Accepting request 282158 from home:cboltz

- pull in upstream fixes since the 2.9.1 release - update logparser.py to support changed syslog format (lp#1399027) - update usr.sbin.dovecot and usr.lib.dovecot.imap{, -login} profiles (lp#1296667) - update the mysqld profile - fix network rule description in apparmor.d(5) manpage - drop upstreamed dnsmasq-profile-fixes.patch - update expired GPG key Also add a missing bnc number in the Jan 1 2015 changelog entry. OBS-URL: https://build.opensuse.org/request/show/282158 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=118
2015-01-20 21:05:09 +00:00 · 2015-01-20 21:05:09 +00:00 · c728560d5f
commit c728560d5f
parent 29b885b462
5 changed files with 457 additions and 62 deletions
--- a/apparmor-changes-since-2.9.1.diff
+++ b/apparmor-changes-since-2.9.1.diff
@ -0,0 +1,374 @@
+------------------------------------------------------------
+revno: 2839
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: 2.9
+timestamp: Sun 2015-01-18 14:57:10 +0100
+message:
+  Add some tests for logparser.py based on the log lines from
+  https://bugs.launchpad.net/apparmor/+bug/1399027
+  
+  Also move some existing tests from aa_test.py to test-logparser.py and
+  adds checks for RE_LOG_v2_6_audit and RE_LOG_v2_6_syslog to them.
+  
+  
+  Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
+------------------------------------------------------------
+revno: 2838
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: 2.9
+timestamp: Sat 2015-01-17 14:35:38 +0100
+message:
+  update logparser.py to support the changed syslog format by adding
+  (audit:\s+)?   to RE_LOG_v2_6_syslog
+  
+  References: https://bugs.launchpad.net/apparmor/+bug/1399027
+  
+  
+  Acked-by: Seth Arnold <seth.arnold@canonical.com> (for trunk)
+  
+  Acked-by: Steve Beattie <steve@nxnw.org> for 2.9 as well
+------------------------------------------------------------
+revno: 2837
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: 2.9
+timestamp: Mon 2014-12-22 17:57:40 +0100
+message:
+  Fix the dnsmasq profile to allow executing bash to run the --dhcp-script
+  argument. Also fixed /usr/lib -> /usr/{lib,lib64} to get libvirt
+  leasehelper script to run even on x86_64.
+  
+  References: https://bugzilla.opensuse.org/show_bug.cgi?id=911001
+  
+  Patch by "Cédric Bosdonnat" <cbosdonnat@suse.com>
+  
+  Note: the original patch used {lib,lib64} - I changed it to lib{,64} to
+  match the style we typically use.
+  
+  Acked-by: John Johansen <john.johansen@canonical.com>
+  
+  (backport of trunk r2841)
+------------------------------------------------------------
+revno: 2836
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: 2.9
+timestamp: Mon 2014-12-22 17:51:02 +0100
+message:
+  update and cleanup usr.sbin.dovecot profile
+  
+  Add #include <abstractions/dovecot-common> to the usr.sbin.dovecot
+  profile. Effectively this adds "deny capability block_suspend," which
+  is the only missing part from
+  https://bugs.launchpad.net/apparmor/+bug/1296667/
+  
+  Also remove "capability setgid," (covered by
+  abstractions/dovecot-common) and "@{PROC}/filesystems r," (part of
+  abstractions/base).
+  
+  Acked-by: John Johansen <john.johansen@canonical.com>
+  
+  (backport of trunk r2840)
+------------------------------------------------------------
+revno: 2835
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: 2.9
+timestamp: Mon 2014-12-22 17:43:54 +0100
+message:
+  Add some missing /run/dovecot/* to usr.lib.dovecot.imap{, -login}
+  
+  Add the needed permissions as reported in
+  https://bugs.launchpad.net/apparmor/+bug/1296667/ comment #1
+  to the usr.lib.dovecot.imap and imap-login profiles.
