Accepting request 598829 from security:apparmor

- create and package precompiled cache (/usr/share/apparmor/cache,
  read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
  new btrfs layout, the only reason for using /var/lib/apparmor/cache/
  (which was "it's part of the / subvolume") is gone, and /var/cache
  makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
  cache locations
- clear cache also in %post of abstractions package
--------------------------------------------------------------------
- update to AppArmor 2.13
  - add support for multiple cache directories and cache overlays
    (boo#1069906, boo#1074429)
  - add support for conditional includes in policy
  - remove group restrictions from aa-notify (boo#1058787)
  - aa-complain etc.: set flags for profiles represented by a glob
  - aa-status: split profile from exec name
  - several profile and abstraction updates
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
    for the detailed upstream changelog
- drop upstreamed patches and files:
  - aa-teardown
  - apparmor.service
  - apparmor.systemd
  - 32-bit-no-uid.diff
  - disable-cache-on-ro-fs.diff
  - dovecot-stats.diff
  - parser-write-cache-warn-only.diff
  - set-flags-for-profiles-represented-by-glob.patch
  - fix-regression-in-set-flags.patch
- drop spec code that handled installing aa-teardown, apparmor.service
  and apparmor.systemd (now part of upstream Makefile)
- simplify "make -C profiles parser-check" call (upstream Makefile bug
  that required to call "cd" was fixed)
- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
- move 'exec' symlink to parser package (belongs to aa-exec)
--------------------------------------------------------------------
- Set flags for profiles represented by glob (bsc#1086154)
   set-flags-for-profiles-represented-by-glob.patch
   fix-regression-in-set-flags.patch


libapparmor
- update to AppArmor 2.13
  - add support for multiple cache directories and cache overlays
    (boo#1069906, boo#1074429)
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
    for the detailed upstream changelog

OBS-URL: https://build.opensuse.org/request/show/598829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=114
Dominique Leuenberger 2018-04-22 12:38:58 +00:00 committed by Git OBS Bridge
commit b72b687164
17 changed files with 157 additions and 341 deletions

View File

@ -1,21 +0,0 @@
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index 0e74c3f5..5738bb10 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -12,6 +12,7 @@
# GNU General Public License for more details.
#
# ----------------------------------------------------------------------
+import ctypes
import os
import re
import sys
@@ -118,7 +118,7 @@ class ReadLog:
ev['protocol'] = event.net_protocol
ev['sock_type'] = event.net_sock_type
- if event.ouid != 18446744073709551615: # 2^64 - 1
+ if event.ouid != ctypes.c_ulong(-1).value: # ULONG_MAX
ev['fsuid'] = event.fsuid
ev['ouid'] = event.ouid
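Review bot: confirm that logparser.py in the 2.13 tarball carries the platform-sized ouid sentinel (`ctypes.c_ulong(-1).value`, i.e. 2^32-1 on 32-bit and 2^64-1 on 64-bit hosts) before relying on this drop; the spec comment records the fix as merged upstream 2018-03-07 and the changelog lists 32-bit-no-uid.diff under "drop upstreamed patches", and once the `Patch8:` line is replaced nothing in the spec references this file any more, so the removal itself is clean.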

View File

@ -1,10 +0,0 @@
#!/bin/bash
test $# = 0 || {
echo "Usage: $0"
echo
echo "Unloads all AppArmor profiles"
exit 1
}
/lib/apparmor/apparmor.systemd stop
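Review bot: check that the upstream aa-teardown installed by the `install-systemd` target (see aa-teardown-path.diff) behaves like this one, i.e. a usage check followed by `apparmor.systemd stop`; the deleted apparmor.service comment points users at aa-teardown as the only supported way to unload all profiles, so a behavioural difference there would be user-visible. The removal matches the changelog ("now part of upstream Makefile") and the spec still lists `%{_sbindir}/aa-teardown`, which the patched Makefile now populates.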

aa-teardown-path.diff (new file, 15 lines)
View File

@ -0,0 +1,15 @@
Index: parser/Makefile
===================================================================
--- parser/Makefile.orig 2018-04-15 15:48:53.000000000 +0200
+++ parser/Makefile 2018-04-15 23:21:13.677508654 +0200
@@ -384,8 +384,8 @@ install-systemd:
install -m 755 -d $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
- install -m 755 -d $(DESTDIR)/sbin
- install -m 755 aa-teardown $(DESTDIR)/sbin
+ install -m 755 -d $(DESTDIR)/usr/sbin
+ install -m 755 aa-teardown $(DESTDIR)/usr/sbin
ifndef VERBOSE
.SILENT: clean
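Review bot: the destination is hard-coded as `$(DESTDIR)/usr/sbin` while the neighbouring lines use `$(SYSTEMD_UNIT_DIR)` and `$(APPARMOR_BIN_PREFIX)` variables; an overridable variable would be cleaner, but since the spec comment says this was merged upstream 2018-04-15, keeping the patch byte-identical to the upstream change is the better trade-off so it can be dropped at the next update. The `Index: parser/Makefile` header (no a/ b/ prefix) matches the spec's `%patch8` without a `-p` level.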

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056
size 7258450

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

apparmor-2.13.tar.gz (new file, 3 lines)
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:49f0b65a60c1eb5b7b4316023811bf1785875567e0e0c4c8a26cb1f1c3ac5858
size 7352564

apparmor-2.13.tar.gz.asc (new file, 16 lines)
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
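Review bot: tarball and detached signature are swapped together (the new LFS pointer records sha256 49f0b65a... for apparmor-2.13.tar.gz), and the spec keeps `Source2: %{name}.keyring`, so confirm that the key which signed the 2.13 release is present in that keyring; a signature that does not verify against the packaged keyring defeats the point of shipping the .asc file.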

View File

@ -2,22 +2,45 @@ Enable caching of profiles.
This speeds up loading the (unchanged) profiles about 20 times.
Upstream doesn't enable caching because the cache directory is not
Upstream doesn't enable caching because the cache directory is not
writeable at the time profiles are loaded in Ubuntu.
See also bnc#689458
Also set the cache location to /var/cache/apparmor/ (writeable) and
/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
the mount requirements in apparmor.service accordingly.
See boo#1069906 and boo#1074429
Signed-off by: Christian Boltz <apparmor@cboltz.de>
--- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200
+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200
@@ -28,7 +28,7 @@
Index: parser/parser.conf
===================================================================
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
@@ -31,7 +31,10 @@
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
## Turn creating/updating of the cache on by default
-#write-cache
+write-cache
+
+# cache location (cache writes go to the first directory in the list)
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
## Show cache hits
#show-cache
--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200
+++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200
@@ -4,7 +4,7 @@ DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
# profile cache
-After=var.mount var-lib.mount
+After=var.mount var-cache.mount usr.mount usr-share.mount
ConditionSecurity=apparmor
[Service]
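Review bot: the order in `cache-loc /var/cache/apparmor,/usr/share/apparmor/cache` is load-bearing, as the new comment says cache writes go to the first directory; keep the writeable location first so the parser never attempts to write into the packaged /usr/share tree, and the `After=var.mount var-cache.mount usr.mount usr-share.mount` change is the matching ordering for those two locations. Two smaller points: the description trailer reads `Signed-off by:` and should be `Signed-off-by:`, and the line `Upstream doesn't enable caching because the cache directory is not` appears twice in the hunk, which looks like a whitespace-only change worth dropping to keep the hunk minimal.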

View File

@ -1,3 +1,53 @@
-------------------------------------------------------------------
Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de
- create and package precompiled cache (/usr/share/apparmor/cache,
read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
new btrfs layout, the only reason for using /var/lib/apparmor/cache/
(which was "it's part of the / subvolume") is gone, and /var/cache
makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
cache locations
- clear cache also in %post of abstractions package
--------------------------------------------------------------------
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de
- update to AppArmor 2.13
- add support for multiple cache directories and cache overlays
(boo#1069906, boo#1074429)
- add support for conditional includes in policy
- remove group restrictions from aa-notify (boo#1058787)
- aa-complain etc.: set flags for profiles represented by a glob
- aa-status: split profile from exec name
- several profile and abstraction updates
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
for the detailed upstream changelog
- drop upstreamed patches and files:
- aa-teardown
- apparmor.service
- apparmor.systemd
- 32-bit-no-uid.diff
- disable-cache-on-ro-fs.diff
- dovecot-stats.diff
- parser-write-cache-warn-only.diff
- set-flags-for-profiles-represented-by-glob.patch
- fix-regression-in-set-flags.patch
- drop spec code that handled installing aa-teardown, apparmor.service
and apparmor.systemd (now part of upstream Makefile)
- simplify "make -C profiles parser-check" call (upstream Makefile bug
that required to call "cd" was fixed)
- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
- move 'exec' symlink to parser package (belongs to aa-exec)
--------------------------------------------------------------------
Thu Apr 19 11:23:37 UTC 2018 - rgoldwyn@suse.com
- Set flags for profiles represented by glob (bsc#1086154)
set-flags-for-profiles-represented-by-glob.patch
fix-regression-in-set-flags.patch
-------------------------------------------------------------------
Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de
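Review bot: the separator lines above the "Thu Apr 19 19:14:54" and "Thu Apr 19 11:23:37" entries appear one dash longer than the 67-dash separator that `osc vc` generates (compare the first and last separators in this hunk); normalise them so tools that split .changes entries on the separator treat all entries alike. Content-wise the entries match the spec, patch and cache-layout changes in this commit.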

View File

@ -1,25 +0,0 @@
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
After=var.mount var-lib.mount
ConditionSecurity=apparmor
[Service]
Type=oneshot
ExecStart=/lib/apparmor/apparmor.systemd reload
ExecReload=/lib/apparmor/apparmor.systemd reload
# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
# from running processes (and not being able to re-apply it later).
# Upstream systemd developers refused to implement an option that allows overriding
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
# safe side.
#
# If you really want to unload all AppArmor profiles, run aa-teardown
ExecStop=/bin/true
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
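Review bot: the deleted unit documents a security-relevant property that must survive the move to upstream's unit: `ExecStop=/bin/true` is a deliberate no-op because systemd maps restart to stop;start, and a real stop would strip confinement from running processes with no way to re-apply it. Verify that the apparmor.service shipped in the 2.13 tarball keeps that no-op together with `RemainAfterExit=yes`; otherwise `systemctl restart apparmor` becomes a quiet confinement-removal path. The `After=var.mount var-lib.mount` ordering is now carried (updated for /var/cache and /usr/share) by apparmor-enable-profile-cache.diff.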

View File

@ -35,7 +35,7 @@
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
Name: apparmor
Version: 2.12
Version: 2.13
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
@ -48,11 +48,9 @@ Source2: %{name}.keyring
Source5: update-trans.sh
Source6: baselibs.conf
Source7: apparmor-rpmlintrc
Source8: apparmor.service
Source9: apparmor.systemd
Source10: aa-teardown
# enable caching of profiles (= massive performance speedup when loading profiles)
# and set cache-loc in parser.conf and apparmor.service accordingly
Patch1: apparmor-enable-profile-cache.diff
# include autogenerated profile sniplet for samba shares (bnc#688040)
@ -64,17 +62,8 @@ Patch5: ruby-2_0-mkmf-destdir.patch
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (fixed upstream 2018-03-07)
Patch8: 32-bit-no-uid.diff
# make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
Patch9: parser-write-cache-warn-only.diff
# Disable write cache if filesystem is read-only, don't abort (merged upstream 2018-01-16 to 2.10..trunk)
Patch10: disable-cache-on-ro-fs.diff
# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
Patch11: dovecot-stats.diff
# install aa-teardown to /usr/sbin, not /sbin (merged upstream 2018-04-15 https://gitlab.com/apparmor/apparmor/merge_requests/97)
Patch8: aa-teardown-path.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
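Review bot: `Patch8:` is reused for aa-teardown-path.diff right after 32-bit-no-uid.diff was removed under the same number; a fresh number (the next free one, Patch12) keeps patch numbers stable across package history and avoids confusion when an older changelog entry mentions Patch8. The comment recording the upstream merge on 2018-04-15 is good practice, as it makes clear the patch can be dropped at the next update.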
@ -359,14 +348,11 @@ SubDomain.
%prep
%setup -q
%patch1 -p1
%patch1
%patch2
%patch5 -p1
%patch7
%patch8 -p1
%patch9 -p1
%patch10 -p0
%patch11 -p1
%patch8
%build
export SUSE_ASNEEDED=0
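Review bot: the changed patch levels are consistent with the new patch headers: `%patch1` now applies at -p0 because apparmor-enable-profile-cache.diff switched to `Index: parser/parser.conf` style headers without a/ b/ prefixes (its apparmor.service hunk uses the same `parser/apparmor.service_ORIG` form), and `%patch8` matches the `Index: parser/Makefile` header in aa-teardown-path.diff. Worth a comment next to `%patch1` noting the format change, since a future refresh of that diff with `git diff` output would silently need `-p1` again.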
@ -422,6 +408,10 @@ make -C profiles
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
# pre-build profile cache
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
%check
%if %{with python3}
export PYTHON=/usr/bin/python3
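Review bot: `apparmor_parser --write-cache -QT -L ...` compiles the cache against the build host's kernel feature set, which is why the later checks have to glob `profiles/cache/*/` for the feature-hash subdirectory; the packaged cache is therefore only a hit on kernels with an identical feature set and is recompiled into /var/cache/apparmor everywhere else. If OBS build hosts differ in kernel version, the shipped cache directory name and contents will not be reproducible; passing an explicit features file (`--features-file`, assumed to be supported by the 2.13 parser) pins the cache to a chosen feature set. The `-Q` (skip kernel load) flag is correctly present, as the build must never try to load policy into the host kernel.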
@ -433,9 +423,11 @@ make check -C parser
make check -C binutils
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to switch to make -C
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
(cd profiles && make check-parser)
make -C profiles check-parser
# test for a few files that should exist in the cache
test -f profiles/cache/*/bin.ping
test -f profiles/cache/*/.features
make check -C utils
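Review bot: `test -f profiles/cache/*/bin.ping` depends on the glob expanding to exactly one path; with two feature-hash directories `test` receives extra arguments and aborts with an unclear error, and with none it tests the literal `*` path and fails without saying the cache is missing. A loop over `profiles/cache/*/` with an explicit error message would make a broken cache build easier to diagnose. Switching to `make -C profiles check-parser` correctly drops the subshell workaround described in the removed comment.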
@ -459,11 +451,20 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
%makeinstall -C profiles
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
%makeinstall -C parser
# default cache dir is /etc/apparmor.d/cache - not the best location.
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
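Review bot: the 2.12 layout (`%{_localstatedir}/lib/apparmor/cache` plus the `/etc/apparmor.d/cache` symlink) is still created and packaged next to the new `cache.d` symlink, although parser.conf now points `cache-loc` at /var/cache/apparmor and /usr/share/apparmor/cache; the old directory only preserves stale 2.12 cache files on upgraded systems. Either drop it, or add a comment that it is kept so the `%post profiles` cleanup of the old location still has a directory to clear. The `test -f %{buildroot}/usr/share/apparmor/cache/*/.features` guards are a good check that the precompiled cache really landed in the buildroot.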
@ -507,18 +508,6 @@ done
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
# Adjust for systemd
test ! -f %{buildroot}%{_unitdir}/apparmor.service
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
test ! -f %{buildroot}%{_sbindir}/aa-teardown
install -m0755 %{S:10} %{buildroot}%{_sbindir}
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the next 3 lines
rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
rm %{buildroot}/sbin/rcsubdomain
ln -sf service %{buildroot}/sbin/rcapparmor
echo -------------------------------------------------------------------
#find -ls
echo -------------------------------------------------------------------
@ -542,14 +531,17 @@ echo -------------------------------------------------------------------
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
%{_sbindir}/aa-teardown
%{_sbindir}/exec
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
%{_sysconfdir}/apparmor.d/cache.d
/sbin/rcapparmor
%{_unitdir}/apparmor.service
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor
%{_localstatedir}/cache/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%{apparmor_bin_prefix}/apparmor.systemd
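Review bot: `%{_localstatedir}/cache/apparmor` is listed without `%dir`, so whatever is under it at build time is packaged; that is empty here, but the parser writes into this directory at runtime and those files are then unowned by rpm. `%dir %attr(0755, root, root) %{_localstatedir}/cache/apparmor` states the intent explicitly and prevents a future build-step change from accidentally packaging host-specific cache output. Moving `%{_sbindir}/exec` here alongside `aa-exec` matches the changelog entry.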
@ -560,6 +552,7 @@ echo -------------------------------------------------------------------
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man5/subdomain.conf.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man8/aa-teardown.8.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz
%pre parser
@ -589,6 +582,8 @@ fi
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
%dir /usr/share/apparmor/
/usr/share/apparmor/cache/
/usr/share/apparmor/extra-profiles/
%files utils
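Review bot: putting `/usr/share/apparmor/cache/` in the profiles subpackage is the right place, since the cache is derived from those profiles and must be replaced together with them; note that listing the whole tree packages the build host's feature-hash subdirectory name, so the reproducibility point raised for the cache build step applies to this package's file list as well.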
@ -619,7 +614,6 @@ fi
%{_sbindir}/decode
%{_sbindir}/disable
%{_sbindir}/enforce
%{_sbindir}/exec
%{_sbindir}/genprof
%{_sbindir}/logprof
%{_sbindir}/notify
@ -741,12 +735,17 @@ export DISABLE_RESTART_ON_UPDATE="yes"
%service_del_postun apparmor.service
%post abstractions
# workaround for bnc#904620#c8 / lp#1392042
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
%post profiles
# workaround for bnc#904620#c8 / lp#1392042
# old cache location up to 2.12
rm -f /var/lib/apparmor/cache/* 2>/dev/null
# cache location starting with 2.13
rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
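Review bot: `rm -f /var/cache/apparmor/* 2>/dev/null` does not clear the 2.13 cache: with multiple-cache support the files live in a feature-hash subdirectory (the same layout the `profiles/cache/*/.features` checks in %check rely on), and `rm -f` without `-r` leaves those directories and their contents untouched while the redirected stderr hides the failure. Use `rm -rf /var/cache/apparmor/*` in both `%post abstractions` and `%post profiles`, otherwise a stale cache from the previous profiles package can be picked up after the update. The `rm -f /var/lib/apparmor/cache/*` cleanup of the flat 2.12 layout is fine as written.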

View File

@ -1,85 +0,0 @@
#!/bin/sh
APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
aa_action()
{
echo $1
shift
"$@"
return $?
}
aa_log_warning_msg()
{
echo "Warning: $@"
}
aa_log_failure_msg()
{
echo "Error: $@"
}
aa_log_action_start()
{
echo "$@"
}
aa_log_action_end()
{
echo -n
}
aa_log_daemon_msg()
{
echo "$@"
}
aa_log_skipped_msg()
{
echo "Skipped: $@"
}
aa_log_end_msg()
{
echo -n
}
# source apparmor function library
if [ -f "${APPARMOR_FUNCTIONS}" ]; then
. ${APPARMOR_FUNCTIONS}
else
aa_log_failure_msg "Unable to find AppArmor initscript functions"
exit 1
fi
case "$1" in
start)
apparmor_start
rc=$?
;;
stop)
apparmor_stop
rc=$?
;;
restart|reload|force-reload)
apparmor_restart
rc=$?
;;
try-restart)
apparmor_try_restart
rc=$?
;;
kill)
apparmor_kill
rc=$?
;;
status)
apparmor_status
rc=$?
;;
*)
exit 1
;;
esac
exit $rc
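Review bot: dropping this script matches the `install-systemd` target patched in aa-teardown-path.diff, which installs upstream's apparmor.systemd into `$(APPARMOR_BIN_PREFIX)`, and the spec keeps `%{apparmor_bin_prefix}/apparmor.systemd` in %files; the unit's `ExecStart`/`ExecReload` path /lib/apparmor/apparmor.systemd therefore only resolves if `APPARMOR_BIN_PREFIX` is /lib/apparmor in the 2.13 build, which is worth verifying once. Two behaviours of this version to compare against upstream's: it sources rc.apparmor.functions from /lib/apparmor and it exits 1 on an unknown action without printing usage.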

View File

@ -1,11 +0,0 @@
--- parser/parser_main.c
+++ parser/parser_main.c 2018/01/11 16:52:00
@@ -1124,7 +1124,7 @@
retval = aa_policy_cache_new(&policy_cache, features,
AT_FDCWD, cacheloc, max_caches);
if (retval) {
- if (errno != ENOENT && errno != EEXIST) {
+ if (errno != ENOENT && errno != EEXIST && errno != EROFS) {
PERROR(_("Failed setting up policy cache (%s): %s\n"),
cacheloc, strerror(errno));
return 1;
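Review bot: removal is consistent with the spec comment that the EROFS tolerance was merged upstream 2018-01-16 into 2.10..trunk. With the new split between a writeable /var/cache/apparmor and a read-only /usr/share/apparmor/cache this fallback matters more rather than less, so a boot test with /var mounted read-only would confirm that 2.13 still loads policy instead of failing at cache setup, which was the failure mode behind boo#1069906 and boo#1074429.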

View File

@ -1,79 +0,0 @@
commit d7cb151eb0da3ce6ac152b37ca84435266d34c88
Author: Christian Boltz <apparmor@cboltz.de>
Date: Wed Apr 11 22:17:29 2018 +0200
allow dovecot/auth to write /run/dovecot/old-stats-user
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
(3rd bullet point)
commit 3521edc41c3f01ebdd7681b107b5c5daa40fe896
Author: Christian Boltz <apparmor@cboltz.de>
Date: Wed Apr 11 21:34:51 2018 +0200
add dovecot/stats profile, and allow dovecot to run it
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
index fcb54364..b44441e2 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------
#
-# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2013-2018 Christian Boltz
# Copyright (C) 2014 Christian Wittmer
#
# This program is free software; you can redistribute it and/or
@@ -43,6 +43,7 @@
/run/dovecot/auth-worker rw,
/run/dovecot/login/login rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+ /{var/,}run/dovecot/old-stats-user w,
/{var/,}run/dovecot/stats-user rw,
/{var/,}run/dovecot/anvil-auth-penalty rw,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats b/profiles/apparmor.d/usr.lib.dovecot.stats
new file mode 100644
index 00000000..151e4ed6
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.stats
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/stats {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/stats mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.stats>
+}
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index c0b180b4..e3a85fa0 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -54,6 +54,7 @@
/usr/lib/dovecot/pop3-login Pxmr,
/usr/lib/dovecot/ssl-build-param rix,
/usr/lib/dovecot/ssl-params mrPx,
+ /usr/lib/dovecot/stats Px,
/usr/sbin/dovecot mrix,
/usr/share/dovecot/protocols.d/ r,
/usr/share/dovecot/protocols.d/** r,
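Review bot: the spec comment for this patch says "submitted upstream 2018-04-11" (merge request 90), not merged; before dropping it, confirm that the 2.13 tarball contains `profiles/apparmor.d/usr.lib.dovecot.stats`, the `/usr/lib/dovecot/stats Px,` rule in usr.sbin.dovecot and the `/{var/,}run/dovecot/old-stats-user w,` rule in usr.lib.dovecot.auth. Otherwise the update silently regresses the fixes for boo#1087753 and boo#1088161 and dovecot's stats process loses its profile again.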

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Sun Apr 15 19:02:35 UTC 2018 - suse-beta@cboltz.de
- update to AppArmor 2.13
- add support for multiple cache directories and cache overlays
(boo#1069906, boo#1074429)
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
for the detailed upstream changelog
-------------------------------------------------------------------
Mon Dec 25 15:32:35 UTC 2017 - suse-beta@cboltz.de

View File

@ -18,7 +18,7 @@
Name: libapparmor
Version: 2.12
Version: 2.13
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1-or-later

View File

@ -1,49 +0,0 @@
From cd45ebddeb67b55b956646bfc760918b4b5edb37 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Thu, 4 Jan 2018 03:01:35 -0800
Subject: [PATCH] parser: fix parser so that cache creation failure doesn't
cause load failure
This is a minimal patch so that it can be backported to 2.11 and 2.10
which reverts the abort on error failure when the cache can not be
created and write-cache is set.
This is meant as a temporary fix for
https://bugzilla.suse.com/show_bug.cgi?id=1069906
https://bugzilla.opensuse.org/show_bug.cgi?id=1074429
where the cache location is being mounted readonly and the cache
creation failure is causing policy to not be loaded. And the
thrown parser error to cause issues for openQA.
Note: A cache failure warning will be reported after the policy load.
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
parser/policy_cache.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/parser/policy_cache.c b/parser/policy_cache.c
index 6ede6171..3454cc0d 100644
--- a/parser/policy_cache.c
+++ b/parser/policy_cache.c
@@ -147,13 +147,13 @@ int setup_cache_tmp(const char **cachetmpname, const char *cachename)
*cachetmpname = NULL;
if (write_cache) {
/* Otherwise, set up to save a cached copy */
- if (asprintf(&tmpname, "%s-XXXXXX", cachename)<0) {
+ if (asprintf(&tmpname, "%s-XXXXXX", cachename) < 0) {
perror("asprintf");
- exit(1);
+ return -1;
}
if ((cache_fd = mkstemp(tmpname)) < 0) {
perror("mkstemp");
- exit(1);
+ return -1;
}
*cachetmpname = tmpname;
}
--
2.14.3
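Review bot: removal is consistent with the spec comment that this came from upstream merge request 49 (2018-01-04) and with the changelog, but the commit message itself describes it as a minimal, temporary fix intended for 2.10/2.11 backports; check that 2.13 carries the proper fix (cache creation failure reported as a warning after the policy load) rather than assuming the backport landed unchanged. The `return -1` replacing `exit(1)` in setup_cache_tmp also requires the caller to handle a negative return, which becomes upstream's concern once this patch is gone.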