Accepting request 991158 from security:apparmor

- update to AppArmor 3.0.5 - several additions to profiles and abstractions - bugfixes in parser and utils - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.5 for the detailed upstream changelog - remove upstream(ed) patchs: - apparmor-setuptools61-mr897.patch - dovecot-profiles-boo1199535-mr881.diff - php8-fpm-mr876.patch - python310-help-mr848.patch - samba-new-dcerpcd.patch - samba_deny_net_admin.patch - update-samba-bgqd.diff - update-usr-sbin-smbd.diff - apparmor-samba-include-permissions-for-shares.diff: remove upstreamed part - add dirtest-sort-mr900.diff to fix random test failures - change apache-extra-profile-include-if-exists.diff to the post-mv path (new quilt executes mv) - stop disabling lto (fixed upstream) (boo#1133091) - package profile-load script in -parser (forwarded request 991157 from cboltz) OBS-URL: https://build.opensuse.org/request/show/991158 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=177
2022-07-29 14:47:00 +00:00 · 2022-07-29 14:47:00 +00:00 · a411472626
commit a411472626
parent ba1c18f43f 4312257819
18 changed files with 109 additions and 602 deletions
--- a/apache-extra-profile-include-if-exists.diff
+++ b/apache-extra-profile-include-if-exists.diff
@ -8,10 +8,10 @@ profile at its new location (extra profiles directory)
 Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1178527
-Index: profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2
+Index: profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2
 ===================================================================
--- profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2.orig	2020-12-02 12:01:37.000000000 +0100
+--- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig	2020-12-02 12:01:37.000000000 +0100
-+++ profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2	2021-01-22 12:19:45.964708670 +0100
+++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2	2021-01-22 12:19:45.964708670 +0100
@@ -75,7 +75,7 @@ include <tunables/global>
   # This directory contains web application
   # package-specific apparmor files.
--- a/apparmor-3.0.4.tar.gz
+++ b/apparmor-3.0.4.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:09bf48d7a171f9790c39a1404bad105a788934cfe77b7490c7f5c63c2576b725
 size 7796852
--- a/apparmor-3.0.4.tar.gz.asc
+++ b/apparmor-3.0.4.tar.gz.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmIEYPoaHGFwcGFybW9y
 QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLsuXRAAwUfR2mTa8T1f9JKDV9oI
 VyHMNPx4UQ8UGHPjdggPZpgU8tdLgIeTzrVB9IFmUNxREmeQURyr12lWJiL7rUjp
 uICigANNZPtfYDB8PNF6OPbwZ61A44RZ26SZJauKQg/iP1c/m3NH24TReUqB2UgC
 Zrjx4KBH30m0+wc2Ca5f017CRDRL6oPjbUnCdY6S8XdVzbbd4x/4K0yoaS8mNLde
 GUbs4cMJnuMndVPhNVIiKvRt/qmYl2nB3HBzU9VXmq/GBR9wDpb1G6N3IuB7Oaak
 WrB32ymgllwi5av3L1vXQhisZ1LAaH7GNElCX5c4rJa/6Bsfru5kTecEXSIJXf2H
 P8XmwUkdrl7idfAbSg/jW1h02uD99WTymii2SCwYWhNX9s0BRuSMPASA9TgrYOZN
 oTshsA8lYaAafdAU6OboaeS91WL65hTr3GUcGgYl+qYcYTdyU6IG4MooCwATM2st
 SHt7HPOJLNntMt8CGcPx1Q9UA8ta3kNlcf6YSycWCqWvPEvCkpex23gVUVIXzVKr
 bs2tvJO59BsCxiL6umsksv5otIXDrm4yay1QaYl+KUEOvU051SUyXey7pQ/qO0LY
 leifVmldlLfPosAKiJqiQ3RAKp7Zr/YrvKLLxeLj5MrKUmSR2UQ5xC8aXfYYhDqh
 +PPpcMO9Io9UyHHofXB7dlA=
 =rXSS
 -----END PGP SIGNATURE-----
--- a/apparmor-3.0.5.tar.gz