+  
+  Acked-by: John Johansen <john.johansen@canonical.com>
+  
+  (backport of trunk r2839)
+------------------------------------------------------------
+revno: 2834
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: 2.9
+timestamp: Mon 2014-12-22 17:39:29 +0100
+message:
+  update the mysqld profile in the extras directory to
+  something that works on my servers ;-)
+  
+  Acked-by: John Johansen <john.johansen@canonical.com>
+  
+  (backport of trunk r2838)
+------------------------------------------------------------
+revno: 2833
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: 2.9
+timestamp: Fri 2014-12-19 13:57:12 +0100
+message:
+  fix network rule description in apparmor.d.pod
+  
+  (backport from trunk r2837)
+  
+  Acked-by: John Johansen <john.johansen@canonical.com> (for trunk)
+  
+  Acked-by: Steve Beattie <steve@nxnw.org> (for 2.9)
+------------------------------------------------------------
+
+
+=== modified file 'parser/apparmor.d.pod'
+--- parser/apparmor.d.pod	2014-12-12 14:20:31 +0000
+++ parser/apparmor.d.pod	2014-12-19 12:57:12 +0000
+@@ -61,7 +61,7 @@
+ B<CAPABILITY> = (lowercase capability name without 'CAP_' prefix; see
+ capabilities(7))
+ 
+-B<NETWORK RULE> = 'network' [ [ I<DOMAIN> ] [ I<TYPE> ] [ I<PROTOCOL> ] ] ','
+B<NETWORK RULE> = 'network' [ [ I<DOMAIN> [ I<TYPE> | I<PROTOCOL> ] ] | [ I<PROTOCOL> ] ] ','
+ 
+ B<DOMAIN> = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' ) ','
+ 
+
+=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap'
+--- profiles/apparmor.d/usr.lib.dovecot.imap	2014-09-25 22:37:14 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap	2014-12-22 16:43:54 +0000
+@@ -26,6 +26,7 @@
+ 
+   @{HOME} r, # ???
+   /usr/lib/dovecot/imap mr,
+  /{,var/}run/dovecot/auth-master rw,
+ 
+   # Site-specific additions and overrides. See local/README for details.
+   #include <local/usr.lib.dovecot.imap>
+
+=== modified file 'profiles/apparmor.d/usr.lib.dovecot.imap-login'
+--- profiles/apparmor.d/usr.lib.dovecot.imap-login	2014-06-27 19:14:53 +0000
+++ profiles/apparmor.d/usr.lib.dovecot.imap-login	2014-12-22 16:43:54 +0000
+@@ -24,6 +24,7 @@
+   network inet6 stream,
+ 
+   /usr/lib/dovecot/imap-login mr,
+  /{,var/}run/dovecot/anvil rw,
+   /{,var/}run/dovecot/login/ r,
+   /{,var/}run/dovecot/login/* rw,
+ 
+
+=== modified file 'profiles/apparmor.d/usr.sbin.dnsmasq'
+--- profiles/apparmor.d/usr.sbin.dnsmasq	2014-12-02 17:46:26 +0000
+++ profiles/apparmor.d/usr.sbin.dnsmasq	2014-12-22 16:57:40 +0000
+@@ -45,6 +45,8 @@
+ 
+   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+ 
+  /bin/bash ix, # Required to execute --dhcp-script argument
+
+   # access to iface mtu needed for Router Advertisement messages in IPv6
+   # Neighbor Discovery protocol (RFC 2461)
+   @{PROC}/sys/net/ipv6/conf/*/mtu r,
+@@ -64,7 +66,7 @@
+   /{,var/}run/libvirt/network/*.pid rw,
+ 
+   # libvirt lease helper
+-  /usr/lib/libvirt/libvirt_leaseshelper ix,
+  /usr/lib{,64}/libvirt/libvirt_leaseshelper ix,
