Accepting request 1092351 from security:apparmor

- update to AppArmor 3.1.5
  - fix handling of mount rules in apparmor_parser
  - minor additions to abstractions/base and snap_browsers
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.5
    for the full upstream changelog
- remove upstreamed aa-status-fix-json-mr1046.patch
- split off apparmor-enable-precompiled-cache.diff from
  apparmor-enable-profile-cache.diff so that the precompiled cache
  path doesn't get added in parser.conf for Tumbleweed builds.
  This prevents a warning about the non-existing directory when
  loading profiles. (forwarded request 1092349 from cboltz)

OBS-URL: https://build.opensuse.org/request/show/1092351
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=192

aa-status-fix-json-mr1046.patch

@@ -1,27 +0,0 @@
-From 29b21b09d43955f20c75a5f09cc5455e2c9fafcc Mon Sep 17 00:00:00 2001
-From: Christian Boltz <apparmor@cboltz.de>
-Date: Tue, 6 Jun 2023 23:29:14 +0200
-Subject: [PATCH] Fix invalid aa-status --json
-
-The previous patch changed the final  }}  to  }  - which is correct in
-master, but breaks the code in the 3.x branches.
----
- binutils/aa_status.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/binutils/aa_status.c b/binutils/aa_status.c
-index 40a854beb..092bee55b 100644
---- a/binutils/aa_status.c
-+++ b/binutils/aa_status.c
-@@ -548,7 +548,7 @@ static int detailed_output(FILE *json) {
- 		if (need_finish > 0) {
- 			fprintf(json, "]");
- 		}
--		fprintf(json, "}\n");
-+		fprintf(json, "}}\n");
- 	}
- 
- exit:
--- 
-GitLab
-

apparmor-3.1.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6bee0c3941836dae2c635fe82f09b666123fcac16563aa0fedf4a63c22b91f40
-size 7965268

apparmor-3.1.4.tar.gz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmRtkDEaHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLvHLQ//bQLpZLUN5tk61ViS59Uu
-evN3ZpGlQ14KRY3vA5YHyrerLOqN0s0xv/jpBxdwryXrE9t9tmWQoU1d6RdaSZpb
-+SptQodED5M9bg+B1JmVSmN6Mb6r717NYFsnC20Osz9cpWP+vmD7XBDyPFVZ40gn
-jsEu4h/gVm/LTxcBuo36c2e3qZHQg8tDjoY3wZ8mtIcG7DnEUsF8wKpU8mdylEY+
-8FP99o92EjZVu0oVh6ziZvW/VIVrA75XdnTwFSjFHMDz3Yj4fvDQkLqWnKx/TnxF
-qzRPZnWlPKFkw8J11qERzUjXnXGRkuSokYtN7pdxGX7pVItQRFIJiwmM9HoNOah2
-hpztepuSaE4+eNDus5+sa8mDOu7XqN3fXyxZ/OxjluOBfwzXw4PFDiaDoc/WF7nJ
-O9WdRfZc89+I2J/AtpjPJYzqG6TwLZ6ougZt1O7LAg+rSB/BWNfNYJ3Ur+A6zqbH
-dzp1P7IaueBbeWj3ZkZzzB1Wh+2ItTbrZhA1e9MPv4u1nhKBZOYtoOOPTqK21BlQ
-HxDhJhvvNWwILe1EdCPs7ZAOvdwYh5lyUKdNzPgcFJODIuUmZkR7SkuD0MNS8d0B
-A3N03YNJtKaLHVxlovmkJweApHU5+KkdXSsCOEVWn5WcTo5bpAD/FrQuYWFxNQIG
-nV9NCl16zd74Y0qI25k+Nho=
-=gA0X
------END PGP SIGNATURE-----

apparmor-3.1.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a7cf4b792dd88eb1ac18104b246529662a8a66b733c3392daa2b384bbfa064f8
+size 7965686

