Accepting request 81356 from security:apparmor:factory

- install SubDomain.pm compat module (bnc#713408)

- Update to 2.6.1.
  - One patch eliminated
  - Lots of minor fixes
  - Split out more common abstractions
- Add check_for_apparmor() helper.

- dhcpd: Fix apparmor profile (bnc#692428)

 
- Fixed typos in descriptions and summaries of apparmor.spec
 

- move the requires and prerequires to the right package

OBS-URL: https://build.opensuse.org/request/show/81356
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=20
This commit is contained in:
Sascha Peilicke 2011-09-09 09:06:14 +00:00 committed by Git OBS Bridge
parent 01f6bae72d
commit c36abb7d55
13 changed files with 155 additions and 15025 deletions

View File

@ -17,7 +17,7 @@ Signed-off-by: Jeff Mahoney <jeffm@suse.com>
--- a/profiles/apparmor.d/abstractions/nameservice --- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice +++ b/profiles/apparmor.d/abstractions/nameservice
@@ -70,6 +70,9 @@ @@ -72,6 +72,9 @@
# kerberos # kerberos
#include <abstractions/kerberosclient> #include <abstractions/kerberosclient>

View File

@ -48,7 +48,7 @@
# db backend # db backend
/var/lib/misc/*.db r, /var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading # The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -58,6 +53,9 @@ @@ -60,6 +55,9 @@
# nis # nis
#include <abstractions/nis> #include <abstractions/nis>

File diff suppressed because it is too large Load Diff

34
apparmor-2.6.0-dhcpd Normal file
View File

@ -0,0 +1,34 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: dhcpd: Fix apparmor profile
References: bnc#692428
This patch adds the network rules needed, corrects the path to dhcpd.leases,
and adds the path for TSIG DNS keys.
Reported-by: Andrew Beames <suseforum@roocomputing.co.uk>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/usr.sbin.dhcpd | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
@@ -21,12 +21,17 @@
capability setuid,
capability sys_chroot,
+ network inet raw,
+ network packet raw,
+
/db/dhcpd.leases* lrw,
/etc/dhcpd.conf r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/usr/sbin/dhcpd rmix,
- /var/lib/dhcp/dhcpd.leases* rwl,
+ /var/lib/dhcp/db/dhcpd.leases* rwl,
/var/lib/dhcp/etc/dhcpd.conf r,
/var/run/dhcpd.pid wl,
+ /etc/named.d/* r,
+ @{PROC}/net/dev r,
}

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b08f90ee4d6774d1fe176adfa5764e3d24a6b1976b249757f25203b52216f857
size 1240705

3
apparmor-2.6.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d8b6d41181354a603bd0e1a79cb0a971339fd3366b12b18da3b648fe259ef915
size 1242129

23
apparmor-compat-routines Normal file
View File

@ -0,0 +1,23 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Add check_for_apparmor helper.
This should be an alias but those get complicated quickly in perl.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Immunix/AppArmor.pm | 4 ++++
1 file changed, 4 insertions(+)
--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -463,6 +463,10 @@ sub check_for_subdomain () {
return $sd_mountpoint;
}
+sub check_for_apparmor () {
+ return check_for_subdomain();
+}
+
sub which ($) {
my $file = shift;

View File

@ -1,15 +0,0 @@
---
parser/tst/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -12,7 +12,7 @@ endif
all: tests
.PHONY: tests error_output gen_xtrans parser_sanity caching
-tests: error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity
gen_xtrans:
./gen-xtrans.pl