+   /{,var/}run/leaseshelper.pid rwk,
+ 
+   # NetworkManager integration
+
+=== modified file 'profiles/apparmor.d/usr.sbin.dovecot'
+--- profiles/apparmor.d/usr.sbin.dovecot	2014-09-03 19:45:56 +0000
+++ profiles/apparmor.d/usr.sbin.dovecot	2014-12-22 16:51:02 +0000
+@@ -15,6 +15,7 @@
+ /usr/sbin/dovecot {
+   #include <abstractions/authentication>
+   #include <abstractions/base>
+  #include <abstractions/dovecot-common>
+   #include <abstractions/mysql>
+   #include <abstractions/nameservice>
+   #include <abstractions/ssl_certs>
+@@ -25,7 +26,6 @@
+   capability fsetid,
+   capability kill,
+   capability net_bind_service,
+-  capability setgid,
+   capability setuid,
+   capability sys_chroot,
+ 
+@@ -34,7 +34,6 @@
+   /etc/lsb-release r,
+   /etc/SuSE-release r,
+   @{PROC}/@{pid}/mounts r,
+-  @{PROC}/filesystems r,
+   /usr/bin/doveconf rix,
+   /usr/lib/dovecot/anvil Px,
+   /usr/lib/dovecot/auth Px,
+
+=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.mysqld'
+--- profiles/apparmor/profiles/extras/usr.sbin.mysqld	2007-05-16 18:51:46 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.mysqld	2014-12-22 16:39:29 +0000
+@@ -1,6 +1,9 @@
+# Last Modified: Mon Dec  1 22:23:12 2014
+
+ # ------------------------------------------------------------------
+ #
+ #    Copyright (C) 2002-2005 Novell/SUSE
+#    Copyright (C) 2014 Christian Boltz
+ #
+ #    This program is free software; you can redistribute it and/or
+ #    modify it under the terms of version 2 of the GNU General Public
+@@ -8,12 +11,12 @@
+ #
+ # ------------------------------------------------------------------
+ # vim:syntax=apparmor
+-# Last Modified: Wed Aug 17 14:28:07 2005
+ 
+ #include <tunables/global>
+ 
+ /usr/sbin/mysqld {
+   #include <abstractions/base>
+  #include <abstractions/mysql>
+   #include <abstractions/nameservice>
+   #include <abstractions/user-tmp>
+ 
+@@ -21,8 +24,22 @@
+   capability setgid,
+   capability setuid,
+ 
+  /etc/hosts.allow r,
+  /etc/hosts.deny r,
+   /etc/my.cnf r,
+  /etc/my.cnf.d/ r,
+  /etc/my.cnf.d/*.cnf r,
+  /root/.my.cnf r,
+  /usr/lib{,32,64}/**.so mr,
+   /usr/sbin/mysqld r,
+  /usr/share/mariadb/*/errmsg.sys r,
+  /usr/share/mysql-community-server/*/errmsg.sys r,
+   /usr/share/mysql/** r,
+-  /var/lib/mysql/** lrw,
+  /var/lib/mysql/ r,
+  /var/lib/mysql/** rwl,
+  /var/log/mysql/mysqld-upgrade-run.log w,
+  /var/log/mysql/mysqld.log w,
+  /var/log/mysql/mysqld.log-20* w,
+  /{,var/}run/mysql/mysqld.pid w,
+
+ }
+
+=== modified file 'utils/apparmor/logparser.py'
+--- utils/apparmor/logparser.py	2014-08-20 22:55:44 +0000
+++ utils/apparmor/logparser.py	2015-01-17 13:35:38 +0000
+@@ -25,7 +25,7 @@
+ _ = init_translation()
+ 
+ class ReadLog:
+-    RE_LOG_v2_6_syslog = re.compile('kernel:\s+(\[[\d\.\s]+\]\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=')
+    RE_LOG_v2_6_syslog = re.compile('kernel:\s+(\[[\d\.\s]+\]\s+)?(audit:\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=')
