From bc413776a0cd1df31ae647f394a53d34b4b08f0b1daea482fe28f1fa4da16902 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sat, 18 Oct 2014 13:47:32 +0000 Subject: [PATCH] Accepting request 257520 from home:cboltz - update to AppArmor 2.9.0 (r2759) - change aa-mergeprof to the final commandline syntax - lots of bugfixes in the aa-* tools (bnc#900163, lp#1328707 and several bugs without a formal bugreport) - small additions to gnome, freedesktop.org, ubuntu-browsers.d/java and user-mail abstractions - fix mod_apparmor to not break basic auth - update perl modules to support signal, unix and ptrace rules (bnc#900013) - don't warn about rules not supported by the kernel - fix logging of "audit capability" (lp#1378091) - add support for the "hat" keyword in apparmor.vim - build html version of apparmor.vim manpage again (lp#1366572) - see also http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0 - update apparmor-abstractions-no-multiline.diff - remove upstreamed apparmor-profiles-ntpd-pid-location.diff - add apparmor-abstractions-no-multiline.diff: change all multiline rules into one line. Needed for yast2-apparmor (bnc#900013) OBS-URL: https://build.opensuse.org/request/show/257520 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=104 --- apparmor-2.8.97.tar.gz | 3 - apparmor-2.8.97.tar.gz.asc | 7 - apparmor-2.9.0.tar.gz | 3 + apparmor-2.9.0.tar.gz.asc | 7 + apparmor-abstractions-no-multiline.diff | 285 +++++++++++++++++++++++ apparmor-profiles-ntpd-pid-location.diff | 12 - apparmor.changes | 25 ++ apparmor.spec | 10 +- 8 files changed, 327 insertions(+), 25 deletions(-) delete mode 100644 apparmor-2.8.97.tar.gz delete mode 100644 apparmor-2.8.97.tar.gz.asc create mode 100644 apparmor-2.9.0.tar.gz create mode 100644 apparmor-2.9.0.tar.gz.asc create mode 100644 apparmor-abstractions-no-multiline.diff delete mode 100644 apparmor-profiles-ntpd-pid-location.diff 
diff --git a/apparmor-2.8.97.tar.gz b/apparmor-2.8.97.tar.gz
deleted file mode 100644
index f247368..0000000
--- a/apparmor-2.8.97.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:170a6495dd48246df1c042aa562fb759b287331ceed62c67961c81dc7ce6cba4
-size 2360991
diff --git a/apparmor-2.8.97.tar.gz.asc b/apparmor-2.8.97.tar.gz.asc
deleted file mode 100644
index f9ca304..0000000
--- a/apparmor-2.8.97.tar.gz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlQuRy8ACgkQgTeYuayTEnFnyACgyxwM2udlu+OnuaZwyMo0vsNZ
-YacAn0lEU5qGxRHoSQv/h7Uo7c9qhhtg
-=Bo0m
------END PGP SIGNATURE-----
diff --git a/apparmor-2.9.0.tar.gz b/apparmor-2.9.0.tar.gz
new file mode 100644
index 0000000..89c52ad
--- /dev/null
+++ b/apparmor-2.9.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:782df74c8a7a8a5302b4ad0d00184a7e623ef0631c1b8a16a1d92a968e4b4b6b
+size 2354837
diff --git a/apparmor-2.9.0.tar.gz.asc b/apparmor-2.9.0.tar.gz.asc
new file mode 100644
index 0000000..96b1375
--- /dev/null
+++ b/apparmor-2.9.0.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlRBdzoACgkQgTeYuayTEnESHwCfbHmZyLtb6Qn/Pj6479thHvkA
+R4AAoLWmkDZtpTJKSH5eUntBEuUtLrs9
+=wdnW
+-----END PGP SIGNATURE-----
diff --git a/apparmor-abstractions-no-multiline.diff b/apparmor-abstractions-no-multiline.diff
new file mode 100644
index 0000000..c03cbc4
--- /dev/null
+++ b/apparmor-abstractions-no-multiline.diff
@@ -0,0 +1,285 @@ +=== modified file 'profiles/apparmor.d/abstractions/X' +Index: profiles/apparmor.d/abstractions/X +=================================================================== +--- profiles/apparmor.d/abstractions/X.orig 2014-10-18 13:11:18.498652324 +0200 ++++ profiles/apparmor.d/abstractions/X 2014-10-18 13:11:31.097494817 +0200 +@@ -23,9 +23,7 @@ + + # the unix socket to use to connect to the display + /tmp/.X11-unix/* w, +- unix (connect, receive, send) +- type=stream +- peer=(addr="@/tmp/.X11-unix/X[0-9]*"), ++ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + + /usr/include/X11/ r, + /usr/include/X11/** r, +Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict +=================================================================== +--- profiles/apparmor.d/abstractions/dbus-accessibility-strict.orig 2014-10-18 13:11:18.498652324 +0200 ++++ profiles/apparmor.d/abstractions/dbus-accessibility-strict 2014-10-18 13:11:31.098494805 +0200 +@@ -9,9 +9,4 @@ + # + # ------------------------------------------------------------------ + +- dbus send +- bus=accessibility +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} +- peer=(name=org.freedesktop.DBus), ++ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), +Index: profiles/apparmor.d/abstractions/dbus-session-strict +=================================================================== +--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200 ++++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200 +@@ -13,13 +13,6 @@ + /etc/machine-id r, + /var/lib/dbus/machine-id r, + +- unix (connect, receive, send) +- type=stream +- peer=(addr="@/tmp/dbus-*"), ++ 
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), + +- dbus send +- bus=session +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} +- peer=(name=org.freedesktop.DBus), ++ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), +Index: profiles/apparmor.d/abstractions/dbus-strict +=================================================================== +--- profiles/apparmor.d/abstractions/dbus-strict.orig 2014-10-18 13:11:18.498652324 +0200 ++++ profiles/apparmor.d/abstractions/dbus-strict 2014-10-18 13:11:31.098494805 +0200 +@@ -11,9 +11,4 @@ + + /{,var/}run/dbus/system_bus_socket rw, + +- dbus send +- bus=system +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} +- peer=(name=org.freedesktop.DBus), ++ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), +Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base +=================================================================== +--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2014-10-18 13:11:18.497652337 +0200 ++++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2014-10-18 13:11:31.098494805 +0200 +@@ -16,41 +16,16 @@ + #include + + # Allow connecting to session bus and where to connect to services +- dbus (send) +- bus=session +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member=Hello +- peer=(name=org.freedesktop.DBus), +- dbus (send) +- bus=session +- path=/org/freedesktop/{db,DB}us +- interface=org.freedesktop.DBus +- member={Add,Remove}Match +- peer=(name=org.freedesktop.DBus), ++ dbus 
(send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), + # NameHasOwner and GetNameOwner could leak running processes and apps + # depending on how services are implemented +- dbus (send) +- bus=session +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member=GetNameOwner +- peer=(name=org.freedesktop.DBus), +- dbus (send) +- bus=session +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member=NameHasOwner +- peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), + + # Allow starting services on the session bus (actual communications with + # the service are mediated elsewhere) +- dbus (send) +- bus=session +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member=StartServiceByName +- peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), + + # Allow connecting to system bus and where to connect to services. Put these + # here so we don't need to repeat these rules in multiple places (actual +@@ -58,108 +33,47 @@ + # allow apps to brute-force enumerate system services, but our system + # services aren't a secret. 
+ /{,var/}run/dbus/system_bus_socket rw, +- dbus (send) +- bus=system +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member=Hello +- peer=(name=org.freedesktop.DBus), +- dbus (send) +- bus=system +- path=/org/freedesktop/{db,DB}us +- interface=org.freedesktop.DBus +- member={Add,Remove}Match +- peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), + # NameHasOwner and GetNameOwner could leak running processes and apps + # depending on how services are implemented +- dbus (send) +- bus=system +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member=GetNameOwner +- peer=(name=org.freedesktop.DBus), +- dbus (send) +- bus=system +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member=NameHasOwner +- peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), ++ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), + + # + # Access required for connecting to/communication with Unity HUD + # +- dbus (send) +- bus=session +- path="/com/canonical/hud", +- dbus (send) +- bus=session +- interface="com.canonical.hud.*", +- dbus (send) +- bus=session +- path="/com/canonical/hud/applications/*", +- dbus (receive) +- bus=session +- path="/com/canonical/hud", +- dbus (receive) +- bus=session +- interface="com.canonical.hud.*", ++ dbus (send) bus=session path="/com/canonical/hud", ++ dbus (send) bus=session interface="com.canonical.hud.*", ++ dbus (send) bus=session path="/com/canonical/hud/applications/*", ++ dbus (receive) bus=session path="/com/canonical/hud", ++ dbus (receive) 
bus=session interface="com.canonical.hud.*", + + # + # Allow access for connecting to/communication with the appmenu + # + # dbusmenu +- dbus (send) +- bus=session +- interface="com.canonical.AppMenu.*", +- dbus (receive, send) +- bus=session +- path=/com/canonical/menu/**, ++ dbus (send) bus=session interface="com.canonical.AppMenu.*", ++ dbus (receive, send) bus=session path=/com/canonical/menu/**, + + # gmenu +- dbus (receive, send) +- bus=session +- interface=org.gtk.Actions, +- dbus (receive, send) +- bus=session +- interface=org.gtk.Menus, ++ dbus (receive, send) bus=session interface=org.gtk.Actions, ++ dbus (receive, send) bus=session interface=org.gtk.Menus, + + # + # Access required for using freedesktop notifications + # +- dbus (send) +- bus=session +- path=/org/freedesktop/Notifications +- member=GetCapabilities, +- dbus (send) +- bus=session +- path=/org/freedesktop/Notifications +- member=GetServerInformation, +- dbus (send) +- bus=session +- path=/org/freedesktop/Notifications +- member=Notify, +- dbus (receive) +- bus=session +- member="Notify" +- peer=(name="org.freedesktop.DBus"), +- dbus (receive) +- bus=session +- path=/org/freedesktop/Notifications +- member=NotificationClosed, +- dbus (send) +- bus=session +- path=/org/freedesktop/Notifications +- member=CloseNotification, ++ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetCapabilities, ++ dbus (send) bus=session path=/org/freedesktop/Notifications member=GetServerInformation, ++ dbus (send) bus=session path=/org/freedesktop/Notifications member=Notify, ++ dbus (receive) bus=session member="Notify" peer=(name="org.freedesktop.DBus"), ++ dbus (receive) bus=session path=/org/freedesktop/Notifications member=NotificationClosed, ++ dbus (send) bus=session path=/org/freedesktop/Notifications member=CloseNotification, + + # accessibility +- dbus (send) +- bus=session +- peer=(name=org.a11y.Bus), +- dbus (receive) +- bus=session +- interface=org.a11y.atspi*, +- dbus (receive, 
send) +- bus=accessibility, ++ dbus (send) bus=session peer=(name=org.a11y.Bus), ++ dbus (receive) bus=session interface=org.a11y.atspi*, ++ dbus (receive, send) bus=accessibility, + + # + # Deny potentially dangerous access +Index: profiles/apparmor.d/abstractions/ubuntu-unity7-launcher +=================================================================== +--- profiles/apparmor.d/abstractions/ubuntu-unity7-launcher.orig 2014-10-18 13:11:18.497652337 +0200 ++++ profiles/apparmor.d/abstractions/ubuntu-unity7-launcher 2014-10-18 13:11:31.098494805 +0200 +@@ -1,7 +1,4 @@ + # + # Access required for connecting to/communicating with the Unity Launcher + # +- dbus (send) +- bus=session +- interface="com.canonical.Unity.LauncherEntry" +- member="Update", ++ dbus (send) bus=session interface="com.canonical.Unity.LauncherEntry" member="Update", +Index: profiles/apparmor.d/abstractions/ubuntu-unity7-messaging +=================================================================== +--- profiles/apparmor.d/abstractions/ubuntu-unity7-messaging.orig 2014-10-18 13:11:18.498652324 +0200 ++++ profiles/apparmor.d/abstractions/ubuntu-unity7-messaging 2014-10-18 13:11:31.099494792 +0200 +@@ -2,6 +2,4 @@ + # Access required for connecting to/communicating with the Unity messaging + # indicator + # +- dbus (receive, send) +- bus=session +- path="/com/canonical/indicator/messages/*", ++ dbus (receive, send) bus=session path="/com/canonical/indicator/messages/*", +Index: profiles/apparmor.d/abstractions/gnome +=================================================================== +--- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200 ++++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200 +@@ -88,6 +88,4 @@ + + # Allow connecting to the GNOME vfs socket (still need corresponding DBus + # rules) +- unix (send, receive, connect) +- type=stream +- peer=(addr="@/dbus-vfs-daemon/socket-*"), ++ unix (send, receive, connect) type=stream 
peer=(addr="@/dbus-vfs-daemon/socket-*"),
diff --git a/apparmor-profiles-ntpd-pid-location.diff b/apparmor-profiles-ntpd-pid-location.diff
deleted file mode 100644
index d12640a..0000000
--- a/apparmor-profiles-ntpd-pid-location.diff
+++ /dev/null
@@ -1,12 +0,0 @@
-=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
---- profiles/apparmor.d/usr.sbin.ntpd 2013-11-14 20:48:51 +0000
-+++ profiles/apparmor.d/usr.sbin.ntpd 2014-10-06 17:57:46 +0000
-@@ -55,6 +55,7 @@
- /var/opt/novell/xad/rpc/xadsd rw,
- /{,var/}run/nscd/services r,
- /{,var/}run/ntpd.pid w,
-+ /{,var/}run/ntp/ntpd.pid w,
- /var/tmp/ntp* rwl,
- @{PROC}/@{pid}/net/if_inet6 r,
-
-
diff --git a/apparmor.changes b/apparmor.changes
index 80a6d97..613915c 100644
--- a/apparmor.changes
+++ b/apparmor.changes
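Review bot: The new patch file opens with `=== modified file 'profiles/apparmor.d/abstractions/X'`, a bzr-style header that duplicates the `Index:`/`---`/`+++` block directly below it and is not repeated for any of the other seven files, so it looks like a leftover from an earlier generation of the patch rather than part of its format. I would drop it, or better replace it with a short description header such as `# Flatten multi-line unix/dbus rules in the abstractions to one line: the perl module used by yast2-apparmor cannot parse multi-line rules (bnc#900013). Not for upstream; refresh on every version update.` so the purpose travels with the file instead of living only in the spec comment. Comparing each removed multi-line rule with its one-line replacement, the tokens appear identical in every file touched, so the mediation semantics should be unchanged by the rewrite.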
@@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Sat Oct 18 09:43:19 UTC 2014 - opensuse@cboltz.de + +- update to AppArmor 2.9.0 (r2759) + - change aa-mergeprof to the final commandline syntax + - lots of bugfixes in the aa-* tools (bnc#900163, lp#1328707 and several + bugs without a formal bugreport) + - small additions to gnome, freedesktop.org, ubuntu-browsers.d/java + and user-mail abstractions + - fix mod_apparmor to not break basic auth + - update perl modules to support signal, unix and ptrace rules (bnc#900013) + - don't warn about rules not supported by the kernel + - fix logging of "audit capability" (lp#1378091) + - add support for the "hat" keyword in apparmor.vim + - build html version of apparmor.vim manpage again (lp#1366572) + - see also http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0 +- update apparmor-abstractions-no-multiline.diff +- remove upstreamed apparmor-profiles-ntpd-pid-location.diff + +------------------------------------------------------------------- +Fri Oct 10 23:22:26 UTC 2014 - opensuse@cboltz.de + +- add apparmor-abstractions-no-multiline.diff: change all multiline + rules into one line. Needed for yast2-apparmor (bnc#900013) + ------------------------------------------------------------------- Mon Oct 6 18:07:50 UTC 2014 - opensuse@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 5318d08..8455803 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -60,7 +60,7 @@ Name: apparmor %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.8.97 +Version: 2.9.0 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ 
@@ -88,8 +88,9 @@ Patch4: apparmor-2.5.1-edirectory-profile # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de Patch5: ruby-2_0-mkmf-destdir.patch -# Allow new pid location in ntpd profile (bnc#899746 - commited upstream trunk r2723, 2.8 branch r2145) -Patch6: apparmor-profiles-ntpd-pid-location.diff +# change multiline rules in abstractions to one line - needed because YaST still uses the perl module, which doesn't support multiline rules +# (bnc#900013, not for upstream) +Patch6: apparmor-abstractions-no-multiline.diff Url: https://launchpad.net/apparmor PreReq: sed @@ -431,6 +432,8 @@ SubDomain. %endif %patch6 +# search for left-over multiline rules +test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" %build echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 @@ -590,6 +593,7 @@ echo ------------------------------------------------------------------- %files docs %defattr(-,root,root) %doc parser/*.[1-9].html +%doc utils/vim/apparmor.vim.5.html %doc common/apparmor.css %doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt # apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
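Review bot: The left-over multi-line check added after `%patch6` in the `@@ -431,6 +432,8 @@` hunk only proves that a rule's opening line contains no comma, because `[^,]*$` runs to end of line; a multi-line rule whose first line already carries a comma inside braces (for example `dbus send bus=session member={Add,Remove}Match` followed by a `peer=(...)` continuation) therefore passes the test unnoticed, and testing for "does not end in a comma" closes that gap: `test -z "$(grep -rE '^\s*(unix|dbus)\b' profiles/apparmor.d/ | grep -vE ',\s*$')"` (extend the second pattern if any rule lines carry trailing comments). The `^\s*` anchor also skips rules prefixed with `audit` or `deny`, and since the Patch6 comment in the first hunk says the perl module cannot parse multi-line rules in general, the other rule types the changelog says it now handles (signal, ptrace) may deserve the same check — I cannot tell from here whether the profile tree contains such rules. Note too that `grep -r` on a missing `profiles/apparmor.d/` only writes to stderr, so the `test -z` would pass vacuously in that case. The %prep section this runs in begins before the hunk.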