25 22:37:14 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap 2014-12-22 16:43:54 +0000
@@ -26,6 +26,7 @@
@{HOME} r, # ???
/usr/lib/dovecot/imap mr,
+ /{,var/}run/dovecot/auth-master rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.dovecot.imap>
=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login'
--- profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login 2014-12-22 16:43:54 +0000
@@ -24,6 +24,7 @@
network inet6 stream,
/usr/lib/dovecot/imap-login mr,
+ /{,var/}run/dovecot/anvil rw,
/{,var/}run/dovecot/login/ r,
/{,var/}run/dovecot/login/* rw,
=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
--- profiles/apparmor.d/usr.sbin.dnsmasq 2014-12-02 17:46:26 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq 2014-12-22 16:57:40 +0000
@@ -45,6 +45,8 @@
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ /bin/bash ix, # Required to execute --dhcp-script argument
+
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
@{PROC}/sys/net/ipv6/conf/*/mtu r,
@@ -64,7 +66,7 @@
/{,var/}run/libvirt/network/*.pid rw,
# libvirt lease helper
- /usr/lib/libvirt/libvirt_leaseshelper ix,
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper ix,
/{,var/}run/leaseshelper.pid rwk,
# NetworkManager integration
=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
--- profiles/apparmor.d/usr.sbin.dovecot 2014-09-03 19:45:56 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot 2014-12-22 16:51:02 +0000
@@ -15,6 +15,7 @@
/usr/sbin/dovecot {
#include <abstractions/authentication>
#include <abstractions/base>
+ #include <abstractions/dovecot-common>
#include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
@@ -25,7 +26,6 @@
capability fsetid,
capability kill,
capability net_bind_service,
- capability setgid,
capability setuid,
capability sys_chroot,
@@ -34,7 +34,6 @@
/etc/lsb-release r,
/etc/SuSE-release r,
@{PROC}/@{pid}/mounts r,
- @{PROC}/filesystems r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/anvil Px,
/usr/lib/dovecot/auth Px,
=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.mysqld'
--- profiles/apparmor/profiles/extras/usr.sbin.mysqld 2007-05-16 18:51:46 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.mysqld 2014-12-22 16:39:29 +0000
@@ -1,6 +1,9 @@
+# Last Modified: Mon Dec 1 22:23:12 2014
+
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2014 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -8,12 +11,12 @@
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
-# Last Modified: Wed Aug 17 14:28:07 2005