+     RE_LOG_v2_6_audit = re.compile('type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=')
+     # Used by netdomain to identify the operation types
+     # New socket names
+
+=== modified file 'utils/test/aa_test.py'
+--- utils/test/aa_test.py	2014-07-26 00:49:06 +0000
+++ utils/test/aa_test.py	2015-01-18 13:57:10 +0000
+@@ -86,29 +86,6 @@
+         for path in globs.keys():
+             self.assertEqual(apparmor.aa.glob_path_withext(path), globs[path], 'Unexpected glob generated for path: %s'%path)
+ 
+-    def test_parse_event(self):
+-        parser = apparmor.logparser.ReadLog('', '', '', '', '')
+-        event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30'
+-        parsed_event = parser.parse_event(event)
+-        self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg', 'Incorrectly parsed/decoded name')
+-        self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo', 'Incorrectly parsed/decode profile name')
+-        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+-        self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a']))
+-        #print(parsed_event)
+-
+-        #event = 'type=AVC msg=audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name=74657374207370616365 pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
+-        #parsed_event = apparmor.aa.parse_event(event)
+-        #print(parsed_event)
+-
+-        event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000'
+-        parsed_event = parser.parse_event(event)
+-        self.assertEqual(parsed_event['name'], '/home/foo/.bash_history', 'Incorrectly parsed/decoded name')
+-        self.assertEqual(parsed_event['profile'], 'foo bar', 'Incorrectly parsed/decode profile name')
+-        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+-        self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a']))
+-        #print(parsed_event)
+-
+-
+     def test_modes_to_string(self):
+ 
+         for string in self.MODE_TEST.keys():
+
+=== added file 'utils/test/test-logparser.py'
+--- utils/test/test-logparser.py	1970-01-01 00:00:00 +0000
+++ utils/test/test-logparser.py	2015-01-18 13:57:10 +0000
+@@ -0,0 +1,71 @@
+# ----------------------------------------------------------------------
+#    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
+#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License as published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+# ----------------------------------------------------------------------
+import unittest
+
+from apparmor.logparser import ReadLog
+
+class TestParseEvent(unittest.TestCase):
+    def setUp(self):
+        self.parser = ReadLog('', '', '', '', '')
+
+    def test_parse_event_audit_1(self):
+        event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30'
+        parsed_event = self.parser.parse_event(event)
+        self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg')
+        self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo')
