Accepting request 668473 from security:apparmor

IMPORTANT: the dnsmasq profile update is needed by the updated libvirtd profile in SR 668191, so please include this SR in Staging:H. - add dnsmasq-libvirtd.diff: allow peer=libvirtd in the dnsmasq profile to match the newly added libvirtd profile name (boo#1118952#c3) - Use %license instead of %doc [bsc#1082318] OBS-URL: https://build.opensuse.org/request/show/668473 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=123
2019-02-04 20:24:08 +00:00 · 2019-02-04 20:24:08 +00:00 · b44801e295
commit b44801e295
parent 9fced15774 c0b44a6d8f
3 changed files with 44 additions and 1 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Thu Jan 24 21:13:43 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
+
+- add dnsmasq-libvirtd.diff: allow peer=libvirtd in the dnsmasq profile
+  to match the newly added libvirtd profile name (boo#1118952#c3)
+
+-------------------------------------------------------------------
+Mon Jan 14 14:41:14 CET 2019 - kukuk@suse.de
+
+- Use %license instead of %doc [bsc#1082318]
+
 -------------------------------------------------------------------
 Sun Jan  6 19:10:58 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -72,6 +72,9 @@ Patch9:         profile_filename_cornercase.diff
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch10:        apparmor-lessopen-nfs-workaround.diff

+# add peer=libvirtd to dnsmasq profile (from upstream 20fe099cede7cb5ec7dcf62a5427936766a6d4e4)
+Patch11:        dnsmasq-libvirtd.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@ -362,6 +365,7 @@ SubDomain.
 %patch8 -p1
 %patch9 -p1
 %patch10
+%patch11 -p1

 %build
 export SUSE_ASNEEDED=0
@ -536,7 +540,8 @@ echo -------------------------------------------------------------------

 %files parser
 %defattr(-,root,root)
-%doc parser/README parser/COPYING.GPL
+%license parser/COPYING.GPL
+%doc parser/README
 /sbin/apparmor_parser
 %{_bindir}/aa-enabled
 %{_bindir}/aa-exec
--- a/dnsmasq-libvirtd.diff
+++ b/dnsmasq-libvirtd.diff
@ -0,0 +1,27 @@
+commit 20fe099cede7cb5ec7dcf62a5427936766a6d4e4
+Author: Christian Boltz <apparmor@cboltz.de>
+Date:   Sun Jan 13 17:38:09 2019 +0100
+
+    dnsmasq: allow peer=libvirtd to support named profile
+    
+    The /usr/sbin/libvirtd profile will get a profile name ("libvirtd").
+    
+    This patch adjusts the dnsmasq profile to support the named profile in
+    addition to the "old" path-based profile name.
+    
+    References: https://bugzilla.opensuse.org/show_bug.cgi?id=1118952#c3
+
+diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
+index a308e3f7..2627f6d6 100644
+--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
+@@ -28,7 +28,9 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
+   network inet6 raw,
+ 
+   signal (receive) peer=/usr/{bin,sbin}/libvirtd,
+  signal (receive) peer=libvirtd,
+   ptrace (readby) peer=/usr/{bin,sbin}/libvirtd,
+  ptrace (readby) peer=libvirtd,
+ 
+   owner /dev/tty rw,
+