Accepting request 65172 from security:apparmor:factory

Accepted submit request 65172 from user licensedigger

OBS-URL: https://build.opensuse.org/request/show/65172
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=14
Sascha Peilicke 2011-03-25 08:04:51 +00:00 committed by Git OBS Bridge
parent 477fa21390
commit b5a1419370
44 changed files with 2061 additions and 3126 deletions


@ -1,705 +0,0 @@
=== added file '.bzrignore'
--- a/.bzrignore 1970-01-01 00:00:00 +0000
+++ b/.bzrignore 2011-01-10 18:12:33 +0000
@@ -0,0 +1,1 @@
+parser/tst/simple_tests/generated_x/*.sd
=== modified file 'libraries/libapparmor/testsuite/Makefile.am'
--- a/libraries/libapparmor/testsuite/Makefile.am 2008-05-19 22:48:31 +0000
+++ b/libraries/libapparmor/testsuite/Makefile.am 2011-01-10 18:12:33 +0000
@@ -12,7 +12,7 @@
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
clean-local:
rm -f tmp.err.* tmp.out.* site.exp site.bak
=== modified file 'parser/Makefile'
--- a/parser/Makefile 2009-11-11 18:58:57 +0000
+++ b/parser/Makefile 2011-01-10 18:12:33 +0000
@@ -45,11 +45,14 @@
echo "$${warning}"; \
fi ; \
done)
-CFLAGS = -O2 -pipe
+ifndef CFLAGS
+CFLAGS = -g -O2 -pipe
ifdef DEBUG
CFLAGS = -g
endif
+endif #CFLAGS
+
EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE
#LEXLIB := -lfl
@@ -125,9 +128,20 @@
techdoc.txt: techdoc/index.html
w3m -dump $< > $@
-all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
+# targets arranged this way so that people who don't want full docs can
+# pick specific targets they want.
+main: $(TOOLS)
$(Q)make -C po all
- $(Q)make -s tests
+
+manpages: $(MANPAGES)
+
+htmlmanpages: $(HTMLMANPAGES)
+
+pdf: techdoc.pdf
+
+docs: manpages htmlmanpages pdf
+
+all: main docs tests
apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
rm -f ./libstdc++.a
@@ -191,7 +205,7 @@
af_names.h: /usr/include/bits/socket.h
LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
- cat $@
+ # cat $@
cap_names.h: /usr/include/linux/capability.h
LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
@@ -224,7 +238,7 @@
.SILENT: $(AAREOBJECTS)
.PHONY: $(AAREOBJECTS)
$(AAREOBJECTS):
- make -C $(AAREDIR)
+ make -C $(AAREDIR) CFLAGS="$(CFLAGS)"
.SILENT: $(PCREOBJECTS)
.PHONY: $(PCREOBJECTS)
=== modified file 'parser/immunix.h'
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
+++ b/parser/immunix.h 2011-01-10 18:12:33 +0000
@@ -148,12 +148,12 @@
#include <stdio.h>
static inline int is_merged_x_consistent(int a, int b)
{
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
return 0;
}
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
return 0;
=== modified file 'parser/libapparmor_re/regexp.y'
--- a/parser/libapparmor_re/regexp.y 2010-07-24 14:16:14 +0000
+++ b/parser/libapparmor_re/regexp.y 2011-01-10 18:12:33 +0000
@@ -720,17 +720,19 @@
Node *i = t->child[!dir];
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
@@ -2581,9 +2583,9 @@
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
extern "C" void aare_reset_matchflags(void)
{
@@ -2644,8 +2646,8 @@
flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile 2011-01-10 18:12:33 +0000
@@ -11,8 +11,11 @@
all: tests
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity caching
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
@@ -34,3 +37,6 @@
$(PARSER):
make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*
=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl 2011-01-10 18:12:33 +0000
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-10 18:12:33 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers 2011-01-10 18:12:33 +0000
@@ -18,7 +18,7 @@
/usr/bin/prism PUx,
/usr/bin/rekonq PUx,
/usr/bin/seamonkey PUx,
- /usr/bin/sensible-browser PUxr,
+ /usr/bin/sensible-browser Pixr,
/usr/bin/chromium-browser PUx,
/usr/lib/chromium-browser/chromium-browser PUx,
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
--- a/profiles/apparmor.d/abstractions/ubuntu-email 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-email 2011-01-10 18:12:33 +0000
@@ -15,5 +15,5 @@
/usr/bin/tkrat PUx,
/usr/lib/thunderbird/thunderbird PUx,
- /usr/lib/thunderbird-3*/thunderbird PUx,
+ /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,
=== modified file 'tests/regression/subdomain/changehat_misc.sh'
--- a/tests/regression/subdomain/changehat_misc.sh 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/changehat_misc.sh 2011-01-10 18:12:33 +0000
@@ -64,7 +64,7 @@
echo "*** A 'Killed' message from bash is expected for the following test"
runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
+# 1. ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL
# PROFILE
# 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
settest changehat_fail
=== modified file 'tests/regression/subdomain/deleted.c'
--- a/tests/regression/subdomain/deleted.c 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/deleted.c 2011-01-10 18:12:33 +0000
@@ -90,7 +90,7 @@
}
/* test that we can create the file. Not necessarily a (deleted)
- * case but lets use flush out other combinations
+ * case but lets us flush out other combinations.
*/
fd2=creat(argv[2], S_IRUSR | S_IWUSR);
if (fd2 == -1){
=== modified file 'tests/regression/subdomain/deleted.sh'
--- a/tests/regression/subdomain/deleted.sh 2007-12-23 01:00:19 +0000
+++ b/tests/regression/subdomain/deleted.sh 2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
#! /bin/bash
-# $Id$
-
+#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -10,7 +10,7 @@
#=NAME deleted
#=DESCRIPTION
-# Test subdomain is properly working around a kernel in which the kernel
+# Test AppArmor is properly working around a kernel in which the kernel
# appends (deleted) to deleted files verifies that the d_path appending
# (deleted) fix is working
#=END
@@ -24,6 +24,7 @@
file=$tmpdir/file
file2="$tmpdir/file (deleted)"
+file3="$tmpdir/unavailable"
okperm=rwl
subtest=sub
@@ -40,8 +41,8 @@
# NO CHANGEHAT TEST - doesn't force revalidation
genprofile $file:$okperm
-
runchecktest "NO CHANGEHAT (access file)" pass nochange $file
+runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3
genprofile "$file2":$okperm
runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2"
@@ -49,6 +50,7 @@
# CHANGEHAT TEST - force revalidation using changehat
genprofile $file:$okperm hat:$subtest $file:$okperm
runchecktest "CHANGEHAT (access file)" pass $subtest $file
+runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3
genprofile "$file2":$okperm hat:$subtest "$file2":$okperm
runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2"
@@ -115,7 +117,7 @@
# FAIL - confined client, w access to the file
genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
-runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file"
+runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file"
sleep 1
rm -f ${socket}
=== modified file 'tests/regression/subdomain/mkprofile.pl'
--- a/tests/regression/subdomain/mkprofile.pl 2009-11-11 18:44:26 +0000
+++ b/tests/regression/subdomain/mkprofile.pl 2011-01-10 18:12:33 +0000
@@ -5,7 +5,7 @@
#
# Gawd, I hate writing perl. It shows, too.
#
-my $__VERSION__='$Id$';
+my $__VERSION__=$0;
use strict;
use Getopt::Long;
=== modified file 'tests/regression/subdomain/prologue.inc'
--- a/tests/regression/subdomain/prologue.inc 2010-08-26 18:24:41 +0000
+++ b/tests/regression/subdomain/prologue.inc 2011-01-10 18:12:33 +0000
@@ -93,8 +93,10 @@
while [ -h ${link} ]
do
- if [ -x /usr/bin/readlink ] ; then
- target=$(/usr/bin/readlink ${link})
+ if [ -x /usr/bin/readlink ] ; then
+ target=$(/usr/bin/readlink -f ${link})
+ elif [ -x /bin/readlink ] ; then
+ target=$(/bin/readlink -f ${link})
else
# I'm sure there's a more perlish way to do this
target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));")
=== modified file 'tests/regression/subdomain/pwrite.sh'
--- a/tests/regression/subdomain/pwrite.sh 2007-12-23 00:58:47 +0000
+++ b/tests/regression/subdomain/pwrite.sh 2011-01-10 18:12:33 +0000
@@ -27,7 +27,7 @@
genprofile $file:$okperm
-runtestbg "PWRITE with w" pass $file
+runtestbg "PREAD/PWRITE with rw" pass $file
sleep 2
=== modified file 'tests/regression/subdomain/swap.sh'
--- a/tests/regression/subdomain/swap.sh 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/swap.sh 2011-01-10 18:12:33 +0000
@@ -32,7 +32,7 @@
swap_file=$tmpdir/swapfile
dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null
-/sbin/mkswap ${swap_file} > /dev/null
+/sbin/mkswap -f ${swap_file} > /dev/null
# TEST 1. Make sure can enable and disable swap unconfined
=== modified file 'tests/regression/subdomain/syscall.sh'
--- a/tests/regression/subdomain/syscall.sh 2007-12-23 01:02:50 +0000
+++ b/tests/regression/subdomain/syscall.sh 2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
#! /bin/bash
-# $Id$
-
+#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -114,9 +114,9 @@
runchecktest "MKNOD sock (permissions)" fail s $mknod_file
##
-## D. SETHOSTNAME
+## C. SYSCTL
##
-sh syscall_sysctl.sh
+bash syscall_sysctl.sh
##
## D. SETHOSTNAME
=== modified file 'tests/regression/subdomain/unix_fd_server.c'
--- a/tests/regression/subdomain/unix_fd_server.c 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/unix_fd_server.c 2011-01-10 18:12:33 +0000
@@ -2,6 +2,7 @@
/*
* Copyright (C) 2002-2005 Novell/SUSE
+ * Copyright (C) 2010 Canonical, Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
@@ -134,6 +135,7 @@
}
/* Check for info re: reading the file */
+ memset(inbound_buffer, 0, sizeof(inbound_buffer));
if (recv(in_sock, inbound_buffer, 16,0) == -1 ) {
fprintf(stderr, "FAIL - recv %s\n",
strerror(errno));
=== modified file 'tests/regression/subdomain/xattrs.sh'
--- a/tests/regression/subdomain/xattrs.sh 2010-02-07 07:04:57 +0000
+++ b/tests/regression/subdomain/xattrs.sh 2011-01-10 18:12:33 +0000
@@ -38,41 +38,59 @@
. $bin/prologue.inc
-file=$tmpdir/testfile
-link=$tmpdir/testlink
-dir=$tmpdir/testdir/
+tmpmount=$tmpdir/mountpoint
+diskimg=$tmpdir/disk.img
+file=$tmpmount/testfile
+link=$tmpmount/testlink
+dir=$tmpmount/testdir/
okperm=rw
badperm=r
+# guarantee fs supports user_xattrs
+dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null
+mkfs.ext3 -q -F ${diskimg}
+mkdir ${tmpmount}
+mount -o loop,user_xattr ${diskimg} ${tmpmount}
+
touch $file
ln -s $file $link
mkdir $dir
+add_attrs()
+{
+ #set the xattr for thos that passed above again so we can test removing it
+ setfattr -h -n security.sdtest -v hello "$1"
+ setfattr -h -n trusted.sdtest -v hello "$1"
+ if [ "$1" != $link ] ; then
+ setfattr -h -n user.sdtest -v hello "$1"
+ fi
+}
+
for var in $file $link $dir ; do
#write xattr
genprofile $var:$badperm
xattrtest $var $badperm write security fail
#xattrtest $var $badperm write system fail
xattrtest $var $badperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail
#xattrtest $var "$badperm+cap SYS_ADMIN" write system fail
xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi
genprofile $var:$okperm
xattrtest $var $okperm write security xpass
#xattrtest $var $okperm write system fail
xattrtest $var $okperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi
genprofile $var:$okperm capability:sys_admin
xattrtest $var "$okperm+cap SYS_ADMIN" write security pass
#xattrtest $var "$okperm+cap SYS_ADMIN" write system pass
xattrtest $var "$okperm+cap SYS_ADMIN" write trusted pass
- if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi
#read xattr
@@ -80,13 +98,13 @@
xattrtest $var $badperm read security pass
#xattrtest $var $badperm read system fail
xattrtest $var $badperm read trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" read security pass
#xattrtest $var "$badperm+cap SYS_ADMIN" read system pass
xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi
#remove xattr
@@ -94,23 +112,25 @@
xattrtest $var $badperm remove security fail
#xattrtest $var $badperm remove system fail
xattrtest $var $badperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi
+
+ add_attrs $var
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail
#xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail
xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi
+
+ add_attrs $var
genprofile $var:$okperm
xattrtest $var $okperm remove security xpass
#xattrtest $var $okperm remove system fail
xattrtest $var $okperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi
- #set the xattr for thos that passed above again so we can test removing it
- setfattr -h -n security.sdtest -v hello $var
- if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi
+ add_attrs $var
genprofile $var:$okperm capability:sys_admin
xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass
@@ -120,3 +140,4 @@
done
+umount ${tmpmount}
=== modified file 'utils/SubDomain.pm'
--- a/utils/SubDomain.pm 2010-09-21 07:40:50 +0000
+++ b/utils/SubDomain.pm 2011-01-10 18:12:33 +0000
@@ -2420,7 +2420,7 @@
my $RE_LOG_v2_1_audit =
qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
my $RE_LOG_v2_6_audit =
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
sub prefetch_next_log_entry {
# if we already have an existing cache entry, something's broken
@@ -6622,10 +6622,14 @@
LibAppArmor::free_record($event);
#map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),


@ -1,37 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: profiles: Add libvirt pid support to dnsmasq profile
References: bnc#666090
libvirt starts up dnsmasq with its pid file in
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/usr.sbin.dnsmasq | 6 ++++++
1 file changed, 6 insertions(+)
Index: apparmor-2.5.1/profiles/apparmor.d/usr.sbin.dnsmasq
===================================================================
--- apparmor-2.5.1.orig/profiles/apparmor.d/usr.sbin.dnsmasq
+++ apparmor-2.5.1/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -8,6 +8,9 @@
capability setgid,
capability setuid,
capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
@@ -19,5 +22,10 @@
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
+ /var/run/libvirt/network/ r, # Required when called by libvirt
+ /var/run/libvirt/network/*.pid rw, # Required when called by libvirt
+ /var/lib/libvirt/dnsmasq/ r, # Required when called by libvirt
+ /var/lib/libvirt/dnsmasq/*.hostsfile r, # Required when called by libvirt
+
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
}


@ -17,7 +17,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -71,6 +71,9 @@
@@ -70,6 +70,9 @@
# kerberos
#include <abstractions/kerberosclient>


@ -1,26 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-profiles: Fix proc usage in firefox profile
References: bnc#436262
This patch corrects the use of the {proc} macro. It should be {PROC}.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
@@ -32,9 +32,9 @@
/opt/kde3/share/applications/ r,
/opt/kde3/share/applications/mimeinfo.cache r,
- owner @{proc}/*/mounts r,
- @{proc}/meminfo r,
- @{proc}/sys/kernel/ngroups_max r,
+ owner @{PROC}/*/mounts r,
+ @{PROC}/meminfo r,
+ @{PROC}/sys/kernel/ngroups_max r,
/usr/lib/**.so mr,


@ -1,7 +1,10 @@
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
===================================================================
---
profiles/apparmor.d/abstractions/ldapclient | 21 +++++++++++++++++++++
profiles/apparmor.d/abstractions/nameservice | 8 +++-----
2 files changed, 24 insertions(+), 5 deletions(-)
--- /dev/null
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
+++ b/profiles/apparmor.d/abstractions/ldapclient
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
@ -24,11 +27,9 @@ Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
+ /usr/lib{,32,64}/sasl2/* r,
+
+ #include <abstractions/ssl_certs>
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
===================================================================
--- apparmor-2.5.1.orig/profiles/apparmor.d/abstractions/nameservice
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
@@ -17,8 +17,6 @@
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -16,8 +16,6 @@
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
@ -37,7 +38,7 @@ Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/passwd r,
@@ -33,9 +31,6 @@
@@ -32,9 +30,6 @@
/etc/samba/lmhosts r,
/etc/services r,
@ -47,7 +48,7 @@ Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -59,6 +54,9 @@
@@ -58,6 +53,9 @@
# nis
#include <abstractions/nis>


@ -1,94 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compability patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names where changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 46 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -233,6 +233,50 @@ my %MODE_HASH = (
N => $AA_EXEC_NT,
);
+
+# Currently only used by netdomain but there's no reason it couldn't
+# be extended to support other types.
+my %operation_types = (
+
+ # Old socket names
+ "socket_create", => "net",
+ "socket_post_create" => "net",
+ "socket_bind" => "net",
+ "socket_connect" => "net",
+ "socket_listen" => "net",
+ "socket_accept" => "net",
+ "socket_sendmsg" => "net",
+ "socket_recvmsg" => "net",
+ "socket_getsockname" => "net",
+ "socket_getpeername" => "net",
+ "socket_getsockopt" => "net",
+ "socket_setsockopt" => "net",
+ "socket_shutdown" => "net",
+
+ # New socket names
+ "create" => "net",
+ "post_create" => "net",
+ "bind" => "net",
+ "connect" => "net",
+ "listen" => "net",
+ "accept" => "net",
+ "sendmsg" => "net",
+ "recvmsg" => "net",
+ "getsockname" => "net",
+ "getpeername" => "net",
+ "getsockopt" => "net",
+ "setsockopt" => "net",
+ "sock_shutdown" => "net",
+);
+
+sub optype($) {
+ my $op = shift;
+ my $type = $operation_types{$op};
+
+ return "unknown" if !defined($type);
+ return $type;
+}
+
sub debug ($) {
my $message = shift;
chomp($message);
@@ -2911,7 +2955,7 @@ sub add_event_to_tree ($) {
}
$pid{$child} = $arrayref;
push @{$arrayref}, [ "fork", $child, $profile, $hat ];
- } elsif ($e->{operation} =~ m/socket_/) {
+ } elsif (optype($e->{operation}) eq "net") {
add_to_tree( $e->{pid},
$e->{parent},
"netdomain",
@@ -6620,7 +6664,7 @@ sub parse_event($) {
LibAppArmor::aa_log_record::swig_magic_token_get($event);
# NetDomain
- if ( $ev{'operation'} && $ev{'operation'} =~ /socket/ ) {
+ if ( $ev{'operation'} && optype($ev{'operation'}) eq "net" ) {
$ev{'family'} =
LibAppArmor::aa_log_record::swig_net_family_get($event);
$ev{'protocol'} =


@ -1,28 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/usr.sbin.ntpd | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -59,11 +59,11 @@
/var/run/ntpd.pid w,
/var/tmp/ntp* rwl,
@{PROC}/*/net/if_inet6 r,
- @{PROC}/*/sys/kernel/ngroups_max r,
+ @{PROC}/sys/kernel/ngroups_max r,
# allow access for when chrooted
/var/lib/ntp/@{PROC}/*/net/if_inet6 r,
- /var/lib/ntp/@{PROC}/*/sys/kernel/ngroups_max r,
+ /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
@{NTPD_DEVICE} rw,
}


@ -14,7 +14,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -25,6 +25,7 @@
@@ -24,6 +24,7 @@
capability sys_chroot,
capability sys_resource,
capability sys_time,


@ -39,7 +39,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
#include <stdio.h>
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -17,6 +17,7 @@
@@ -15,6 +15,7 @@
* along with this program; if not, contact Novell, Inc.
*/
@ -59,11 +59,11 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+
/* eliminates need to link with libfl */
%option noyywrap
%option nounput
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
@@ -19,6 +19,7 @@
* Ltd.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
@ -72,11 +72,11 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
#include <stdlib.h>
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -17,6 +17,7 @@
@@ -15,6 +15,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include <ctype.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>


@ -29,7 +29,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -15,3 +15,7 @@
@@ -14,3 +14,7 @@
/etc/ssl/certs/* r,
/usr/share/ca-certificates/ r,
/usr/share/ca-certificates/** r,
@ -39,7 +39,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+ /usr/share/ca-certificates/mozilla/* r,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
@@ -16,6 +16,7 @@
@@ -15,6 +15,7 @@
#include <abstractions/nameservice>
#include <abstractions/kerberosclient>
#include <program-chunks/postfix-common>
@ -47,7 +47,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
capability dac_override,
capability dac_read_search,
@@ -39,7 +40,6 @@
@@ -38,7 +39,6 @@
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/prng_exch rw,
/usr/share/ssl/certs/ca-bundle.crt r,
@ -57,7 +57,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
/etc/mtab r,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
@@ -16,6 +16,7 @@
@@ -15,6 +15,7 @@
#include <abstractions/nameservice>
#include <abstractions/kerberosclient>
#include <program-chunks/postfix-common>
@ -65,7 +65,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
capability dac_override,
capability dac_read_search,
@@ -44,7 +45,6 @@
@@ -43,7 +44,6 @@
/usr/lib/sasl2/* mr,
/usr/share/ssl/certs/ca-bundle.crt r,
@ -75,7 +75,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
/{var/spool/postfix/,}private/anvil w,
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
@@ -18,6 +18,7 @@
@@ -17,6 +17,7 @@
#include <abstractions/kerberosclient>
#include <abstractions/nameservice>
#include <abstractions/perl>
@ -83,7 +83,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
capability kill,
capability net_bind_service,
@@ -84,7 +85,6 @@
@@ -83,7 +84,6 @@
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
/usr/share/snmp/mibs/.index wr,
@ -93,7 +93,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
/var/log/httpd/ssl_scache.dir r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
@@ -16,10 +16,10 @@
@@ -15,10 +15,10 @@
#include <abstractions/nameservice>
#include <abstractions/authentication>
#include <abstractions/user-mail>
@ -107,7 +107,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
}
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
@@ -16,10 +16,10 @@
@@ -15,10 +15,10 @@
#include <abstractions/nameservice>
#include <abstractions/authentication>
#include <abstractions/user-mail>
@ -121,7 +121,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
}
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
@@ -16,10 +16,10 @@
@@ -15,10 +15,10 @@
#include <abstractions/nameservice>
#include <abstractions/authentication>
#include <abstractions/user-mail>


@ -1,37 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
return if ($e->{operation} =~ /profile_set/);
my ($profile, $hat);
+
+ # The version of AppArmor that was accepted into the mainline kernel
+ # issues audit events for things like change_hat while unconfined.
+ # Previous versions just returned -EPERM without the audit so the
+ # events wouldn't have been picked up here.
+ return if (!$e->{profile});
+
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.



@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:00334c3e5391fa1578aa177ec5da1232073bc88141c1a49c3ecb1814784cc99b
size 1293448

apparmor-2.6.0.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b08f90ee4d6774d1fe176adfa5764e3d24a6b1976b249757f25203b52216f857
size 1240705


@ -1,22 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-docs: Fix grammar error in techdoc.pdf
References: bnc#588235
This patch fixes a grammar error in techdoc.pdf.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
parser/techdoc.tex | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/techdoc.tex
+++ b/parser/techdoc.tex
@@ -213,7 +213,7 @@ files by controlling file descriptor pas
\subsection{Mount}
-Mounting can change a process's namespace in in almost arbitrary ways.
+Mounting can change a process's namespace in almost arbitrary ways.
This is a problem because AppArmor's file access control is pathname
based, and granting a process the right to arbitrarily change its
namespace would subvert this protection mechanism. AppArmor therefore


@ -12,4 +12,4 @@
+tests: error_output gen_xtrans parser_sanity
gen_xtrans:
perl ./gen-xtrans.pl
./gen-xtrans.pl
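Review bot: If `./gen-xtrans.pl` is the new recipe line (the rendered page has lost the side markers; print order suggests it replaced `perl ./gen-xtrans.pl`), the `gen_xtrans` target now depends on the script's execute bit and shebang surviving tarball extraction and patching, which the explicit `perl ./gen-xtrans.pl` invocation did not. Invoking the interpreter explicitly, or `$(PERL) ./gen-xtrans.pl` if that Makefile defines a `PERL` variable, keeps the `tests` target working regardless of file mode. The rest of that Makefile lies outside the section, so I cannot tell whether the file-mode assumption is covered elsewhere.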


@ -1,19 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-parser: Fix up translations
References: bnc#586070
---
parser/parser_interface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -77,7 +77,7 @@ static void print_error(int error)
PERROR(_("Out of memory\n"));
break;
case -EFAULT:
- PERROR(_("Couldn't copy profile Bad memory address\n"));
+ PERROR(_("Couldn't copy profile: Bad memory address\n"));
break;
case -EPROTO:
PERROR(_("Profile doesn't conform to protocol\n"));


@ -1,16 +0,0 @@
---
utils/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -41,7 +41,8 @@ all: ${MANPAGES} ${HTMLMANPAGES}
DESTDIR=/
BINDIR=${DESTDIR}/usr/sbin
CONFDIR=${DESTDIR}/etc/apparmor
-PERLDIR=${DESTDIR}/usr/lib/perl5/vendor_perl/Immunix
+VENDOR_PERL ?= /usr/lib/perl5/vendor_perl
+PERLDIR := ${DESTDIR}${VENDOR_PERL}/Immunix
po/${NAME}.pot: ${TOOLS}
make -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} SubDomain.pm Repository.pm Config.pm Reports.pm"


@ -4,13 +4,14 @@ References: bnc#561152
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/sbin.dhclient | 61 +++++++++++------
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
2 files changed, 61 insertions(+), 21 deletions(-)
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -12,12 +12,12 @@
@@ -11,12 +11,12 @@
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
@ -29,7 +30,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
#include <tunables/global>
@@ -25,25 +25,30 @@
@@ -24,25 +24,30 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
@ -75,7 +76,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
/var/log/lastlog r,
@@ -53,4 +58,18 @@
@@ -52,4 +57,18 @@
/var/run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,


@ -13,7 +13,7 @@ References: bnc#457072
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -30,6 +30,8 @@
@@ -29,6 +29,8 @@
capability kill,
capability setgid,
capability setuid,
@ -22,7 +22,7 @@ References: bnc#457072
/dev/ptmx rw,
/dev/urandom r,
@@ -44,11 +46,12 @@
@@ -43,11 +45,12 @@
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,


@ -1,5 +1,9 @@
--- a/profiles/apparmor.d/sbin.syslog-ng.old 2008-11-05 15:53:00.000000000 +0100
+++ b/profiles/apparmor.d/sbin.syslog-ng 2010-11-05 09:11:23.186489224 +0100
---
profiles/apparmor.d/sbin.syslog-ng | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/profiles/apparmor.d/sbin.syslog-ng
+++ b/profiles/apparmor.d/sbin.syslog-ng
@@ -19,12 +19,14 @@
#include <abstractions/base>
#include <abstractions/consoles>
@ -29,5 +33,5 @@
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
+ /var/run/syslog-ng/additional-log-sockets.conf r,
}
# Site-specific additions and overrides. See local/README for details.
#include <local/sbin.syslog-ng>


@ -0,0 +1,33 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/usr.sbin.dnsmasq | 4 ++++
1 file changed, 4 insertions(+)
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -25,10 +25,12 @@
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
+ /etc/ethers r,
/usr/sbin/dnsmasq mr,
/var/run/*dnsmasq*.pid w,
+ /var/run/dnsmasq-forwarders r,
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
@@ -37,6 +39,8 @@
# libvirt pid files for dnsmasq
/var/run/libvirt/network/ r,
/var/run/libvirt/network/*.pid rw,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.dnsmasq>
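Review bot: The two new `/var/lib/libvirt/dnsmasq/` rules sit under the comment `# libvirt pid files for dnsmasq`, which after this patch describes only the first two lines of that block; change it to `# libvirt pid and host files for dnsmasq` so the comment matches the rules beneath it. The References line names bnc#666090 and bnc#678749, while the changelog entry in this same commit credits only bnc#678749 for the /etc/ethers and dnsmasq-forwarders additions — if bnc#666090 is what motivates the libvirt hostsfile rules, recording it there too keeps the two records consistent. All four additions are read-only grants, which is the minimal access for these inputs.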


@ -9,14 +9,14 @@ Subject: apparmor-utils: Allow repository to be completely disabled
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 5 +++++
utils/logprof.conf | 4 ++++
utils/Immunix/AppArmor.pm | 5 +++++
utils/logprof.conf | 4 ++++
2 files changed, 9 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -3107,6 +3107,8 @@ sub UI_repo_signup {
sub UI_ask_to_enable_repo {
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -3153,6 +3153,8 @@ sub UI_repo_signup() {
sub UI_ask_to_enable_repo() {
my $q = { };
+ return if (defined $cfg->{settings}{allow_repository} &&
@ -24,7 +24,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
return if ( not defined $cfg->{repository}{url} );
$q->{headers} = [
gettext("Repository"), $cfg->{repository}{url},
@@ -3231,6 +3233,8 @@ sub get_preferred_user ($) {
@@ -3277,6 +3279,8 @@ sub get_preferred_user ($) {
sub repo_is_enabled () {
my $enabled;
@ -33,8 +33,8 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
if ($cfg->{repository}{url} &&
$repo_cfg &&
$repo_cfg->{repository}{enabled} &&
@@ -3244,6 +3248,7 @@ sub repo_is_enabled () {
sub update_repo_profile {
@@ -3290,6 +3294,7 @@ sub repo_is_enabled () {
sub update_repo_profile($) {
my $profile = shift;
+ return undef if not repo_is_enabled();
@ -43,7 +43,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
my $url = $profile->{repo}{url};
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -35,6 +35,10 @@
@@ -34,6 +34,10 @@
# files.
custom_includes =


@ -1,13 +1,13 @@
---
parser/rc.aaeventd.suse | 2 +-
parser/rc.apparmor.functions | 16 ++++++++--------
parser/rc.apparmor.functions | 14 +++++++-------
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
3 files changed, 31 insertions(+), 10 deletions(-)
3 files changed, 30 insertions(+), 9 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -30,7 +30,7 @@
@@ -27,7 +27,7 @@
### BEGIN INIT INFO
# Provides: aaeventd
# Required-Start: apparmor
@ -18,7 +18,7 @@
# Short-Description: AppArmor Notification and Reporting
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -111,9 +111,7 @@ is_apparmor_present() {
@@ -108,9 +108,7 @@ is_apparmor_present() {
# check for subdomainfs version of module
grep -qE "^($modules)[[:space:]]" /proc/modules
@ -29,7 +29,7 @@
return $?
}
@@ -380,10 +378,11 @@ apparmor_start() {
@@ -377,10 +375,11 @@ apparmor_start() {
configure_owlsm
# if there is anything in the profiles file don't load
@ -43,7 +43,7 @@
fi
aa_log_end_msg 0
return 0
@@ -415,7 +414,8 @@ remove_profiles() {
@@ -412,7 +411,8 @@ remove_profiles() {
#them so stor to tmp first
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
@ -53,7 +53,7 @@
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
rc=$?
if [ ${rc} -ne 0 ] ; then
@@ -430,7 +430,7 @@ apparmor_stop() {
@@ -427,7 +427,7 @@ apparmor_stop() {
aa_log_daemon_msg "Unloading AppArmor profiles "
remove_profiles
rc=$?
@ -62,18 +62,9 @@
return $rc
}
@@ -468,7 +468,7 @@ __apparmor_restart() {
profiles_names_list ${PNAMES_LIST}
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do
+ sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
done
rm "$MODULE_PLIST"
--- a/parser/rc.apparmor.suse
+++ b/parser/rc.apparmor.suse
@@ -34,6 +34,7 @@
@@ -31,6 +31,7 @@
# Required-Start: boot.cleanup
# Required-Stop: $null
# Should-Start: $local_fs
@ -81,7 +72,7 @@
# Default-Start: B
# Default-Stop:
# Short-Description: AppArmor initialization
@@ -76,7 +77,19 @@ aa_log_warning_msg() {
@@ -73,7 +74,19 @@ aa_log_warning_msg() {
}
aa_log_failure_msg() {
@ -102,7 +93,7 @@
}
aa_log_skipped_msg() {
@@ -84,6 +97,14 @@ aa_log_skipped_msg() {
@@ -81,6 +94,14 @@ aa_log_skipped_msg() {
echo -e "$rc_skipped"
}


@ -4,7 +4,7 @@
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -81,9 +81,9 @@ usage() {
@@ -78,9 +78,9 @@ usage() {
start_aa_event() {
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then


@ -1,15 +0,0 @@
---
libraries/libapparmor/swig/perl/Makefile.am | 1 +
1 file changed, 1 insertion(+)
--- a/libraries/libapparmor/swig/perl/Makefile.am
+++ b/libraries/libapparmor/swig/perl/Makefile.am
@@ -9,6 +9,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibA
Makefile.perl: Makefile.PL
$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
+ sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi


@ -1,24 +0,0 @@
---
utils/SubDomain.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2304,7 +2304,7 @@ sub handlechildren {
unless (-e getprofilefilename($exec_target)) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$helpers{$exec_target} = "enforce";
@@ -2331,7 +2331,7 @@ sub handlechildren {
unless ($sd{$profile}{$exec_target}) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$hat = $exec_target;


@ -1,107 +0,0 @@
---
utils/Reports.pm | 2 +-
utils/SubDomain.pm | 2 +-
utils/genprof | 4 ++--
utils/rc.sd-event-dispatch.suse | 10 +++++-----
utils/unconfined | 2 +-
5 files changed, 10 insertions(+), 10 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -14,7 +14,7 @@ package Immunix::Reports;
################################################################################
# /usr/lib/perl5/site_perl/Reports.pm
#
-# - Parses /var/log/messages for SubDomain messages
+# - Parses /var/log/messages for AppArmor messages
# - Writes results to .html or comma-delimited (.csv) files (Optional)
#
# Requires:
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1590,7 +1590,7 @@ my %CMDS = (
CMD_GLOBEXT => "Glob w/(E)xt",
CMD_ADDHAT => "(A)dd Requested Hat",
CMD_USEDEFAULT => "(U)se Default Hat",
- CMD_SCAN => "(S)can system log for SubDomain events",
+ CMD_SCAN => "(S)can system log for AppArmor events",
CMD_HELP => "(H)elp",
CMD_VIEW_PROFILE => "(V)iew Profile",
CMD_USE_PROFILE => "(U)se Profile",
--- a/utils/genprof
+++ b/utils/genprof
@@ -52,7 +52,7 @@ GetOptions(
my $sd_mountpoint = check_for_subdomain();
unless ($sd_mountpoint) {
- fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
+ fatal_error(gettext("AppArmor does not appear to be started. Please enable AppArmor and try again."));
}
# let's convert it to full path...
@@ -166,7 +166,7 @@ for my $p (sort keys %helpers) {
}
}
-UI_Info(gettext("Reloaded SubDomain profiles in enforce mode."));
+UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0;
--- a/utils/rc.sd-event-dispatch.suse
+++ b/utils/rc.sd-event-dispatch.suse
@@ -7,14 +7,14 @@
# /usr/sbin/rcsd-event-dispatch
#
# chkconfig: 2345 01 99
-# description: SubDomain event dispatcher
+# description: AppArmor event dispatcher
#
### BEGIN INIT INFO
# Provides: sd-event-dispatch
# Required-Start: subdomain
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
-# Description: Start the SubDomain event dispacher
+# Description: Start the AppArmor event dispacher
### END INIT INFO
SD_EV_BIN=/usr/sbin/sd-event-dispatch.pl
@@ -38,7 +38,7 @@ rc_reset
case "$1" in
start)
- echo -n "Starting SubDomain Event daemon"
+ echo -n "Starting AppArmor Event daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
@@ -48,7 +48,7 @@ case "$1" in
rc_status -v
;;
stop)
- echo -n "Shutting down SubDomain Event daemon"
+ echo -n "Shutting down AppArmor Event daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
@@ -75,7 +75,7 @@ case "$1" in
rc_status
;;
status)
- echo -n "Checking for SubDomain Event daemon"
+ echo -n "Checking for AppArmor Event daemon"
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;


@ -8,12 +8,12 @@ References: bnc#564316
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 4 +++-
utils/Immunix/AppArmor.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2789,7 +2789,9 @@ sub add_event_to_tree ($) {
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -2848,7 +2848,9 @@ sub add_event_to_tree ($) {
""
);
}


@ -1,29 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 3 +++
1 file changed, 3 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1750,6 +1750,9 @@ sub confirm_and_abort {
if ($ans eq "y") {
UI_Info(gettext("Abandoning all changes."));
shutdown_yast();
+ foreach my $prof (@created) {
+ delete_profile($prof);
+ }
exit 0;
}
}


@ -13,12 +13,12 @@ References: bnc#397883
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 9 +--------
utils/Immunix/AppArmor.pm | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -511,14 +511,7 @@ sub get_full_path ($) {
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -553,14 +553,7 @@ sub get_full_path ($) {
}
}


@ -1,58 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include <tunables/global>
/home/jeffm/mycat flags=(complain) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/consoles>
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include <abstractions/base>
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 6 ++++++
1 file changed, 6 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2337,6 +2337,12 @@ sub handlechildren {
# we have seen more than a declaration so clear it
$sd{$profile}{$hat}{'declared'} = 0;
$sd{$profile}{$hat}{profile} = 1;
+
+ # Otherwise sub-profiles end up getting
+ # put in enforce mode with genprof
+ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
+
+ $sd{$profile}{$hat}{flags} = 'complain';
$sd{$profile}{$hat}{allow}{path} = { };
$sd{$profile}{$hat}{allow}{netdomain} = { };
my $file = $sd{$profile}{$profile}(unknown);


@ -1,25 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
---
utils/SubDomain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1905,7 +1905,7 @@ sub handlechildren {
$hat = $h;
}
- next unless $profile && $hat;
+ next unless $profile && $hat && $detail;
my $domainchange = ($type eq "exec") ? "change" : "nochange";
# escape special characters that show up in literal paths


@ -3,12 +3,12 @@ Subject: SubDomain.pm: Split long string
The string split here ends up not displaying well in yast.
---
utils/SubDomain.pm | 7 ++++++-
utils/Immunix/AppArmor.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -6241,7 +6241,12 @@ sub check_qualifiers {
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -6300,7 +6300,12 @@ sub check_qualifiers($) {
if ($cfg->{qualifiers}{$program}) {
unless($cfg->{qualifiers}{$program} =~ /p/) {


@ -0,0 +1,20 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Add Immunix::SubDomain alias
This patch adds an alias so that 'use Immunix::SubDomain;' works with older
code.
Acked-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Immunix/SubDomain.pm | 5 +++++
1 file changed, 5 insertions(+)
--- /dev/null
+++ b/utils/Immunix/SubDomain.pm
@@ -0,0 +1,5 @@
+# Use of Immunix::SubDomain is deprecated.
+# Use Immunix::AppArmor directly instead.
+use Immunix::AppArmor;
+*Immunix::SubDomain:: = *Immunix::AppArmor::;
+1;
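Review bot: The new utils/Immunix/SubDomain.pm has no `package` statement, so `use Immunix::AppArmor;` on its third line runs in whatever package is current when the file is compiled — for a `require`d file that is `main` — and AppArmor's exports are imported into `main::` as a side effect of merely loading the alias module. The stash alias on the next line, `*Immunix::SubDomain:: = *Immunix::AppArmor::;`, presumably already routes the caller's own `use Immunix::SubDomain;` import through the AppArmor implementation, so the load line can be `require Immunix::AppArmor;` and nothing is imported on the module's behalf. If the deprecation in the header comment is meant to reach callers rather than readers, a `warnings::warnif('deprecated', 'Immunix::SubDomain is deprecated; use Immunix::AppArmor')` after the alias would surface it.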


@ -1,54 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Translation unification
References: bnc#586072
This patch removes small inconsistencies between identical strings to
allow for easier translation.
Reported-by: Isis Binder <isis.binder@gmail.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Reports.pm | 6 +++---
utils/unconfined | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -967,7 +967,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
@@ -980,7 +980,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
@@ -988,7 +988,7 @@ sub getEssStats {
eval { $ret = $dbh->selectall_arrayref("$query"); };
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;


@ -1,3 +1,29 @@
-------------------------------------------------------------------
Thu Mar 24 21:30:15 CET 2011 - jeffm@suse.de
- Added alias from Immunix::SubDomain to Immunix:AppArmor to allow
older users of perl-apparmor to work properly.
-------------------------------------------------------------------
Tue Mar 22 21:29:49 CET 2011 - jeffm@suse.de
- Properly re-created links to old utility names.
-------------------------------------------------------------------
Mon Mar 14 19:24:02 CET 2011 - jeffm@suse.de
- Added /etc/ethers and /var/run/dnsmasq-forwarders to
usr.sbin.dnsmasq (bnc#678749)
-------------------------------------------------------------------
Mon Mar 14 16:48:53 CET 2011 - jeffm@suse.de
- Update to 2.6.0
- 19 patches eliminated
- Lots of minor fixes.
- Split out more common abstractions
- Added more local includes
-------------------------------------------------------------------
Tue Mar 1 09:56:30 UTC 2011 - rhafer@suse.de


@ -32,9 +32,6 @@
%define JAR_FILE changeHatValve.jar
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
%define srcversion 2.5.1
%define bzr_commit r1445
Name: apparmor
%if ! %{?distro:1}0
%if %{?suse_version:1}0
@ -48,52 +45,35 @@ Name: apparmor
%define distro suse
%endif
Summary: AppArmor userlevel parser utility
Version: %{srcversion}.%{bzr_commit}
Release: 55
Version: 2.6.0
Release: 54
Group: Productivity/Networking/Security
Source0: apparmor-%{srcversion}.tar.bz2
Source0: apparmor-%{version}.tar.bz2
Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
Patch: apparmor-2.5-%{bzr_commit}
Patch1: pam-apparmor-include
Patch2: mod_apparmor-includes
Patch3: tomcat-build-fixes
Patch4: apparmor-swig-build-fix
Patch5: apparmor-scripts
Patch6: apparmor-translation-fixes
Patch7: apparmor-perl
Patch8: apparmor-no-caching-test
Patch9: apparmorapplet-gnome-build-fix
Patch10: apparmor-utils-SubDomain
Patch11: apparmor-utils-cleanup-on-abort
Patch12: apparmor-utils-translation-unification
Patch13: apparmor-utils-add-log-types
Patch14: apparmor-utils-filenames-in-slash
Patch15: apparmor-utils-null-path-fix
Patch16: apparmor-utils-string-split
Patch17: apparmor-profiles-cupsd-fix
Patch18: apparmor-profiles-sshd-fix
Patch19: apparmor-profiles-syslog-ng-fix
Patch20: apparmor-docs-techdoc-grammar-fixes
Patch21: apparmor-parser-string-fixes
Patch22: apparmor-startproc.patch
Patch23: apparmor-2.5.1-unified-build
Patch24: apparmor-2.5.1-rpmlint-asprintf
Patch25: apparmor-2.5.1-ntpd-proc-fixes
Patch26: apparmor-2.5.1-edirectory-profile
Patch27: apparmor-2.5.1-firefox-proc-fix
Patch28: apparmor-2.5.1-unconfined-fixes
Patch29: apparmor-utils-inherit-flags-during-profile-generation
Patch30: apparmor-2.5.1-ldapclient-profile
Patch31: genprof-whitespace-in-profile-fix
Patch32: apparmor-remove-repo
Patch33: apparmor-2.5.1-ntpd-sys_nice
Patch34: apparmor-2.5.1-ssl-fix
Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix
Patch36: klog-needs-CAP_SYSLOG
Patch37: apparmor-2.5.1-network-fixes
Patch38: apparmor-profiles-dhclient
Patch1: apparmor-scripts
Patch2: apparmor-no-caching-test
Patch3: apparmor-utils-add-log-types
Patch4: apparmor-utils-filenames-in-slash
Patch5: apparmor-utils-string-split
Patch6: apparmor-profiles-cupsd-fix
Patch7: apparmor-profiles-sshd-fix
Patch8: apparmor-profiles-syslog-ng-fix
Patch9: apparmor-startproc.patch
Patch10: apparmor-2.5.1-unified-build
Patch11: apparmor-2.5.1-rpmlint-asprintf
Patch12: apparmor-2.5.1-edirectory-profile
Patch13: apparmor-2.5.1-ldapclient-profile
Patch14: genprof-whitespace-in-profile-fix
Patch15: apparmor-remove-repo
Patch16: apparmor-2.5.1-ntpd-sys_nice
Patch17: apparmor-2.5.1-ssl-fix
Patch18: apparmor-profiles-usr.sbin.dnsmasq
Patch19: klog-needs-CAP_SYSLOG
Patch20: apparmor-profiles-dhclient
Patch21: apparmor-utils-subdomain-compat
License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor
@ -463,8 +443,7 @@ SubDomain.
%endif
%prep
%setup -q -n %{name}-%{srcversion}
%patch -p1
%setup -q -n %{name}-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
@ -486,23 +465,6 @@ SubDomain.
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%build
export SUSE_ASNEEDED=0
@ -574,21 +536,18 @@ ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain
for script in ${RPM_BUILD_ROOT}/usr/sbin/*; do
d=$(dirname $script)
f=$(basename $script)
if [ "${f#aa-}" = "$f" ]; then
ln -s /usr/sbin/$f $d/aa-$f
# Re-create the links to the old names
for file in ${RPM_BUILD_ROOT}/usr/{sbin,share/man/man[0-9]}/aa-*; do
d=$(dirname $file)
f=$(basename $file)
if [ "${f#aa-}" != "$f" ]; then
ln -s $f $d/${f#aa-}
fi
done
for man in ${RPM_BUILD_ROOT}/usr/share/man/man[18]/*; do
d=$(dirname $man)
f=$(basename $man)
if [ "${f#aa-}" = "$f" ]; then
ln -s $f $d/aa-$f
fi
done
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{status.8,apparmor_status.8}
mv -f ${RPM_BUILD_ROOT}/usr/share/man/man8/{notify.8,apparmor_notify.8}
rm -f ${RPM_BUILD_ROOT}/usr/share/man/man8/decode.8
%if %{with editor}
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
@ -687,6 +646,7 @@ fi
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%{_prefix}/sbin/*
%dir /var/log/apparmor
%doc %{_mandir}/man2/aa_change_profile.2.gz
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-*.gz
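Review bot: In the new "Re-create the links to the old names" loop the guard `if [ "${f#aa-}" != "$f" ]` is always true, because the glob `aa-*` only yields names beginning with `aa-`; either drop the test or widen the glob so the guard actually filters something. The loop also expands `$file`, `$d` and `$f` unquoted and calls `ln -s` without `-f`, so an already-present unprefixed file or link in the build root fails the `%install` step instead of being replaced; `ln -sf "$f" "$d/${f#aa-}"` is the safer form. The `mv -f`/`rm -f` lines for status.8, notify.8 and decode.8 carry no surviving side marker on the rendered page, so I cannot tell whether they remain after this change.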


@ -1,14 +0,0 @@
---
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c | 1 +
1 file changed, 1 insertion(+)
--- a/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
+++ b/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <string.h>
#include <glib/gi18n.h>
+#include <libgnome/gnome-program.h>
#include "preferences_dialog.h"
#include "reject_list.h"
#include "apparmor-applet.h"


@ -14,11 +14,11 @@ References: bnc#480795
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 8 ++++----
utils/Immunix/AppArmor.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
if (open(PROFILE, "$filename")) {
if (open(NEWPROFILE, ">$filename.new")) {


@ -5,7 +5,7 @@
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -122,6 +122,9 @@ static int get_table_token(const char *n
@@ -125,6 +125,9 @@ static int get_table_token(const char *n
static struct keyword_table capability_table[] = {
/* capabilities */
#include "cap_names.h"
@ -15,7 +15,7 @@
/* terminate */
{NULL, 0}
};
@@ -820,6 +823,7 @@ static const char *capnames[] = {
@@ -783,6 +786,7 @@ static const char *capnames[] = {
"audit_control",
"setfcap",
"mac_override"


@ -1,35 +0,0 @@
---
changehat/mod_apparmor/Makefile | 6 +-----
changehat/mod_apparmor/mod_apparmor.c | 6 +-----
2 files changed, 2 insertions(+), 10 deletions(-)
--- a/changehat/mod_apparmor/Makefile
+++ b/changehat/mod_apparmor/Makefile
@@ -42,11 +42,7 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2"
fi )
APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
DESTDIR=
-LIBAPPARMOR_FLAGS=$(shell if [ -f /usr/lib/libapparmor.so -o -f /usr/lib64/libapparmor.so ] ; then \
- echo -lapparmor ; \
- else \
- echo -DUSE_COMPAT_IMMUNIX_H -limmunix ;\
- fi)
+LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
--- a/changehat/mod_apparmor/mod_apparmor.c
+++ b/changehat/mod_apparmor/mod_apparmor.c
@@ -24,11 +24,7 @@
#include "apr_strings.h"
#include "apr_lib.h"
-#ifndef USE_COMPAT_IMMUNIX_H
-#include <sys/apparmor.h>
-#else
-#include <sys/immunix.h>
-#endif
+#include "apparmor.h"
#include <unistd.h>
/* #define DEBUG */


@ -1,42 +0,0 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix pam includes/linking
---
changehat/pam_apparmor/Makefile | 6 +++---
changehat/pam_apparmor/pam_apparmor.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/changehat/pam_apparmor/Makefile
+++ b/changehat/pam_apparmor/Makefile
@@ -27,8 +27,8 @@ common/Make.rules: $(COMMONDIR)/Make.rul
ln -sf $(COMMONDIR) .
endif
-EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall
-LINK_FLAGS=-Xlinker -x
+EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall -I../../libraries/libapparmor/src/
+LINK_FLAGS=-Xlinker -x -L../../libraries/libapparmor/src/.libs
LIBS=-lpam -lapparmor
OBJECTS=${NAME}.o get_options.o
@@ -42,7 +42,7 @@ $(NAME).so: ${OBJECTS}
# need some better way of determining this
DESTDIR=/
-SECDIR=${DESTDIR}/lib/security
+SECDIR ?= ${DESTDIR}/lib/security
.PHONY: install
install: $(NAME).so
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -27,7 +27,7 @@
#include <grp.h>
#include <syslog.h>
#include <errno.h>
-#include <sys/apparmor.h>
+#include "apparmor.h"
#include <security/pam_ext.h>
#include <security/pam_modutil.h>


@ -1,77 +0,0 @@
---
changehat/tomcat_apparmor/tomcat_5_5/build.xml | 15 +++++-----
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c | 2 -
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile | 4 +-
3 files changed, 11 insertions(+), 10 deletions(-)
--- a/changehat/tomcat_apparmor/tomcat_5_5/build.xml
+++ b/changehat/tomcat_apparmor/tomcat_5_5/build.xml
@@ -4,8 +4,8 @@
<property name="jni_src" location="src/jni_src"/>
<property name="build" location="build"/>
<property name="install_root" location="/"/>
- <property name="catalina_home" location="/usr/share/tomcat5"/>
- <property name="lib" location="lib"/>
+ <property name="catalina_home" location="/usr/share/tomcat6"/>
+ <property name="lib" location="/usr/share/tomcat6/bin"/>
<property name="install_lib" value="/lib"/>
<property name="dist" location="dist"/>
<property name="jarfile" location="${dist}/${ant.project.name}.jar"/>
@@ -18,10 +18,11 @@
<include name="**/*.jar"/>
</fileset>
- <fileset id="tomcat.jars" dir="${catalina_home}/server/lib">
+ <fileset id="tomcat.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
- <fileset id="servlet.jars" dir="${catalina_home}/common/lib">
+
+ <fileset id="servlet.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
@@ -80,9 +81,9 @@
</target>
<target name="install_jar" depends="jni_so" description="Install jar file">
- <mkdir dir="${install_root}/${catalina_home}/server/lib/"/>
- <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
- <chmod perm="644" file="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
+ <mkdir dir="${install_root}/${catalina_home}/lib/"/>
+ <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
+ <chmod perm="644" file="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
</target>
<target name="clean" description="Remove build and dist directories">
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
@@ -13,7 +13,7 @@
#include "jni.h"
#include <errno.h>
-#include "sys/apparmor.h"
+#include "apparmor.h"
#include "com_novell_apparmor_JNIChangeHat.h"
/* c intermediate lib call for Java -> JNI -> c library execution of the change_hat call */
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
@@ -4,7 +4,7 @@ LIB = lib/
LIBDIR = /usr/${LIB}
INCLUDE = ${LIBDIR}/jvm/java/include
CFLAGS = -g -O2 -Wall -Wstrict-prototypes -Wl,-soname,$@.${SO_VERS} -pipe -fpic -D_REENTRANT
-INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux
+INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux -I$(TOP)/../../../libraries/libapparmor/src/
CLASSFILE = ${CLASSPATH}/com/novell/apparmor/${JAVA_CLASSNAME}.class
DESTDIR = ${TOP}/dist
SO_VERS = 1
@@ -20,7 +20,7 @@ ${JAVA_CLASSNAME}.java com_novell_apparm
javah -jni -classpath ${CLASSPATH} com.novell.apparmor.${JAVA_CLASSNAME}
${TARGET}.so: ${JAVA_CLASSNAME}.c ${JAVA_CLASSNAME}.java com_novell_apparmor_${JAVA_CLASSNAME}.h
- gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -lapparmor
+ gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -L$(TOP)/../../../libraries/libapparmor/src/.libs -lapparmor
install: ${TARGET}.so
install -d $(DESTDIR)/${LIB} $(DESTDIR)${LIBDIR}