+++ b/apparmor-3.0.5.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:8c01879f60bf7e11028e2177981971f8288ce0a6f20ce8c12fd7cb111da1a624
 size 7946342
--- a/apparmor-3.0.5.tar.gz.asc
+++ b/apparmor-3.0.5.tar.gz.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmLeRbsaHGFwcGFybW9y
 QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLsAKQ//b3RWTRdJM/S1b49RQd6p
 /gltAIlOD2Ne3jBUVXeKiGlsNEN8Os37D+3t9wMfXphoM+JbrUO/2gm52M/7w4Ov
 xZJOVGC1SA72R2h6CObNZ3gqsc6/HuOW+/NLahFikZWdKs4mHwKhSlKkZU8g1bVS
 KA3hrwyct4oO2XSQARc+V9n6a6y8shvBolUbB7Jm2HSomMjHkiW11wfHECroW4v+
 YZv4JwwojOvYE0J+1WEJeOhv1SfzQMnYAn2BdtoSbO3pYHTXmblVXKpiB30cHtJ7
 Rbm+a2FbRsH1giTtq48cvBl7euBEXP27uM7cQSSbqukEJtWkIJTRpnJxGV5bUS+a
 tI3J4uneuicJxc6snAmO58PXnp1O9WGeHVtPg3ERYZQQ5UoaYpxlEpMFQJV44M4U
 s7g2iTZ6+z0I4gcjnfm/uKcdLyYN2KJSQTD/bgQv6C5t94ofoZ1HCt7Ra/VHIG+Q
 0pSDN/RSu2LI3tJdDq2/KFU1e0YzElSaHNb+sUn+rQOrpMB0FJZK1KzrBn0TxjTj
 JONny5WnVaTmbBfdjIvGbpWMMbKX/3Ob5kHmgY8TYuo/Bllgr2l6rWURK1MTHO64
 narFxIqOBj0Kb+kJPhA8+55R7gA1ioW6JtQQLlbz2NgRMaOeBWiprmaxRv1xY9e3
 NYdyzQRgu/zOEM5v/J5VecQ=
 =FsDG
 -----END PGP SIGNATURE-----
--- a/apparmor-samba-include-permissions-for-shares.diff
+++ b/apparmor-samba-include-permissions-for-shares.diff
@ -1,15 +1,21 @@
 Samba generates a profile sniplet with permissions for all shares at
 start using the update-apparmor-samba-profile script.
-This patch includes the autogenerated profile sniplet it in the smbd 
+After the include rules were upstreamed in AppArmor 3.0.5 (MR 838), this
-profile. It also creates a dummy profile sniplet to avoid "file not 
+patch was shortened. Now it "only" creates a dummy profile sniplet
-found" errors when AppArmor is started before samba was started.
+because update-apparmor-samba-profiles on Leap 15.3 and 15.4 aborts if
 the local/ sniplet doesn't exist.
 Tumbleweed does not rely on a pre-existing local/usr.sbin.smbd-shares
 anymore, therefore the patch gets skipped there in the spec.
 References: https://bugzilla.novell.com/show_bug.cgi?id=688040
 Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 === added file 'profiles/apparmor.d/local/usr.sbin.smbd-shares'
 --- profiles/apparmor.d/local/usr.sbin.smbd-shares	1970-01-01 00:00:00 +0000
 +++ profiles/apparmor.d/local/usr.sbin.smbd-shares	2011-10-19 09:40:05 +0000
@ -17,18 +23,4 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 +# This file will be replaced by rules for all samba shares at samba start.
 +# Do not edit!
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
@@ -59,6 +59,10 @@
   @{HOMEDIRS}/** lrwk,
   /var/lib/samba/usershares/{,**} lrwk,
 +  # permissions for all configured shares
 +  # autogenerated by update-apparmor-samba-profile at samba start
 +  include <local/usr.sbin.smbd-shares>
 +
   # Site-specific additions and overrides. See local/README for details.
   include if exists <local/usr.sbin.smbd>
 }
--- a/apparmor-setuptools61-mr897.patch
+++ b/apparmor-setuptools61-mr897.patch
@ -1,136 +0,0 @@
 Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.am
 ===================================================================
 --- apparmor-3.0.4.orig/libraries/libapparmor/swig/python/test/Makefile.am
 +++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.am
@@ -10,8 +10,7 @@ test_python.py: test_python.py.in $(top_
 CLEANFILES = test_python.py
 -# bah, how brittle is this?
