Accepting request 266151 from security:apparmor

- Fix dnsmasq profile to allow executing bash to run the --dhcp-script argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt leasehealper script to run even on x86_64. dnsmasq-profile-fixes.patch. boo#911001 (forwarded request 266140 from cbosdonnat) OBS-URL: https://build.opensuse.org/request/show/266151 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=78
2014-12-23 10:50:25 +00:00 · 2014-12-23 10:50:25 +00:00 · acd9516c4d
commit acd9516c4d
parent 4c862d16ae 7a29d85d80
4 changed files with 94 additions and 0 deletions
--- a/apparmor-lessopen-profile.patch
+++ b/apparmor-lessopen-profile.patch
@ -0,0 +1,44 @@
+Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen
+===================================================================
+--- /dev/null
+++ apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh
+@@ -0,0 +1,39 @@
+# Last Modified: Fri Nov 28 08:01:09 2014
+#include <tunables/global>
+
+/usr/bin/lessopen.sh {
+  #include <abstractions/base>
+  #include <abstractions/bash>
+  #include <abstractions/consoles>
+  #include <abstractions/perl>
+
+  /** rk,
+  /bin/bash ix,
+  /bin/rpm rix,
+  /bin/tar rix,
+  /tmp/less.* rw,
+  /usr/bin/bzip2 rix,
+  /usr/bin/cabextract rix,
+  /usr/bin/cat rix,
+  /usr/bin/colordiff rix,
+  /usr/bin/dvi2tty rix,
+  /usr/bin/file rix,
+  /usr/bin/grep rix,
+  /usr/bin/groff rix,
+  /usr/bin/gzip rix,
+  /usr/bin/head rix,
+  /usr/bin/lynx rix,
+  /usr/bin/mktemp rix,
+  /usr/bin/nm rix,
+  /usr/bin/pdftotext rix,
+  /usr/bin/ps2ascii rix,
+  /usr/bin/rm rix,
+  /usr/bin/seq rix,
+  /usr/bin/tar rix,
+  /usr/bin/unzip rix,
+  /usr/bin/w3m rix,
+  /usr/bin/which rix,
+  /usr/bin/xz rix,
+
+  #include <local/usr.bin.lessopen.sh>
+}
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Mon Dec 22 10:26:15 UTC 2014 - cbosdonnat@suse.com
+
+- Fix dnsmasq profile to allow executing bash to run the --dhcp-script
+  argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt
+  leasehealper script to run even on x86_64.
+  dnsmasq-profile-fixes.patch. boo#911001
+
+-------------------------------------------------------------------
+Sun Dec 21 16:22:27 UTC 2014 - opensuse@cboltz.de
+
+- rename lessopen.sh profile file to usr.bin.lessopen.sh to match the
+  script filename
+
+-------------------------------------------------------------------
+Wed Dec 10 10:15:16 UTC 2014 - meissner@suse.com
+
+- add apparmor-lessopen-profile.patch: /usr/bin/lessopen.sh needs
+  confinement. bnc#906858
+
 -------------------------------------------------------------------
 Sun Nov 16 16:28:14 UTC 2014 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -92,6 +92,12 @@ Patch5:         ruby-2_0-mkmf-destdir.patch
 # (bnc#900013, not for upstream)
 Patch6:         apparmor-abstractions-no-multiline.diff

+# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
+Patch7:         apparmor-lessopen-profile.patch
+
+# boo#911001 - Allow executing --dhcp-client script
+Patch8:         dnsmasq-profile-fixes.patch
+
 Url:            https://launchpad.net/apparmor
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -430,6 +436,8 @@ SubDomain.
 %endif

 %patch6
+%patch7 -p1
+%patch8 -p1
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

--- a/dnsmasq-profile-fixes.patch
+++ b/dnsmasq-profile-fixes.patch
@ -0,0 +1,22 @@
+Index: apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
+===================================================================
+--- apparmor-2.9.0.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -44,6 +44,8 @@
+ 
+   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ 
+  /bin/bash ix, # Required to execute --dhcp-script argument
+
+   # access to iface mtu needed for Router Advertisement messages in IPv6
+   # Neighbor Discovery protocol (RFC 2461)
+   @{PROC}/sys/net/ipv6/conf/*/mtu r,
+@@ -63,7 +65,7 @@
+   /{,var/}run/libvirt/network/*.pid rw,
+ 
+   # libvirt lease helper
+-  /usr/lib/libvirt/libvirt_leaseshelper ix,
+  /usr/{lib,lib64}/libvirt/libvirt_leaseshelper ix,
+   /{,var/}run/leaseshelper.pid rwk,
+ 
+   # NetworkManager integration