Accepting request 966667 from security:apparmor

- ensure precompiled cache files are newer than (text) profiles - reload profiles in %posttrans instead of %post to ensure both -profiles and -abstractons package are updated before the cache in /var/cache/apparmor/ gets built (boo#1195463 #c20) (forwarded request 966666 from cboltz) OBS-URL: https://build.opensuse.org/request/show/966667 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=166
2022-04-05 17:55:25 +00:00 · 2022-04-05 17:55:25 +00:00 · bd594ec2cb
commit bd594ec2cb
parent fe99ae5b7e f697678c37
2 changed files with 14 additions and 4 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar 29 20:04:22 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
+
+- ensure precompiled cache files are newer than (text) profiles
+- reload profiles in %posttrans instead of %post to ensure both
+  -profiles and -abstractons package are updated before the cache
+  in /var/cache/apparmor/ gets built (boo#1195463 #c20)
+
 -------------------------------------------------------------------
 Thu Mar 24 14:09:58 UTC 2022 - Noel Power <nopower@suse.com>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -63,7 +63,7 @@ Source7:        apparmor-rpmlintrc
 # and set cache-loc in parser.conf and apparmor.service accordingly
 Patch1:         apparmor-enable-profile-cache.diff

-# include autogenerated profile sniplet for samba shares (bnc#688040)
+# include autogenerated profile sniplet for samba shares (bnc#688040) - upstreamed as part of https://gitlab.com/apparmor/apparmor/-/merge_requests/838 2022-02-16 (master + 3.0 branch)
 Patch2:         apparmor-samba-include-permissions-for-shares.diff

 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
@ -442,7 +442,9 @@ mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
 %if %{with precompiled_cache}
 install -d -m 755 %{buildroot}/usr/share/apparmor/cache
 echo -e "\n\n    *** WARNING: precompiling cache is known to fail under 'osc build' - use 'osc build --vm-type kvm' instead or skip building the precompiled cache with 'osc build --without precompiled_cache' ***\n\n"
-cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
+# ensure cache files are newer than (text) profiles by sleeping a few seconds, and using cp -r which updates the timestamps
+sleep 2
+cp -r profiles/cache/* %{buildroot}/usr/share/apparmor/cache
 test -f %{buildroot}/usr/share/apparmor/cache/*/.features
 test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
 %endif
@ -718,13 +720,13 @@ export DISABLE_RESTART_ON_UPDATE="yes"
 %service_del_postun_without_restart apparmor.service
 %endif

-%post abstractions
+%posttrans abstractions
 # workaround for bnc#904620#c8 / lp#1392042
 rm -f /var/cache/apparmor/* 2>/dev/null
 #restart_on_update apparmor - but non-broken (bnc#853019)
 systemctl is-active -q apparmor && systemctl reload apparmor ||:

-%post profiles
+%posttrans profiles
 # workaround for bnc#904620#c8 / lp#1392042
 # old cache location up to 2.12
 rm -f /var/lib/apparmor/cache/* 2>/dev/null