 -PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")'
 +PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
 TESTS	= test_python.py
 TESTS_ENVIRONMENT = \
 Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/testbuildpath.py
 ===================================================================
 --- /dev/null
 +++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/buildpath.py
@@ -0,0 +1,10 @@
 +#!/usr/bin/env python3
 +# the build path has changed in setuptools 61.2
 +import sys
 +import sysconfig
 +import setuptools
 +if tuple(map(int,setuptools.__version__.split("."))) >= (61, 2):
 +    identifier = sys.implementation.cache_tag
 +else:
 +    identifier = "%d.%d" % sys.version_info[:2]
 +print("lib.%s-%s" % (sysconfig.get_platform(), identifier))
 Index: apparmor-3.0.4/utils/test/Makefile
 ===================================================================
 --- apparmor-3.0.4.orig/utils/test/Makefile
 +++ apparmor-3.0.4/utils/test/Makefile
@@ -27,8 +27,8 @@ ifdef USE_SYSTEM
     BASEDIR=
     PARSER=
 else
 -    # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
 -    PYTHON_DIST_BUILD_PATH = ../../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
 +    # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/buildpath.py
 +    PYTHON_DIST_BUILD_PATH = ../../libraries/libapparmor/swig/python/build/$$($(PYTHON) ../../libraries/libapparmor/swig/python/test/buildpath.py)
     LIBAPPARMOR_PATH=../../libraries/libapparmor/src/.libs/
     LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
     PYTHONPATH=..:$(PYTHON_DIST_BUILD_PATH)
 Index: apparmor-3.0.4/utils/test/README.md
 ===================================================================
 --- apparmor-3.0.4.orig/utils/test/README.md
 +++ apparmor-3.0.4/utils/test/README.md
@@ -7,7 +7,7 @@ For more information, refer to the [unit
 Make sure to set the environment variables pointing to the in-tree apparmor modules, and the in-tree libapparmor and its python wrapper:
 ```bash
 -$ export PYTHONPATH=..:../../libraries/libapparmor/swig/python/build/$(/usr/bin/python3 -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")
 +$ export PYTHONPATH=..:../../libraries/libapparmor/swig/python/build/$(/usr/bin/python3 ../../libraries/libapparmor/swig/python/test/buildpath.py)
 $ export __AA_CONFDIR=.
 ```
@@ -15,4 +15,4 @@ To execute the test individually, run:
 ```bash
 $ python3 ./test-tile.py ClassFoo.test_bar
 -```
 \ No newline at end of file
 +```
 Index: apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.in
 ===================================================================
 --- apparmor-3.0.4.orig/libraries/libapparmor/swig/python/test/Makefile.in
 +++ apparmor-3.0.4/libraries/libapparmor/swig/python/test/Makefile.in
@@ -1,7 +1,7 @@
 -# Makefile.in generated by automake 1.16.1 from Makefile.am.
 +# Makefile.in generated by automake 1.16.5 from Makefile.am.
 # @configure_input@
 -# Copyright (C) 1994-2018 Free Software Foundation, Inc.
 +# Copyright (C) 1994-2021 Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -301,6 +301,7 @@ am__set_TESTS_bases = \
   bases='$(TEST_LOGS)'; \
   bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \
   bases=`echo $$bases`
 +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)'
 RECHECK_LOGS = $(TEST_LOGS)
 AM_RECURSIVE_TARGETS = check recheck
 TEST_SUITE_LOG = test-suite.log
@@ -336,8 +337,9 @@ AWK = @AWK@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 -CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 +CSCOPE = @CSCOPE@
 +CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
@@ -348,8 +350,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
 +ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
 +FILECMD = @FILECMD@
 GREP = @GREP@
 INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
@@ -470,9 +474,7 @@ top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 @HAVE_PYTHON_TRUE@CLEANFILES = test_python.py
 -
 -# bah, how brittle is this?