#include <tunables/global>
/usr/sbin/mysqld {
#include <abstractions/base>
+ #include <abstractions/mysql>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
@@ -21,8 +24,22 @@
capability setgid,
capability setuid,
+ /etc/hosts.allow r,
+ /etc/hosts.deny r,
/etc/my.cnf r,
+ /etc/my.cnf.d/ r,
+ /etc/my.cnf.d/*.cnf r,
+ /root/.my.cnf r,
+ /usr/lib{,32,64}/**.so mr,
/usr/sbin/mysqld r,
+ /usr/share/mariadb/*/errmsg.sys r,
+ /usr/share/mysql-community-server/*/errmsg.sys r,
/usr/share/mysql/** r,
- /var/lib/mysql/** lrw,
+ /var/lib/mysql/ r,
+ /var/lib/mysql/** rwl,
+ /var/log/mysql/mysqld-upgrade-run.log w,
+ /var/log/mysql/mysqld.log w,
+ /var/log/mysql/mysqld.log-20* w,
+ /{,var/}run/mysql/mysqld.pid w,
+
}
=== modified file 'utils/apparmor/logparser.py'
--- utils/apparmor/logparser.py 2014-08-20 22:55:44 +0000
+++ utils/apparmor/logparser.py 2015-01-17 13:35:38 +0000
@@ -25,7 +25,7 @@
_ = init_translation()
class ReadLog:
- RE_LOG_v2_6_syslog = re.compile('kernel:\s+(\[[\d\.\s]+\]\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=')
+ RE_LOG_v2_6_syslog = re.compile('kernel:\s+(\[[\d\.\s]+\]\s+)?(audit:\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=')
RE_LOG_v2_6_audit = re.compile('type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=')
# Used by netdomain to identify the operation types
# New socket names
=== modified file 'utils/test/aa_test.py'
--- utils/test/aa_test.py 2014-07-26 00:49:06 +0000
+++ utils/test/aa_test.py 2015-01-18 13:57:10 +0000
@@ -86,29 +86,6 @@
for path in globs.keys():
self.assertEqual(apparmor.aa.glob_path_withext(path), globs[path], 'Unexpected glob generated for path: %s'%path)
- def test_parse_event(self):
- parser = apparmor.logparser.ReadLog('', '', '', '', '')
- event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30'
- parsed_event = parser.parse_event(event)
- self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg', 'Incorrectly parsed/decoded name')
- self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo', 'Incorrectly parsed/decode profile name')
- self.assertEqual(parsed_event['aamode'], 'PERMITTING')
- self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a']))
- #print(parsed_event)
-
- #event = 'type=AVC msg=audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name=74657374207370616365 pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
- #parsed_event = apparmor.aa.parse_event(event)
- #print(parsed_event)
-
- event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000'
