Accepting request 1183251 from security:apparmor

- add sampa-rpcd-witness.diff: allow samba-dcerpcd to execute
  rpcd_witness (boo#1225811) (forwarded request 1183249 from cboltz)

OBS-URL: https://build.opensuse.org/request/show/1183251
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=213

apparmor.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jun 25 19:40:41 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
+
+- add sampa-rpcd-witness.diff: allow samba-dcerpcd to execute
+  rpcd_witness (boo#1225811)
+
 -------------------------------------------------------------------
 Tue Jun 11 12:05:38 UTC 2024 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -107,6 +107,9 @@ Patch17:        sddm-xauth.diff
 # utils MountRule: add support for quoted paths and empty source (master merged upstream 2024-06-11, 4.0 branch submitted upstream 2024-06-11 https://gitlab.com/apparmor/apparmor/-/merge_requests/1259)
 Patch18:        logprof-mount-empty-source.diff
 
+#  samba-dcerpcd: allow to execute rpcd_witness (submitted upstream 2024-06-08 https://gitlab.com/apparmor/apparmor/-/merge_requests/1256, packaged patch adjusted to match the packaged samba-rpcd profile)
+Patch19:        sampa-rpcd-witness.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  autoconf
@@ -383,6 +386,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch -P 16 -p1
 %patch -P 17 -p1
 %patch -P 18 -p1
+%patch -P 19 -p1
 
 %build
 export SUSE_ASNEEDED=0

sampa-rpcd-witness.diff

@@ -0,0 +1,48 @@
+From https://gitlab.com/apparmor/apparmor/-/merge_requests/1256
+(adjusted to currently packaged samba-rpcd profile)
+
+
+From 94ccd111deac35d7deadb07e66d25e045633e221 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Sat, 8 Jun 2024 22:46:53 +0200
+Subject: [PATCH] samba-dcerpcd: allow to execute rpcd_witness
+
+... and extend the samba-rpcd profile to also include rpcd_witness.
+
+Patch by Noel Power <nopower@suse.com>
+
+Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225811
+---
+ profiles/apparmor.d/samba-dcerpcd | 2 +-
+ profiles/apparmor.d/samba-rpcd    | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+Index: apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd
+===================================================================
+--- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-dcerpcd	2024-04-12 05:59:30.000000000 +0200
++++ apparmor-v4.0.1/profiles/apparmor.d/samba-dcerpcd	2024-06-25 21:49:49.017901846 +0200
+@@ -21,7 +21,7 @@ profile samba-dcerpcd /usr/lib*/samba/{,
+   /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
+ 
+   /usr/lib*/samba/ r,
+-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
++  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} Px -> samba-rpcd,
+   /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
+   /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
+ 
+Index: apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd
+===================================================================
+--- apparmor-v4.0.1.orig/profiles/apparmor.d/samba-rpcd	2024-04-12 05:59:30.000000000 +0200
++++ apparmor-v4.0.1/profiles/apparmor.d/samba-rpcd	2024-06-25 21:49:49.017901846 +0200
+@@ -13,9 +13,9 @@ abi <abi/4.0>,
+ 
+ include <tunables/global>
+ 
+-profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
++profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} {
+   include <abstractions/samba-rpcd>
+-  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
++  /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg,witness} mr,
+ 
+   @{run}/samba/ncalrpc/np/winreg wr,
+