 -@HAVE_PYTHON_TRUE@PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) -c "import sysconfig; print(\"lib.%s-%s\" %(sysconfig.get_platform(), sysconfig.get_python_version()))")'
 +@HAVE_PYTHON_TRUE@PYTHON_DIST_BUILD_PATH = '$(builddir)/../build/$$($(PYTHON) buildpath.py)'
 @HAVE_PYTHON_TRUE@TESTS = test_python.py
 @HAVE_PYTHON_TRUE@TESTS_ENVIRONMENT = \
 @HAVE_PYTHON_TRUE@  LD_LIBRARY_PATH='$(top_builddir)/src/.libs:$(PYTHON_DIST_BUILD_PATH)' \
@@ -631,7 +633,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS)
 	  test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG);		\
 	fi;								\
 	echo "$${col}$$br$${std}"; 					\
 -	echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}";	\
 +	echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}";	\
 	echo "$${col}$$br$${std}"; 					\
 	create_testsuite_report --maybe-color;				\
 	echo "$$col$$br$$std";						\
@@ -686,7 +688,6 @@ test_python.py.log: test_python.py
 @am__EXEEXT_TRUE@	--log-file $$b.log --trs-file $$b.trs \
 @am__EXEEXT_TRUE@	$(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \
 @am__EXEEXT_TRUE@	"$$tst" $(AM_TESTS_FD_REDIRECT)
 -
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,28 @@
 -------------------------------------------------------------------
 Mon Jul 25 18:18:04 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
 - update to AppArmor 3.0.5
  - several additions to profiles and abstractions
  - bugfixes in parser and utils
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.5
    for the detailed upstream changelog
 - remove upstream(ed) patchs:
  - apparmor-setuptools61-mr897.patch
  - dovecot-profiles-boo1199535-mr881.diff
  - php8-fpm-mr876.patch
  - python310-help-mr848.patch
  - samba-new-dcerpcd.patch
  - samba_deny_net_admin.patch
  - update-samba-bgqd.diff
  - update-usr-sbin-smbd.diff
 - apparmor-samba-include-permissions-for-shares.diff: remove
  upstreamed part
 - add dirtest-sort-mr900.diff to fix random test failures
 - change apache-extra-profile-include-if-exists.diff to the post-mv
  path (new quilt executes mv)
 - stop disabling lto (fixed upstream) (boo#1133091)
 - package profile-load script in -parser
 -------------------------------------------------------------------
 Fri Jul 15 23:01:42 UTC 2022 - Ben Greiner <code@bnavigator.de>
--- a/apparmor.spec
+++ b/apparmor.spec
@ -45,7 +45,7 @@
 %define JAR_FILE changeHatValve.jar
 Name:           apparmor
-Version:        3.0.4
+Version:        3.0.5
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@ -63,7 +63,8 @@ Source7:        apparmor-rpmlintrc
 # and set cache-loc in parser.conf and apparmor.service accordingly
 Patch1:         apparmor-enable-profile-cache.diff
-# include autogenerated profile sniplet for samba shares (bnc#688040) - upstreamed as part of https://gitlab.com/apparmor/apparmor/-/merge_requests/838 2022-02-16 (master + 3.0 branch)
+# include autogenerated profile sniplet for samba shares (bnc#688040) - include rule upstreamed in 3.0.5 (MR 838), now "just" creates the local/ sniplet
 # (technically only needed in Leap 15.x, the samba script in Tumbleweed also works if the local/ sniplet doesn't exist - but dropping the local/ sniplet will move existing autogenerated sniplets to *.rpmsave)
 Patch2:         apparmor-samba-include-permissions-for-shares.diff
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
@ -78,41 +79,12 @@ Patch5:         apparmor-lessopen-nfs-workaround.diff
 # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
 Patch6:         apache-extra-profile-include-if-exists.diff
 # bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd
 # merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860
 # bsc#1195463 add rule to allow reading of openssl.cnf
 # merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
 Patch7:         update-samba-bgqd.diff
 # bsc#1195463 add rule to allow reading of openssl.cnf
 # merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
 Patch8:         update-usr-sbin-smbd.diff
 # add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + merged upstream 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873
-#                               + 2022-06-28 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only)
+#                               + merged upstream 2022-06-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only)
 Patch9:         zgrep-profile-mr870.diff
-# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867
+# dirtest.sh: sort output to avoid random test failures (from upstream, merged 3.0+master 2022-07-25 https://gitlab.com/apparmor/apparmor/-/merge_requests/900)
-# bsc#1196850
+Patch10:        dirtest-sort-mr900.diff
 Patch10:        samba_deny_net_admin.patch
 # support for new dcerpcd subsytem in >= samba-4.16
 # merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871
 # merged upstream 2022-05-11 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/880
 # bsc#1198309
 Patch11:        samba-new-dcerpcd.patch
 # allow php8 php-fpm to read its config (from upstream master+3.0 https://gitlab.com/apparmor/apparmor/-/merge_requests/876)
 Patch12:        php8-fpm-mr876.patch
 # allow python 3.10 --help output (from the branch-3.0 backport of https://gitlab.com/apparmor/apparmor/-/merge_requests/848)
 Patch13:        python310-help-mr848.patch
 # extend dovecot profiles for latest dovecot (boo 1199535, submitted upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/881)
 Patch14:        dovecot-profiles-boo1199535-mr881.diff
 # https://gitlab.com/apparmor/apparmor/-/merge_requests/897
 Patch15:        apparmor-setuptools61-mr897.patch
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -371,8 +343,6 @@ SubDomain.