+        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+        self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a']))
+
+        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+        self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+    def test_parse_event_audit_2(self):
+        event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000'
+        parsed_event = self.parser.parse_event(event)
+        self.assertEqual(parsed_event['name'], '/home/foo/.bash_history')
+        self.assertEqual(parsed_event['profile'], 'foo bar')
+        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+        self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a']))
+
+        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+        self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+    def test_parse_event_syslog_1(self):
+        # from https://bugs.launchpad.net/apparmor/+bug/1399027
+        event = '2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0'
+        parsed_event = self.parser.parse_event(event)
+        self.assertEqual(parsed_event['name'], '/dev/tty')
+        self.assertEqual(parsed_event['profile'], '/home/cb/linuxtag/apparmor/scripts/hello')
+        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+        self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a', '::r', '::w', '::a']))
+
+        self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+    def test_parse_event_syslog_2(self):
+        # from https://bugs.launchpad.net/apparmor/+bug/1399027
+        event = 'Dec  7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
+        parsed_event = self.parser.parse_event(event)
+        self.assertEqual(parsed_event['name'], '/usr/bin/')
+        self.assertEqual(parsed_event['profile'], '/home/simi/bin/aa-test')
+        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
+        self.assertEqual(parsed_event['request_mask'], set(['r', '::r']))
+
+        self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))
+        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))
+
+
+if __name__ == "__main__":
+    unittest.main(verbosity=2)
+
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,11 +1,22 @@
+-------------------------------------------------------------------
+Tue Jan 20 20:33:55 UTC 2015 - opensuse@cboltz.de
+
+- pull in upstream fixes since the 2.9.1 release
+  - update logparser.py to support changed syslog format (lp#1399027)
+  - update usr.sbin.dovecot and usr.lib.dovecot.imap{, -login} profiles (lp#1296667)
+  - update the mysqld profile
+  - fix network rule description in apparmor.d(5) manpage
+- drop upstreamed dnsmasq-profile-fixes.patch
+- update expired GPG key
+
 -------------------------------------------------------------------
 Thu Jan  1 16:07:25 UTC 2015 - opensuse@cboltz.de

 - update to AppArmor 2.9.1 (2.9 branch r2831)
  - fix log parsing for 3.16 kernels and syslog-style logs (boo#905368)
  - several fixes and performance improvements in the aa-* utils
