pool/apparmor
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 974768 from security:apparmor

Browse Source 
- add php8-fpm-mr876.patch so that php8 php-fpm can read its config
  (boo#1186267#c11)
- parser: add conflict with apparmor-utils < 3.0 to avoid aa-status
  file conflict on upgrade (boo#1198958)
- utils: add missing dependency on apparmor-parser (boo#1198958#c4)

OBS-URL: https://build.opensuse.org/request/show/974768
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=171
This commit is contained in:
Dominique Leuenberger 2022-05-05 21:04:38 +00:00 committed by Git OBS Bridge
commit b47766d0bd
3 changed files with 73 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apparmor.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Fri Apr 29 11:48:14 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
- add php8-fpm-mr876.patch so that php8 php-fpm can read its config
(boo#1186267#c11)
- parser: add conflict with apparmor-utils < 3.0 to avoid aa-status
file conflict on upgrade (boo#1198958)
- utils: add missing dependency on apparmor-parser (boo#1198958#c4)
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 27 10:07:47 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org> Wed Apr 27 10:07:47 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>

23
apparmor.spec
View File

@ -77,24 +77,32 @@ Patch5: apparmor-lessopen-nfs-workaround.diff
# make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527) # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
Patch6: apache-extra-profile-include-if-exists.diff Patch6: apache-extra-profile-include-if-exists.diff
# bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd # bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd
# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/860) # merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860
# bsc#1195463 add rule to allow reading of openssl.cnf # bsc#1195463 add rule to allow reading of openssl.cnf
# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) # merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
Patch7: update-samba-bgqd.diff Patch7: update-samba-bgqd.diff
# bsc#1195463 add rule to allow reading of openssl.cnf # bsc#1195463 add rule to allow reading of openssl.cnf
# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862) # merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862
Patch8: update-usr-sbin-smbd.diff Patch8: update-usr-sbin-smbd.diff
# add zgrep and xzgrep profile (submitted upstream 2022-04-10 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-16 https://gitlab.com/apparmor/apparmor/-/merge_requests/873) # add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873 - master only)
Patch9: zgrep-profile-mr870.diff Patch9: zgrep-profile-mr870.diff
# squash noisy setsockopt calls https://gitlab.com/apparmor/apparmor/-/merge_requests/867
# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867
# bsc#1196850 # bsc#1196850
Patch10: samba_deny_net_admin.patch Patch10: samba_deny_net_admin.patch
# support for new dcerpcd subsytem in >= samba-4.16 # support for new dcerpcd subsytem in >= samba-4.16
# https://gitlab.com/apparmor/apparmor/-/merge_requests/871 # merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871
# bsc#1198309 # bsc#1198309
Patch11: samba-new-dcerpcd.patch Patch11: samba-new-dcerpcd.patch
# allow php8 php-fpm to read its config (from upstream master+3.0 https://gitlab.com/apparmor/apparmor/-/merge_requests/876)
Patch12: php8-fpm-mr876.patch
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -135,6 +143,7 @@ BuildRequires: tomcat6
Summary: AppArmor userlevel parser utility Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Conflicts: apparmor-utils < 3.0
Obsoletes: libimnxcert < 2.9 Obsoletes: libimnxcert < 2.9
Obsoletes: subdomain-leaf-cert < 2.9 Obsoletes: subdomain-leaf-cert < 2.9
Obsoletes: subdomain-parser < 2.9 Obsoletes: subdomain-parser < 2.9
@ -281,6 +290,7 @@ SubDomain.
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
License: GPL-2.0-only AND LGPL-2.1-or-later License: GPL-2.0-only AND LGPL-2.1-or-later
Group: Productivity/Security Group: Productivity/Security
Requires: apparmor-parser
Requires: libapparmor1 = %{version} Requires: libapparmor1 = %{version}
Requires: python3-apparmor = %{version} Requires: python3-apparmor = %{version}
Requires: python3-base Requires: python3-base
@ -362,6 +372,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1
%build %build
%define _lto_cflags %{nil} %define _lto_cflags %{nil}

46
php8-fpm-mr876.patch Normal file
View File

@ -0,0 +1,46 @@
From c946f0bf75f9529014c79ff591d6f953ce56b416 Mon Sep 17 00:00:00 2001
From: Christian Boltz <apparmor@cboltz.de>
Date: Mon, 18 Apr 2022 20:49:22 +0200
Subject: [PATCH] Allow reading all of /etc/php[578]/** in abstractions/php
... and with that, make a rule in the php-fpm profile (which missed
php8) superfluous.
Fixes: https://gitlab.com/apparmor/apparmor/-/issues/229
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1186267#c11
---
profiles/apparmor.d/abstractions/php | 3 +--
profiles/apparmor.d/php-fpm | 2 --
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/profiles/apparmor.d/abstractions/php b/profiles/apparmor.d/abstractions/php
index ddafb0770..6bf0dc798 100644
--- a/profiles/apparmor.d/abstractions/php
+++ b/profiles/apparmor.d/abstractions/php
@@ -13,8 +13,7 @@
abi <abi/3.0>,
# shared snippets for config files
- /etc/php{,5,7,8}/**/ r,
- /etc/php{,5,7,8}/**.ini r,
+ /etc/php{,5,7,8}/** r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
index b25762c50..14b3c7195 100644
--- a/profiles/apparmor.d/php-fpm
+++ b/profiles/apparmor.d/php-fpm
@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
# read the system certificates
include <abstractions/ssl_certs>
- /etc/php{,5,7}/** r,
-
capability net_admin,
# change user/group of a pool
capability setuid,
--
GitLab