 %setup -q
 # very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984)
 # (patch to change <apache.d> include to "include if exists" needs to be applied before moving the file to avoid breaking quilt)
 %patch6
 mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/
 %patch1
@ -380,18 +350,11 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch3 -p1
 %patch4
 %patch5
-%patch7 -p1
+%patch6
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
 %build
 %define _lto_cflags %{nil}
 export SUSE_ASNEEDED=0
 # libapparmor:
@ -575,6 +538,7 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions
 %{apparmor_bin_prefix}/apparmor.systemd
 %{apparmor_bin_prefix}/profile-load
 %doc %{_mandir}/man1/aa-enabled.1.gz
 %doc %{_mandir}/man1/aa-exec.1.gz
 %doc %{_mandir}/man1/aa-features-abi.1.gz
--- a/dirtest-sort-mr900.diff
+++ b/dirtest-sort-mr900.diff
@ -0,0 +1,42 @@
 From c0815d0e0f1c68397b8ce04d81c48940e4b2c63b Mon Sep 17 00:00:00 2001
 From: intrigeri <intrigeri@boum.org>
 Date: Mon, 25 Jul 2022 10:04:13 +0000
 Subject: [PATCH] dirtest.sh: don't rely on apparmor_parser -N's output sort
 order to be deterministic
 I've seen this test fail because "apparmor_parser -N" returned the expected
 lines, but in a different order than what's expected (dirtest.out).
 To fix this, sort both the expected and actual output.
 ---
 parser/tst/dirtest.sh          | 3 ++-
 parser/tst/dirtest/dirtest.out | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
 diff --git a/parser/tst/dirtest.sh b/parser/tst/dirtest.sh
 index 8c94dbd68..95c108371 100755
 --- a/parser/tst/dirtest.sh
 +++ b/parser/tst/dirtest.sh
@@ -31,8 +31,9 @@ do_tst() {
 	shift 2
 	#global tmpdir
 -	${APPARMOR_PARSER} "$@" > "$tmpdir/out" 2>/dev/null
 +	${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null
 	rc=$?
 +	LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out"
 	if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then
 		echo "failed: expected \"$expected\" but parser returned error"
 		return 1
 diff --git a/parser/tst/dirtest/dirtest.out b/parser/tst/dirtest/dirtest.out
 index e82188b84..5b4cc30aa 100644
 --- a/parser/tst/dirtest/dirtest.out
 +++ b/parser/tst/dirtest/dirtest.out
@@ -1,3 +1,3 @@
 -good_target
 a_profile
 b_profile
 +good_target
 -- 
 GitLab
--- a/dovecot-profiles-boo1199535-mr881.diff
+++ b/dovecot-profiles-boo1199535-mr881.diff
@ -1,54 +0,0 @@
 From https://gitlab.com/apparmor/apparmor/-/merge_requests/881
 From ad8df7f88fdac5cf230da07bb0f45761a22202b3 Mon Sep 17 00:00:00 2001
 From: Christian Boltz <apparmor@cboltz.de>
 Date: Sun, 15 May 2022 20:53:35 +0200
 Subject: [PATCH] Add missing permissions for dovecot-{imap,lmtp,pop3}
 References: https://bugzilla.opensuse.org/show_bug.cgi?id=1199535
 ---
 profiles/apparmor.d/usr.lib.dovecot.imap | 1 +
 profiles/apparmor.d/usr.lib.dovecot.lmtp | 2 ++
 profiles/apparmor.d/usr.lib.dovecot.pop3 | 1 +
 3 files changed, 4 insertions(+)
 diff --git a/profiles/apparmor.d/usr.lib.dovecot.imap b/profiles/apparmor.d/usr.lib.dovecot.imap
 index ade0e4157..8ee2d5a4e 100644
 --- a/profiles/apparmor.d/usr.lib.dovecot.imap
 +++ b/profiles/apparmor.d/usr.lib.dovecot.imap
@@ -35,6 +35,7 @@ profile dovecot-imap /usr/lib/dovecot/imap {
   owner /tmp/dovecot.imap.* rw,
   @{PROC}/@{pid}/attr/{apparmor/,}current rw,