- parsed_event = parser.parse_event(event)
- self.assertEqual(parsed_event['name'], '/home/foo/.bash_history', 'Incorrectly parsed/decoded name')
- self.assertEqual(parsed_event['profile'], 'foo bar', 'Incorrectly parsed/decode profile name')
- self.assertEqual(parsed_event['aamode'], 'PERMITTING')
- self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a']))
- #print(parsed_event)
-
-
def test_modes_to_string(self):
for string in self.MODE_TEST.keys():
=== added file 'utils/test/test-logparser.py'
--- utils/test/test-logparser.py 1970-01-01 00:00:00 +0000
+++ utils/test/test-logparser.py 2015-01-18 13:57:10 +0000
@@ -0,0 +1,71 @@
+# ----------------------------------------------------------------------
+# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
+# Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# ----------------------------------------------------------------------
+import unittest
+
+from apparmor.logparser import ReadLog
+
+class TestParseEvent(unittest.TestCase):
+ def setUp(self):
+ self.parser = ReadLog('', '', '', '', '')
+
+ def test_parse_event_audit_1(self):
+ event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30'
+ parsed_event = self.parser.parse_event(event)
+ self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg')
+ self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo')
+ self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+ self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a']))
+
+ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+ self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+ def test_parse_event_audit_2(self):
+ event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000'
+ parsed_event = self.parser.parse_event(event)
+ self.assertEqual(parsed_event['name'], '/home/foo/.bash_history')
+ self.assertEqual(parsed_event['profile'], 'foo bar')
+ self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+ self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a']))
+
+ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+ self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+ def test_parse_event_syslog_1(self):
+ # from https://bugs.launchpad.net/apparmor/+bug/1399027
+ event = '2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0'
+ parsed_event = self.parser.parse_event(event)
+ self.assertEqual(parsed_event['name'], '/dev/tty')
+ self.assertEqual(parsed_event['profile'], '/home/cb/linuxtag/apparmor/scripts/hello')
