Accepting request 598829 from security:apparmor
- create and package precompiled cache (/usr/share/apparmor/cache, read-only) (boo#1069906, boo#1074429) - change (writeable) cache directory to /var/cache/apparmor/ - with the new btrfs layout, the only reason for using /var/lib/apparmor/cache/ (which was "it's part of the / subvolume") is gone, and /var/cache makes more sense for the cache - adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both cache locations - clear cache also in %post of abstractions package -------------------------------------------------------------------- - update to AppArmor 2.13 - add support for multiple cache directories and cache overlays (boo#1069906, boo#1074429) - add support for conditional includes in policy - remove group restrictions from aa-notify (boo#1058787) - aa-complain etc.: set flags for profiles represented by a glob - aa-status: split profile from exec name - several profile and abstraction updates - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13 for the detailed upstream changelog - drop upstreamed patches and files: - aa-teardown - apparmor.service - apparmor.systemd - 32-bit-no-uid.diff - disable-cache-on-ro-fs.diff - dovecot-stats.diff - parser-write-cache-warn-only.diff - set-flags-for-profiles-represented-by-glob.patch - fix-regression-in-set-flags.patch - drop spec code that handled installing aa-teardown, apparmor.service and apparmor.systemd (now part of upstream Makefile) - simplify "make -C profiles parser-check" call (upstream Makefile bug that required to call "cd" was fixed) - add aa-teardown-path.diff - install aa-teardown in /usr/sbin/ - move 'exec' symlink to parser package (belongs to aa-exec) -------------------------------------------------------------------- - Set flags for profiles represented by glob (bsc#1086154) set-flags-for-profiles-represented-by-glob.patch fix-regression-in-set-flags.patch libapparmor - update to AppArmor 2.13 - add support for multiple cache directories and cache overlays (boo#1069906, 
boo#1074429) - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13 for the detailed upstream changelog OBS-URL: https://build.opensuse.org/request/show/598829 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=114
@ -1,21 +0,0 @@
|
||||
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
|
||||
index 0e74c3f5..5738bb10 100644
|
||||
--- a/utils/apparmor/logparser.py
|
||||
+++ b/utils/apparmor/logparser.py
|
||||
@@ -12,6 +12,7 @@
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# ----------------------------------------------------------------------
|
||||
+import ctypes
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
@@ -118,7 +118,7 @@ class ReadLog:
|
||||
ev['protocol'] = event.net_protocol
|
||||
ev['sock_type'] = event.net_sock_type
|
||||
|
||||
- if event.ouid != 18446744073709551615: # 2^64 - 1
|
||||
+ if event.ouid != ctypes.c_ulong(-1).value: # ULONG_MAX
|
||||
ev['fsuid'] = event.fsuid
|
||||
ev['ouid'] = event.ouid
|
||||
|
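--- a/aa-teardown
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-test $# = 0 || {
-echo "Usage: $0"
-echo
-echo "Unloads all AppArmor profiles"
-exit 1
-}
-
-/lib/apparmor/apparmor.systemd stop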
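--- /dev/null
+++ b/aa-teardown-path.diff
@@ -0,0 +1,15 @@
+Index: parser/Makefile
+===================================================================
+--- parser/Makefile.orig 2018-04-15 15:48:53.000000000 +0200
++++ parser/Makefile 2018-04-15 23:21:13.677508654 +0200
+@@ -384,8 +384,8 @@ install-systemd:
+install -m 755 -d $(SYSTEMD_UNIT_DIR)
+install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
+install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
+- install -m 755 -d $(DESTDIR)/sbin
+- install -m 755 aa-teardown $(DESTDIR)/sbin
++ install -m 755 -d $(DESTDIR)/usr/sbin
++ install -m 755 aa-teardown $(DESTDIR)/usr/sbin
+
+ifndef VERBOSE
+.SILENT: clean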
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056
|
||||
size 7258450
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQI3BAABCgAhBQJaP2rLGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
|
||||
5k49NmS72aQP/1y8Xr4GxCKJAonXSYdF3dlR54SIz6DWyMcdFnmE49w4/XVFhrf6
|
||||
T3sIQzGdb38o1cjf6oPWaitMuOlr8SHZOSAtZXZm7xDh3fGXG11Vj12iNBX4o6CJ
|
||||
WyrBG1MUX4u03iDjnv98rtbAViS9/DZsbN9iPZ9Ibo+Fb/wVS4EKe5iCZWTpqdW5
|
||||
lbrWQVajqCw4EzD0ld6kklsuH6nb+pII4KawSDsk4hN5o4HxTZeK/lgwZ/sFE5LA
|
||||
RJb3vShdSsIodDsj5mc5wfDVmzdqPcfTTaffLcW8uXYuMhtcI6vRAxGEKqHwDa4x
|
||||
aUasiJPfFH21e1lTlztzCi2vlSdrnb89V2m7lHiOOL2bCtHhnIduRYgo+WnMZC+m
|
||||
FcF9heBrTSajzg9ZE3EpVsN2wQYEGrVQer2MSy2vE8n+9JDxaJeyZ1RbT5yoeSkO
|
||||
zPo6IlrfSruRdLVVekzZezoDow2kWfyzfTbDcOdZlDIchwPyXwVdGwFAf/s9aSoz
|
||||
i/UIL0XpLCrd+MkaLeClWxPQR0IR5US3kxgI3vmpg4AGICq4Ayg6A2tQCMjI66Db
|
||||
l1SRwLsEsZT9gfcvXeBF2w+xh9bCDUasmxcFkhv5axr12/r2nZWcKE0U1bsuK6bd
|
||||
BOn2oRNshOcxnh6ni5YbTuASH52H3evKM5zypYmUpc4nUqHbFjeJOetM
|
||||
=rBMH
|
||||
-----END PGP SIGNATURE-----
|
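--- /dev/null
+++ b/apparmor-2.13.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:49f0b65a60c1eb5b7b4316023811bf1785875567e0e0c4c8a26cb1f1c3ac5858
+size 7352564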
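--- /dev/null
+++ b/apparmor-2.13.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQI3BAABCgAhBQJa01juGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
+5k49NmS7w7sP/jWzBwvWn4NySOdncM+/h83AIb0Kx2mBPFCqLrZ3low73riA/LtJ
+mq7JN/qiBYM/lB/6fiEJZV5eUTvN9IFOtJkJVbEYOhIe5IjBkkOoxDfmnpnrkTvK
+GYkoIjSpsJDepvzqpBeQ44exH7XGkhpZRULlgJZkpJXvYE0nb9JDQgOuPWP56Q0F
+t773uEIYME/7sveQtHYbUVrB2ncnMO4ppcFhNo2VEz7q1xl+s0D9b5qAvRNMjA/9
+vgx8ZXSGbhsIUhMf5RgZd3j2hVs2LI+Qg6jM+ULzB+C9PtXefSe802gREoSkKxvQ
+f88sPuOL1DX2aiIu5GFUQqziP9u+Xp/2YkQs0WSJEGUbs2+HfKDJHVF/610B4i6L
+jpBIja9cYRacINU4beTNvZulyAAZHQ0CsRf1eyRzUrwNIi76eLlmhkBve40mtVq0
+6CKWkKllTmEk94D3CEFPzzDV7rpA9hcif71WGwNbMBj4HOlLK/pNAedAccdWwNbo
+4EExDyMQrOeHQsUmppaiH/ulwMKd6HGQOMiLm1kPesBqpW+bbI1PMP0O/Kpb/tVQ
+Kesr9tTYiTrSXeQUoWeaCZ5xV2yq6xr9RWLSLkLj3B2F9WF9RcR8jj1K7796ervi
+Ybm7VwdnmSi/fRV+8lUUjy1NPksTZ4iem26GJ0YsQqxCz3phH9wAvW1c
+=oH+3
+-----END PGP SIGNATURE-----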
@ -2,22 +2,45 @@ Enable caching of profiles.
|
||||
|
||||
This speeds up loading the (unchanged) profiles about 20 times.
|
||||
|
||||
Upstream doesn't enable caching because the cache directory is not
|
||||
Upstream doesn't enable caching because the cache directory is not
|
||||
writeable at the time profiles are loaded in Ubuntu.
|
||||
|
||||
See also bnc#689458
|
||||
|
||||
|
||||
Also set the cache location to /var/cache/apparmor/ (writeable) and
|
||||
/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
|
||||
the mount requirements in apparmor.service accordingly.
|
||||
|
||||
See boo#1069906 and boo#1074429
|
||||
|
||||
|
||||
Signed-off by: Christian Boltz <apparmor@cboltz.de>
|
||||
|
||||
--- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200
|
||||
+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200
|
||||
@@ -28,7 +28,7 @@
|
||||
Index: parser/parser.conf
|
||||
===================================================================
|
||||
--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200
|
||||
+++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200
|
||||
@@ -31,7 +31,10 @@
|
||||
# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
|
||||
|
||||
## Turn creating/updating of the cache on by default
|
||||
-#write-cache
|
||||
+write-cache
|
||||
+
|
||||
+# cache location (cache writes go to the first directory in the list)
|
||||
+cache-loc /var/cache/apparmor,/usr/share/apparmor/cache
|
||||
|
||||
## Show cache hits
|
||||
#show-cache
|
||||
--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200
|
||||
+++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200
|
||||
@@ -4,7 +4,7 @@ DefaultDependencies=no
|
||||
Before=sysinit.target
|
||||
After=systemd-journald-audit.socket
|
||||
# profile cache
|
||||
-After=var.mount var-lib.mount
|
||||
+After=var.mount var-cache.mount usr.mount usr-share.mount
|
||||
ConditionSecurity=apparmor
|
||||
|
||||
[Service]
|
||||
|
@ -1,3 +1,53 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de
|
||||
|
||||
- create and package precompiled cache (/usr/share/apparmor/cache,
|
||||
read-only) (boo#1069906, boo#1074429)
|
||||
- change (writeable) cache directory to /var/cache/apparmor/ - with the
|
||||
new btrfs layout, the only reason for using /var/lib/apparmor/cache/
|
||||
(which was "it's part of the / subvolume") is gone, and /var/cache
|
||||
makes more sense for the cache
|
||||
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
|
||||
cache locations
|
||||
- clear cache also in %post of abstractions package
|
||||
|
||||
--------------------------------------------------------------------
|
||||
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.13
|
||||
- add support for multiple cache directories and cache overlays
|
||||
(boo#1069906, boo#1074429)
|
||||
- add support for conditional includes in policy
|
||||
- remove group restrictions from aa-notify (boo#1058787)
|
||||
- aa-complain etc.: set flags for profiles represented by a glob
|
||||
- aa-status: split profile from exec name
|
||||
- several profile and abstraction updates
|
||||
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
|
||||
for the detailed upstream changelog
|
||||
- drop upstreamed patches and files:
|
||||
- aa-teardown
|
||||
- apparmor.service
|
||||
- apparmor.systemd
|
||||
- 32-bit-no-uid.diff
|
||||
- disable-cache-on-ro-fs.diff
|
||||
- dovecot-stats.diff
|
||||
- parser-write-cache-warn-only.diff
|
||||
- set-flags-for-profiles-represented-by-glob.patch
|
||||
- fix-regression-in-set-flags.patch
|
||||
- drop spec code that handled installing aa-teardown, apparmor.service
|
||||
and apparmor.systemd (now part of upstream Makefile)
|
||||
- simplify "make -C profiles parser-check" call (upstream Makefile bug
|
||||
that required to call "cd" was fixed)
|
||||
- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
|
||||
- move 'exec' symlink to parser package (belongs to aa-exec)
|
||||
|
||||
--------------------------------------------------------------------
|
||||
Thu Apr 19 11:23:37 UTC 2018 - rgoldwyn@suse.com
|
||||
|
||||
- Set flags for profiles represented by glob (bsc#1086154)
|
||||
set-flags-for-profiles-represented-by-glob.patch
|
||||
fix-regression-in-set-flags.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de
|
||||
|
||||
|
@ -1,25 +0,0 @@
|
||||
[Unit]
|
||||
Description=Load AppArmor profiles
|
||||
DefaultDependencies=no
|
||||
Before=sysinit.target
|
||||
After=systemd-journald-audit.socket
|
||||
After=var.mount var-lib.mount
|
||||
ConditionSecurity=apparmor
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/lib/apparmor/apparmor.systemd reload
|
||||
ExecReload=/lib/apparmor/apparmor.systemd reload
|
||||
|
||||
# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
|
||||
# from running processes (and not being able to re-apply it later).
|
||||
# Upstream systemd developers refused to implement an option that allows overriding
|
||||
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
|
||||
# safe side.
|
||||
#
|
||||
# If you really want to unload all AppArmor profiles, run aa-teardown
|
||||
ExecStop=/bin/true
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -35,7 +35,7 @@
|
||||
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
|
||||
|
||||
Name: apparmor
|
||||
Version: 2.12
|
||||
Version: 2.13
|
||||
Release: 0
|
||||
Summary: AppArmor userlevel parser utility
|
||||
License: GPL-2.0-or-later
|
||||
@ -48,11 +48,9 @@ Source2: %{name}.keyring
|
||||
Source5: update-trans.sh
|
||||
Source6: baselibs.conf
|
||||
Source7: apparmor-rpmlintrc
|
||||
Source8: apparmor.service
|
||||
Source9: apparmor.systemd
|
||||
Source10: aa-teardown
|
||||
|
||||
# enable caching of profiles (= massive performance speedup when loading profiles)
|
||||
# and set cache-loc in parser.conf and apparmor.service accordingly
|
||||
Patch1: apparmor-enable-profile-cache.diff
|
||||
|
||||
# include autogenerated profile sniplet for samba shares (bnc#688040)
|
||||
@ -64,17 +62,8 @@ Patch5: ruby-2_0-mkmf-destdir.patch
|
||||
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
|
||||
Patch7: apparmor-lessopen-profile.patch
|
||||
|
||||
# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (fixed upstream 2018-03-07)
|
||||
Patch8: 32-bit-no-uid.diff
|
||||
|
||||
# make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
|
||||
Patch9: parser-write-cache-warn-only.diff
|
||||
|
||||
# Disable write cache if filesystem is read-only, don't abort (merged upstream 2018-01-16 to 2.10..trunk)
|
||||
Patch10: disable-cache-on-ro-fs.diff
|
||||
|
||||
# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
|
||||
Patch11: dovecot-stats.diff
|
||||
# install aa-teardown to /usr/sbin, not /sbin (merged upstream 2018-04-15 https://gitlab.com/apparmor/apparmor/merge_requests/97)
|
||||
Patch8: aa-teardown-path.diff
|
||||
|
||||
PreReq: sed
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
@ -359,14 +348,11 @@ SubDomain.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch1
|
||||
%patch2
|
||||
%patch5 -p1
|
||||
%patch7
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p0
|
||||
%patch11 -p1
|
||||
%patch8
|
||||
|
||||
%build
|
||||
export SUSE_ASNEEDED=0
|
||||
@ -422,6 +408,10 @@ make -C profiles
|
||||
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
|
||||
%endif
|
||||
|
||||
# pre-build profile cache
|
||||
# note that -L only works with an absolute path, therefore prefix it with $(pwd)
|
||||
parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
|
||||
|
||||
%check
|
||||
%if %{with python3}
|
||||
export PYTHON=/usr/bin/python3
|
||||
@ -433,9 +423,11 @@ make check -C parser
|
||||
make check -C binutils
|
||||
|
||||
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
|
||||
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to switch to make -C
|
||||
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
|
||||
(cd profiles && make check-parser)
|
||||
make -C profiles check-parser
|
||||
|
||||
# test for a few files that should exist in the cache
|
||||
test -f profiles/cache/*/bin.ping
|
||||
test -f profiles/cache/*/.features
|
||||
|
||||
make check -C utils
|
||||
|
||||
@ -459,11 +451,20 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
|
||||
|
||||
%makeinstall -C profiles
|
||||
|
||||
install -d -m 755 %{buildroot}/usr/share/apparmor/cache
|
||||
cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
|
||||
test -f %{buildroot}/usr/share/apparmor/cache/*/.features
|
||||
test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
|
||||
|
||||
%makeinstall -C parser
|
||||
# default cache dir is /etc/apparmor.d/cache - not the best location.
|
||||
# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
|
||||
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
|
||||
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
|
||||
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
|
||||
# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
|
||||
# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
|
||||
mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
|
||||
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
|
||||
|
||||
%if %{with apache}
|
||||
%makeinstall -C changehat/mod_apparmor
|
||||
@ -507,18 +508,6 @@ done
|
||||
# remove *.la files
|
||||
rm -fv %{buildroot}%{_libdir}/libapparmor.la
|
||||
|
||||
# Adjust for systemd
|
||||
test ! -f %{buildroot}%{_unitdir}/apparmor.service
|
||||
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
|
||||
test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
|
||||
install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
|
||||
test ! -f %{buildroot}%{_sbindir}/aa-teardown
|
||||
install -m0755 %{S:10} %{buildroot}%{_sbindir}
|
||||
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the next 3 lines
|
||||
rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
|
||||
rm %{buildroot}/sbin/rcsubdomain
|
||||
ln -sf service %{buildroot}/sbin/rcapparmor
|
||||
|
||||
echo -------------------------------------------------------------------
|
||||
#find -ls
|
||||
echo -------------------------------------------------------------------
|
||||
@ -542,14 +531,17 @@ echo -------------------------------------------------------------------
|
||||
%{_bindir}/aa-enabled
|
||||
%{_bindir}/aa-exec
|
||||
%{_sbindir}/aa-teardown
|
||||
%{_sbindir}/exec
|
||||
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
|
||||
%dir %{_sysconfdir}/apparmor.d
|
||||
%{_sysconfdir}/apparmor.d/cache
|
||||
%{_sysconfdir}/apparmor.d/cache.d
|
||||
/sbin/rcapparmor
|
||||
%{_unitdir}/apparmor.service
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
|
||||
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
|
||||
%{_localstatedir}/lib/apparmor
|
||||
%{_localstatedir}/cache/apparmor
|
||||
%dir %attr(-, root, root) %{apparmor_bin_prefix}
|
||||
%{apparmor_bin_prefix}/rc.apparmor.functions
|
||||
%{apparmor_bin_prefix}/apparmor.systemd
|
||||
@ -560,6 +552,7 @@ echo -------------------------------------------------------------------
|
||||
%doc %{_mandir}/man5/apparmor.vim.5.gz
|
||||
%doc %{_mandir}/man5/subdomain.conf.5.gz
|
||||
%doc %{_mandir}/man7/apparmor.7.gz
|
||||
%doc %{_mandir}/man8/aa-teardown.8.gz
|
||||
%doc %{_mandir}/man8/apparmor_parser.8.gz
|
||||
|
||||
%pre parser
|
||||
@ -589,6 +582,8 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
|
||||
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
|
||||
%dir /usr/share/apparmor/
|
||||
/usr/share/apparmor/cache/
|
||||
/usr/share/apparmor/extra-profiles/
|
||||
|
||||
%files utils
|
||||
@ -619,7 +614,6 @@ fi
|
||||
%{_sbindir}/decode
|
||||
%{_sbindir}/disable
|
||||
%{_sbindir}/enforce
|
||||
%{_sbindir}/exec
|
||||
%{_sbindir}/genprof
|
||||
%{_sbindir}/logprof
|
||||
%{_sbindir}/notify
|
||||
@ -741,12 +735,17 @@ export DISABLE_RESTART_ON_UPDATE="yes"
|
||||
%service_del_postun apparmor.service
|
||||
|
||||
%post abstractions
|
||||
# workaround for bnc#904620#c8 / lp#1392042
|
||||
rm -f /var/cache/apparmor/* 2>/dev/null
|
||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||
|
||||
%post profiles
|
||||
# workaround for bnc#904620#c8 / lp#1392042
|
||||
# old cache location up to 2.12
|
||||
rm -f /var/lib/apparmor/cache/* 2>/dev/null
|
||||
# cache location starting with 2.13
|
||||
rm -f /var/cache/apparmor/* 2>/dev/null
|
||||
#restart_on_update apparmor - but non-broken (bnc#853019)
|
||||
systemctl is-active -q apparmor && systemctl reload apparmor ||:
|
||||
|
||||
|
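Review bot: The new cache cleanup in `%post abstractions` (`rm -f /var/cache/apparmor/* 2>/dev/null`) and the matching new line in `%post profiles` of the last hunk do not remove the compiled profiles, because `rm -f` without `-r` skips directories and the 2.13 cache keeps its files one level down in a per-features-hash directory, as this spec's own build checks show (`test -f profiles/cache/*/bin.ping`, `test -f profiles/cache/*/.features`). The old `/var/lib/apparmor/cache/*` line worked only because the pre-2.13 cache was flat. If the runtime layout under /var/cache/apparmor matches the build-time one, the bnc#904620 workaround becomes a no-op and the subsequent `systemctl reload apparmor` may load cached policy that was compiled against the previous abstractions or profiles. Suggested replacement for both new lines: `rm -rf /var/cache/apparmor/* 2>/dev/null`; the `%post` scriptlets are shown in full, but the surrounding `%files` and `%service_del_postun` context continues outside the hunk.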
@ -1,85 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
|
||||
|
||||
aa_action()
|
||||
{
|
||||
echo $1
|
||||
shift
|
||||
"$@"
|
||||
return $?
|
||||
}
|
||||
|
||||
aa_log_warning_msg()
|
||||
{
|
||||
echo "Warning: $@"
|
||||
}
|
||||
|
||||
aa_log_failure_msg()
|
||||
{
|
||||
echo "Error: $@"
|
||||
}
|
||||
|
||||
aa_log_action_start()
|
||||
{
|
||||
echo "$@"
|
||||
}
|
||||
|
||||
aa_log_action_end()
|
||||
{
|
||||
echo -n
|
||||
}
|
||||
|
||||
aa_log_daemon_msg()
|
||||
{
|
||||
echo "$@"
|
||||
}
|
||||
|
||||
aa_log_skipped_msg()
|
||||
{
|
||||
echo "Skipped: $@"
|
||||
}
|
||||
|
||||
aa_log_end_msg()
|
||||
{
|
||||
echo -n
|
||||
}
|
||||
|
||||
# source apparmor function library
|
||||
if [ -f "${APPARMOR_FUNCTIONS}" ]; then
|
||||
. ${APPARMOR_FUNCTIONS}
|
||||
else
|
||||
aa_log_failure_msg "Unable to find AppArmor initscript functions"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
apparmor_start
|
||||
rc=$?
|
||||
;;
|
||||
stop)
|
||||
apparmor_stop
|
||||
rc=$?
|
||||
;;
|
||||
restart|reload|force-reload)
|
||||
apparmor_restart
|
||||
rc=$?
|
||||
;;
|
||||
try-restart)
|
||||
apparmor_try_restart
|
||||
rc=$?
|
||||
;;
|
||||
kill)
|
||||
apparmor_kill
|
||||
rc=$?
|
||||
;;
|
||||
status)
|
||||
apparmor_status
|
||||
rc=$?
|
||||
;;
|
||||
*)
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
exit $rc
|
@ -1,11 +0,0 @@
|
||||
--- parser/parser_main.c
|
||||
+++ parser/parser_main.c 2018/01/11 16:52:00
|
||||
@@ -1124,7 +1124,7 @@
|
||||
retval = aa_policy_cache_new(&policy_cache, features,
|
||||
AT_FDCWD, cacheloc, max_caches);
|
||||
if (retval) {
|
||||
- if (errno != ENOENT && errno != EEXIST) {
|
||||
+ if (errno != ENOENT && errno != EEXIST && errno != EROFS) {
|
||||
PERROR(_("Failed setting up policy cache (%s): %s\n"),
|
||||
cacheloc, strerror(errno));
|
||||
return 1;
|
@ -1,79 +0,0 @@
|
||||
commit d7cb151eb0da3ce6ac152b37ca84435266d34c88
|
||||
Author: Christian Boltz <apparmor@cboltz.de>
|
||||
Date: Wed Apr 11 22:17:29 2018 +0200
|
||||
|
||||
allow dovecot/auth to write /run/dovecot/old-stats-user
|
||||
|
||||
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
|
||||
(3rd bullet point)
|
||||
|
||||
commit 3521edc41c3f01ebdd7681b107b5c5daa40fe896
|
||||
Author: Christian Boltz <apparmor@cboltz.de>
|
||||
Date: Wed Apr 11 21:34:51 2018 +0200
|
||||
|
||||
add dovecot/stats profile, and allow dovecot to run it
|
||||
|
||||
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
|
||||
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
|
||||
index fcb54364..b44441e2 100644
|
||||
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
|
||||
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
|
||||
@@ -1,6 +1,6 @@
|
||||
# ------------------------------------------------------------------
|
||||
#
|
||||
-# Copyright (C) 2013 Christian Boltz
|
||||
+# Copyright (C) 2013-2018 Christian Boltz
|
||||
# Copyright (C) 2014 Christian Wittmer
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
@@ -43,6 +43,7 @@
|
||||
/run/dovecot/auth-worker rw,
|
||||
/run/dovecot/login/login rw,
|
||||
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
|
||||
+ /{var/,}run/dovecot/old-stats-user w,
|
||||
/{var/,}run/dovecot/stats-user rw,
|
||||
/{var/,}run/dovecot/anvil-auth-penalty rw,
|
||||
|
||||
diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats b/profiles/apparmor.d/usr.lib.dovecot.stats
|
||||
new file mode 100644
|
||||
index 00000000..151e4ed6
|
||||
--- /dev/null
|
||||
+++ b/profiles/apparmor.d/usr.lib.dovecot.stats
|
||||
@@ -0,0 +1,25 @@
|
||||
+# ------------------------------------------------------------------
|
||||
+#
|
||||
+# Copyright (C) 2018 Christian Boltz
|
||||
+#
|
||||
+# This program is free software; you can redistribute it and/or
|
||||
+# modify it under the terms of version 2 of the GNU General Public
|
||||
+# License published by the Free Software Foundation.
|
||||
+#
|
||||
+# ------------------------------------------------------------------
|
||||
+# vim: ft=apparmor
|
||||
+
|
||||
+#include <tunables/global>
|
||||
+
|
||||
+/usr/lib/dovecot/stats {
|
||||
+ #include <abstractions/base>
|
||||
+ #include <abstractions/dovecot-common>
|
||||
+
|
||||
+ capability setuid,
|
||||
+ capability sys_chroot,
|
||||
+
|
||||
+ /usr/lib/dovecot/stats mr,
|
||||
+
|
||||
+ # Site-specific additions and overrides. See local/README for details.
|
||||
+ #include <local/usr.lib.dovecot.stats>
|
||||
+}
|
||||
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
|
||||
index c0b180b4..e3a85fa0 100644
|
||||
--- a/profiles/apparmor.d/usr.sbin.dovecot
|
||||
+++ b/profiles/apparmor.d/usr.sbin.dovecot
|
||||
@@ -54,6 +54,7 @@
|
||||
/usr/lib/dovecot/pop3-login Pxmr,
|
||||
/usr/lib/dovecot/ssl-build-param rix,
|
||||
/usr/lib/dovecot/ssl-params mrPx,
|
||||
+ /usr/lib/dovecot/stats Px,
|
||||
/usr/sbin/dovecot mrix,
|
||||
/usr/share/dovecot/protocols.d/ r,
|
||||
/usr/share/dovecot/protocols.d/** r,
|
@ -1,3 +1,12 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Apr 15 19:02:35 UTC 2018 - suse-beta@cboltz.de
|
||||
|
||||
- update to AppArmor 2.13
|
||||
- add support for multiple cache directories and cache overlays
|
||||
(boo#1069906, boo#1074429)
|
||||
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
|
||||
for the detailed upstream changelog
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 25 15:32:35 UTC 2017 - suse-beta@cboltz.de
|
||||
|
||||
|
@ -18,7 +18,7 @@
|
||||
|
||||
|
||||
Name: libapparmor
|
||||
Version: 2.12
|
||||
Version: 2.13
|
||||
Release: 0
|
||||
Summary: Utility library for AppArmor
|
||||
License: LGPL-2.1-or-later
|
||||
|
@ -1,49 +0,0 @@
|
||||
From cd45ebddeb67b55b956646bfc760918b4b5edb37 Mon Sep 17 00:00:00 2001
|
||||
From: John Johansen <john.johansen@canonical.com>
|
||||
Date: Thu, 4 Jan 2018 03:01:35 -0800
|
||||
Subject: [PATCH] parser: fix parser so that cache creation failure doesn't
|
||||
cause load failure
|
||||
|
||||
This is a minimal patch so that it can be backported to 2.11 and 2.10
|
||||
which reverts the abort on error failure when the cache can not be
|
||||
created and write-cache is set.
|
||||
|
||||
This is meant as a temporary fix for
|
||||
https://bugzilla.suse.com/show_bug.cgi?id=1069906
|
||||
https://bugzilla.opensuse.org/show_bug.cgi?id=1074429
|
||||
|
||||
where the cache location is being mounted readonly and the cache
|
||||
creation failure is causing policy to not be loaded. And the
|
||||
thrown parser error to cause issues for openQA.
|
||||
|
||||
Note: A cache failure warning will be reported after the policy load.
|
||||
|
||||
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
||||
---
|
||||
parser/policy_cache.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/parser/policy_cache.c b/parser/policy_cache.c
|
||||
index 6ede6171..3454cc0d 100644
|
||||
--- a/parser/policy_cache.c
|
||||
+++ b/parser/policy_cache.c
|
||||
@@ -147,13 +147,13 @@ int setup_cache_tmp(const char **cachetmpname, const char *cachename)
|
||||
*cachetmpname = NULL;
|
||||
if (write_cache) {
|
||||
/* Otherwise, set up to save a cached copy */
|
||||
- if (asprintf(&tmpname, "%s-XXXXXX", cachename)<0) {
|
||||
+ if (asprintf(&tmpname, "%s-XXXXXX", cachename) < 0) {
|
||||
perror("asprintf");
|
||||
- exit(1);
|
||||
+ return -1;
|
||||
}
|
||||
if ((cache_fd = mkstemp(tmpname)) < 0) {
|
||||
perror("mkstemp");
|
||||
- exit(1);
|
||||
+ return -1;
|
||||
}
|
||||
*cachetmpname = tmpname;
|
||||
}
|
||||
--
|
||||
2.14.3
|
||||
|