 +  @{PROC}/@{pid}/stat r,
   /usr/bin/doveconf rix,
   /usr/lib/dovecot/imap mrix,
   /usr/share/dovecot/** r,
 diff --git a/profiles/apparmor.d/usr.lib.dovecot.lmtp b/profiles/apparmor.d/usr.lib.dovecot.lmtp
 index 7b2e5599b..ad26eff3e 100644
 --- a/profiles/apparmor.d/usr.lib.dovecot.lmtp
 +++ b/profiles/apparmor.d/usr.lib.dovecot.lmtp
@@ -31,6 +31,8 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp {
   @{HOME}/.dovecot.svbin r,
   @{PROC}/@{pid}/attr/{apparmor/,}current rw,
 +  owner @{PROC}/@{pid}/io r,
 +  owner @{PROC}/@{pid}/stat r,
   @{PROC}/*/mounts r,
   /tmp/dovecot.lmtp.* rw,
   /usr/lib/dovecot/lmtp mr,
 diff --git a/profiles/apparmor.d/usr.lib.dovecot.pop3 b/profiles/apparmor.d/usr.lib.dovecot.pop3
 index a593d6b1a..ed010ddaf 100644
 --- a/profiles/apparmor.d/usr.lib.dovecot.pop3
 +++ b/profiles/apparmor.d/usr.lib.dovecot.pop3
@@ -26,6 +26,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 {
   @{DOVECOT_MAILSTORE}/** rwkl,
   @{HOME} r, # ???
 +  @{PROC}/@{pid}/stat r,
   /usr/lib/dovecot/pop3 mr,
   # Site-specific additions and overrides. See local/README for details.
 -- 
 GitLab
--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -18,7 +18,7 @@
 Name:           libapparmor
-Version:        3.0.4
+Version:        3.0.5
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
@ -66,7 +66,6 @@ AppArmor API.
 %setup -q -n apparmor-%{version}
 %build
 %define _lto_cflags %{nil}
 (
  cd ./libraries/libapparmor
  %configure \
--- a/php8-fpm-mr876.patch
+++ b/php8-fpm-mr876.patch
@ -1,46 +0,0 @@
 From c946f0bf75f9529014c79ff591d6f953ce56b416 Mon Sep 17 00:00:00 2001
 From: Christian Boltz <apparmor@cboltz.de>
 Date: Mon, 18 Apr 2022 20:49:22 +0200
 Subject: [PATCH] Allow reading all of /etc/php[578]/** in abstractions/php
 ... and with that, make a rule in the php-fpm profile (which missed
 php8) superfluous.
 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229
 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
 ---
 profiles/apparmor.d/abstractions/php | 3 +--
 profiles/apparmor.d/php-fpm          | 2 --
 2 files changed, 1 insertion(+), 4 deletions(-)
 diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php
 index ddafb0770..6bf0dc798 100644
 --- a/profiles/apparmor.d/abstractions/php
 +++ b/profiles/apparmor.d/abstractions/php
@@ -13,8 +13,7 @@
   abi <abi/3.0>,
   # shared snippets for config files
 -  /etc/php{,5,7,8}/**/ r,
 -  /etc/php{,5,7,8}/**.ini r,
 +  /etc/php{,5,7,8}/** r,
   # Xlibs
   /usr/X11R6/lib{,32,64}/lib*.so* mr,
 diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
 index b25762c50..14b3c7195 100644
 --- a/profiles/apparmor.d/php-fpm
 +++ b/profiles/apparmor.d/php-fpm
@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
   # read the system certificates
   include <abstractions/ssl_certs>
 -  /etc/php{,5,7}/** r,
 -
   capability net_admin,
   # change user/group of a pool
   capability setuid,
 -- 
 GitLab
--- a/python310-help-mr848.patch
+++ b/python310-help-mr848.patch
@ -1,57 +0,0 @@
 From 8a21472175501823303a8af270bd38a60ff4ac9c Mon Sep 17 00:00:00 2001
 From: John Johansen <john@jjmx.net>
 Date: Tue, 15 Feb 2022 19:17:30 +0000
 Subject: [PATCH] Merge make test-aa-notify test_help_contents () less strict
 Python 3.10 generates a slightly different --help output.