-  - profile updates for dnsmasq (boo#907870), nscd (boo#904620#c14),
-	useradd, sendmail, man and passwd
+  - profile updates for dnsmasq (boo#907870), nscd (boo#904620#c14 and
+    bnc#908856), useradd, sendmail, man and passwd
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_1
    for full release notes
 - refresh dnsmasq-profile-fixes.patch
--- a/apparmor.keyring
+++ b/apparmor.keyring
@ -1,10 +1,5 @@
-pub   1024D/AC931271 2006-02-13 [expires: 2014-02-15]
-uid                  AppArmor Development Team (AppArmor signing key) <apparmor@lists.ubuntu.com>
-uid                  AppArmor Development Team (AppArmor signing key) <apparmor-dev@forge.novell.com>
-sub   4096g/79C0E55B 2006-02-13 [expires: 2011-02-12]
-
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.19 (GNU/Linux)
+Version: GnuPG v2

 mQGiBEPw2O4RBAD8PZ+0NfCEIBjuDXQjdb6vi642wRIrN7v67GTfNQ+uggGKESRe
 grFumlArz5MbJVLinyIsCqigwyBpspXeyP6cMrzTudmmwQJJN9caejoAu5029wjX
@ -18,33 +13,70 @@ AIIJeqGmN2Dq/+Q70kA/5Ck4hUABBoTMQZABWQkCh3POwMCwhbRMQXBwQXJtb3Ig
 RGV2ZWxvcG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1v
 ckBsaXN0cy51YnVudHUuY29tPohqBBMRCgAqAhsDAh4BAheAAhkBBQsJCAcDBRUK
 CQgLBRYCAwEABQJNXEDoBQkPDwJtAAoJEIE3mLmskxJxVFgAnjSeh2O03PKF0UJz
-T13Fn1yK1IvaAJ9bQ3EuAw03b/RkIQUx5SQSXyDDdLRQQXBwQXJtb3IgRGV2ZWxv
-cG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1vci1kZXZA
-Zm9yZ2Uubm92ZWxsLmNvbT6IZwQTEQIAJwIbAwIeAQIXgAULCQgHAwUVCgkICwUW
-AgMBAAUCTVxBAwUJDw8CbQAKCRCBN5i5rJMScQA9AJ9S5QhjNyhTMenrFysAVe8C
-qziLRgCfVwP9EU7hWMZVHB4I56YG26Z66NG5BA0EQ/DbBhAQAIGpFSylXH+UNf/z
-71UcvcRGIy62qNu3jq49/Tv0RapP03sdh/XZrWQKTeXlw6OHJFog673lvICqd8C5
-O8/2QeE8+c4HjO1QdwUlY5ziYkxOEs3+HgA0RNpWH7tZCAYFf+LB1J8FxTG9uUYf
-ZOBN+2UQPo6aui+9cbRpqhzfTkFCqI8/U0Q3sJ8183Toj4iUTSx8SMeVNixZnMMe
-9nb0yAynQPIvdZ5aOCNFQTjL/LCJFbvtY54n3xuI3DKBs2RinO9ARvGXF4GZ2IfM
-IwsW+pfbf4g+ZVW0bRiT7aJ41H3OIvgDEYT5W9q4AwaTJUtkMT5tNWnGtgZFtbuI
-wM3NfjQVJRUsUNYVC1Zphp+FYAeYLhQeK29a7i1jFJDn1GVBRotPGQ96nhKo62Ka
-vkOSAIZ35cVjVSDsZ7xwZW0awOUUxwZsvZJ+iUGcYGClYk5PH46a9+w8m/THC/uM
-savn8nWFANLCyUnoP7zapu7UtyrQbDfbyoj04rU9X2/gwM9FYJVf+CZOh+FVjzY2
-iUWHaofK2UnXEF1FCY0mWQx021IezmuZd97D32mq7tc3z7oXI3nCV97a0tWZI319
-ewlJjLf1syHj+ODDm7ZLbCXal9C2hrIDEjj/zsI6+d5x3NctTmRS/0nDujByZ2A2
-Vc9N5lvVR8wfGWC3QPgUgVIgR+0vAAQND/43Jbw/cnJbQDzVphv6toJlvATi3GmJ
-o34g2f7FooNcNgN8qIJSBg195ddCtZWlyI0LQzt68pV2cNsf3wWrJQITm0LGmq13
-D4nWLqN4da0F08vtMLIaTFPe1dR+l0FQyiZbxGo8kuo9D4nY0tT78V42hdMA+vL6
-VybHyuvZrYSITNXEBaC5VI8+Bs57XzqoUFrduDCJPstykQoc1jdtV1x2wbaBYZRT
-MFOkqNLYBgoMFV2aJtYzXWZ4XIcv9RJNsLF8bHXehV/NJ+0RjSeSKh8NnxO5PLDe
-gBrmsX9xQ1UiTjG+AKcR/O5Oww1sQbkUbpXrvXzRziodyJzsbAB28MtZY4NgQFp5
-eV502aXM2o5DtDLsR6l+uFrAWK3zAdnbaco8ehqZQ3ILi+vfaVblrNIjKulbOLIC
-WkeOuJ7NVn1MJCstq4grawy8JzZXQjkULVKHVcfcJJqfBuzs4QEWwzhuromsI5FQ
-DKxaz9brdu6izrP/N/zygjCf4kNYf3rHyVqmpcVT718EJeQOZ8u0KVsexuHMi8cn
-fFb8LFPOxzJ5/G7oQ4/0AC7GQgLWrhqjPcNRkWN351XDSgpaA4KAcv8xpqRUgDKO
-DmW4+MvlZ7de+TFkNyh1cWJMG7I82WIA2FjDgTvAZVeNcUnPLKljPF5u/hFM27JO
-oYJCqg/kdmEr3ohPBBgRAgAPBQJD8NsGAhsMBQkJZgGAAAoJEIE3mLmskxJx04gA
