From a56c5e56bc85d1ad9ddba69371447392669e203f07ab76a8f3f76efe3e506aa2 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Fri, 7 Aug 2020 21:09:36 +0000
Subject: [PATCH] Accepting request 824912 from home:cboltz
- sevdb-caps-mr589.diff: add new capabilities CAP_BPF and CAP_PERFMON to severity.db (lp#1890547)
OBS-URL: https://build.opensuse.org/request/show/824912
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=270
---
 apparmor.changes | 6 ++++++
 apparmor.spec | 4 ++++
 sevdb-caps-mr589.diff | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 sevdb-caps-mr589.diff
diff --git a/apparmor.changes b/apparmor.changes
index 9bdedfc..ecc4823 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug 7 21:01:02 UTC 2020 - Christian Boltz
+
+- sevdb-caps-mr589.diff: add new capabilities CAP_BPF and CAP_PERFMON
+ to severity.db (lp#1890547)
+
 -------------------------------------------------------------------
 Mon Jul 20 18:42:02 UTC 2020 - Christian Boltz
diff --git a/apparmor.spec b/apparmor.spec
index 55d94d6..7aa66cf 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -74,6 +74,9 @@ Patch10: ./usr-etc-abstractions-base-nameservice.diff
 # allow /{,var/}run/user/*/xauth_* r, in abstractions/X (submitted upstream 2020-07-20 https://gitlab.com/apparmor/apparmor/-/merge_requests/581 (master), https://gitlab.com/apparmor/apparmor/-/merge_requests/582 (2.11..2.13))
 Patch11: abstractions-X-xauth-mr582.diff
+# add CAP_BPF and CAP_PERFMON to severity.db (merged upstream 2020-08-07 https://gitlab.com/apparmor/apparmor/-/merge_requests/589 (2.11..master))
+Patch12: sevdb-caps-mr589.diff
+
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -370,6 +373,7 @@ SubDomain.
 %endif
 %patch11 -p1
+%patch12 -p1
 %build
 %define _lto_cflags %{nil}
diff --git a/sevdb-caps-mr589.diff b/sevdb-caps-mr589.diff
new file mode 100644
index 0000000..edf2218
--- /dev/null
+++ b/sevdb-caps-mr589.diff
@@ -0,0 +1,40 @@
+https://gitlab.com/apparmor/apparmor/-/merge_requests/589
+
+commit ae012502095596df4675555da635c868e3b3c04a
+Author: Christian Boltz
+Date: Fri Aug 7 22:37:19 2020 +0200
+
+ Add CAP_BPF and CAP_PERFMON to severity.db
+
+ These capabilities were introduced in Linux 5.8
+
+ References: https://bugs.launchpad.net/bugs/1890547
+
+diff --git a/utils/severity.db b/utils/severity.db
+index 3c028400..3e07d44e 100644
+--- a/utils/severity.db
++++ b/utils/severity.db
+@@ -2,6 +2,7 @@
+ #
+ # Copyright (C) 2002-2005 Novell/SUSE
+ # Copyright (C) 2014 Canonical Ltd.
++# Copyright (C) 2020 Christian Boltz
+ #
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of version 2 of the GNU General Public
+@@ -28,6 +29,7 @@
+ CAP_SETGID 9
+ CAP_SETUID 9
+ CAP_FOWNER 9
++ CAP_BPF 9
+ # Denial of service, bypass audit controls, information leak
+ CAP_SYS_TIME 8
+ CAP_NET_ADMIN 8
+@@ -49,6 +51,7 @@
+ CAP_BLOCK_SUSPEND 8
+ CAP_DAC_READ_SEARCH 7
+ CAP_AUDIT_READ 7
++ CAP_PERFMON 7
+ # unused
+ CAP_NET_BROADCAST 0
+
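Review bot: The two ratings added in the nested utils/severity.db hunks, `CAP_BPF 9` (hunk at -28,6) and `CAP_PERFMON 7` (hunk at -49,6), come with no stated rationale, so a later reader cannot tell why BPF is ranked alongside CAP_SETUID and CAP_FOWNER while perfmon sits with CAP_AUDIT_READ. Both capabilities were split out of CAP_SYS_ADMIN in Linux 5.8, and the patch description would be the natural place to record that, for example `CAP_BPF rated 9 and CAP_PERFMON rated 7: both split from CAP_SYS_ADMIN, rated by what each still permits on its own`. The heading of the group that CAP_BPF joins lies above the visible context, so that group's meaning can only be inferred from its neighbours here. severity.db presumably only affects how the utils rank events, so it is worth confirming separately that the parser in the packaged version accepts `capability bpf,` and `capability perfmon,`; nothing in this patch shows it.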