 Fixes https://gitlab.com/apparmor/apparmor/-/issues/220
 Closes #220
 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/848
 Acked-by: Approved-by: John Johansen <john@jjmx.net>
 Merged-by: John Johansen <john@jjmx.net>
 (cherry picked from commit ba14227bb51a76b416a8da46c241a8d07506badc)
 Signed-off-by: John Johansen <john.johansen@canonical.com>
 ---
 utils/test/test-aa-notify.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
 diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py
 index 2484c7f97..cfb5fa5a8 100644
 --- a/utils/test/test-aa-notify.py
 +++ b/utils/test/test-aa-notify.py
@@ -148,13 +148,15 @@ Feb  4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoc
         '''Test output of help text'''
         expected_return_code = 0
 -        expected_output_is = \
 +        expected_output_1 = \
 '''usage: aa-notify [-h] [-p] [--display DISPLAY] [-f FILE] [-l] [-s NUM] [-v]
                  [-u USER] [-w NUM] [--debug]
 Display AppArmor notifications or messages for DENIED entries.
 +'''
 -optional arguments:
 +        expected_output_2 = \
 +'''
   -h, --help            show this help message and exit
   -p, --poll            poll AppArmor logs and display notifications
   --display DISPLAY     set the DISPLAY environment variable (might be needed if
@@ -174,8 +176,9 @@ optional arguments:
         return_code, output = cmd([aanotify_bin, '--help'])
         result = 'Got return code %d, expected %d\n' % (return_code, expected_return_code)
         self.assertEqual(expected_return_code, return_code, result + output)
 -        result = 'Got output "%s", expected "%s"\n' % (output, expected_output_is)
 -        self.assertEqual(expected_output_is, output, result + output)
 +
 +        self.assertIn(expected_output_1, output)
 +        self.assertIn(expected_output_2, output)
     def test_entries_since_100_days(self):
         '''Test showing log entries since 100 days'''
 -- 
 GitLab
--- a/samba-new-dcerpcd.patch
+++ b/samba-new-dcerpcd.patch
@ -1,179 +0,0 @@
 Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
 ===================================================================
 --- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
 +++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
@@ -39,6 +39,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/lib*/samba/gensec/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
   /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
 +  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
   /usr/lib/@{multiarch}/samba/**/ r,
 Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
 ===================================================================
 --- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.winbindd
 +++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbind
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
 +  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
   /usr/{bin,sbin}/winbindd mr,
   /var/cache/krb5rcache/* rwk,
   /var/cache/samba/*.tdb rwk,
 Index: apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
 ===================================================================
 --- /dev/null
 +++ apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
@@ -0,0 +1,31 @@
 +# ------------------------------------------------------------------
 +#
 +#    Copyright (C) 2022 SUSE LLC
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of version 2 of the GNU General Public
 +#    License published by the Free Software Foundation.
 +#
 +# ------------------------------------------------------------------
 +# vim:syntax=apparmor
 +
 +abi <abi/3.0>,
 +
 +include <tunables/global>
 +
 +profile samba-dcerpcd /usr/lib*/samba/samba-dcerpcd {
 +  include <abstractions/samba-rpcd>
 +
 +  @{run}/samba/samba-dcerpcd.pid wk,
 +
 +  /usr/lib*/samba/samba-dcerpcd m,
 +
 +  /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
 +  /usr/lib*/samba/rpcd_classic Px -> samba-rpcd-classic,
 +  /usr/lib*/samba/rpcd_spoolss Px -> samba-rpcd-spoolss,
 +
 +  @{run}/samba/ncalrpc/ rw,
 +  @{run}/samba/ncalrpc/** rw,
 +  # Site-specific additions and overrides. See local/README for details.
 +  include if exists <local/samba-dcerpcd>
 +}
 Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
 ===================================================================
 --- /dev/null
 +++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
@@ -0,0 +1,30 @@
 +# ------------------------------------------------------------------
 +#
 +#    Copyright (C) 2022 SUSE LLC
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of version 2 of the GNU General Public
 +#    License published by the Free Software Foundation.
 +#
 +# ------------------------------------------------------------------
 +# vim:syntax=apparmor
 +
 +# This file contains basic permissions for samba rpcd_xyz services
 +
 +  abi <abi/3.0>,
 +
 +  include <abstractions/base>
 +  include <abstractions/nameservice>
 +  include <abstractions/samba>
 +
 +  capability setgid,
 +  capability setuid,
 +
 +  signal receive set=term peer=smbd,
 +
 +  @{PROC}/sys/kernel/core_pattern r,
 +  owner @{PROC}/@{pid}/fd/ r,
 +
 +  # Include additions to the abstraction
 +  include if exists <abstractions/samba-rpcd.d>
 +
 Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
 ===================================================================
 --- /dev/null
 +++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
@@ -0,0 +1,21 @@
 +# ------------------------------------------------------------------
 +#
 +#    Copyright (C) 2022 SUSE LLC
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of version 2 of the GNU General Public
 +#    License published by the Free Software Foundation.