+ self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+ self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a', '::r', '::w', '::a']))
+
+ self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+ def test_parse_event_syslog_2(self):
+ # from https://bugs.launchpad.net/apparmor/+bug/1399027
+ event = 'Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
+ parsed_event = self.parser.parse_event(event)
+ self.assertEqual(parsed_event['name'], '/usr/bin/')
+ self.assertEqual(parsed_event['profile'], '/home/simi/bin/aa-test')
+ self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+ self.assertEqual(parsed_event['request_mask'], set(['r', '::r']))
+
+ self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+ self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+
+if __name__ == "__main__":
+ unittest.main(verbosity=2)

35
apparmor-fix-stl-ostream.diff
View File

@ -1,35 +0,0 @@
Index: parser/dbus.cc
===================================================================
--- parser/dbus.cc.orig 2014-10-08 22:20:20.000000000 +0200
+++ parser/dbus.cc 2015-02-24 14:10:15.656288643 +0100
@@ -149,7 +149,7 @@ ostream &dbus_rule::dump(ostream &os)
if (interface)
os << " interface=\"" << interface << "\"";
if (member)
- os << " member=\"" << member << os << "\"";
+ os << " member=\"" << member << "\"";
if (!(mode & AA_DBUS_BIND) && (peer_label || name)) {
os << " peer=( ";
Index: parser/af_rule.cc
===================================================================
--- parser/af_rule.cc.orig 2014-09-03 22:34:10.000000000 +0200
+++ parser/af_rule.cc 2015-02-24 14:14:31.851251654 +0100
@@ -148,11 +148,14 @@ ostream &af_rule::dump_peer(ostream &os)
ostream &af_rule::dump(ostream &os)
{
- os << dump_prefix(os);
+ dump_prefix(os);
os << af_name;
- os << dump_local(os);
+ dump_local(os);
if (has_peer_conds())
- os << " peer=(" << dump_peer(os) << ")";
+ {
+ os << " peer=(";
+ dump_peer(os) << ")";
+ }
os << ",\n";
return os;

15
apparmor.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Fri Apr 24 20:21:32 UTC 2015 - opensuse@cboltz.de
- update to AppArmor 2.9.2 (2.9 branch r2911)
- lots of bugfixes in the parser and the aa-* tools (including
boo#918787)
- update dovecot and dnsmasq profiles and several abstractions
(including boo#911001)
- see http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_2 for the
full changelog
- remove upstream(ed) patches apparmor-changes-since-2.9.1.diff and
apparmor-fix-stl-ostream.diff
- replace GPG key with new AppArmor GPG signing key, see
