Accepting request 65172 from security:apparmor:factory
Accepted submit request 65172 from user licensedigger OBS-URL: https://build.opensuse.org/request/show/65172 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=14
parent
477fa21390
commit
b5a1419370
@ -1,705 +0,0 @@
|
||||
=== added file '.bzrignore'
|
||||
--- a/.bzrignore 1970-01-01 00:00:00 +0000
|
||||
+++ b/.bzrignore 2011-01-10 18:12:33 +0000
|
||||
@@ -0,0 +1,1 @@
|
||||
+parser/tst/simple_tests/generated_x/*.sd
|
||||
|
||||
=== modified file 'libraries/libapparmor/testsuite/Makefile.am'
|
||||
--- a/libraries/libapparmor/testsuite/Makefile.am 2008-05-19 22:48:31 +0000
|
||||
+++ b/libraries/libapparmor/testsuite/Makefile.am 2011-01-10 18:12:33 +0000
|
||||
@@ -12,7 +12,7 @@
|
||||
test_multi_multi_SOURCES = test_multi.c
|
||||
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
|
||||
test_multi_multi_LDFLAGS = $(LDFLAGS)
|
||||
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
|
||||
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
|
||||
|
||||
clean-local:
|
||||
rm -f tmp.err.* tmp.out.* site.exp site.bak
|
||||
|
||||
=== modified file 'parser/Makefile'
|
||||
--- a/parser/Makefile 2009-11-11 18:58:57 +0000
|
||||
+++ b/parser/Makefile 2011-01-10 18:12:33 +0000
|
||||
@@ -45,11 +45,14 @@
|
||||
echo "$${warning}"; \
|
||||
fi ; \
|
||||
done)
|
||||
-CFLAGS = -O2 -pipe
|
||||
+ifndef CFLAGS
|
||||
+CFLAGS = -g -O2 -pipe
|
||||
|
||||
ifdef DEBUG
|
||||
CFLAGS = -g
|
||||
endif
|
||||
+endif #CFLAGS
|
||||
+
|
||||
EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE
|
||||
|
||||
#LEXLIB := -lfl
|
||||
@@ -125,9 +128,20 @@
|
||||
techdoc.txt: techdoc/index.html
|
||||
w3m -dump $< > $@
|
||||
|
||||
-all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
|
||||
+# targets arranged this way so that people who don't want full docs can
|
||||
+# pick specific targets they want.
|
||||
+main: $(TOOLS)
|
||||
$(Q)make -C po all
|
||||
- $(Q)make -s tests
|
||||
+
|
||||
+manpages: $(MANPAGES)
|
||||
+
|
||||
+htmlmanpages: $(HTMLMANPAGES)
|
||||
+
|
||||
+pdf: techdoc.pdf
|
||||
+
|
||||
+docs: manpages htmlmanpages pdf
|
||||
+
|
||||
+all: main docs tests
|
||||
|
||||
apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
|
||||
rm -f ./libstdc++.a
|
||||
@@ -191,7 +205,7 @@
|
||||
af_names.h: /usr/include/bits/socket.h
|
||||
LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
|
||||
LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
|
||||
- cat $@
|
||||
+ # cat $@
|
||||
|
||||
cap_names.h: /usr/include/linux/capability.h
|
||||
LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
|
||||
@@ -224,7 +238,7 @@
|
||||
.SILENT: $(AAREOBJECTS)
|
||||
.PHONY: $(AAREOBJECTS)
|
||||
$(AAREOBJECTS):
|
||||
- make -C $(AAREDIR)
|
||||
+ make -C $(AAREDIR) CFLAGS="$(CFLAGS)"
|
||||
|
||||
.SILENT: $(PCREOBJECTS)
|
||||
.PHONY: $(PCREOBJECTS)
|
||||
|
||||
=== modified file 'parser/immunix.h'
|
||||
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
|
||||
+++ b/parser/immunix.h 2011-01-10 18:12:33 +0000
|
||||
@@ -148,12 +148,12 @@
|
||||
#include <stdio.h>
|
||||
static inline int is_merged_x_consistent(int a, int b)
|
||||
{
|
||||
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
|
||||
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
|
||||
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
|
||||
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
|
||||
return 0;
|
||||
}
|
||||
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
|
||||
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
|
||||
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
|
||||
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
|
||||
return 0;
|
||||
|
||||
=== modified file 'parser/libapparmor_re/regexp.y'
|
||||
--- a/parser/libapparmor_re/regexp.y 2010-07-24 14:16:14 +0000
|
||||
+++ b/parser/libapparmor_re/regexp.y 2011-01-10 18:12:33 +0000
|
||||
@@ -720,17 +720,19 @@
|
||||
Node *i = t->child[!dir];
|
||||
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
|
||||
if (t->child[dir]->eq(i->child[dir])) {
|
||||
+ Node *old = t;
|
||||
t->child[!dir]->dup();
|
||||
- t->release();
|
||||
t = t->child[!dir];
|
||||
+ old->release();
|
||||
continue;
|
||||
}
|
||||
}
|
||||
// last altnode of chain check other dir as well
|
||||
if (t->child[dir]->eq(p->child[!dir])) {
|
||||
+ Node *old = t;
|
||||
t->child[!dir]->dup();
|
||||
- t->release();
|
||||
t = t->child[!dir];
|
||||
+ old->release();
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -2581,9 +2583,9 @@
|
||||
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
|
||||
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
|
||||
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
|
||||
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
|
||||
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
|
||||
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
|
||||
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
|
||||
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
|
||||
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
|
||||
|
||||
extern "C" void aare_reset_matchflags(void)
|
||||
{
|
||||
@@ -2644,8 +2646,8 @@
|
||||
flip_tree(tree);
|
||||
|
||||
|
||||
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
|
||||
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
|
||||
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
|
||||
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
|
||||
|
||||
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
|
||||
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
|
||||
|
||||
=== modified file 'parser/tst/Makefile'
|
||||
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
|
||||
+++ b/parser/tst/Makefile 2011-01-10 18:12:33 +0000
|
||||
@@ -11,8 +11,11 @@
|
||||
|
||||
all: tests
|
||||
|
||||
-.PHONY: tests error_output parser_sanity caching
|
||||
-tests: error_output parser_sanity caching
|
||||
+.PHONY: tests error_output gen_xtrans parser_sanity caching
|
||||
+tests: error_output gen_xtrans parser_sanity caching
|
||||
+
|
||||
+gen_xtrans:
|
||||
+ perl ./gen-xtrans.pl
|
||||
|
||||
error_output: $(PARSER)
|
||||
$(PARSER) -S -I errors >/dev/null errors/okay.sd
|
||||
@@ -34,3 +37,6 @@
|
||||
|
||||
$(PARSER):
|
||||
make -C $(PARSER_DIR) $(PARSER_BIN)
|
||||
+
|
||||
+clean:
|
||||
+ rm -f simple_tests/generated_x/*
|
||||
|
||||
=== added file 'parser/tst/gen-xtrans.pl'
|
||||
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
|
||||
+++ b/parser/tst/gen-xtrans.pl 2011-01-10 18:12:33 +0000
|
||||
@@ -0,0 +1,152 @@
|
||||
+#!/usr/bin/perl
|
||||
+
|
||||
+use strict;
|
||||
+use Locale::gettext;
|
||||
+use POSIX;
|
||||
+
|
||||
+setlocale(LC_MESSAGES, "");
|
||||
+
|
||||
+my $prefix="simple_tests/generated_x";
|
||||
+
|
||||
+my @trans_types = ("p", "P", "c", "C", "u", "i");
|
||||
+my @modifiers = ("i", "u");
|
||||
+my %trans_modifiers = (
|
||||
+ "p" => \@modifiers,
|
||||
+ "P" => \@modifiers,
|
||||
+ "c" => \@modifiers,
|
||||
+ "C" => \@modifiers,
|
||||
+ );
|
||||
+
|
||||
+my @targets = ("", "target", "target2");
|
||||
+my @null_target = ("");
|
||||
+
|
||||
+my %named_trans = (
|
||||
+ "p" => \@targets,
|
||||
+ "P" => \@targets,
|
||||
+ "c" => \@targets,
|
||||
+ "C" => \@targets,
|
||||
+ "u" => \@null_target,
|
||||
+ "i" => \@null_target,
|
||||
+ );
|
||||
+
|
||||
+# audit qualifier disabled for now it really shouldn't affect the conflict
|
||||
+# test but it may be worth checking every once in awhile
|
||||
+#my @qualifiers = ("", "owner", "audit", "audit owner");
|
||||
+my @qualifiers = ("", "owner");
|
||||
+
|
||||
+my $count = 0;
|
||||
+
|
||||
+gen_conflicting_x();
|
||||
+gen_overlap_re_exact();
|
||||
+gen_dominate_re_re();
|
||||
+gen_ambiguous_re_re();
|
||||
+
|
||||
+print "Generated $count xtransition interaction tests\n";
|
||||
+
|
||||
+sub gen_list {
|
||||
+ my @output;
|
||||
+ foreach my $trans (@trans_types) {
|
||||
+ if ($trans_modifiers{$trans}) {
|
||||
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
|
||||
+ push @output, "${trans}${mod}x";
|
||||
+ }
|
||||
+ }
|
||||
+ push @output, "${trans}x";
|
||||
+ }
|
||||
+ return @output;
|
||||
+}
|
||||
+
|
||||
+sub print_rule($$$$) {
|
||||
+ my ($file, $name, $perm, $target) = @_;
|
||||
+ print $file "\t${name} ${perm}";
|
||||
+ if ($target ne "") {
|
||||
+ print $file " -> $target";
|
||||
+ }
|
||||
+ print $file ",\n";
|
||||
+}
|
||||
+
|
||||
+sub gen_file($$$$$$$$) {
|
||||
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
|
||||
+
|
||||
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
|
||||
+
|
||||
+ my $file;
|
||||
+ unless (open $file, ">$name") {
|
||||
+ print("couldn't open $name\n");
|
||||
+ exit 1;
|
||||
+ }
|
||||
+
|
||||
+ print $file "#\n";
|
||||
+ print $file "#=DESCRIPTION ${name}\n";
|
||||
+ print $file "#=EXRESULT ${xres}\n";
|
||||
+ print $file "#\n";
|
||||
+ print $file "/usr/bin/foo {\n";
|
||||
+ print_rule($file, $rule1, $perm1, $target1);
|
||||
+ print_rule($file, $rule2, $perm2, $target2);
|
||||
+ print $file "}";
|
||||
+ close($file);
|
||||
+
|
||||
+ $count++;
|
||||
+}
|
||||
+
|
||||
+#NOTE: currently we don't do px to cx, or cx to px conversion
|
||||
+# so
|
||||
+# /foo {
|
||||
+# /* px -> /foo//bar,
|
||||
+# /* cx -> bar,
|
||||
+#
|
||||
+# will conflict
|
||||
+#
|
||||
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
|
||||
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
|
||||
+sub gen_files($$$$) {
|
||||
+ my ($name, $rule1, $rule2, $default) = @_;
|
||||
+
|
||||
+ my @perms = gen_list();
|
||||
+
|
||||
+# print "@perms\n";
|
||||
+
|
||||
+ foreach my $i (@perms) {
|
||||
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
|
||||
+ foreach my $q (@qualifiers) {
|
||||
+ foreach my $j (@perms) {
|
||||
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
|
||||
+ foreach my $r (@qualifiers) {
|
||||
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
|
||||
+# print "$file\n";
|
||||
+
|
||||
+ #override failures when transitions are the same
|
||||
+ my $xres = ${default};
|
||||
+ if ($i eq $j && $t eq $u) {
|
||||
+ $xres = "PASS";
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
|
||||
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+}
|
||||
+
|
||||
+sub gen_conflicting_x {
|
||||
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
|
||||
+}
|
||||
+
|
||||
+sub gen_overlap_re_exact {
|
||||
+
|
||||
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
|
||||
+}
|
||||
+
|
||||
+# we currently don't support this, once supported change to "PASS"
|
||||
+sub gen_dominate_re_re {
|
||||
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
|
||||
+}
|
||||
+
|
||||
+sub gen_ambiguous_re_re {
|
||||
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
|
||||
+}
|
||||
|
||||
=== added directory 'parser/tst/simple_tests/generated_x'
|
||||
=== added file 'parser/tst/simple_tests/generated_x/readme'
|
||||
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
|
||||
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-10 18:12:33 +0000
|
||||
@@ -0,0 +1,2 @@
|
||||
+Directory for auto generated x-transition tests
|
||||
+
|
||||
|
||||
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
|
||||
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-09-10 15:28:28 +0000
|
||||
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers 2011-01-10 18:12:33 +0000
|
||||
@@ -18,7 +18,7 @@
|
||||
/usr/bin/prism PUx,
|
||||
/usr/bin/rekonq PUx,
|
||||
/usr/bin/seamonkey PUx,
|
||||
- /usr/bin/sensible-browser PUxr,
|
||||
+ /usr/bin/sensible-browser Pixr,
|
||||
|
||||
/usr/bin/chromium-browser PUx,
|
||||
/usr/lib/chromium-browser/chromium-browser PUx,
|
||||
|
||||
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
|
||||
--- a/profiles/apparmor.d/abstractions/ubuntu-email 2010-09-10 15:28:28 +0000
|
||||
+++ b/profiles/apparmor.d/abstractions/ubuntu-email 2011-01-10 18:12:33 +0000
|
||||
@@ -15,5 +15,5 @@
|
||||
/usr/bin/tkrat PUx,
|
||||
|
||||
/usr/lib/thunderbird/thunderbird PUx,
|
||||
- /usr/lib/thunderbird-3*/thunderbird PUx,
|
||||
+ /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,
|
||||
|
||||
|
||||
=== modified file 'tests/regression/subdomain/changehat_misc.sh'
|
||||
--- a/tests/regression/subdomain/changehat_misc.sh 2006-05-19 17:32:14 +0000
|
||||
+++ b/tests/regression/subdomain/changehat_misc.sh 2011-01-10 18:12:33 +0000
|
||||
@@ -64,7 +64,7 @@
|
||||
echo "*** A 'Killed' message from bash is expected for the following test"
|
||||
runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
|
||||
|
||||
-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
|
||||
+# 1. ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL
|
||||
# PROFILE
|
||||
# 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
|
||||
settest changehat_fail
|
||||
|
||||
=== modified file 'tests/regression/subdomain/deleted.c'
|
||||
--- a/tests/regression/subdomain/deleted.c 2006-05-19 17:32:14 +0000
|
||||
+++ b/tests/regression/subdomain/deleted.c 2011-01-10 18:12:33 +0000
|
||||
@@ -90,7 +90,7 @@
|
||||
}
|
||||
|
||||
/* test that we can create the file. Not necessarily a (deleted)
|
||||
- * case but lets use flush out other combinations
|
||||
+ * case but lets us flush out other combinations.
|
||||
*/
|
||||
fd2=creat(argv[2], S_IRUSR | S_IWUSR);
|
||||
if (fd2 == -1){
|
||||
|
||||
=== modified file 'tests/regression/subdomain/deleted.sh'
|
||||
--- a/tests/regression/subdomain/deleted.sh 2007-12-23 01:00:19 +0000
|
||||
+++ b/tests/regression/subdomain/deleted.sh 2011-01-10 18:12:33 +0000
|
||||
@@ -1,7 +1,7 @@
|
||||
#! /bin/bash
|
||||
-# $Id$
|
||||
-
|
||||
+#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
+# Copyright (C) 2010 Canonical, Ltd
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
@@ -10,7 +10,7 @@
|
||||
|
||||
#=NAME deleted
|
||||
#=DESCRIPTION
|
||||
-# Test subdomain is properly working around a kernel in which the kernel
|
||||
+# Test AppArmor is properly working around a kernel in which the kernel
|
||||
# appends (deleted) to deleted files verifies that the d_path appending
|
||||
# (deleted) fix is working
|
||||
#=END
|
||||
@@ -24,6 +24,7 @@
|
||||
|
||||
file=$tmpdir/file
|
||||
file2="$tmpdir/file (deleted)"
|
||||
+file3="$tmpdir/unavailable"
|
||||
okperm=rwl
|
||||
|
||||
subtest=sub
|
||||
@@ -40,8 +41,8 @@
|
||||
# NO CHANGEHAT TEST - doesn't force revalidation
|
||||
|
||||
genprofile $file:$okperm
|
||||
-
|
||||
runchecktest "NO CHANGEHAT (access file)" pass nochange $file
|
||||
+runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3
|
||||
|
||||
genprofile "$file2":$okperm
|
||||
runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2"
|
||||
@@ -49,6 +50,7 @@
|
||||
# CHANGEHAT TEST - force revalidation using changehat
|
||||
genprofile $file:$okperm hat:$subtest $file:$okperm
|
||||
runchecktest "CHANGEHAT (access file)" pass $subtest $file
|
||||
+runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3
|
||||
|
||||
genprofile "$file2":$okperm hat:$subtest "$file2":$okperm
|
||||
runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2"
|
||||
@@ -115,7 +117,7 @@
|
||||
# FAIL - confined client, w access to the file
|
||||
|
||||
genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
|
||||
-runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file"
|
||||
+runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file"
|
||||
|
||||
sleep 1
|
||||
rm -f ${socket}
|
||||
|
||||
=== modified file 'tests/regression/subdomain/mkprofile.pl'
|
||||
--- a/tests/regression/subdomain/mkprofile.pl 2009-11-11 18:44:26 +0000
|
||||
+++ b/tests/regression/subdomain/mkprofile.pl 2011-01-10 18:12:33 +0000
|
||||
@@ -5,7 +5,7 @@
|
||||
#
|
||||
# Gawd, I hate writing perl. It shows, too.
|
||||
#
|
||||
-my $__VERSION__='$Id$';
|
||||
+my $__VERSION__=$0;
|
||||
|
||||
use strict;
|
||||
use Getopt::Long;
|
||||
|
||||
=== modified file 'tests/regression/subdomain/prologue.inc'
|
||||
--- a/tests/regression/subdomain/prologue.inc 2010-08-26 18:24:41 +0000
|
||||
+++ b/tests/regression/subdomain/prologue.inc 2011-01-10 18:12:33 +0000
|
||||
@@ -93,8 +93,10 @@
|
||||
|
||||
while [ -h ${link} ]
|
||||
do
|
||||
- if [ -x /usr/bin/readlink ] ; then
|
||||
- target=$(/usr/bin/readlink ${link})
|
||||
+ if [ -x /usr/bin/readlink ] ; then
|
||||
+ target=$(/usr/bin/readlink -f ${link})
|
||||
+ elif [ -x /bin/readlink ] ; then
|
||||
+ target=$(/bin/readlink -f ${link})
|
||||
else
|
||||
# I'm sure there's a more perlish way to do this
|
||||
target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));")
|
||||
|
||||
=== modified file 'tests/regression/subdomain/pwrite.sh'
|
||||
--- a/tests/regression/subdomain/pwrite.sh 2007-12-23 00:58:47 +0000
|
||||
+++ b/tests/regression/subdomain/pwrite.sh 2011-01-10 18:12:33 +0000
|
||||
@@ -27,7 +27,7 @@
|
||||
|
||||
genprofile $file:$okperm
|
||||
|
||||
-runtestbg "PWRITE with w" pass $file
|
||||
+runtestbg "PREAD/PWRITE with rw" pass $file
|
||||
|
||||
sleep 2
|
||||
|
||||
|
||||
=== modified file 'tests/regression/subdomain/swap.sh'
|
||||
--- a/tests/regression/subdomain/swap.sh 2006-05-19 17:32:14 +0000
|
||||
+++ b/tests/regression/subdomain/swap.sh 2011-01-10 18:12:33 +0000
|
||||
@@ -32,7 +32,7 @@
|
||||
swap_file=$tmpdir/swapfile
|
||||
|
||||
dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null
|
||||
-/sbin/mkswap ${swap_file} > /dev/null
|
||||
+/sbin/mkswap -f ${swap_file} > /dev/null
|
||||
|
||||
# TEST 1. Make sure can enable and disable swap unconfined
|
||||
|
||||
|
||||
=== modified file 'tests/regression/subdomain/syscall.sh'
|
||||
--- a/tests/regression/subdomain/syscall.sh 2007-12-23 01:02:50 +0000
|
||||
+++ b/tests/regression/subdomain/syscall.sh 2011-01-10 18:12:33 +0000
|
||||
@@ -1,7 +1,7 @@
|
||||
#! /bin/bash
|
||||
-# $Id$
|
||||
-
|
||||
+#
|
||||
# Copyright (C) 2002-2005 Novell/SUSE
|
||||
+# Copyright (C) 2010 Canonical, Ltd.
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
@@ -114,9 +114,9 @@
|
||||
runchecktest "MKNOD sock (permissions)" fail s $mknod_file
|
||||
|
||||
##
|
||||
-## D. SETHOSTNAME
|
||||
+## C. SYSCTL
|
||||
##
|
||||
-sh syscall_sysctl.sh
|
||||
+bash syscall_sysctl.sh
|
||||
|
||||
##
|
||||
## D. SETHOSTNAME
|
||||
|
||||
=== modified file 'tests/regression/subdomain/unix_fd_server.c'
|
||||
--- a/tests/regression/subdomain/unix_fd_server.c 2006-05-19 17:32:14 +0000
|
||||
+++ b/tests/regression/subdomain/unix_fd_server.c 2011-01-10 18:12:33 +0000
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
/*
|
||||
* Copyright (C) 2002-2005 Novell/SUSE
|
||||
+ * Copyright (C) 2010 Canonical, Ltd.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License as
|
||||
@@ -134,6 +135,7 @@
|
||||
}
|
||||
|
||||
/* Check for info re: reading the file */
|
||||
+ memset(inbound_buffer, 0, sizeof(inbound_buffer));
|
||||
if (recv(in_sock, inbound_buffer, 16,0) == -1 ) {
|
||||
fprintf(stderr, "FAIL - recv %s\n",
|
||||
strerror(errno));
|
||||
|
||||
=== modified file 'tests/regression/subdomain/xattrs.sh'
|
||||
--- a/tests/regression/subdomain/xattrs.sh 2010-02-07 07:04:57 +0000
|
||||
+++ b/tests/regression/subdomain/xattrs.sh 2011-01-10 18:12:33 +0000
|
||||
@@ -38,41 +38,59 @@
|
||||
|
||||
. $bin/prologue.inc
|
||||
|
||||
-file=$tmpdir/testfile
|
||||
-link=$tmpdir/testlink
|
||||
-dir=$tmpdir/testdir/
|
||||
+tmpmount=$tmpdir/mountpoint
|
||||
+diskimg=$tmpdir/disk.img
|
||||
+file=$tmpmount/testfile
|
||||
+link=$tmpmount/testlink
|
||||
+dir=$tmpmount/testdir/
|
||||
okperm=rw
|
||||
badperm=r
|
||||
|
||||
+# guarantee fs supports user_xattrs
|
||||
+dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null
|
||||
+mkfs.ext3 -q -F ${diskimg}
|
||||
+mkdir ${tmpmount}
|
||||
+mount -o loop,user_xattr ${diskimg} ${tmpmount}
|
||||
+
|
||||
touch $file
|
||||
ln -s $file $link
|
||||
mkdir $dir
|
||||
|
||||
+add_attrs()
|
||||
+{
|
||||
+ #set the xattr for thos that passed above again so we can test removing it
|
||||
+ setfattr -h -n security.sdtest -v hello "$1"
|
||||
+ setfattr -h -n trusted.sdtest -v hello "$1"
|
||||
+ if [ "$1" != $link ] ; then
|
||||
+ setfattr -h -n user.sdtest -v hello "$1"
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
for var in $file $link $dir ; do
|
||||
#write xattr
|
||||
genprofile $var:$badperm
|
||||
xattrtest $var $badperm write security fail
|
||||
#xattrtest $var $badperm write system fail
|
||||
xattrtest $var $badperm write trusted fail
|
||||
- if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi
|
||||
|
||||
genprofile $var:$badperm capability:sys_admin
|
||||
xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail
|
||||
#xattrtest $var "$badperm+cap SYS_ADMIN" write system fail
|
||||
xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail
|
||||
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi
|
||||
|
||||
genprofile $var:$okperm
|
||||
xattrtest $var $okperm write security xpass
|
||||
#xattrtest $var $okperm write system fail
|
||||
xattrtest $var $okperm write trusted fail
|
||||
- if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi
|
||||
|
||||
genprofile $var:$okperm capability:sys_admin
|
||||
xattrtest $var "$okperm+cap SYS_ADMIN" write security pass
|
||||
#xattrtest $var "$okperm+cap SYS_ADMIN" write system pass
|
||||
xattrtest $var "$okperm+cap SYS_ADMIN" write trusted pass
|
||||
- if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi
|
||||
|
||||
|
||||
#read xattr
|
||||
@@ -80,13 +98,13 @@
|
||||
xattrtest $var $badperm read security pass
|
||||
#xattrtest $var $badperm read system fail
|
||||
xattrtest $var $badperm read trusted fail
|
||||
- if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi
|
||||
|
||||
genprofile $var:$badperm capability:sys_admin
|
||||
xattrtest $var "$badperm+cap SYS_ADMIN" read security pass
|
||||
#xattrtest $var "$badperm+cap SYS_ADMIN" read system pass
|
||||
xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass
|
||||
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi
|
||||
|
||||
|
||||
#remove xattr
|
||||
@@ -94,23 +112,25 @@
|
||||
xattrtest $var $badperm remove security fail
|
||||
#xattrtest $var $badperm remove system fail
|
||||
xattrtest $var $badperm remove trusted fail
|
||||
- if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi
|
||||
+
|
||||
+ add_attrs $var
|
||||
|
||||
genprofile $var:$badperm capability:sys_admin
|
||||
xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail
|
||||
#xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail
|
||||
xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail
|
||||
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi
|
||||
+
|
||||
+ add_attrs $var
|
||||
|
||||
genprofile $var:$okperm
|
||||
xattrtest $var $okperm remove security xpass
|
||||
#xattrtest $var $okperm remove system fail
|
||||
xattrtest $var $okperm remove trusted fail
|
||||
- if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi
|
||||
+ if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi
|
||||
|
||||
- #set the xattr for thos that passed above again so we can test removing it
|
||||
- setfattr -h -n security.sdtest -v hello $var
|
||||
- if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi
|
||||
+ add_attrs $var
|
||||
|
||||
genprofile $var:$okperm capability:sys_admin
|
||||
xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass
|
||||
@@ -120,3 +140,4 @@
|
||||
|
||||
done
|
||||
|
||||
+umount ${tmpmount}
|
||||
|
||||
=== modified file 'utils/SubDomain.pm'
|
||||
--- a/utils/SubDomain.pm 2010-09-21 07:40:50 +0000
|
||||
+++ b/utils/SubDomain.pm 2011-01-10 18:12:33 +0000
|
||||
@@ -2420,7 +2420,7 @@
|
||||
my $RE_LOG_v2_1_audit =
|
||||
qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
|
||||
my $RE_LOG_v2_6_audit =
|
||||
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
|
||||
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
|
||||
|
||||
sub prefetch_next_log_entry {
|
||||
# if we already have an existing cache entry, something's broken
|
||||
@@ -6622,10 +6622,14 @@
|
||||
LibAppArmor::free_record($event);
|
||||
|
||||
#map new c and d to w as logprof doesn't support them yet
|
||||
- $rmask =~ s/c/w/g;
|
||||
- $rmask =~ s/d/w/g;
|
||||
- $dmask =~ s/c/w/g;
|
||||
- $dmask =~ s/d/w/g;
|
||||
+ if ($rmask) {
|
||||
+ $rmask =~ s/c/w/g;
|
||||
+ $rmask =~ s/d/w/g;
|
||||
+ }
|
||||
+ if ($dmask) {
|
||||
+ $dmask =~ s/c/w/g;
|
||||
+ $dmask =~ s/d/w/g;
|
||||
+ }
|
||||
|
||||
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
|
||||
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),
|
||||
|
@ -1,37 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: profiles: Add libvirt pid support to dnsmasq profile
|
||||
References: bnc#666090
|
||||
|
||||
libvirt starts up dnsmasq with its pid file in
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
|
||||
profiles/apparmor.d/usr.sbin.dnsmasq | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
Index: apparmor-2.5.1/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
===================================================================
|
||||
--- apparmor-2.5.1.orig/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
+++ apparmor-2.5.1/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
@@ -8,6 +8,9 @@
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
capability dac_override,
|
||||
+ capability net_admin, # for DHCP server
|
||||
+ capability net_raw, # for DHCP server ping checks
|
||||
+ network inet raw,
|
||||
|
||||
/etc/dnsmasq.conf r,
|
||||
/etc/dnsmasq.d/ r,
|
||||
@@ -19,5 +22,10 @@
|
||||
/var/run/dnsmasq/ r,
|
||||
/var/run/dnsmasq/* rw,
|
||||
|
||||
+ /var/run/libvirt/network/ r, # Required when called by libvirt
|
||||
+ /var/run/libvirt/network/*.pid rw, # Required when called by libvirt
|
||||
+ /var/lib/libvirt/dnsmasq/ r, # Required when called by libvirt
|
||||
+ /var/lib/libvirt/dnsmasq/*.hostsfile r, # Required when called by libvirt
|
||||
+
|
||||
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
|
||||
}
|
@ -17,7 +17,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
--- a/profiles/apparmor.d/abstractions/nameservice
|
||||
+++ b/profiles/apparmor.d/abstractions/nameservice
|
||||
@@ -71,6 +71,9 @@
|
||||
@@ -70,6 +70,9 @@
|
||||
# kerberos
|
||||
#include <abstractions/kerberosclient>
|
||||
|
||||
|
@ -1,26 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-profiles: Fix proc usage in firefox profile
|
||||
References: bnc#436262
|
||||
|
||||
This patch corrects the use of the {proc} macro. It should be {PROC}.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
|
||||
@@ -32,9 +32,9 @@
|
||||
/opt/kde3/share/applications/ r,
|
||||
/opt/kde3/share/applications/mimeinfo.cache r,
|
||||
|
||||
- owner @{proc}/*/mounts r,
|
||||
- @{proc}/meminfo r,
|
||||
- @{proc}/sys/kernel/ngroups_max r,
|
||||
+ owner @{PROC}/*/mounts r,
|
||||
+ @{PROC}/meminfo r,
|
||||
+ @{PROC}/sys/kernel/ngroups_max r,
|
||||
|
||||
/usr/lib/**.so mr,
|
||||
|
@ -1,7 +1,10 @@
|
||||
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
|
||||
===================================================================
|
||||
---
|
||||
profiles/apparmor.d/abstractions/ldapclient | 21 +++++++++++++++++++++
|
||||
profiles/apparmor.d/abstractions/nameservice | 8 +++-----
|
||||
2 files changed, 24 insertions(+), 5 deletions(-)
|
||||
|
||||
--- /dev/null
|
||||
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
|
||||
+++ b/profiles/apparmor.d/abstractions/ldapclient
|
||||
@@ -0,0 +1,21 @@
|
||||
+# ------------------------------------------------------------------
|
||||
+#
|
||||
@ -24,11 +27,9 @@ Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
|
||||
+ /usr/lib{,32,64}/sasl2/* r,
|
||||
+
|
||||
+ #include <abstractions/ssl_certs>
|
||||
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
|
||||
===================================================================
|
||||
--- apparmor-2.5.1.orig/profiles/apparmor.d/abstractions/nameservice
|
||||
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
|
||||
@@ -17,8 +17,6 @@
|
||||
--- a/profiles/apparmor.d/abstractions/nameservice
|
||||
+++ b/profiles/apparmor.d/abstractions/nameservice
|
||||
@@ -16,8 +16,6 @@
|
||||
/etc/group r,
|
||||
/etc/host.conf r,
|
||||
/etc/hosts r,
|
||||
@ -37,7 +38,7 @@ Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
|
||||
/etc/nsswitch.conf r,
|
||||
/etc/gai.conf r,
|
||||
/etc/passwd r,
|
||||
@@ -33,9 +31,6 @@
|
||||
@@ -32,9 +30,6 @@
|
||||
|
||||
/etc/samba/lmhosts r,
|
||||
/etc/services r,
|
||||
@ -47,7 +48,7 @@ Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
|
||||
# db backend
|
||||
/var/lib/misc/*.db r,
|
||||
# The Name Service Cache Daemon can cache lookups, sometimes leading
|
||||
@@ -59,6 +54,9 @@
|
||||
@@ -58,6 +53,9 @@
|
||||
# nis
|
||||
#include <abstractions/nis>
|
||||
|
||||
|
@ -1,94 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor: Fix network event parsing
|
||||
References: bnc#665483
|
||||
|
||||
The upstream version of AppArmor had network mediation but it was
|
||||
removed. There's a compability patch floating around that both openSUSE
|
||||
and Ubuntu have applied to their kernels. Unfortunately, one part was
|
||||
overlooked. The socket operation event names where changed from the
|
||||
socket_ prefixed names they had when AppArmor was out-of-tree and
|
||||
utils/SubDomain.pm was never updated to understand them.
|
||||
|
||||
This patch adds an operation-type table so that the code can just
|
||||
do a optype($operation) call to discover what type of operation a
|
||||
particular name refers to. It then uses this in place of the socket_
|
||||
checks to decide whether an event is a network operation.
|
||||
|
||||
This allows genprof and logprof to work with networking rules again.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/SubDomain.pm | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 46 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -233,6 +233,50 @@ my %MODE_HASH = (
|
||||
N => $AA_EXEC_NT,
|
||||
);
|
||||
|
||||
+
|
||||
+# Currently only used by netdomain but there's no reason it couldn't
|
||||
+# be extended to support other types.
|
||||
+my %operation_types = (
|
||||
+
|
||||
+ # Old socket names
|
||||
+ "socket_create", => "net",
|
||||
+ "socket_post_create" => "net",
|
||||
+ "socket_bind" => "net",
|
||||
+ "socket_connect" => "net",
|
||||
+ "socket_listen" => "net",
|
||||
+ "socket_accept" => "net",
|
||||
+ "socket_sendmsg" => "net",
|
||||
+ "socket_recvmsg" => "net",
|
||||
+ "socket_getsockname" => "net",
|
||||
+ "socket_getpeername" => "net",
|
||||
+ "socket_getsockopt" => "net",
|
||||
+ "socket_setsockopt" => "net",
|
||||
+ "socket_shutdown" => "net",
|
||||
+
|
||||
+ # New socket names
|
||||
+ "create" => "net",
|
||||
+ "post_create" => "net",
|
||||
+ "bind" => "net",
|
||||
+ "connect" => "net",
|
||||
+ "listen" => "net",
|
||||
+ "accept" => "net",
|
||||
+ "sendmsg" => "net",
|
||||
+ "recvmsg" => "net",
|
||||
+ "getsockname" => "net",
|
||||
+ "getpeername" => "net",
|
||||
+ "getsockopt" => "net",
|
||||
+ "setsockopt" => "net",
|
||||
+ "sock_shutdown" => "net",
|
||||
+);
|
||||
+
|
||||
+sub optype($) {
|
||||
+ my $op = shift;
|
||||
+ my $type = $operation_types{$op};
|
||||
+
|
||||
+ return "unknown" if !defined($type);
|
||||
+ return $type;
|
||||
+}
|
||||
+
|
||||
sub debug ($) {
|
||||
my $message = shift;
|
||||
chomp($message);
|
||||
@@ -2911,7 +2955,7 @@ sub add_event_to_tree ($) {
|
||||
}
|
||||
$pid{$child} = $arrayref;
|
||||
push @{$arrayref}, [ "fork", $child, $profile, $hat ];
|
||||
- } elsif ($e->{operation} =~ m/socket_/) {
|
||||
+ } elsif (optype($e->{operation}) eq "net") {
|
||||
add_to_tree( $e->{pid},
|
||||
$e->{parent},
|
||||
"netdomain",
|
||||
@@ -6620,7 +6664,7 @@ sub parse_event($) {
|
||||
LibAppArmor::aa_log_record::swig_magic_token_get($event);
|
||||
|
||||
# NetDomain
|
||||
- if ( $ev{'operation'} && $ev{'operation'} =~ /socket/ ) {
|
||||
+ if ( $ev{'operation'} && optype($ev{'operation'}) eq "net" ) {
|
||||
$ev{'family'} =
|
||||
LibAppArmor::aa_log_record::swig_net_family_get($event);
|
||||
$ev{'protocol'} =
|
@ -1,28 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
|
||||
References: bnc#634801
|
||||
|
||||
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
|
||||
fixes the profile.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
profiles/apparmor.d/usr.sbin.ntpd | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/profiles/apparmor.d/usr.sbin.ntpd
|
||||
+++ b/profiles/apparmor.d/usr.sbin.ntpd
|
||||
@@ -59,11 +59,11 @@
|
||||
/var/run/ntpd.pid w,
|
||||
/var/tmp/ntp* rwl,
|
||||
@{PROC}/*/net/if_inet6 r,
|
||||
- @{PROC}/*/sys/kernel/ngroups_max r,
|
||||
+ @{PROC}/sys/kernel/ngroups_max r,
|
||||
|
||||
# allow access for when chrooted
|
||||
/var/lib/ntp/@{PROC}/*/net/if_inet6 r,
|
||||
- /var/lib/ntp/@{PROC}/*/sys/kernel/ngroups_max r,
|
||||
+ /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
|
||||
|
||||
@{NTPD_DEVICE} rw,
|
||||
}
|
@ -14,7 +14,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
--- a/profiles/apparmor.d/usr.sbin.ntpd
|
||||
+++ b/profiles/apparmor.d/usr.sbin.ntpd
|
||||
@@ -25,6 +25,7 @@
|
||||
@@ -24,6 +24,7 @@
|
||||
capability sys_chroot,
|
||||
capability sys_resource,
|
||||
capability sys_time,
|
||||
|
@ -39,7 +39,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
#include <stdio.h>
|
||||
--- a/parser/parser_interface.c
|
||||
+++ b/parser/parser_interface.c
|
||||
@@ -17,6 +17,7 @@
|
||||
@@ -15,6 +15,7 @@
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
*/
|
||||
|
||||
@ -59,11 +59,11 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
+
|
||||
/* eliminates need to link with libfl */
|
||||
%option noyywrap
|
||||
|
||||
%option nounput
|
||||
--- a/parser/parser_main.c
|
||||
+++ b/parser/parser_main.c
|
||||
@@ -17,6 +17,7 @@
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
@@ -19,6 +19,7 @@
|
||||
* Ltd.
|
||||
*/
|
||||
|
||||
+#define _GNU_SOURCE /* for asprintf in stdio.h */
|
||||
@ -72,11 +72,11 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
#include <stdlib.h>
|
||||
--- a/parser/parser_variable.c
|
||||
+++ b/parser/parser_variable.c
|
||||
@@ -17,6 +17,7 @@
|
||||
@@ -15,6 +15,7 @@
|
||||
* along with this program; if not, contact Novell, Inc.
|
||||
*/
|
||||
|
||||
+#define _GNU_SOURCE /* for asprintf in stdio.h */
|
||||
#include <ctype.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
@ -29,7 +29,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
+
|
||||
--- a/profiles/apparmor.d/abstractions/ssl_certs
|
||||
+++ b/profiles/apparmor.d/abstractions/ssl_certs
|
||||
@@ -15,3 +15,7 @@
|
||||
@@ -14,3 +14,7 @@
|
||||
/etc/ssl/certs/* r,
|
||||
/usr/share/ca-certificates/ r,
|
||||
/usr/share/ca-certificates/** r,
|
||||
@ -39,7 +39,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
+ /usr/share/ca-certificates/mozilla/* r,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
|
||||
@@ -16,6 +16,7 @@
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <program-chunks/postfix-common>
|
||||
@ -47,7 +47,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
@@ -39,7 +40,6 @@
|
||||
@@ -38,7 +39,6 @@
|
||||
/etc/postfix/{ssl/,}*.pem r,
|
||||
/etc/postfix/prng_exch rw,
|
||||
/usr/share/ssl/certs/ca-bundle.crt r,
|
||||
@ -57,7 +57,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
/etc/mtab r,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
|
||||
@@ -16,6 +16,7 @@
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <program-chunks/postfix-common>
|
||||
@ -65,7 +65,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
capability dac_override,
|
||||
capability dac_read_search,
|
||||
@@ -44,7 +45,6 @@
|
||||
@@ -43,7 +44,6 @@
|
||||
/usr/lib/sasl2/* mr,
|
||||
|
||||
/usr/share/ssl/certs/ca-bundle.crt r,
|
||||
@ -75,7 +75,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
/{var/spool/postfix/,}private/anvil w,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
|
||||
@@ -18,6 +18,7 @@
|
||||
@@ -17,6 +17,7 @@
|
||||
#include <abstractions/kerberosclient>
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/perl>
|
||||
@ -83,7 +83,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
capability kill,
|
||||
capability net_bind_service,
|
||||
@@ -84,7 +85,6 @@
|
||||
@@ -83,7 +84,6 @@
|
||||
/usr/share/snmp/mibs r,
|
||||
/usr/share/snmp/mibs/*.{txt,mib} r,
|
||||
/usr/share/snmp/mibs/.index wr,
|
||||
@ -93,7 +93,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
/var/log/httpd/ssl_scache.dir r,
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
|
||||
@@ -16,10 +16,10 @@
|
||||
@@ -15,10 +15,10 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
@ -107,7 +107,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
}
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
|
||||
@@ -16,10 +16,10 @@
|
||||
@@ -15,10 +15,10 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
@ -121,7 +121,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
}
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
|
||||
@@ -16,10 +16,10 @@
|
||||
@@ -15,10 +15,10 @@
|
||||
#include <abstractions/nameservice>
|
||||
#include <abstractions/authentication>
|
||||
#include <abstractions/user-mail>
|
||||
|
@ -1,37 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
|
||||
|
||||
The version of AppArmor that was accepted into the mainline kernel
|
||||
issues audit events for things like change_hat while unconfined.
|
||||
Previous versions just returned -EPERM without the audit.
|
||||
|
||||
This results in logprof and friends spewing uninitialized value errors
|
||||
when it hits events like:
|
||||
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
|
||||
|
||||
... which happen any time an unconfined process does something with pam
|
||||
when pam_apparmor is installed.
|
||||
|
||||
This patch skips those events.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/SubDomain.pm | 20 ++++++++++++++++----
|
||||
1 file changed, 16 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
|
||||
return if ($e->{operation} =~ /profile_set/);
|
||||
|
||||
my ($profile, $hat);
|
||||
+
|
||||
+ # The version of AppArmor that was accepted into the mainline kernel
|
||||
+ # issues audit events for things like change_hat while unconfined.
|
||||
+ # Previous versions just returned -EPERM without the audit so the
|
||||
+ # events wouldn't have been picked up here.
|
||||
+ return if (!$e->{profile});
|
||||
+
|
||||
# just convert new null profile style names to old before we begin processing
|
||||
# profile and name can contain multiple layers of null- but all we care about
|
||||
# currently is single level.
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:00334c3e5391fa1578aa177ec5da1232073bc88141c1a49c3ecb1814784cc99b
|
||||
size 1293448
|
3
apparmor-2.6.0.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:b08f90ee4d6774d1fe176adfa5764e3d24a6b1976b249757f25203b52216f857
|
||||
size 1240705
|
@ -1,22 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-docs: Fix grammar error in techdoc.pdf
|
||||
References: bnc#588235
|
||||
|
||||
This patch fixes a grammar error in techdoc.pdf.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
parser/techdoc.tex | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/parser/techdoc.tex
|
||||
+++ b/parser/techdoc.tex
|
||||
@@ -213,7 +213,7 @@ files by controlling file descriptor pas
|
||||
|
||||
\subsection{Mount}
|
||||
|
||||
-Mounting can change a process's namespace in in almost arbitrary ways.
|
||||
+Mounting can change a process's namespace in almost arbitrary ways.
|
||||
This is a problem because AppArmor's file access control is pathname
|
||||
based, and granting a process the right to arbitrarily change its
|
||||
namespace would subvert this protection mechanism. AppArmor therefore
|
@ -12,4 +12,4 @@
|
||||
+tests: error_output gen_xtrans parser_sanity
|
||||
|
||||
gen_xtrans:
|
||||
perl ./gen-xtrans.pl
|
||||
./gen-xtrans.pl
|
||||
|
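Review bot: One recipe line of the `gen_xtrans` target is swapped between `perl ./gen-xtrans.pl` and `./gen-xtrans.pl`, and with the `+`/`-` markers lost in this view I cannot tell which is the new side. If the new line is the bare `./gen-xtrans.pl`, the recipe now depends on the script's executable bit and shebang surviving the tarball and `patch`, which the explicit-interpreter form did not; keeping `perl ./gen-xtrans.pl` avoids that dependency, and a one-line comment in the patch header saying why the invocation changed would help the next refresh. The enclosing Makefile rule continues outside the hunk.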
@ -1,19 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-parser: Fix up translations
|
||||
References: bnc#586070
|
||||
|
||||
---
|
||||
parser/parser_interface.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/parser/parser_interface.c
|
||||
+++ b/parser/parser_interface.c
|
||||
@@ -77,7 +77,7 @@ static void print_error(int error)
|
||||
PERROR(_("Out of memory\n"));
|
||||
break;
|
||||
case -EFAULT:
|
||||
- PERROR(_("Couldn't copy profile Bad memory address\n"));
|
||||
+ PERROR(_("Couldn't copy profile: Bad memory address\n"));
|
||||
break;
|
||||
case -EPROTO:
|
||||
PERROR(_("Profile doesn't conform to protocol\n"));
|
@ -1,16 +0,0 @@
|
||||
---
|
||||
utils/Makefile | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/utils/Makefile
|
||||
+++ b/utils/Makefile
|
||||
@@ -41,7 +41,8 @@ all: ${MANPAGES} ${HTMLMANPAGES}
|
||||
DESTDIR=/
|
||||
BINDIR=${DESTDIR}/usr/sbin
|
||||
CONFDIR=${DESTDIR}/etc/apparmor
|
||||
-PERLDIR=${DESTDIR}/usr/lib/perl5/vendor_perl/Immunix
|
||||
+VENDOR_PERL ?= /usr/lib/perl5/vendor_perl
|
||||
+PERLDIR := ${DESTDIR}${VENDOR_PERL}/Immunix
|
||||
|
||||
po/${NAME}.pot: ${TOOLS}
|
||||
make -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} SubDomain.pm Repository.pm Config.pm Reports.pm"
|
@ -4,13 +4,14 @@ References: bnc#561152
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
|
||||
profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------
|
||||
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
|
||||
2 files changed, 61 insertions(+), 21 deletions(-)
|
||||
|
||||
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
|
||||
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
|
||||
@@ -12,12 +12,12 @@
|
||||
@@ -11,12 +11,12 @@
|
||||
# raw sockets, and thus cannot be confined with NetDomain
|
||||
#
|
||||
# Should these programs have their own domains?
|
||||
@ -29,7 +30,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
|
||||
#include <tunables/global>
|
||||
|
||||
@@ -25,25 +25,30 @@
|
||||
@@ -24,25 +24,30 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/nameservice>
|
||||
@ -75,7 +76,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
/var/lib/dhcp/dhclient.leases rw,
|
||||
/var/lib/dhcp/dhclient-*.leases rw,
|
||||
/var/log/lastlog r,
|
||||
@@ -53,4 +58,18 @@
|
||||
@@ -52,4 +57,18 @@
|
||||
/var/run/dhclient-*.pid rw,
|
||||
/var/spool r,
|
||||
/var/spool/mail r,
|
||||
|
@ -13,7 +13,7 @@ References: bnc#457072
|
||||
|
||||
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
|
||||
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
|
||||
@@ -30,6 +30,8 @@
|
||||
@@ -29,6 +29,8 @@
|
||||
capability kill,
|
||||
capability setgid,
|
||||
capability setuid,
|
||||
@ -22,7 +22,7 @@ References: bnc#457072
|
||||
|
||||
/dev/ptmx rw,
|
||||
/dev/urandom r,
|
||||
@@ -44,11 +46,12 @@
|
||||
@@ -43,11 +45,12 @@
|
||||
|
||||
@{PROC}/[0-9]*/fd/ r,
|
||||
@{PROC}/[0-9]*/loginuid w,
|
||||
|
@ -1,5 +1,9 @@
|
||||
--- a/profiles/apparmor.d/sbin.syslog-ng.old 2008-11-05 15:53:00.000000000 +0100
|
||||
+++ b/profiles/apparmor.d/sbin.syslog-ng 2010-11-05 09:11:23.186489224 +0100
|
||||
---
|
||||
profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/profiles/apparmor.d/sbin.syslog-ng
|
||||
+++ b/profiles/apparmor.d/sbin.syslog-ng
|
||||
@@ -19,12 +19,14 @@
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/consoles>
|
||||
@ -29,5 +33,5 @@
|
||||
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
|
||||
+ /var/run/syslog-ng/additional-log-sockets.conf r,
|
||||
|
||||
}
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/sbin.syslog-ng>
|
||||
|
33
apparmor-profiles-usr.sbin.dnsmasq
Normal file
@ -0,0 +1,33 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: dnsmasq: Profile fixes
|
||||
References: bnc#666090 bnc#678749
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
|
||||
@@ -25,10 +25,12 @@
|
||||
/etc/dnsmasq.conf r,
|
||||
/etc/dnsmasq.d/ r,
|
||||
/etc/dnsmasq.d/* r,
|
||||
+ /etc/ethers r,
|
||||
|
||||
/usr/sbin/dnsmasq mr,
|
||||
|
||||
/var/run/*dnsmasq*.pid w,
|
||||
+ /var/run/dnsmasq-forwarders r,
|
||||
/var/run/dnsmasq/ r,
|
||||
/var/run/dnsmasq/* rw,
|
||||
|
||||
@@ -37,6 +39,8 @@
|
||||
# libvirt pid files for dnsmasq
|
||||
/var/run/libvirt/network/ r,
|
||||
/var/run/libvirt/network/*.pid rw,
|
||||
+ /var/lib/libvirt/dnsmasq/ r,
|
||||
+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
#include <local/usr.sbin.dnsmasq>
|
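Review bot: The new patch file carries only a Subject and two bug references, with no body explaining which denials each of the four added rules resolves, so a later refresh cannot tell whether `/var/run/dnsmasq-forwarders r,` or the two `/var/lib/libvirt/dnsmasq/` rules are still needed. All four are read-only and name concrete paths rather than broad globs, which keeps the profile tight, so the only thing missing is the rationale. Following the existing `# libvirt pid files for dnsmasq` comment style, a comment such as `# libvirt-generated host files for dnsmasq (presumably read at startup — confirm)` above the two `/var/lib/libvirt/dnsmasq/` rules, and a sentence per rule in the patch header, would document that.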
@ -9,14 +9,14 @@ Subject: apparmor-utils: Allow repository to be completely disabled
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/SubDomain.pm | 5 +++++
|
||||
utils/logprof.conf | 4 ++++
|
||||
utils/Immunix/AppArmor.pm | 5 +++++
|
||||
utils/logprof.conf | 4 ++++
|
||||
2 files changed, 9 insertions(+)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -3107,6 +3107,8 @@ sub UI_repo_signup {
|
||||
sub UI_ask_to_enable_repo {
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -3153,6 +3153,8 @@ sub UI_repo_signup() {
|
||||
sub UI_ask_to_enable_repo() {
|
||||
|
||||
my $q = { };
|
||||
+ return if (defined $cfg->{settings}{allow_repository} &&
|
||||
@ -24,7 +24,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
return if ( not defined $cfg->{repository}{url} );
|
||||
$q->{headers} = [
|
||||
gettext("Repository"), $cfg->{repository}{url},
|
||||
@@ -3231,6 +3233,8 @@ sub get_preferred_user ($) {
|
||||
@@ -3277,6 +3279,8 @@ sub get_preferred_user ($) {
|
||||
|
||||
sub repo_is_enabled () {
|
||||
my $enabled;
|
||||
@ -33,8 +33,8 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
if ($cfg->{repository}{url} &&
|
||||
$repo_cfg &&
|
||||
$repo_cfg->{repository}{enabled} &&
|
||||
@@ -3244,6 +3248,7 @@ sub repo_is_enabled () {
|
||||
sub update_repo_profile {
|
||||
@@ -3290,6 +3294,7 @@ sub repo_is_enabled () {
|
||||
sub update_repo_profile($) {
|
||||
my $profile = shift;
|
||||
|
||||
+ return undef if not repo_is_enabled();
|
||||
@ -43,7 +43,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
my $url = $profile->{repo}{url};
|
||||
--- a/utils/logprof.conf
|
||||
+++ b/utils/logprof.conf
|
||||
@@ -35,6 +35,10 @@
|
||||
@@ -34,6 +34,10 @@
|
||||
# files.
|
||||
custom_includes =
|
||||
|
||||
|
@ -1,13 +1,13 @@
|
||||
---
|
||||
|
||||
parser/rc.aaeventd.suse | 2 +-
|
||||
parser/rc.apparmor.functions | 16 ++++++++--------
|
||||
parser/rc.apparmor.functions | 14 +++++++-------
|
||||
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
|
||||
3 files changed, 31 insertions(+), 10 deletions(-)
|
||||
3 files changed, 30 insertions(+), 9 deletions(-)
|
||||
|
||||
--- a/parser/rc.aaeventd.suse
|
||||
+++ b/parser/rc.aaeventd.suse
|
||||
@@ -30,7 +30,7 @@
|
||||
@@ -27,7 +27,7 @@
|
||||
### BEGIN INIT INFO
|
||||
# Provides: aaeventd
|
||||
# Required-Start: apparmor
|
||||
@ -18,7 +18,7 @@
|
||||
# Short-Description: AppArmor Notification and Reporting
|
||||
--- a/parser/rc.apparmor.functions
|
||||
+++ b/parser/rc.apparmor.functions
|
||||
@@ -111,9 +111,7 @@ is_apparmor_present() {
|
||||
@@ -108,9 +108,7 @@ is_apparmor_present() {
|
||||
# check for subdomainfs version of module
|
||||
grep -qE "^($modules)[[:space:]]" /proc/modules
|
||||
|
||||
@ -29,7 +29,7 @@
|
||||
|
||||
return $?
|
||||
}
|
||||
@@ -380,10 +378,11 @@ apparmor_start() {
|
||||
@@ -377,10 +375,11 @@ apparmor_start() {
|
||||
configure_owlsm
|
||||
|
||||
# if there is anything in the profiles file don't load
|
||||
@ -43,7 +43,7 @@
|
||||
fi
|
||||
aa_log_end_msg 0
|
||||
return 0
|
||||
@@ -415,7 +414,8 @@ remove_profiles() {
|
||||
@@ -412,7 +411,8 @@ remove_profiles() {
|
||||
#them so stor to tmp first
|
||||
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
|
||||
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
|
||||
@ -53,7 +53,7 @@
|
||||
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
|
||||
rc=$?
|
||||
if [ ${rc} -ne 0 ] ; then
|
||||
@@ -430,7 +430,7 @@ apparmor_stop() {
|
||||
@@ -427,7 +427,7 @@ apparmor_stop() {
|
||||
aa_log_daemon_msg "Unloading AppArmor profiles "
|
||||
remove_profiles
|
||||
rc=$?
|
||||
@ -62,18 +62,9 @@
|
||||
return $rc
|
||||
}
|
||||
|
||||
@@ -468,7 +468,7 @@ __apparmor_restart() {
|
||||
profiles_names_list ${PNAMES_LIST}
|
||||
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
|
||||
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
|
||||
- sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do
|
||||
+ sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
|
||||
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
|
||||
done
|
||||
rm "$MODULE_PLIST"
|
||||
--- a/parser/rc.apparmor.suse
|
||||
+++ b/parser/rc.apparmor.suse
|
||||
@@ -34,6 +34,7 @@
|
||||
@@ -31,6 +31,7 @@
|
||||
# Required-Start: boot.cleanup
|
||||
# Required-Stop: $null
|
||||
# Should-Start: $local_fs
|
||||
@ -81,7 +72,7 @@
|
||||
# Default-Start: B
|
||||
# Default-Stop:
|
||||
# Short-Description: AppArmor initialization
|
||||
@@ -76,7 +77,19 @@ aa_log_warning_msg() {
|
||||
@@ -73,7 +74,19 @@ aa_log_warning_msg() {
|
||||
}
|
||||
|
||||
aa_log_failure_msg() {
|
||||
@ -102,7 +93,7 @@
|
||||
}
|
||||
|
||||
aa_log_skipped_msg() {
|
||||
@@ -84,6 +97,14 @@ aa_log_skipped_msg() {
|
||||
@@ -81,6 +94,14 @@ aa_log_skipped_msg() {
|
||||
echo -e "$rc_skipped"
|
||||
}
|
||||
|
||||
|
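Review bot: The refreshed patch drops the whole `__apparmor_restart()` hunk that changed `while read profile` to `while IFS= read profile` (the `@ -62,18 +62,9 @@` hunk: the line counts and the diffstat shrinking from 16 to 14 lines for parser/rc.apparmor.functions show nine patch lines removed and only the relocated `@@ -31,6 +31,7 @@` header added), while the `remove_profiles()` hunk of the same patch is kept. If apparmor 2.6.0 already carries that fix upstream this is fine, but if not, a profile name with leading or trailing whitespace is trimmed by `read` before being written to `$SFS_MOUNTPOINT/.remove`, and the wrong profile, or none, is unloaded on restart. A sentence in the patch header stating why the hunk was dropped, e.g. `# __apparmor_restart IFS fix is upstream in 2.6.0`, would let the next refresh verify it.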
@ -4,7 +4,7 @@
|
||||
|
||||
--- a/parser/rc.aaeventd.suse
|
||||
+++ b/parser/rc.aaeventd.suse
|
||||
@@ -81,9 +81,9 @@ usage() {
|
||||
@@ -78,9 +78,9 @@ usage() {
|
||||
|
||||
start_aa_event() {
|
||||
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
|
||||
|
@ -1,15 +0,0 @@
|
||||
---
|
||||
|
||||
libraries/libapparmor/swig/perl/Makefile.am | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/libraries/libapparmor/swig/perl/Makefile.am
|
||||
+++ b/libraries/libapparmor/swig/perl/Makefile.am
|
||||
@@ -9,6 +9,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibA
|
||||
|
||||
Makefile.perl: Makefile.PL
|
||||
$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
|
||||
+ sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
|
||||
|
||||
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
|
||||
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
|
@ -1,24 +0,0 @@
|
||||
---
|
||||
utils/SubDomain.pm | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -2304,7 +2304,7 @@ sub handlechildren {
|
||||
unless (-e getprofilefilename($exec_target)) {
|
||||
my $ynans = "y";
|
||||
if ($exec_mode & str_to_mode("i")) {
|
||||
- $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist create one?"), $exec_target), "n");
|
||||
+ $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist. Create one?"), $exec_target), "n");
|
||||
}
|
||||
if ($ynans eq "y") {
|
||||
$helpers{$exec_target} = "enforce";
|
||||
@@ -2331,7 +2331,7 @@ sub handlechildren {
|
||||
unless ($sd{$profile}{$exec_target}) {
|
||||
my $ynans = "y";
|
||||
if ($exec_mode & str_to_mode("i")) {
|
||||
- $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist create one?"), $exec_target), "n");
|
||||
+ $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist. Create one?"), $exec_target), "n");
|
||||
}
|
||||
if ($ynans eq "y") {
|
||||
$hat = $exec_target;
|
@ -1,107 +0,0 @@
|
||||
---
|
||||
utils/Reports.pm | 2 +-
|
||||
utils/SubDomain.pm | 2 +-
|
||||
utils/genprof | 4 ++--
|
||||
utils/rc.sd-event-dispatch.suse | 10 +++++-----
|
||||
utils/unconfined | 2 +-
|
||||
5 files changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
--- a/utils/Reports.pm
|
||||
+++ b/utils/Reports.pm
|
||||
@@ -14,7 +14,7 @@ package Immunix::Reports;
|
||||
################################################################################
|
||||
# /usr/lib/perl5/site_perl/Reports.pm
|
||||
#
|
||||
-# - Parses /var/log/messages for SubDomain messages
|
||||
+# - Parses /var/log/messages for AppArmor messages
|
||||
# - Writes results to .html or comma-delimited (.csv) files (Optional)
|
||||
#
|
||||
# Requires:
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -1590,7 +1590,7 @@ my %CMDS = (
|
||||
CMD_GLOBEXT => "Glob w/(E)xt",
|
||||
CMD_ADDHAT => "(A)dd Requested Hat",
|
||||
CMD_USEDEFAULT => "(U)se Default Hat",
|
||||
- CMD_SCAN => "(S)can system log for SubDomain events",
|
||||
+ CMD_SCAN => "(S)can system log for AppArmor events",
|
||||
CMD_HELP => "(H)elp",
|
||||
CMD_VIEW_PROFILE => "(V)iew Profile",
|
||||
CMD_USE_PROFILE => "(U)se Profile",
|
||||
--- a/utils/genprof
|
||||
+++ b/utils/genprof
|
||||
@@ -52,7 +52,7 @@ GetOptions(
|
||||
|
||||
my $sd_mountpoint = check_for_subdomain();
|
||||
unless ($sd_mountpoint) {
|
||||
- fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
|
||||
+ fatal_error(gettext("AppArmor does not appear to be started. Please enable AppArmor and try again."));
|
||||
}
|
||||
|
||||
# let's convert it to full path...
|
||||
@@ -166,7 +166,7 @@ for my $p (sort keys %helpers) {
|
||||
}
|
||||
}
|
||||
|
||||
-UI_Info(gettext("Reloaded SubDomain profiles in enforce mode."));
|
||||
+UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
|
||||
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
|
||||
exit 0;
|
||||
|
||||
--- a/utils/rc.sd-event-dispatch.suse
|
||||
+++ b/utils/rc.sd-event-dispatch.suse
|
||||
@@ -7,14 +7,14 @@
|
||||
# /usr/sbin/rcsd-event-dispatch
|
||||
#
|
||||
# chkconfig: 2345 01 99
|
||||
-# description: SubDomain event dispatcher
|
||||
+# description: AppArmor event dispatcher
|
||||
#
|
||||
### BEGIN INIT INFO
|
||||
# Provides: sd-event-dispatch
|
||||
# Required-Start: subdomain
|
||||
# Default-Start: 3 4 5
|
||||
# Default-Stop: 0 1 2 6
|
||||
-# Description: Start the SubDomain event dispacher
|
||||
+# Description: Start the AppArmor event dispacher
|
||||
### END INIT INFO
|
||||
|
||||
SD_EV_BIN=/usr/sbin/sd-event-dispatch.pl
|
||||
@@ -38,7 +38,7 @@ rc_reset
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
- echo -n "Starting SubDomain Event daemon"
|
||||
+ echo -n "Starting AppArmor Event daemon"
|
||||
## Start daemon with startproc(8). If this fails
|
||||
## the echo return value is set appropriate.
|
||||
|
||||
@@ -48,7 +48,7 @@ case "$1" in
|
||||
rc_status -v
|
||||
;;
|
||||
stop)
|
||||
- echo -n "Shutting down SubDomain Event daemon"
|
||||
+ echo -n "Shutting down AppArmor Event daemon"
|
||||
## Stop daemon with killproc(8) and if this fails
|
||||
## set echo the echo return value.
|
||||
|
||||
@@ -75,7 +75,7 @@ case "$1" in
|
||||
rc_status
|
||||
;;
|
||||
status)
|
||||
- echo -n "Checking for SubDomain Event daemon"
|
||||
+ echo -n "Checking for AppArmor Event daemon"
|
||||
## Check status with checkproc(8), if process is running
|
||||
## checkproc will return with exit status 0.
|
||||
|
||||
--- a/utils/unconfined
|
||||
+++ b/utils/unconfined
|
||||
@@ -54,7 +54,7 @@ sub usage {
|
||||
|
||||
my $subdomainfs = check_for_subdomain();
|
||||
|
||||
-die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
|
||||
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
|
||||
unless $subdomainfs;
|
||||
|
||||
my @pids;
|
@ -8,12 +8,12 @@ References: bnc#564316
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/SubDomain.pm | 4 +++-
|
||||
utils/Immunix/AppArmor.pm | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -2789,7 +2789,9 @@ sub add_event_to_tree ($) {
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -2848,7 +2848,9 @@ sub add_event_to_tree ($) {
|
||||
""
|
||||
);
|
||||
}
|
||||
|
@ -1,29 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
|
||||
References: bnc#307067
|
||||
|
||||
The initial generation of the base profile is required to be written out
|
||||
to put the process in complain mode for observation. If the user
|
||||
decides to abort the profiling session, that base profile is left
|
||||
behind.
|
||||
|
||||
This patch removes all profiles created during the run up to an abort.
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
|
||||
utils/SubDomain.pm | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -1750,6 +1750,9 @@ sub confirm_and_abort {
|
||||
if ($ans eq "y") {
|
||||
UI_Info(gettext("Abandoning all changes."));
|
||||
shutdown_yast();
|
||||
+ foreach my $prof (@created) {
|
||||
+ delete_profile($prof);
|
||||
+ }
|
||||
exit 0;
|
||||
}
|
||||
}
|
@ -13,12 +13,12 @@ References: bnc#397883
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/SubDomain.pm | 9 +--------
|
||||
utils/Immunix/AppArmor.pm | 9 +--------
|
||||
1 file changed, 1 insertion(+), 8 deletions(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -511,14 +511,7 @@ sub get_full_path ($) {
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -553,14 +553,7 @@ sub get_full_path ($) {
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1,58 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
|
||||
References: bnc#496204
|
||||
|
||||
When creating profiles with cx subprofiles, genprof will set the
|
||||
sub-profile in enforce mode. When genprof cycles multiple times, it
|
||||
prohibits the sub-profile from working correctly.
|
||||
|
||||
e.g.
|
||||
|
||||
# Last Modified: Mon Jan 24 13:52:26 2011
|
||||
#include <tunables/global>
|
||||
|
||||
/home/jeffm/mycat flags=(complain) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/bash>
|
||||
#include <abstractions/consoles>
|
||||
|
||||
/bin/bash ix,
|
||||
/bin/cat cx,
|
||||
/home/jeffm/mycat r,
|
||||
|
||||
profile /bin/cat {
|
||||
#include <abstractions/base>
|
||||
|
||||
/bin/cat r,
|
||||
/home/jeffm/mycat r,
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
This patch allows sub-profiles to inherit the flags from the parent
|
||||
profile, which allows it to be created in complain mode (if appropriate).
|
||||
The temporary complain flags are cleaned up at genprof completion as
|
||||
expected.
|
||||
|
||||
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/SubDomain.pm | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -2337,6 +2337,12 @@ sub handlechildren {
|
||||
# we have seen more than a declaration so clear it
|
||||
$sd{$profile}{$hat}{'declared'} = 0;
|
||||
$sd{$profile}{$hat}{profile} = 1;
|
||||
+
|
||||
+ # Otherwise sub-profiles end up getting
|
||||
+ # put in enforce mode with genprof
|
||||
+ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
|
||||
+
|
||||
+ $sd{$profile}{$hat}{flags} = 'complain';
|
||||
$sd{$profile}{$hat}{allow}{path} = { };
|
||||
$sd{$profile}{$hat}{allow}{netdomain} = { };
|
||||
my $file = $sd{$profile}{$profile}(unknown);
|
@ -1,25 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: Subdomain.pm: Fix for null path
|
||||
References: bnc#407959
|
||||
|
||||
When handling the following log entry, logprof will spew perl errors and
|
||||
ultimately generate an invalid config: "r,"
|
||||
|
||||
Since there is nothing to do with a null path, just skip to the next entry.
|
||||
|
||||
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
|
||||
---
|
||||
utils/SubDomain.pm | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -1905,7 +1905,7 @@ sub handlechildren {
|
||||
$hat = $h;
|
||||
}
|
||||
|
||||
- next unless $profile && $hat;
|
||||
+ next unless $profile && $hat && $detail;
|
||||
my $domainchange = ($type eq "exec") ? "change" : "nochange";
|
||||
|
||||
# escape special characters that show up in literal paths
|
@ -3,12 +3,12 @@ Subject: SubDomain.pm: Split long string
|
||||
|
||||
The string split here ends up not displaying well in yast.
|
||||
---
|
||||
utils/SubDomain.pm | 7 ++++++-
|
||||
utils/Immunix/AppArmor.pm | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
@@ -6241,7 +6241,12 @@ sub check_qualifiers {
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -6300,7 +6300,12 @@ sub check_qualifiers($) {
|
||||
|
||||
if ($cfg->{qualifiers}{$program}) {
|
||||
unless($cfg->{qualifiers}{$program} =~ /p/) {
|
||||
|
20
apparmor-utils-subdomain-compat
Normal file
@ -0,0 +1,20 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-utils: Add Immunix::SubDomain alias
|
||||
|
||||
This patch adds an alias so that 'use Immunix::SubDomain;' works with older
|
||||
code.
|
||||
|
||||
Acked-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
|
||||
utils/Immunix/SubDomain.pm | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
--- /dev/null
|
||||
+++ b/utils/Immunix/SubDomain.pm
|
||||
@@ -0,0 +1,5 @@
|
||||
+# Use of Immunix::SubDomain is deprecated.
|
||||
+# Use Immunix::AppArmor directly instead.
|
||||
+use Immunix::AppArmor;
|
||||
+*Immunix::SubDomain:: = *Immunix::AppArmor::;
|
||||
+1;
|
@ -1,54 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor-utils: Translation unification
|
||||
References: bnc#586072
|
||||
|
||||
This patch removes small inconsistencies between identical strings to
|
||||
allow for easier translation.
|
||||
|
||||
Reported-by: Isis Binder <isis.binder@gmail.com>
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/Reports.pm | 6 +++---
|
||||
utils/unconfined | 2 +-
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/utils/Reports.pm
|
||||
+++ b/utils/Reports.pm
|
||||
@@ -967,7 +967,7 @@ sub getEssStats {
|
||||
};
|
||||
|
||||
if ($@) {
|
||||
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
|
||||
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -980,7 +980,7 @@ sub getEssStats {
|
||||
};
|
||||
|
||||
if ($@) {
|
||||
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
|
||||
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -988,7 +988,7 @@ sub getEssStats {
|
||||
eval { $ret = $dbh->selectall_arrayref("$query"); };
|
||||
|
||||
if ($@) {
|
||||
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
|
||||
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
|
||||
return;
|
||||
}
|
||||
|
||||
--- a/utils/unconfined
|
||||
+++ b/utils/unconfined
|
||||
@@ -54,7 +54,7 @@ sub usage {
|
||||
|
||||
my $subdomainfs = check_for_subdomain();
|
||||
|
||||
-die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
|
||||
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
|
||||
unless $subdomainfs;
|
||||
|
||||
my @pids;
|
@ -1,3 +1,29 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 24 21:30:15 CET 2011 - jeffm@suse.de
|
||||
|
||||
- Added alias from Immunix::SubDomain to Immunix:AppArmor to allow
|
||||
older users of perl-apparmor to work properly.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 22 21:29:49 CET 2011 - jeffm@suse.de
|
||||
|
||||
- Properly re-created links to old utility names.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 14 19:24:02 CET 2011 - jeffm@suse.de
|
||||
|
||||
- Added /etc/ethers and /var/run/dnsmasq-forwarders to
|
||||
usr.sbin.dnsmasq (bnc#678749)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 14 16:48:53 CET 2011 - jeffm@suse.de
|
||||
|
||||
- Update to 2.6.0
|
||||
- 19 patches eliminated
|
||||
- Lots of minor fixes.
|
||||
- Split out more common abstractions
|
||||
- Added more local includes
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 1 09:56:30 UTC 2011 - rhafer@suse.de
|
||||
|
||||
|
112
apparmor.spec
@ -32,9 +32,6 @@
|
||||
%define JAR_FILE changeHatValve.jar
|
||||
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
|
||||
|
||||
%define srcversion 2.5.1
|
||||
%define bzr_commit r1445
|
||||
|
||||
Name: apparmor
|
||||
%if ! %{?distro:1}0
|
||||
%if %{?suse_version:1}0
|
||||
@ -48,52 +45,35 @@ Name: apparmor
|
||||
%define distro suse
|
||||
%endif
|
||||
Summary: AppArmor userlevel parser utility
|
||||
Version: %{srcversion}.%{bzr_commit}
|
||||
Release: 55
|
||||
Version: 2.6.0
|
||||
Release: 54
|
||||
Group: Productivity/Networking/Security
|
||||
Source0: apparmor-%{srcversion}.tar.bz2
|
||||
Source0: apparmor-%{version}.tar.bz2
|
||||
Source1: %{name}-profile-editor.png
|
||||
Source2: %{name}-profile-editor.desktop
|
||||
Source3: update-trans.sh
|
||||
Patch: apparmor-2.5-%{bzr_commit}
|
||||
Patch1: pam-apparmor-include
|
||||
Patch2: mod_apparmor-includes
|
||||
Patch3: tomcat-build-fixes
|
||||
Patch4: apparmor-swig-build-fix
|
||||
Patch5: apparmor-scripts
|
||||
Patch6: apparmor-translation-fixes
|
||||
Patch7: apparmor-perl
|
||||
Patch8: apparmor-no-caching-test
|
||||
Patch9: apparmorapplet-gnome-build-fix
|
||||
Patch10: apparmor-utils-SubDomain
|
||||
Patch11: apparmor-utils-cleanup-on-abort
|
||||
Patch12: apparmor-utils-translation-unification
|
||||
Patch13: apparmor-utils-add-log-types
|
||||
Patch14: apparmor-utils-filenames-in-slash
|
||||
Patch15: apparmor-utils-null-path-fix
|
||||
Patch16: apparmor-utils-string-split
|
||||
Patch17: apparmor-profiles-cupsd-fix
|
||||
Patch18: apparmor-profiles-sshd-fix
|
||||
Patch19: apparmor-profiles-syslog-ng-fix
|
||||
Patch20: apparmor-docs-techdoc-grammar-fixes
|
||||
Patch21: apparmor-parser-string-fixes
|
||||
Patch22: apparmor-startproc.patch
|
||||
Patch23: apparmor-2.5.1-unified-build
|
||||
Patch24: apparmor-2.5.1-rpmlint-asprintf
|
||||
Patch25: apparmor-2.5.1-ntpd-proc-fixes
|
||||
Patch26: apparmor-2.5.1-edirectory-profile
|
||||
Patch27: apparmor-2.5.1-firefox-proc-fix
|
||||
Patch28: apparmor-2.5.1-unconfined-fixes
|
||||
Patch29: apparmor-utils-inherit-flags-during-profile-generation
|
||||
Patch30: apparmor-2.5.1-ldapclient-profile
|
||||
Patch31: genprof-whitespace-in-profile-fix
|
||||
Patch32: apparmor-remove-repo
|
||||
Patch33: apparmor-2.5.1-ntpd-sys_nice
|
||||
Patch34: apparmor-2.5.1-ssl-fix
|
||||
Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix
|
||||
Patch36: klog-needs-CAP_SYSLOG
|
||||
Patch37: apparmor-2.5.1-network-fixes
|
||||
Patch38: apparmor-profiles-dhclient
|
||||
|
||||
Patch1: apparmor-scripts
|
||||
Patch2: apparmor-no-caching-test
|
||||
Patch3: apparmor-utils-add-log-types
|
||||
Patch4: apparmor-utils-filenames-in-slash
|
||||
Patch5: apparmor-utils-string-split
|
||||
Patch6: apparmor-profiles-cupsd-fix
|
||||
Patch7: apparmor-profiles-sshd-fix
|
||||
Patch8: apparmor-profiles-syslog-ng-fix
|
||||
Patch9: apparmor-startproc.patch
|
||||
Patch10: apparmor-2.5.1-unified-build
|
||||
Patch11: apparmor-2.5.1-rpmlint-asprintf
|
||||
Patch12: apparmor-2.5.1-edirectory-profile
|
||||
Patch13: apparmor-2.5.1-ldapclient-profile
|
||||
Patch14: genprof-whitespace-in-profile-fix
|
||||
Patch15: apparmor-remove-repo
|
||||
Patch16: apparmor-2.5.1-ntpd-sys_nice
|
||||
Patch17: apparmor-2.5.1-ssl-fix
|
||||
Patch18: apparmor-profiles-usr.sbin.dnsmasq
|
||||
Patch19: klog-needs-CAP_SYSLOG
|
||||
Patch20: apparmor-profiles-dhclient
|
||||
Patch21: apparmor-utils-subdomain-compat
|
||||
License: GPLv2+
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Url: https://launchpad.net/apparmor
|
||||
@ -463,8 +443,7 @@ SubDomain.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -n %{name}-%{srcversion}
|
||||
%patch -p1
|
||||
%setup -q -n %{name}-%{version}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
@ -486,23 +465,6 @@ SubDomain.
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch34 -p1
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
|
||||
%build
|
||||
export SUSE_ASNEEDED=0
|
||||
@ -574,21 +536,18 @@ ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd
|
||||
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor
|
||||
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain
|
||||
|
||||
for script in ${RPM_BUILD_ROOT}/usr/sbin/*; do
|
||||
d=$(dirname $script)
|
||||
f=$(basename $script)
|
||||
if [ "${f#aa-}" = "$f" ]; then
|
||||
ln -s /usr/sbin/$f $d/aa-$f
|
||||
# Re-create the links to the old names
|
||||
for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
|
||||
d=$(dirname $file)
|
||||
f=$(basename $file)
|
||||
if [ "${f#aa-}" != "$f" ]; then
|
||||
ln -s $f $d/${f#aa-}
|
||||
fi
|
||||
done
|
||||
|
||||
for man in ${RPM_BUILD_ROOT}/usr/share/man/man[18]/*; do
|
||||
d=$(dirname $man)
|
||||
f=$(basename $man)
|
||||
if [ "${f#aa-}" = "$f" ]; then
|
||||
ln -s $f $d/aa-$f
|
||||
fi
|
||||
done
|
||||
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{status.8,apparmor_status.8}
|
||||
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{notify.8,apparmor_notify.8}
|
||||
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man8/decode.8
|
||||
|
||||
%if %{with editor}
|
||||
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
|
||||
@ -687,6 +646,7 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
|
||||
%{_prefix}/sbin/*
|
||||
%dir /var/log/apparmor
|
||||
%doc %{_mandir}/man2/aa_change_profile.2.gz
|
||||
%doc %{_mandir}/man5/logprof.conf.5.gz
|
||||
%doc %{_mandir}/man8/apparmor_notify.8.gz
|
||||
%doc %{_mandir}/man8/aa-*.gz
|
||||
|
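Review bot: The new old-name link loop in %install (`for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*` … `ln -s $f $d/${f#aa-}`) calls `ln -s` without a guard, so the first old name that the 2.6.0 tarball itself already installs makes `ln` report "File exists" and, since rpm runs the section under `sh -e`, fails the build; the `mv -f`/`rm -f` lines for `status.8`, `notify.8` and `decode.8` that follow look like fix-ups for links this loop creates rather than for upstream files, but that is inferred, not visible here. A guard such as `[ -e "$d/${f#aa-}" ] || ln -s "$f" "$d/${f#aa-}"` keeps the loop from either failing on or clobbering a real upstream file, and quoting `$d`/`$f` costs nothing. Because the link target is the bare `$f`, the links stay valid when the later `mv -f` renames them within the same directory, which deserves a comment like `# relative links, so the mv below keeps them valid`. The %install section continues outside the hunk.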
@ -1,14 +0,0 @@
|
||||
---
|
||||
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
|
||||
+++ b/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
|
||||
@@ -11,6 +11,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <glib/gi18n.h>
|
||||
+#include <libgnome/gnome-program.h>
|
||||
#include "preferences_dialog.h"
|
||||
#include "reject_list.h"
|
||||
#include "apparmor-applet.h"
|
@ -14,11 +14,11 @@ References: bnc#480795
|
||||
|
||||
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
|
||||
---
|
||||
utils/SubDomain.pm | 8 ++++----
|
||||
utils/Immunix/AppArmor.pm | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/utils/SubDomain.pm
|
||||
+++ b/utils/SubDomain.pm
|
||||
--- a/utils/Immunix/AppArmor.pm
|
||||
+++ b/utils/Immunix/AppArmor.pm
|
||||
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
|
||||
if (open(PROFILE, "$filename")) {
|
||||
if (open(NEWPROFILE, ">$filename.new")) {
|
||||
|
@ -5,7 +5,7 @@
|
||||
|
||||
--- a/parser/parser_misc.c
|
||||
+++ b/parser/parser_misc.c
|
||||
@@ -122,6 +122,9 @@ static int get_table_token(const char *n
|
||||
@@ -125,6 +125,9 @@ static int get_table_token(const char *n
|
||||
static struct keyword_table capability_table[] = {
|
||||
/* capabilities */
|
||||
#include "cap_names.h"
|
||||
@ -15,7 +15,7 @@
|
||||
/* terminate */
|
||||
{NULL, 0}
|
||||
};
|
||||
@@ -820,6 +823,7 @@ static const char *capnames[] = {
|
||||
@@ -783,6 +786,7 @@ static const char *capnames[] = {
|
||||
"audit_control",
|
||||
"setfcap",
|
||||
"mac_override"
|
||||
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
changehat/mod_apparmor/Makefile | 6 +-----
|
||||
changehat/mod_apparmor/mod_apparmor.c | 6 +-----
|
||||
2 files changed, 2 insertions(+), 10 deletions(-)
|
||||
|
||||
--- a/changehat/mod_apparmor/Makefile
|
||||
+++ b/changehat/mod_apparmor/Makefile
|
||||
@@ -42,11 +42,7 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2"
|
||||
fi )
|
||||
APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
|
||||
DESTDIR=
|
||||
-LIBAPPARMOR_FLAGS=$(shell if [ -f /usr/lib/libapparmor.so -o -f /usr/lib64/libapparmor.so ] ; then \
|
||||
- echo -lapparmor ; \
|
||||
- else \
|
||||
- echo -DUSE_COMPAT_IMMUNIX_H -limmunix ;\
|
||||
- fi)
|
||||
+LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
|
||||
|
||||
all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
|
||||
|
||||
--- a/changehat/mod_apparmor/mod_apparmor.c
|
||||
+++ b/changehat/mod_apparmor/mod_apparmor.c
|
||||
@@ -24,11 +24,7 @@
|
||||
#include "apr_strings.h"
|
||||
#include "apr_lib.h"
|
||||
|
||||
-#ifndef USE_COMPAT_IMMUNIX_H
|
||||
-#include <sys/apparmor.h>
|
||||
-#else
|
||||
-#include <sys/immunix.h>
|
||||
-#endif
|
||||
+#include "apparmor.h"
|
||||
#include <unistd.h>
|
||||
|
||||
/* #define DEBUG */
|
@ -1,42 +0,0 @@
|
||||
From: Jeff Mahoney <jeffm@suse.com>
|
||||
Subject: apparmor: Fix pam includes/linking
|
||||
|
||||
|
||||
---
|
||||
changehat/pam_apparmor/Makefile | 6 +++---
|
||||
changehat/pam_apparmor/pam_apparmor.c | 2 +-
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/changehat/pam_apparmor/Makefile
|
||||
+++ b/changehat/pam_apparmor/Makefile
|
||||
@@ -27,8 +27,8 @@ common/Make.rules: $(COMMONDIR)/Make.rul
|
||||
ln -sf $(COMMONDIR) .
|
||||
endif
|
||||
|
||||
-EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall
|
||||
-LINK_FLAGS=-Xlinker -x
|
||||
+EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall -I../../libraries/libapparmor/src/
|
||||
+LINK_FLAGS=-Xlinker -x -L../../libraries/libapparmor/src/.libs
|
||||
LIBS=-lpam -lapparmor
|
||||
OBJECTS=${NAME}.o get_options.o
|
||||
|
||||
@@ -42,7 +42,7 @@ $(NAME).so: ${OBJECTS}
|
||||
|
||||
# need some better way of determining this
|
||||
DESTDIR=/
|
||||
-SECDIR=${DESTDIR}/lib/security
|
||||
+SECDIR ?= ${DESTDIR}/lib/security
|
||||
|
||||
.PHONY: install
|
||||
install: $(NAME).so
|
||||
--- a/changehat/pam_apparmor/pam_apparmor.c
|
||||
+++ b/changehat/pam_apparmor/pam_apparmor.c
|
||||
@@ -27,7 +27,7 @@
|
||||
#include <grp.h>
|
||||
#include <syslog.h>
|
||||
#include <errno.h>
|
||||
-#include <sys/apparmor.h>
|
||||
+#include "apparmor.h"
|
||||
#include <security/pam_ext.h>
|
||||
#include <security/pam_modutil.h>
|
||||
|
@ -1,77 +0,0 @@
|
||||
---
|
||||
changehat/tomcat_apparmor/tomcat_5_5/build.xml | 15 +++++-----
|
||||
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c | 2 -
|
||||
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile | 4 +-
|
||||
3 files changed, 11 insertions(+), 10 deletions(-)
|
||||
|
||||
--- a/changehat/tomcat_apparmor/tomcat_5_5/build.xml
|
||||
+++ b/changehat/tomcat_apparmor/tomcat_5_5/build.xml
|
||||
@@ -4,8 +4,8 @@
|
||||
<property name="jni_src" location="src/jni_src"/>
|
||||
<property name="build" location="build"/>
|
||||
<property name="install_root" location="/"/>
|
||||
- <property name="catalina_home" location="/usr/share/tomcat5"/>
|
||||
- <property name="lib" location="lib"/>
|
||||
+ <property name="catalina_home" location="/usr/share/tomcat6"/>
|
||||
+ <property name="lib" location="/usr/share/tomcat6/bin"/>
|
||||
<property name="install_lib" value="/lib"/>
|
||||
<property name="dist" location="dist"/>
|
||||
<property name="jarfile" location="${dist}/${ant.project.name}.jar"/>
|
||||
@@ -18,10 +18,11 @@
|
||||
<include name="**/*.jar"/>
|
||||
</fileset>
|
||||
|
||||
- <fileset id="tomcat.jars" dir="${catalina_home}/server/lib">
|
||||
+ <fileset id="tomcat.jars" dir="${catalina_home}/lib">
|
||||
<include name="**/*.jar"/>
|
||||
</fileset>
|
||||
- <fileset id="servlet.jars" dir="${catalina_home}/common/lib">
|
||||
+
|
||||
+ <fileset id="servlet.jars" dir="${catalina_home}/lib">
|
||||
<include name="**/*.jar"/>
|
||||
</fileset>
|
||||
|
||||
@@ -80,9 +81,9 @@
|
||||
</target>
|
||||
|
||||
<target name="install_jar" depends="jni_so" description="Install jar file">
|
||||
- <mkdir dir="${install_root}/${catalina_home}/server/lib/"/>
|
||||
- <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
|
||||
- <chmod perm="644" file="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
|
||||
+ <mkdir dir="${install_root}/${catalina_home}/lib/"/>
|
||||
+ <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
|
||||
+ <chmod perm="644" file="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
|
||||
</target>
|
||||
|
||||
<target name="clean" description="Remove build and dist directories">
|
||||
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
|
||||
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
|
||||
@@ -13,7 +13,7 @@
|
||||
|
||||
#include "jni.h"
|
||||
#include <errno.h>
|
||||
-#include "sys/apparmor.h"
|
||||
+#include "apparmor.h"
|
||||
#include "com_novell_apparmor_JNIChangeHat.h"
|
||||
|
||||
/* c intermediate lib call for Java -> JNI -> c library execution of the change_hat call */
|
||||
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
|
||||
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
|
||||
@@ -4,7 +4,7 @@ LIB = lib/
|
||||
LIBDIR = /usr/${LIB}
|
||||
INCLUDE = ${LIBDIR}/jvm/java/include
|
||||
CFLAGS = -g -O2 -Wall -Wstrict-prototypes -Wl,-soname,$@.${SO_VERS} -pipe -fpic -D_REENTRANT
|
||||
-INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux
|
||||
+INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux -I$(TOP)/../../../libraries/libapparmor/src/
|
||||
CLASSFILE = ${CLASSPATH}/com/novell/apparmor/${JAVA_CLASSNAME}.class
|
||||
DESTDIR = ${TOP}/dist
|
||||
SO_VERS = 1
|
||||
@@ -20,7 +20,7 @@ ${JAVA_CLASSNAME}.java com_novell_apparm
|
||||
javah -jni -classpath ${CLASSPATH} com.novell.apparmor.${JAVA_CLASSNAME}
|
||||
|
||||
${TARGET}.so: ${JAVA_CLASSNAME}.c ${JAVA_CLASSNAME}.java com_novell_apparmor_${JAVA_CLASSNAME}.h
|
||||
- gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -lapparmor
|
||||
+ gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -L$(TOP)/../../../libraries/libapparmor/src/.libs -lapparmor
|
||||
|
||||
install: ${TARGET}.so
|
||||
install -d $(DESTDIR)/${LIB} $(DESTDIR)${LIBDIR}
|