Accepting request 974768 from security:apparmor

- add php8-fpm-mr876.patch so that php8 php-fpm can read its config (boo#1186267#c11) - parser: add conflict with apparmor-utils < 3.0 to avoid aa-status file conflict on upgrade (boo#1198958) - utils: add missing dependency on apparmor-parser (boo#1198958#c4) OBS-URL: https://build.opensuse.org/request/show/974768 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=171
2022-05-05 21:04:38 +00:00 · 2022-05-05 21:04:38 +00:00 · b47766d0bd
commit b47766d0bd
parent bd3c466f84 c1b382df0e
3 changed files with 73 additions and 7 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Apr 29 11:48:14 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
+
+- add php8-fpm-mr876.patch so that php8 php-fpm can read its config
+  (boo#1186267#c11)
+- parser: add conflict with apparmor-utils < 3.0 to avoid aa-status
+  file conflict on upgrade (boo#1198958)
+- utils: add missing dependency on apparmor-parser (boo#1198958#c4)
+
 -------------------------------------------------------------------
 Wed Apr 27 10:07:47 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>

@ -17,7 +26,7 @@ Wed Apr 13 13:38:29 UTC 2022 - Noel Power <nopower@suse.com>
  modify the existing smbd/winbind profiles and additionally add a
  new set of profiles to cater for the new functionality;
  (bnc#1198309);
-  
+
 -------------------------------------------------------------------
 Mon Apr 11 14:34:51 UTC 2022 - Noel Power <nopower@suse.com>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -77,24 +77,32 @@ Patch5:         apparmor-lessopen-nfs-workaround.diff

 # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
 Patch6:         apache-extra-profile-include-if-exists.diff
+
 # bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd
-# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/860)
+# merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860
 # bsc#1195463 add rule to allow reading of openssl.cnf
-# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
+# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
 Patch7:         update-samba-bgqd.diff
+
 # bsc#1195463 add rule to allow reading of openssl.cnf
-# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
+# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
 Patch8:         update-usr-sbin-smbd.diff

-# add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-16 https://gitlab.com/apparmor/apparmor/-/merge_requests/873)
+# add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873 - master only)
 Patch9:         zgrep-profile-mr870.diff
-# squash noisy setsockopt calls https://gitlab.com/apparmor/apparmor/-/merge_requests/867
+
+# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867
 # bsc#1196850
 Patch10:        samba_deny_net_admin.patch
+
 # support for new dcerpcd subsytem in >= samba-4.16
-# https://gitlab.com/apparmor/apparmor/-/merge_requests/871
+# merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871
 # bsc#1198309
 Patch11:        samba-new-dcerpcd.patch
+
+# allow php8 php-fpm to read its config (from upstream master+3.0 https://gitlab.com/apparmor/apparmor/-/merge_requests/876)
+Patch12:        php8-fpm-mr876.patch
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -135,6 +143,7 @@ BuildRequires:  tomcat6
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Security
+Conflicts:      apparmor-utils < 3.0
 Obsoletes:      libimnxcert < 2.9
 Obsoletes:      subdomain-leaf-cert < 2.9
 Obsoletes:      subdomain-parser < 2.9
@ -281,6 +290,7 @@ SubDomain.
 Summary:        AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
 License:        GPL-2.0-only AND LGPL-2.1-or-later
 Group:          Productivity/Security
+Requires:       apparmor-parser
 Requires:       libapparmor1 = %{version}
 Requires:       python3-apparmor = %{version}
 Requires:       python3-base
@ -362,6 +372,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1

 %build
 %define _lto_cflags %{nil}
--- a/php8-fpm-mr876.patch
+++ b/php8-fpm-mr876.patch
@ -0,0 +1,46 @@
+From c946f0bf75f9529014c79ff591d6f953ce56b416 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Mon, 18 Apr 2022 20:49:22 +0200
+Subject: [PATCH] Allow reading all of /etc/php[578]/** in abstractions/php
+
+... and with that, make a rule in the php-fpm profile (which missed
+php8) superfluous.
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229
+
+Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
+---
+ profiles/apparmor.d/abstractions/php | 3 +--
+ profiles/apparmor.d/php-fpm          | 2 --
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php
+index ddafb0770..6bf0dc798 100644
+--- a/profiles/apparmor.d/abstractions/php
+++ b/profiles/apparmor.d/abstractions/php
+@@ -13,8 +13,7 @@
+   abi <abi/3.0>,
+ 
+   # shared snippets for config files
+-  /etc/php{,5,7,8}/**/ r,
+-  /etc/php{,5,7,8}/**.ini r,
+  /etc/php{,5,7,8}/** r,
+ 
+   # Xlibs
+   /usr/X11R6/lib{,32,64}/lib*.so* mr,
+diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
+index b25762c50..14b3c7195 100644
+--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
+@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
+   # read the system certificates
+   include <abstractions/ssl_certs>
+ 
+-  /etc/php{,5,7}/** r,
+-
+   capability net_admin,
+   # change user/group of a pool
+   capability setuid,
+-- 
+GitLab
+