https://launchpad.net/apparmor/+announcement/13404
-------------------------------------------------------------------
Fri Apr 17 18:46:08 UTC 2015 - opensuse@cboltz.de

139
apparmor.keyring
View File

@ -1,82 +1,65 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQGiBEPw2O4RBAD8PZ+0NfCEIBjuDXQjdb6vi642wRIrN7v67GTfNQ+uggGKESRe
grFumlArz5MbJVLinyIsCqigwyBpspXeyP6cMrzTudmmwQJJN9caejoAu5029wjX
WTrfwsPbqavwcQSfZlVJOKjLplUCzOcb808UOMYISz5mZmFGzfJpPLTMtwCg4CH+
e9ZoyqMz1GrkPqjWeOVHgjMD/1D/PW8c1DzBar6zaxNXtQOLtlWn5eqLwWJX7XhG
DM2YPD0vWyPYnx/5agg6YyouO6xiNi4lPDvEUu8+PqHHZz7Cl9Iu36ruAuhc87vQ
U10frmHHcdNoko/aetFfNSrXwD+mEhhrob0kIEEIe4K+KfTPKC+aQuUVwciuDiM1
+7ukA/46YWHIwkqFCUzjhJwu5hb4kGeYS1bcMrD5xCMcVzUdJPFcmz1AVclwAZ61
PYRRUs4xOJ5QeQty/1n4L5ylOJ8mfzXartC4ZY0OqDrXgLg/HhxPfvLfKvZ9xvBq
AIIJeqGmN2Dq/+Q70kA/5Ck4hUABBoTMQZABWQkCh3POwMCwhbRMQXBwQXJtb3Ig
RGV2ZWxvcG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1v
ckBsaXN0cy51YnVudHUuY29tPohqBBMRCgAqAhsDAh4BAheAAhkBBQsJCAcDBRUK
CQgLBRYCAwEABQJNXEDoBQkPDwJtAAoJEIE3mLmskxJxVFgAnjSeh2O03PKF0UJz
T13Fn1yK1IvaAJ9bQ3EuAw03b/RkIQUx5SQSXyDDdIhqBBMRCgAqAhsDBQkJZgGA
Ah4BAheAAhkBBQJMjkjTBQsJCAcDBRUKCQgLBRYCAwEAAAoJEIE3mLmskxJxQ4wA
oMb9+wVfGopVNTM/pwAFH+vcE1MaAKCUq/IOsOI0yRY7QVre3Rinzpy2/ohqBBMR
CgAqAhsDBQkJZgGAAh4BAheAAhkBBQJMoOLLBQsJCAcDBRUKCQgLBRYCAwEAAAoJ
EIE3mLmskxJxy6UAoN0PvpcVaBF9j6s46I6y5p12MBH3AJ0aiUVZj78cjyEprsJ6
nuWqDm+dS4kCIAQQAQoACgUCTI5JiAMFAXgACgkQLwmejQBegfQtjw//ZVFIv/UR
CsfamtmqEE/nZ7XfTh495SjHGQy3q4nZvLyfHHiF+XVQtD7JIlHzYpwGz4kla73c
aM/tLts6bhNgVKQPqazi59NwrHV5dwCiP9B+pX2wdBsjNfgGROiPcVugO+R3hJst
6JwbQ7P0wKM0MelySPaYL67K69/NsSCrhR4ds5DF0if7yIwKCZF5U9B2PTwe1UOt
U09JP0mk0rMuZSe/nqgM4DCIa1zk2NwXxRG3EC7S4oEl9/yez7EgNRh54sRPFXXb
craW5oosZRo1bJtp3Pn9cQPH8acObmw7B5lqRQD5lgpdTi4KewqFpTbgKFOqyMrB
0Dk3ZR8K968yEdsVJnp9kjSMCkcETszi4bODBqF+dsLErZxr1WPXY77Hbt8hlAEK
sX+ebsHFDKM95IMKbMKawdnw+RBDU/b5B5N6z7WokFY6G0/l0xI4B1mAi2kqNo6b
vtZ1Ss6Y3yHzRxL1+qfEZQ4XsMQ7raMZ2zZnnVxH0amF4JD4iPVxt882VwABys/F
abwh39NZVjz/39VA3cCNdwys/AO1fGJ9SvhiZrhORP/17qXH+zV9EqZyoLB3oAZG
UAyFo2Wzdk/m2lJhk3+2DAzxojvp8xrjhZg6GsQW98dHOVg3lWL3KdwK7hR7nV6Z
M5N9xawzkjwM6GJJ81ewk1l5L3IuCTdU0WGIagQTEQoAKgIbAwIeAQIXgAIZAQUL
CQgHAwUVCgkICwUWAgMBAAUCUwFh/gUJEPG8hQAKCRCBN5i5rJMScanlAKDWnPJE
GRDtnSgFmBTIb7qTGfyGOgCgn2twDY+VYYACfjfL5wSzBIvbplOJARwEEAECAAYF
AlIOZ2YACgkQ8yFyWZ2NLpf95AgAqLVKvGMe9AU6bOKN9EdI6NPIDBYIqVMq2cmK
xJ6k8PDSwJlLefCXo+V4Fo0FAgI6lQma6PpjNKfB2RwJzBRr90wDeDf4LopSYLTp
tXF7R/IZ1apx5xn54sQobdHDQNGCprkljSJmyZlvpXJNbyAJNPU90Cbj52ZnEuaY
LKqE5TOfvr4hQ49DFyVU7CFsFzWqjDKo4+2d3DDMcDC658h10jqkNGuW0kvIn1sL
