Accepting request 824912 from home:cboltz

- sevdb-caps-mr589.diff: add new capabilities CAP_BPF and CAP_PERFMON to severity.db (lp#1890547) OBS-URL: https://build.opensuse.org/request/show/824912 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=270
2020-08-07 21:09:36 +00:00 · 2020-08-07 21:09:36 +00:00 · a56c5e56bc
commit a56c5e56bc
parent d925988ada
3 changed files with 50 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug  7 21:01:02 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- sevdb-caps-mr589.diff: add new capabilities CAP_BPF and CAP_PERFMON
+  to severity.db (lp#1890547)
+
 -------------------------------------------------------------------
 Mon Jul 20 18:42:02 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -74,6 +74,9 @@ Patch10:        ./usr-etc-abstractions-base-nameservice.diff
 # allow /{,var/}run/user/*/xauth_* r, in abstractions/X (submitted upstream 2020-07-20 https://gitlab.com/apparmor/apparmor/-/merge_requests/581 (master), https://gitlab.com/apparmor/apparmor/-/merge_requests/582 (2.11..2.13))
 Patch11:        abstractions-X-xauth-mr582.diff

+# add CAP_BPF and CAP_PERFMON to severity.db (merged upstream 2020-08-07 https://gitlab.com/apparmor/apparmor/-/merge_requests/589 (2.11..master))
+Patch12:        sevdb-caps-mr589.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -370,6 +373,7 @@ SubDomain.
 %endif

 %patch11 -p1
+%patch12 -p1

 %build
 %define _lto_cflags %{nil}
--- a/sevdb-caps-mr589.diff
+++ b/sevdb-caps-mr589.diff
@ -0,0 +1,40 @@
+https://gitlab.com/apparmor/apparmor/-/merge_requests/589
+
+commit ae012502095596df4675555da635c868e3b3c04a
+Author: Christian Boltz <apparmor@cboltz.de>
+Date:   Fri Aug 7 22:37:19 2020 +0200
+
+    Add CAP_BPF and CAP_PERFMON to severity.db
+    
+    These capabilities were introduced in Linux 5.8
+    
+    References: https://bugs.launchpad.net/bugs/1890547
+
+diff --git a/utils/severity.db b/utils/severity.db
+index 3c028400..3e07d44e 100644
+--- a/utils/severity.db
+++ b/utils/severity.db
+@@ -2,6 +2,7 @@
+ #
+ #    Copyright (C) 2002-2005 Novell/SUSE
+ #    Copyright (C) 2014 Canonical Ltd.
+#    Copyright (C) 2020 Christian Boltz
+ #
+ #    This program is free software; you can redistribute it and/or
+ #    modify it under the terms of version 2 of the GNU General Public
+@@ -28,6 +29,7 @@
+        CAP_SETGID 9
+        CAP_SETUID 9
+        CAP_FOWNER 9
+       CAP_BPF 9
+ # Denial of service, bypass audit controls, information leak
+        CAP_SYS_TIME 8
+        CAP_NET_ADMIN 8
+@@ -49,6 +51,7 @@
+        CAP_BLOCK_SUSPEND 8
+        CAP_DAC_READ_SEARCH 7
+        CAP_AUDIT_READ 7
+       CAP_PERFMON 7
+ # unused
+        CAP_NET_BROADCAST 0
+