-oK91aD8BBVjrm7gTPHI/+3xlrZjdAJwKmYhHdKq+HotT//yKq6SYn/EiOA==
-=Cn3y
+T13Fn1yK1IvaAJ9bQ3EuAw03b/RkIQUx5SQSXyDDdIhqBBMRCgAqAhsDBQkJZgGA
+Ah4BAheAAhkBBQJMjkjTBQsJCAcDBRUKCQgLBRYCAwEAAAoJEIE3mLmskxJxQ4wA
+oMb9+wVfGopVNTM/pwAFH+vcE1MaAKCUq/IOsOI0yRY7QVre3Rinzpy2/ohqBBMR
+CgAqAhsDBQkJZgGAAh4BAheAAhkBBQJMoOLLBQsJCAcDBRUKCQgLBRYCAwEAAAoJ
+EIE3mLmskxJxy6UAoN0PvpcVaBF9j6s46I6y5p12MBH3AJ0aiUVZj78cjyEprsJ6
+nuWqDm+dS4kCIAQQAQoACgUCTI5JiAMFAXgACgkQLwmejQBegfQtjw//ZVFIv/UR
+CsfamtmqEE/nZ7XfTh495SjHGQy3q4nZvLyfHHiF+XVQtD7JIlHzYpwGz4kla73c
+aM/tLts6bhNgVKQPqazi59NwrHV5dwCiP9B+pX2wdBsjNfgGROiPcVugO+R3hJst
+6JwbQ7P0wKM0MelySPaYL67K69/NsSCrhR4ds5DF0if7yIwKCZF5U9B2PTwe1UOt
+U09JP0mk0rMuZSe/nqgM4DCIa1zk2NwXxRG3EC7S4oEl9/yez7EgNRh54sRPFXXb
+craW5oosZRo1bJtp3Pn9cQPH8acObmw7B5lqRQD5lgpdTi4KewqFpTbgKFOqyMrB
+0Dk3ZR8K968yEdsVJnp9kjSMCkcETszi4bODBqF+dsLErZxr1WPXY77Hbt8hlAEK
+sX+ebsHFDKM95IMKbMKawdnw+RBDU/b5B5N6z7WokFY6G0/l0xI4B1mAi2kqNo6b
+vtZ1Ss6Y3yHzRxL1+qfEZQ4XsMQ7raMZ2zZnnVxH0amF4JD4iPVxt882VwABys/F
+abwh39NZVjz/39VA3cCNdwys/AO1fGJ9SvhiZrhORP/17qXH+zV9EqZyoLB3oAZG
+UAyFo2Wzdk/m2lJhk3+2DAzxojvp8xrjhZg6GsQW98dHOVg3lWL3KdwK7hR7nV6Z
+M5N9xawzkjwM6GJJ81ewk1l5L3IuCTdU0WGIagQTEQoAKgIbAwIeAQIXgAIZAQUL
+CQgHAwUVCgkICwUWAgMBAAUCUwFh/gUJEPG8hQAKCRCBN5i5rJMScanlAKDWnPJE
+GRDtnSgFmBTIb7qTGfyGOgCgn2twDY+VYYACfjfL5wSzBIvbplOJARwEEAECAAYF
+AlIOZ2YACgkQ8yFyWZ2NLpf95AgAqLVKvGMe9AU6bOKN9EdI6NPIDBYIqVMq2cmK
+xJ6k8PDSwJlLefCXo+V4Fo0FAgI6lQma6PpjNKfB2RwJzBRr90wDeDf4LopSYLTp
+tXF7R/IZ1apx5xn54sQobdHDQNGCprkljSJmyZlvpXJNbyAJNPU90Cbj52ZnEuaY
+LKqE5TOfvr4hQ49DFyVU7CFsFzWqjDKo4+2d3DDMcDC658h10jqkNGuW0kvIn1sL
+B/WysMcXXe4Uj+mlvBT+aCYSmQhqjiDx7mEaDyq0g/wVI16JvfOj/snL1RE629DE
+dGLiSJiyppXUKN7uUPtBTfGVcaQl+37MOi6DJ7KkKF0Sd0OYHbRQQXBwQXJtb3Ig
+RGV2ZWxvcG1lbnQgVGVhbSAoQXBwQXJtb3Igc2lnbmluZyBrZXkpIDxhcHBhcm1v
+ci1kZXZAZm9yZ2Uubm92ZWxsLmNvbT6IRgQQEQIABgUCQ/DcnQAKCRCq4Ef4O5hq
+8zHbAKCdvXzNIDqtgYk1f/bsuPkeS3kX7QCeI8eHe/s7pK4BNJ+LP8fIsXQPpwmI
+TAQQEQIADAUCQ/DrnQWDCWXu0QAKCRD72e4z2bCgmU6AAJ4gd95sCBuJrT41eKfF
+jJgbKkk3PQCdF/v8Hx6UKbwU2QTnXZvTDt54gcmITAQQEQIADAUCQ/Dr5QWDCWXu
+iQAKCRCv5SzGOaalP97MAKDo/w3w/13SGGhddksiJx6CsIydmACgnZM8wQf+uQCn
+D05sP8IWMVVU18CIZgQTEQIAJgUCQ/DY7gIbAwUJCWYBgAYLCQgHAwIEFQIIAwQW
+AgMBAh4BAheAAAoJEIE3mLmskxJxgCsAn0tuS2wJQ1OIz+Uy1xiVidW0q6u/AJ9J
+ElRNwTFgvK4+fmVJWTyvLxUBZYhnBBMRAgAnAhsDAh4BAheABQsJCAcDBRUKCQgL
+BRYCAwEABQJNXEEDBQkPDwJtAAoJEIE3mLmskxJxAD0An1LlCGM3KFMx6esXKwBV
+7wKrOItGAJ9XA/0RTuFYxlUcHgjnpgbbpnro0YhnBBMRAgAnAhsDBQkJZgGAAh4B
+AheABQJMoOLgBQsJCAcDBRUKCQgLBRYCAwEAAAoJEIE3mLmskxJxKxIAoJS5dvwi
+iylcYdF1O/k6exULYN6lAKCnIDB/prGCAsNI5Q4u7MO607fLL4hnBBMRAgAnAhsD
+Ah4BAheABQsJCAcDBRUKCQgLBRYCAwEABQJTAWIsBQkQ8byFAAoJEIE3mLmskxJx
+wgAAn0ubiW6hY0nSav7+U4V9gklKhvViAJ9Bx6SgTw4NzJhulZKOCr8TrrCuM7kE
+DQRD8NsGEBAAgakVLKVcf5Q1//PvVRy9xEYjLrao27eOrj39O/RFqk/Tex2H9dmt
+ZApN5eXDo4ckWiDrveW8gKp3wLk7z/ZB4Tz5zgeM7VB3BSVjnOJiTE4Szf4eADRE
+2lYfu1kIBgV/4sHUnwXFMb25Rh9k4E37ZRA+jpq6L71xtGmqHN9OQUKojz9TRDew
+nzXzdOiPiJRNLHxIx5U2LFmcwx72dvTIDKdA8i91nlo4I0VBOMv8sIkVu+1jniff
+G4jcMoGzZGKc70BG8ZcXgZnYh8wjCxb6l9t/iD5lVbRtGJPtonjUfc4i+AMRhPlb