B/WysMcXXe4Uj+mlvBT+aCYSmQhqjiDx7mEaDyq0g/wVI16JvfOj/snL1RE629DE
dGLiSJiyppXUKN7uUPtBTfGVcaQl+37MOi6DJ7KkKF0Sd0OYHbRQQXBwQXJtb3Ig
RGV2ZWxvcG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1v
ci1kZXZAZm9yZ2Uubm92ZWxsLmNvbT6IRgQQEQIABgUCQ/DcnQAKCRCq4Ef4O5hq
8zHbAKCdvXzNIDqtgYk1f/bsuPkeS3kX7QCeI8eHe/s7pK4BNJ+LP8fIsXQPpwmI
TAQQEQIADAUCQ/DrnQWDCWXu0QAKCRD72e4z2bCgmU6AAJ4gd95sCBuJrT41eKfF
jJgbKkk3PQCdF/v8Hx6UKbwU2QTnXZvTDt54gcmITAQQEQIADAUCQ/Dr5QWDCWXu
iQAKCRCv5SzGOaalP97MAKDo/w3w/13SGGhddksiJx6CsIydmACgnZM8wQf+uQCn
D05sP8IWMVVU18CIZgQTEQIAJgUCQ/DY7gIbAwUJCWYBgAYLCQgHAwIEFQIIAwQW
AgMBAh4BAheAAAoJEIE3mLmskxJxgCsAn0tuS2wJQ1OIz+Uy1xiVidW0q6u/AJ9J
ElRNwTFgvK4+fmVJWTyvLxUBZYhnBBMRAgAnAhsDAh4BAheABQsJCAcDBRUKCQgL
BRYCAwEABQJNXEEDBQkPDwJtAAoJEIE3mLmskxJxAD0An1LlCGM3KFMx6esXKwBV
7wKrOItGAJ9XA/0RTuFYxlUcHgjnpgbbpnro0YhnBBMRAgAnAhsDBQkJZgGAAh4B
AheABQJMoOLgBQsJCAcDBRUKCQgLBRYCAwEAAAoJEIE3mLmskxJxKxIAoJS5dvwi
iylcYdF1O/k6exULYN6lAKCnIDB/prGCAsNI5Q4u7MO607fLL4hnBBMRAgAnAhsD
Ah4BAheABQsJCAcDBRUKCQgLBRYCAwEABQJTAWIsBQkQ8byFAAoJEIE3mLmskxJx
wgAAn0ubiW6hY0nSav7+U4V9gklKhvViAJ9Bx6SgTw4NzJhulZKOCr8TrrCuM7kE
DQRD8NsGEBAAgakVLKVcf5Q1//PvVRy9xEYjLrao27eOrj39O/RFqk/Tex2H9dmt
ZApN5eXDo4ckWiDrveW8gKp3wLk7z/ZB4Tz5zgeM7VB3BSVjnOJiTE4Szf4eADRE
2lYfu1kIBgV/4sHUnwXFMb25Rh9k4E37ZRA+jpq6L71xtGmqHN9OQUKojz9TRDew
nzXzdOiPiJRNLHxIx5U2LFmcwx72dvTIDKdA8i91nlo4I0VBOMv8sIkVu+1jniff
G4jcMoGzZGKc70BG8ZcXgZnYh8wjCxb6l9t/iD5lVbRtGJPtonjUfc4i+AMRhPlb
2rgDBpMlS2QxPm01aca2BkW1u4jAzc1+NBUlFSxQ1hULVmmGn4VgB5guFB4rb1ru
LWMUkOfUZUFGi08ZD3qeEqjrYpq+Q5IAhnflxWNVIOxnvHBlbRrA5RTHBmy9kn6J
QZxgYKViTk8fjpr37Dyb9McL+4yxq+fydYUA0sLJSeg/vNqm7tS3KtBsN9vKiPTi
tT1fb+DAz0VglV/4Jk6H4VWPNjaJRYdqh8rZSdcQXUUJjSZZDHTbUh7Oa5l33sPf
aaru1zfPuhcjecJX3trS1ZkjfX17CUmMt/WzIeP44MObtktsJdqX0LaGsgMSOP/O
wjr53nHc1y1OZFL/ScO6MHJnYDZVz03mW9VHzB8ZYLdA+BSBUiBH7S8ABA0P/jcl
vD9ycltAPNWmG/q2gmW8BOLcaYmjfiDZ/sWig1w2A3yoglIGDX3l10K1laXIjQtD
O3rylXZw2x/fBaslAhObQsaarXcPidYuo3h1rQXTy+0wshpMU97V1H6XQVDKJlvE
ajyS6j0PidjS1PvxXjaF0wD68vpXJsfK69mthIhM1cQFoLlUjz4GzntfOqhQWt24
MIk+y3KRChzWN21XXHbBtoFhlFMwU6So0tgGCgwVXZom1jNdZnhchy/1Ek2wsXxs
dd6FX80n7RGNJ5IqHw2fE7k8sN6AGuaxf3FDVSJOMb4ApxH87k7DDWxBuRRuleu9
fNHOKh3InOxsAHbwy1ljg2BAWnl5XnTZpczajkO0MuxHqX64WsBYrfMB2dtpyjx6
GplDcguL699pVuWs0iMq6Vs4sgJaR464ns1WfUwkKy2riCtrDLwnNldCORQtUodV
x9wkmp8G7OzhARbDOG6uiawjkVAMrFrP1ut27qLOs/83/PKCMJ/iQ1h/esfJWqal
xVPvXwQl5A5ny7QpWx7G4cyLxyd8VvwsU87HMnn8buhDj/QALsZCAtauGqM9w1GR
Y3fnVcNKCloDgoBy/zGmpFSAMo4OZbj4y+Vnt175MWQ3KHVxYkwbsjzZYgDYWMOB