 +#
 +# ------------------------------------------------------------------
 +# vim:syntax=apparmor
 +
 +abi <abi/3.0>,
 +
 +include <tunables/global>
 +
 +profile samba-rpcd /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
 +  include <abstractions/samba-rpcd>
 +  /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} m,
 +  # Site-specific additions and overrides. See local/README for details.
 +  include if exists <local/samba-rpcd>
 +}
 Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
 ===================================================================
 --- /dev/null
 +++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
@@ -0,0 +1,24 @@
 +# ------------------------------------------------------------------
 +#
 +#    Copyright (C) 2022 SUSE LLC
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of version 2 of the GNU General Public
 +#    License published by the Free Software Foundation.
 +#
 +# ------------------------------------------------------------------
 +# vim:syntax=apparmor
 +
 +abi <abi/3.0>,
 +
 +include <tunables/global>
 +
 +profile samba-rpcd-classic /usr/lib*/samba/rpcd_classic {
 +  include <abstractions/samba-rpcd>
 +  include <abstractions/wutmp>
 +
 +  /usr/lib*/samba/rpcd_classic m,
 +
 +  # Site-specific additions and overrides. See local/README for details.
 +  include if exists <local/samba-rpcd-classic>
 +}
 Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
 ===================================================================
 --- /dev/null
 +++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
@@ -0,0 +1,24 @@
 +# ------------------------------------------------------------------
 +#
 +#    Copyright (C) 2022 SUSE LLC
 +#
 +#    This program is free software; you can redistribute it and/or
 +#    modify it under the terms of version 2 of the GNU General Public
 +#    License published by the Free Software Foundation.
 +#
 +# ------------------------------------------------------------------
 +# vim:syntax=apparmor
 +
 +abi <abi/3.0>,
 +
 +include <tunables/global>
 +
 +profile samba-rpcd-spoolss /usr/lib*/samba/rpcd_spoolss {
 +  include <abstractions/samba-rpcd>
 +
 +  /usr/lib*/samba/rpcd_spoolss m,
 +  /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
 +
 +  # Site-specific additions and overrides. See local/README for details.
 +  include if exists <local/samba-rpcd-spoolss>
 +}
--- a/samba_deny_net_admin.patch
+++ b/samba_deny_net_admin.patch
@ -1,12 +0,0 @@
 Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
 ===================================================================
 --- apparmor-3.0.4.orig/profiles/apparmor.d/abstractions/samba
 +++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
@@ -34,5 +34,7 @@
   # required for clustering
   /var/lib/ctdb/** rwk,
 +  deny capability net_admin, # noisy setsockopt() calls from systemd
 +
   # Include additions to the abstraction
   include if exists <abstractions/samba.d>
--- a/update-samba-bgqd.diff
+++ b/update-samba-bgqd.diff
@ -1,19 +0,0 @@
 Index: apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
 ===================================================================
 --- apparmor-3.0.4.orig/profiles/apparmor.d/samba-bgqd
 +++ apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
@@ -6,11 +6,14 @@ profile samba-bgqd /usr/lib*/samba/samba
   include <abstractions/base>
   include <abstractions/cups-client>
   include <abstractions/nameservice>
 +  include <abstractions/openssl>
   include <abstractions/samba>
   signal receive set=term peer=smbd,
   @{PROC}/sys/kernel/core_pattern r,
 +  owner @{PROC}/@{pid}/fd/ r,
 +
   @{run}/samba/samba-bgqd.pid wk,
   /usr/lib*/samba/samba-bgqd m,
--- a/update-usr-sbin-smbd.diff
+++ b/update-usr-sbin-smbd.diff
@ -1,12 +0,0 @@
 Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
 ===================================================================
 --- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
 +++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   include <abstractions/consoles>
   include <abstractions/cups-client>
   include <abstractions/nameservice>
 +  include <abstractions/openssl>
   include <abstractions/samba>
   include <abstractions/user-tmp>
   include <abstractions/wutmp>