apparmor-3.1.5.tar.gz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmSCy4gaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLt4HRAAizIl7wOoP9ULvfpSYTXD
+2hs0s0Mel/kO1ZMe33F/AC3D73lQ+sClVfnBeIBfk9rvcKwhcNKhmwVTZr+Rqgcp
+EWen0xJ/h9RG13G8SCjyEN6er7ZwpHkEYO3FcWJQBdMy6KfiH1iyhpkXf37GMPQS
+wSpGL7VD47B5OJq1kad4pOxx/ikvRvBcRxStEFcfUpMmvZAWnlk/MBXdo98yYbUj
+RfgVpjSMTcPWAO/2aKA1WTRqJyPsacnWgDbeoHThSNV+QVopXX0Cxeh6lhgWLq7e
+d6/wPlKWscCr7A4iI1I40U3mLWxi8HXYy5NReVkpHfjOZIjqSphthFc7WCaA6ASg
+2scmWV56kEO+Xyrbki1MgRjL+/KAgyyPkru4yQH2ACnNzyos+ABDQi8eTz4Iy/FQ
+DDjUo858jPrSFcfP+E4KgYZas4I1SB+KjfwlWH31X6BAOqNBc/sOcviToOpo5OoP
+fZMZD7Leakwto5y61AXjYwgjD+VLGXafYspnLCSCqwZL5JWR8yidrFHRZ7fNMjgX
+wlx66Y3ATzK7YOtz9ol2evrdmLCC3firXyiwoG7ADknZnOiEdwB8xUxL6duHZlOC
+6ToNR96rUx+5xIH5VkOCtxoU0IBltodqZbsmqI2ES9kcAqjuVoR1s6rOYT65CFr5
+7/WI6tQXdFVok+GpqKZAaIQ=
+=p4cf
+-----END PGP SIGNATURE-----

apparmor-enable-precompiled-cache.diff

@@ -0,0 +1,26 @@
+Set the cache location to /var/cache/apparmor/ (writeable) and
+/usr/share/apparmor/cache/ (packaged precompiled cache).
+
+See boo#1069906 and boo#1074429
+
+Note that Tumbleweed packages don't include precompiled profile cache on
+Tumbleweed as long as it's purely validated based on timestamps (boo#1205659)
+
+
+Signed-off by: Christian Boltz <apparmor@cboltz.de>
+
+Index: parser/parser.conf
+===================================================================
+--- parser/parser.conf_ORIG	2018-04-19 22:47:18.485179998 +0200
++++ parser/parser.conf	2018-04-19 22:51:12.084588654 +0200
+@@ -31,6 +31,9 @@
+ 
+ ## Turn creating/updating of the cache on by default
+ write-cache
++
++# cache location (cache writes go to the first directory in the list)
++cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
+ 
+ ## Show cache hits
+ #show-cache
+

apparmor-enable-profile-cache.diff

@@ -8,27 +8,18 @@ writeable at the time profiles are loaded in Ubuntu.
 See also bnc#689458
 
 
-Also set the cache location to /var/cache/apparmor/ (writeable) and
-/usr/share/apparmor/cache/ (packaged precompiled cache).
-
-See boo#1069906 and boo#1074429
-
-
 Signed-off by: Christian Boltz <apparmor@cboltz.de>
 
 Index: parser/parser.conf
 ===================================================================
 --- parser/parser.conf_ORIG	2018-04-19 22:47:18.485179998 +0200
 +++ parser/parser.conf	2018-04-19 22:51:12.084588654 +0200
-@@ -31,7 +31,10 @@
+@@ -31,7 +31,7 @@
  # match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
  
  ## Turn creating/updating of the cache on by default
 -#write-cache
 +write-cache
-+
-+# cache location (cache writes go to the first directory in the list)
-+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
  
  ## Show cache hits
  #show-cache

apparmor.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Sun Jun 11 14:13:18 UTC 2023 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 3.1.5
+  - fix handling of mount rules in apparmor_parser
+  - minor additions to abstractions/base and snap_browsers
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.5
+    for the full upstream changelog
+- remove upstreamed aa-status-fix-json-mr1046.patch
+- split off apparmor-enable-precompiled-cache.diff from
+  apparmor-enable-profile-cache.diff so that the precompiled cache
+  path doesn't get added in parser.conf for Tumbleweed builds.
+  This prevents a warning about the non-existing directory when
+  loading profiles.
+
 -------------------------------------------------------------------
 Tue Jun  6 21:39:15 UTC 2023 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -54,7 +54,7 @@
 %define JAR_FILE changeHatValve.jar
 
 Name:           apparmor
-Version:        3.1.4
+Version:        3.1.5
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@@ -88,8 +88,8 @@ Patch5:         apparmor-lessopen-nfs-workaround.diff
 # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
 Patch6:         apache-extra-profile-include-if-exists.diff
 
-# fix aa-status --json / --pretty-json output (merged upstream 2023-06-06 for 3.0 and 3.1 branch [not needed/suiting for master] - https://gitlab.com/apparmor/apparmor/-/merge_requests/1046)
-Patch10:        aa-status-fix-json-mr1046.patch
+# add path for precompiled cache (only done/applied if precompiled_cache is enabled)
+Patch7:         apparmor-enable-precompiled-cache.diff
 
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -355,7 +355,9 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch4
 %patch5
 %patch6
-%patch10 -p1
+%if %{with precompiled_cache}
+%patch7
+%endif
 
 %build
 export SUSE_ASNEEDED=0

libapparmor.spec

@@ -18,7 +18,7 @@
 
 
 Name:           libapparmor
-Version:        3.1.4
+Version:        3.1.5
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later