O8BlV41xSc8sqWM8Xm7+EUzbsk6hgkKqD+R2YSveiE8EGBECAA8FAkPw2wYCGwwF
CQlmAYAACgkQgTeYuayTEnHTiACgr3VoPwEFWOubuBM8cj/7fGWtmN0AnAqZiEd0
qr4ei1P//IqrpJif8SI4iE8EGBECAA8FAkPw2wcCGwwFCQlmAYAACgkQgTeYuayT
EnFVPACg0VjGyWMniZ94t/EKcNziWd/01Z8An2vIS4inaHCws74JVV8vUNSVRajP
=nbr7
mQINBFUwHrABEADZVFn6TF2SxrpMiknHVeUHW7l4mOjHcxtULlEOQ3yaxyNxA0iE
GFWnbP7ek2cjzrfNIA1HNiS0FNsKipRAd5EfRUvJO3lrVfPBRBMLExeyA5h8vXtc
fcp9zpmKAlNVkx85LtVHxch6eUZapNPwqxKJFiDCrFM/zGk4vbRODy2KO3C8XWiy
gHQEW4mjPEsJw6xhyNC63LpCRol7qQu8j6rLJur7GWzSaLKgcUpDktsMJhNRPmCd
Dzb4mbEsbSmWUZ0C2e4HqTs6yjkc3HCIPCsxi4Y8e55qVJRvmOvlx0vGqfUrZyXD
cUQb8PX02V7sjA1DvE4PnZ8yHj1bS7/Q9x+R5ZjTMkqQ0cYXFnMb8pJ/oZucwl41
RM7Nc57J7XLJmLRv/E7OL4v9DrobIPMOLvAU+PPdYzw+mUZx0jElOo84135nR/0K
EC7twaZxXVfF79iCY3OEhbHlPUH+62ucfcIdiV+TBKMhx70XJb4qDn1iDo2XW++N
8LF+7sZNLJnfJ7QfHUwVodWIXNaMsGOfknrZ4mcYbhETk2t6RpfmWUp61nVGeXgo
t1k3DXH93rFyccnEkGI8Y/+zFNN2QuZUx56kq6OF4Z3bhk7tSwA1/RubDRoNEQgF
94eGrKMgCfHhwPcV6KCtigtmXbdzhFQS5hJkvGOBHhVht9KbMrs9zh4RLQARAQAB
tExBcHBBcm1vciBEZXZlbG9wbWVudCBUZWFtIChBcHBBcm1vciBzaWduaW5nIGtl
eSkgPGFwcGFybW9yQGxpc3RzLnVidW50dS5jb20+iQI9BBMBCgAnBQJVMB6wAhsD
BQkPCZwABQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEGaJ5k49NmS7Lp4QAIS3
D070h7N/giZLUsciLedixqLW8bDzDNFLLturd9ng3x3GwEGdEzibh4TASE6fAQAR
x6oW51ndgI5o7ZoNU3I0I/uLPM1B6YscmN9W2SD5oK8uQ7/K5//b8OGLq/cg1ych
O2lAh5jaGAhmfHy1MS4ZPQ9zbuwARddB7ESD81P4XIRvd/XzfsB2xW+k/7IR/P3M
ZQg+GZm6PxgbK6iwlVyWKj1NyTppzxCWu1yljlbq+Noi5LiucbRdG5qCrymnjgwR
kTeFlvBLYP7NDUifP6JsHgxwKbmvrMmFVJTRx2QnsmGv5DA0Evyz8Bof78S4lJQJ
TkfiiBmWUc6VNv3IQ56PqMQ6RlsKdaGUxXlcPekyeWKC5K6r80m8YjJNBQ+RQMlh
OC7AIckqcB/wPk3/iHvuNbJ0oNd/x/BFBgCs1Wlkktah+tc1aYVPvN1MKhChKD++
RJYZE+BzR3HSgwBE2Oth7s53D+7ZZPtQoQvhxgKBLAlO7rvhlZi1G0id2BaAqris
Bwj/zFztNewOFCplM4cIXN2pRthgTJYSv/lCarnHsenTZ9zqqkWj3OsFPcMeWhtI
p3jyHXbGC9PtzodG51Aefmz0TqUwIvQxXQ6gOTVlGxMK64MweypYLxMOh9bQOMpS
29XKiX1dKB9ThjTJ6cDBKS7tnZ3cRxAHD3ZOGtiIiEYEEBEKAAYFAlUwIioACgkQ
gTeYuayTEnF41wCfVgK6+6dvch7YdkxGYOzkyt2G/EEAoIJq94o9guRD5OWVKS6N
gkjXvKQtiQIcBBABCgAGBQJVMCJMAAoJEC8Jno0AXoH0orQP/Rjx0Mdsorjfir+Y
ahNk5g4y4ZH425usPRMxRARNpZeGu58RLWOmSW5Fv//I95V0GnK8vyl5YuquHBJM
BRN4PR1XqHUqXdzG8zPZLG5elcqyV3cs58QSUyO+6Nbh4OY/VxqcawZYFaL5XE8N
y0qo2zeFcACIgsmuPMGBgkB3LAEJQxYZab6n2uIuMnJVai2DSIO5Ql2XC4mrKZOW
2GG6vlvM/MmrKKD+gFKCoGvoea9wYYb/3Lu/DU7nARGcCYyvX2zRTuasUO95Anm5
zYxeXMvSJEq36U+xPLliTcT+bZrzf/dK93SSi/B6txYdM1KQhU0/vLQtdtDDQPFO
edvHIVo+UFrve/lNYSmNEcjgd7iAGwFPe7y6dAQs3KQvE70g10KuSVQuYqSVHJ7t
AC0AGHHsBcijFLzsSn9hOve8DSo/Jwjgvb1Rx1wl8RsmegATOik7FnWRsU+2OM9f