View File

@ -1,9 +1,9 @@
--- ---
parser/rc.aaeventd.suse | 2 +- parser/rc.aaeventd.suse | 2 +-
parser/rc.apparmor.functions | 14 +++++++------- parser/rc.apparmor.functions | 9 ++++-----
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++- parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
3 files changed, 30 insertions(+), 9 deletions(-) 3 files changed, 27 insertions(+), 7 deletions(-)
--- a/parser/rc.aaeventd.suse --- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse +++ b/parser/rc.aaeventd.suse
@ -43,25 +43,6 @@
fi fi
aa_log_end_msg 0 aa_log_end_msg 0
return 0 return 0
@@ -412,7 +411,8 @@ remove_profiles() {
#them so stor to tmp first
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- cat "$MODULE_PLIST" | while read profile ; do
+ # Skip subprofiles, they'll be removed with the owning profile
+ grep -v // "$MODULE_PLIST" | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
rc=$?
if [ ${rc} -ne 0 ] ; then
@@ -427,7 +427,7 @@ apparmor_stop() {
aa_log_daemon_msg "Unloading AppArmor profiles "
remove_profiles
rc=$?
- log_end_msg $rc
+ aa_log_end_msg $rc
return $rc
}
--- a/parser/rc.apparmor.suse --- a/parser/rc.apparmor.suse
+++ b/parser/rc.apparmor.suse +++ b/parser/rc.apparmor.suse
@@ -31,6 +31,7 @@ @@ -31,6 +31,7 @@

View File

@ -1,7 +1,16 @@
Index: apparmor-2.6.0/parser/rc.apparmor.functions From: Federic Crozat <fcrozat@suse.com>
=================================================================== Subkect: apparmor: Let systemd automount securityfs
--- apparmor-2.6.0.orig/parser/rc.apparmor.functions References: bnc#704460
+++ apparmor-2.6.0/parser/rc.apparmor.functions
Do not mount securityfs when running under systemd, just access
the directory, systemd will automount it
---
parser/rc.apparmor.functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -295,7 +295,7 @@ is_apparmor_loaded() { @@ -295,7 +295,7 @@ is_apparmor_loaded() {
} }

View File

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Aug 22 11:54:21 UTC 2011 - opensuse@cboltz.de
- install SubDomain.pm compat module (bnc#713408)
-------------------------------------------------------------------
Wed Aug 3 02:46:08 CEST 2011 - jeffm@suse.de
- Update to 2.6.1.
- One patch eliminated
- Lots of minor fixes
- Split out more common abstractions
- Add check_for_apparmor() helper.
-------------------------------------------------------------------
Tue Aug 2 17:07:43 CEST 2011 - jeffm@suse.de
- dhcpd: Fix apparmor profile (bnc#692428)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Aug 2 09:19:45 UTC 2011 - fcrozat@suse.com Tue Aug 2 09:19:45 UTC 2011 - fcrozat@suse.com
@ -5,12 +24,22 @@ Tue Aug 2 09:19:45 UTC 2011 - fcrozat@suse.com
when running under systemd, just access the directory, systemd when running under systemd, just access the directory, systemd
will automount it (bnc#704460). will automount it (bnc#704460).
-------------------------------------------------------------------
Sun Jul 17 20:04:18 UTC 2011 - andrea.turrini@gmail.com
- Fixed typos in descriptions and summaries of apparmor.spec
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jun 24 16:02:21 CEST 2011 - jeffm@suse.de Fri Jun 24 16:02:21 CEST 2011 - jeffm@suse.de
- Fixed building of pam_apparmor to properly link libpam (bnc#696553). - Fixed building of pam_apparmor to properly link libpam (bnc#696553).
- Fixed building of apache2-mod_apparmor to properly link (bnc#701821). - Fixed building of apache2-mod_apparmor to properly link (bnc#701821).
-------------------------------------------------------------------
Tue Jun 21 09:54:28 UTC 2011 - coolo@novell.com
- move the requires and prerequires to the right package
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 27 17:28:58 UTC 2011 - opensuse@cboltz.de Wed Apr 27 17:28:58 UTC 2011 - opensuse@cboltz.de