+2rgDBpMlS2QxPm01aca2BkW1u4jAzc1+NBUlFSxQ1hULVmmGn4VgB5guFB4rb1ru
+LWMUkOfUZUFGi08ZD3qeEqjrYpq+Q5IAhnflxWNVIOxnvHBlbRrA5RTHBmy9kn6J
+QZxgYKViTk8fjpr37Dyb9McL+4yxq+fydYUA0sLJSeg/vNqm7tS3KtBsN9vKiPTi
+tT1fb+DAz0VglV/4Jk6H4VWPNjaJRYdqh8rZSdcQXUUJjSZZDHTbUh7Oa5l33sPf
+aaru1zfPuhcjecJX3trS1ZkjfX17CUmMt/WzIeP44MObtktsJdqX0LaGsgMSOP/O
+wjr53nHc1y1OZFL/ScO6MHJnYDZVz03mW9VHzB8ZYLdA+BSBUiBH7S8ABA0P/jcl
+vD9ycltAPNWmG/q2gmW8BOLcaYmjfiDZ/sWig1w2A3yoglIGDX3l10K1laXIjQtD
+O3rylXZw2x/fBaslAhObQsaarXcPidYuo3h1rQXTy+0wshpMU97V1H6XQVDKJlvE
+ajyS6j0PidjS1PvxXjaF0wD68vpXJsfK69mthIhM1cQFoLlUjz4GzntfOqhQWt24
+MIk+y3KRChzWN21XXHbBtoFhlFMwU6So0tgGCgwVXZom1jNdZnhchy/1Ek2wsXxs
+dd6FX80n7RGNJ5IqHw2fE7k8sN6AGuaxf3FDVSJOMb4ApxH87k7DDWxBuRRuleu9
+fNHOKh3InOxsAHbwy1ljg2BAWnl5XnTZpczajkO0MuxHqX64WsBYrfMB2dtpyjx6
+GplDcguL699pVuWs0iMq6Vs4sgJaR464ns1WfUwkKy2riCtrDLwnNldCORQtUodV
+x9wkmp8G7OzhARbDOG6uiawjkVAMrFrP1ut27qLOs/83/PKCMJ/iQ1h/esfJWqal
+xVPvXwQl5A5ny7QpWx7G4cyLxyd8VvwsU87HMnn8buhDj/QALsZCAtauGqM9w1GR
+Y3fnVcNKCloDgoBy/zGmpFSAMo4OZbj4y+Vnt175MWQ3KHVxYkwbsjzZYgDYWMOB
+O8BlV41xSc8sqWM8Xm7+EUzbsk6hgkKqD+R2YSveiE8EGBECAA8FAkPw2wYCGwwF
+CQlmAYAACgkQgTeYuayTEnHTiACgr3VoPwEFWOubuBM8cj/7fGWtmN0AnAqZiEd0
+qr4ei1P//IqrpJif8SI4iE8EGBECAA8FAkPw2wcCGwwFCQlmAYAACgkQgTeYuayT
+EnFVPACg0VjGyWMniZ94t/EKcNziWd/01Z8An2vIS4inaHCws74JVV8vUNSVRajP
+=nbr7
 -----END PGP PUBLIC KEY BLOCK-----
--- a/apparmor.spec
+++ b/apparmor.spec
@ -95,8 +95,8 @@ Patch6:         apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7:         apparmor-lessopen-profile.patch

-# boo#911001 - Allow executing --dhcp-client script (commited upstream trunk r2841, 2.9 r2837, {lib,lib64} changed to lib{,64})
-Patch8:         dnsmasq-profile-fixes.patch
+# upstream changes since the 2.9.1 release - bzr diff -r2832..2839 (2.9 branch)
+Patch8:         apparmor-changes-since-2.9.1.diff

 Url:            https://launchpad.net/apparmor
 PreReq:         sed
@ -437,7 +437,7 @@ SubDomain.

 %patch6
 %patch7 -p1
-%patch8 -p1
+%patch8
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

--- a/dnsmasq-profile-fixes.patch
+++ b/dnsmasq-profile-fixes.patch
@ -1,22 +0,0 @@
-Index: apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
-===================================================================
--- apparmor-2.9.0.orig/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ apparmor-2.9.0/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -45,6 +44,8 @@
- 
-   /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
- 
-+  /bin/bash ix, # Required to execute --dhcp-script argument
-+
-   # access to iface mtu needed for Router Advertisement messages in IPv6
-   # Neighbor Discovery protocol (RFC 2461)
-   @{PROC}/sys/net/ipv6/conf/*/mtu r,
-@@ -64,7 +66,7 @@
-   /{,var/}run/libvirt/network/*.pid rw,
- 
-   # libvirt lease helper
-  /usr/lib/libvirt/libvirt_leaseshelper ix,
-+  /usr/{lib,lib64}/libvirt/libvirt_leaseshelper ix,
-   /{,var/}run/leaseshelper.pid rwk,
- 
-   # NetworkManager integration