/BU3sLXuKWRQFXiVHsEpRO+vKVFVtcdu7BGzuFBnLS26SNP2jKRYIWJ1ea177w82
vcjX5URSTBSQef0ABuYgzcV3CmTkKmpDmy49X+bpLQjYwX26XVh4Fm8yULTXT+Wc
pyDNf4itO8VSQpzrecBBcNJnyYvKBOuV0ASs4bZ0/ghmfGNHENk18ZQHZQ0pI1vX
eNk5l60Ensk0WWA/sz1732WzhTtRuQINBFUwHrABEACzq2cDh5gGH419PwIGmkxY
rZWyVglmXPI/4sf/dAqyrr/FRkSNW+VZzw/yLVfA4zW9ttYReJsmFKqXpSoF8ci5
RfZf1fba9xv4I5x4WBGNcaUZzdKm7vMW/reJRDsNw7f6zvL9VlUUtlL8lSnsObbE
yCrI8oMUwJzu8ojFMiUfRfmQ0IQrYC8hFgmMkknsG6gQTrKSX3xDmFPeAaN11TA1
9thm+GrcEbKvDMiS5RGG924Lmz+67C+hmKc6HRvDPkNp6prDmiMiLkCun6qQQC5b
jdO3yKlEuhxeNcNAxKIEpv5Syy9gEXXT8DeLQmutSHHb1SYSMB6mzX7b+3wtka+E
uCwWk3VrutpOHD0HCJMMtxbLrtlyq8v+3m8v9tyfNBVaeFyR7IEt9ciGiIe5eNw8
R3E3BRGEIW7ABs55rnA47mmVO6nBGq8VMriLCeVSO7I/D+9enSvcTng78PK99iBW
7e6gbGtGUXLpvx/bu61HpQrnG4DWVJ7jk6W2bbSLclT8DwJDQiN+poamNuoQjqAW
xrxsYPNRsc6/Ro0LJMXAkc0xQqShtXl2pdCdJroj8gXq3i3HpQfDZrjzNbW02gMN
HSCR5QpmGS4UrL8ex+3DYnGUZh/SxMVVVbRQ4dPbO5yTbwDdaQkAenA6Faj4lM7S
jv4ToiG6Ld6c6UMU1B5CVQARAQABiQIlBBgBCgAPBQJVMB6wAhsMBQkPCZwAAAoJ
EGaJ5k49NmS7LfwP/0M+kTh5bviy4rr6OtCUnd/qCob/DBLkbCbHrEZz/+2yUQa1
IS93BjKrU2umD/CcMEU0F6yltHr7QtFufWEkcz1HvfRru2H1B3rrNxr1cab0ek7K
+456gN5Os2/jP/1L4BsAjAPii1wthpH59z8m333L2uDnkkd8cUTaIW+TBPG2wN2C
OJ+Pgyd9SAaqpVFmO0CoLhWixyK42OJTbm12SyeUq2VlVX+v+S2rql64RZJI9Kcn
N/36kWAgMdDuCpa8XEhJP2DxC8QcFyduP7/ZdYJZNWuiny6VP+HKblP6Imnc6xjz
HXSQauDsp5hUuxz+aLaAJSS1yBA23lfdhf+Yfu4ruMGFICdHXAkRXBt2JFIVskt3
cL/tBrNEkDi0JG6FzYAS9gLJIyvlJlElgXXF0OZl60kjh254xRDEH5Q8/spBDdzw
0FkHS3hPWjM3sDSSZuX9YAZDzw0wQGM6sl4y+BX8I2JerhF9SIS606NAaT+06kOH
5wa4S51u6XN+UdXoXa6XSo/fqhVHt/5Mu1A90gMkA65ji0X+Xu/Yoo3Ui1Tx584t
qtHJFnDQa4wJbmjB7uzqbpkk7xKFII1vgLayS8MkFvg+lnmjvgr/ve0hoHZnVCSz
md9kZgGkKQfTaGFIZRc24D44tcIL1K20B+cskRqhpee7EGaba7sazdpVk3A0
=dwg6
-----END PGP PUBLIC KEY BLOCK-----

10
apparmor.spec
View File

@ -60,7 +60,7 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.9.1
Version: 2.9.2
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
@ -97,12 +97,6 @@ Patch6: apparmor-abstractions-no-multiline.diff
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
# upstream changes since the 2.9.1 release - bzr diff -r2832..2839 (2.9 branch)
Patch8: apparmor-changes-since-2.9.1.diff
# fix build with GCC 5 due to bad ostream use
Patch9: apparmor-fix-stl-ostream.diff
# update samba (winbindd and nmb) profiles for samba 4.2 (boo#921098, boo#923201)
Patch10: samba-4.2-profiles.diff
@ -451,8 +445,6 @@ SubDomain.
%patch6
%patch7 -p1
%patch8
%patch9
%patch10
# search for left-over multiline rules
test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"