View File

@ -45,8 +45,8 @@ Name: apparmor
%define distro suse %define distro suse
%endif %endif
Summary: AppArmor userlevel parser utility Summary: AppArmor userlevel parser utility
Version: 2.6.0 Version: 2.6.1
Release: 58 Release: 56
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Source0: apparmor-%{version}.tar.bz2 Source0: apparmor-%{version}.tar.bz2
Source1: %{name}-profile-editor.png Source1: %{name}-profile-editor.png
@ -54,7 +54,6 @@ Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh Source3: update-trans.sh
Patch1: apparmor-scripts Patch1: apparmor-scripts
Patch2: apparmor-no-caching-test
Patch3: apparmor-utils-add-log-types Patch3: apparmor-utils-add-log-types
Patch4: apparmor-utils-filenames-in-slash Patch4: apparmor-utils-filenames-in-slash
Patch5: apparmor-utils-string-split Patch5: apparmor-utils-string-split
@ -75,6 +74,8 @@ Patch19: klog-needs-CAP_SYSLOG
Patch20: apparmor-profiles-dhclient Patch20: apparmor-profiles-dhclient
Patch21: apparmor-utils-subdomain-compat Patch21: apparmor-utils-subdomain-compat
Patch22: apparmor-securityfs-systemd.patch Patch22: apparmor-securityfs-systemd.patch
Patch23: apparmor-2.6.0-dhcpd
Patch24: apparmor-compat-routines
License: GPLv2+ License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor Url: https://launchpad.net/apparmor
@ -99,12 +100,6 @@ BuildRequires: python-devel swig
BuildRequires: ruby-devel swig BuildRequires: ruby-devel swig
%endif %endif
%if %{with pam}
BuildRequires: pam-devel
Requires: pam pam-config
PreReq: pam pam-config
%endif
%if %{with apache} %if %{with apache}
BuildRequires: apache2-devel BuildRequires: apache2-devel
%endif %endif
@ -246,7 +241,7 @@ Obsoletes: perl-libapparmor < 2.5
%description -n perl-apparmor %description -n perl-apparmor
This package provides the perl interface to AppArmor. It is used for perl This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor, including the AppArmor utiltities. applications interfacing with AppArmor, including the AppArmor utilities.
Authors: Authors:
-------- --------
@ -365,8 +360,11 @@ Authors:
%package -n pam_apparmor %package -n pam_apparmor
License: GPLv2 ; LGPLv2.1+ License: GPLv2 ; LGPLv2.1+
Summary: PAM module to for AppArmor change_hat Summary: PAM module for AppArmor change_hat
Group: Productivity/Security Group: Productivity/Security
BuildRequires: pam-devel
Requires: pam pam-config
PreReq: pam pam-config
%description -n pam_apparmor %description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications The pam_apparmor module provides the means for any PAM applications
@ -422,7 +420,7 @@ Summary: An AppArmor event notification applet for GNOME
Group: System/GUI/GNOME Group: System/GUI/GNOME
%description -n apparmorapplet-gnome %description -n apparmorapplet-gnome
This taskbar applet recieves AppArmor events over DBUS, and notifies This taskbar applet receives AppArmor events over DBUS, and notifies
the user when AppArmor prevents an application from functioning. the user when AppArmor prevents an application from functioning.
@ -448,7 +446,6 @@ SubDomain.
%prep %prep
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
@ -469,6 +466,8 @@ SubDomain.
%patch20 -p1 %patch20 -p1
%patch21 -p1 %patch21 -p1
%patch22 -p1 %patch22 -p1
%patch23 -p1
%patch24 -p1
%build %build
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0

View File

@ -5,7 +5,7 @@
--- a/parser/parser_misc.c --- a/parser/parser_misc.c
+++ b/parser/parser_misc.c +++ b/parser/parser_misc.c
@@ -125,6 +125,9 @@ static int get_table_token(const char *n @@ -129,6 +129,9 @@ static int get_table_token(const char *n
static struct keyword_table capability_table[] = { static struct keyword_table capability_table[] = {
/* capabilities */ /* capabilities */
#include "cap_names.h" #include "cap_names.h"
@ -15,7 +15,7 @@
/* terminate */ /* terminate */
{NULL, 0} {NULL, 0}
}; };
@@ -783,6 +786,7 @@ static const char *capnames[] = { @@ -866,6 +869,7 @@ static const char *capnames[] = {
"audit_control", "audit_control",
"setfcap", "setfcap",
"mac_override" "mac_override"