Accepting request 102458 from security:apparmor:factory

- Update to AppArmor 2.7.2 (= 2.7 branch / r1894)
  - move various permissions from httpd2-prefork profile to
    abstractions/apache2-common. Backward-incompatible change: *.htaccess
    files are no longer allowed for ^HANDLING_UNTRUSTED_INPUT
  - allow access for more /usr/lib*/samba/ files for smbd (bnc#725967#c5)
  - allow various .conf files for dovecot (lp#458922)
  - disallow wl for *.so in @{HOME}/.pki/nssdb/ in abstractions/private-files
    and abstractions/private-files-strict (lp#911847)
  - update abstractions/kde, private-files* and ubuntu-browsers.d/user-files
    to use ~/.kde4, not only ~/.kde (bnc#741592)
  - block write access to ~/.kde{,4}/env in abstractions/private-files
    (lp#914190)
  - allow write access for personal dictionary etc. in abstractions/aspell
    (lp#917859)
  - when using genprof for a script, include read access to the script itself
  - automatically include abstractions/python or abstractions/ruby for
    python/ruby scripts
  - add profile for smbldap-useradd and allow smbd to call it (bnc#738041)
  - allow creation of the .config directory in abstractions/enchant (lp#914184)
  - allow TFTP read-only access in dnsmasq profile (lp#905412)
  - allow capability dac_read_search for syslog-ng (bnc#731876)
  - add p11-kit abstraction and include it in abstractions/authentication
    (lp#912754, lp#912752)
  - add audacity to abstractions/ubuntu-media-players (lp#899963)
  - allow software-center, fireclam plugin, [tT]unar, exo-open, kate and
    /dev/nvidia* in abstractions/ubuntu-browsers.d/* (lp#662906, lp#562831,
    lp#890894, lp#890894, lp#884748)
  - fix typo for multiarch gconf-modules in abstractions/base (lp#904548)
  - allow avahi to do dbus introspection (lp#769148)
  - allow access to ~/.fonts.conf.d in abstractions/fonts (lp#870992)
  - allow transmission in abstractions/ubuntu-bittorrent-clients (lp#852062)
  - allow reading ~/.cups/client.conf and ~/.cups/lpoptions in
    abstractions/cups-client (lp#887992)
  - allow read access of /etc/python{2,3}.[0-7]*/sitecustomize.py in
    abstractions/python (lp#860856)
  - various updates to the sshd profile (lp#817956)
  - (and some more changes I already included in the apparmor-2.7-branch.diff)

OBS-URL: https://build.opensuse.org/request/show/102458
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=32
This commit is contained in:
Stephan Kulow 2012-02-02 16:56:20 +00:00 committed by Git OBS Bridge
parent b2f1c70e39
commit c958d9cad3
6 changed files with 64 additions and 63 deletions

@ -1,36 +0,0 @@
svn diff -r1858..1861 > 2.7-branch.diff
=== modified file 'profiles/Makefile'
--- profiles/Makefile 2011-10-19 22:23:19 +0000
+++ profiles/Makefile 2012-01-03 22:45:00 +0000
@@ -56,6 +56,7 @@
${PROFILES_DEST}/program-chunks \
${PROFILES_DEST}/tunables \
${PROFILES_DEST}/tunables/home.d \
+ ${PROFILES_DEST}/tunables/multiarch.d \
${PROFILES_DEST}/local
install -m 644 ${PROFILES_TO_COPY} ${PROFILES_DEST}
install -m 644 ${ABSTRACTIONS_TO_COPY} ${PROFILES_DEST}/abstractions
=== modified file 'profiles/apparmor.d/abstractions/python'
--- profiles/apparmor.d/abstractions/python 2011-11-30 16:56:45 +0000
+++ profiles/apparmor.d/abstractions/python 2012-01-03 20:23:30 +0000
@@ -31,4 +31,4 @@
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
- /usr/include/python{2,3}.[0-7]*/pyconfig.h
+ /usr/include/python{2,3}.[0-7]*/pyconfig.h r,
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-11-01 17:28:49 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-12-30 20:55:58 +0000
@@ -21,6 +21,7 @@
capability sys_tty_config,
/etc/mtab r,
+ /etc/netgroup r,
/etc/printcap r,
/proc/*/mounts r,
/proc/sys/kernel/core_pattern r,
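Review bot: nothing in this commit shows that the three fixes carried by the removed patch are present in the 2.7.2 tarball, and the patch's own header only covers `svn diff -r1858..1861`. The one to check first is the abstractions/python line, where `/usr/include/python{2,3}.[0-7]*/pyconfig.h` gained its missing `r,`; losing that fix would put a malformed rule back into an abstraction that many profiles include. A grep of the unpacked source for `tunables/multiarch.d`, `pyconfig.h r,` and `/etc/netgroup r,` before dropping the file would settle it.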

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ff8a2f49f902faa78e502590c65d3850fb9a2a3453bef0dc1f99e947c52fc60f
size 1399442

apparmor-2.7.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:42deb8cbf4937fac07a48ec8427b90131e92ed2f83b606beee092bdb4fc2a41f
size 1403151

@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000
@@ -42,6 +42,10 @@
@@ -46,6 +46,10 @@
@{HOMEDIRS}/** lrwk,

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Tue Jan 31 09:53:06 UTC 2012 - opensuse@cboltz.de
- Update to AppArmor 2.7.2 (= 2.7 branch / r1894)
- move various permissions from httpd2-prefork profile to
abstractions/apache2-common. Backward-incompatible change: *.htaccess
files are no longer allowed for ^HANDLING_UNTRUSTED_INPUT
- allow access for more /usr/lib*/samba/ files for smbd (bnc#725967#c5)
- allow various .conf files for dovecot (lp#458922)
- disallow wl for *.so in @{HOME}/.pki/nssdb/ in abstractions/private-files
and abstractions/private-files-strict (lp#911847)
- update abstractions/kde, private-files* and ubuntu-browsers.d/user-files
to use ~/.kde4, not only ~/.kde (bnc#741592)
- block write access to ~/.kde{,4}/env in abstractions/private-files
(lp#914190)
- allow write access for personal dictionary etc. in abstractions/aspell
(lp#917859)
- when using genprof for a script, include read access to the script itsself
- automatically include abstractions/python or abstractions/ruby for
python/ruby scripts
- add profile for smbldap-useradd and allow smbd to call it (bnc#738041)
- allow creation of the .config directory in abstractions/enchant (lp#914184)
- allow TFTP read-only access in dnsmasq profile (lp#905412)
- allow capability dac_read_search for syslog-ng (bnc#731876)
- add p11-kit abstraction and include it in abstractions/authentification
(lp#912754, lp#912752)
- add audacity to abstractions/ubuntu-media-players (lp#899963)
- allow software-center, fireclam plugin, [tT]unar, exo-open, kate and
/dev/nvidia* in abstractons/ubuntu-browsers.d/* (lp#662906, lp#562831,
lp#890894, lp#890894, lp#884748)
- fix typo for multiarch gconf-modules in abstractions/base (lp#904548)
- allow avahi to do dbus introspection (lp#769148)
- allow access to ~/.fonts.conf.d in abstractions/fonts (lp#870992)
- allow transmission in abstractions/ubuntu-bittorrent-clients (lp#852062)
- allow reading ~/.cups/client.conf and ~/.cups/lpoptions in
abstractions/cups-client (lp#887992)
- allow read access of /etc/python{2,3}.[0-7]*/sitecustomize.py in
abstractions/python (lp#860856)
- various updates to the sshd profile (lp#817956)
- (and some more changes I already included in the apparmor-2.7-branch.diff)
-------------------------------------------------------------------
Tue Jan 3 23:52:38 UTC 2012 - opensuse@cboltz.de
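Review bot: the new changelog entry never states that apparmor-2.7-branch.diff is dropped; its last bullet only says some changes were "already included" in that file. Add an explicit bullet for the patch removal so the Patch0 change in the spec can be traced from the .changes file. The *.htaccess bullet is marked backward-incompatible but does not say what an admin with an existing ^HANDLING_UNTRUSTED_INPUT setup needs to adjust; one more line there would help. Minor text points in the same entry: "itsself", "abstractons", and lp#890894 is listed twice.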

@ -43,19 +43,17 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.7.0
Release: 1
%define versiondir 2.7.0
Version: 2.7.2
Release: 0
%define versiondir 2.7.2
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
Group: Productivity/Networking/Security
Source0: apparmor-%{version}.tar.gz
Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
# upstream changes since the 2.7 release
Patch0: apparmor-2.7-branch.diff
# enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff
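Review bot: `Source0: apparmor-%{version}.tar.gz` is a bare filename, so a reviewer of this version bump cannot tie the new tarball to an upstream download; the only integrity reference in the commit is the sha256 in the LFS pointer. Consider giving Source0 as the full upstream download URL (the spec already carries `Url: https://launchpad.net/apparmor`). Separately, `%define versiondir 2.7.2` repeats the Version value and has to be bumped by hand on every update; `%{version}` would do unless the two are expected to differ.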
@ -79,7 +77,6 @@ Patch15: apparmor-remove-repo
# remove after 12.1 release - bnc#720617 #c7
Patch21: apparmor-utils-subdomain-compat
License: GPLv2+
Url: https://launchpad.net/apparmor
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -142,8 +139,8 @@ BuildRequires: pkgconfig(dbus-1)
%endif
%package parser
License: GPLv2+
Summary: AppArmor userlevel parser utility
License: GPL-2.0+
Group: Productivity/Networking/Security
Obsoletes: subdomain_parser < %{version}
Obsoletes: subdomain-parser < %{version}
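Review bot: the License tag rewrite in this and the following %package hunks (`GPLv2+` to `GPL-2.0+`, `GPLv2 ; LGPLv2.1+` to `GPL-2.0 ; LGPL-2.1+`, plus moving the tag below Summary) is not mentioned in the commit message or the .changes entry. If it is the output of an automated spec formatter, say so in the changelog so it is not mistaken for a licensing change. The conversion keeps the existing split where the main package and parser are `GPL-2.0+` but most subpackages are `GPL-2.0` without the or-later `+`; worth confirming that split is intended rather than inherited.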
@ -167,8 +164,8 @@ This package is part of a suite of tools that used to be named
SubDomain.
%package docs
License: GPLv2+
Summary: AppArmor Documentation package
License: GPL-2.0+
Group: Documentation/Other
BuildArch: noarch
@ -181,8 +178,8 @@ SubDomain.
%if %{with apache}
%package -n apache2-mod_apparmor
License: GPLv2+
Summary: AppArmor module for apache2
License: GPL-2.0+
Group: Productivity/Security
%description -n apache2-mod_apparmor
@ -198,8 +195,8 @@ The documentation is in the apparmor-admin_en package.
%endif
%package -n libapparmor1
License: LGPLv2.1+
Summary: Utility library for AppArmor
License: LGPL-2.1+
Group: Development/Libraries/C and C++
%ifarch ppc64
Obsoletes: libapparmor-64bit < %{version}
@ -216,8 +213,8 @@ change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
%package -n libapparmor-devel
License: LGPLv2.1+
Summary: Development headers and libraries for libapparmor
License: LGPL-2.1+
Group: Development/Libraries/C and C++
Requires: libapparmor1 = %{version}
Provides: libapparmor:/usr/include/sys/apparmor.h
@ -227,8 +224,8 @@ These libraries are needed for developing software that makes use of the
AppArmor API.
%package -n perl-apparmor
License: GPLv2 ; LGPLv2.1+
Summary: Perl interface for libapparmor functions
License: GPL-2.0 ; LGPL-2.1+
Group: Development/Libraries/Perl
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
@ -248,8 +245,8 @@ applications interfacing with AppArmor, including the AppArmor utilities.
%if %{with python}
%package -n python-apparmor
License: GPLv2 ; LGPLv2.1+
Summary: Python interface for libapparmor functions
License: GPL-2.0 ; LGPL-2.1+
Group: Development/Libraries/Python
BuildRequires: python
Requires: libapparmor1 = %{version}
@ -266,8 +263,8 @@ applications interfacing with AppArmor.
%if %{with ruby}
%package -n ruby-apparmor
License: GPLv2 ; LGPLv2.1+
Summary: Ruby interface for libapparmor functions
License: GPL-2.0 ; LGPL-2.1+
Group: Development/Libraries/Ruby
Requires: libapparmor1 = %{version}
Requires: ruby = %{ruby_version}
@ -281,8 +278,8 @@ applications interfacing with AppArmor.
%endif
%package profiles
License: GPLv2 ; LGPLv2.1+
Summary: AppArmor profiles that are loaded into the apparmor kernel module
License: GPL-2.0 ; LGPL-2.1+
Group: Productivity/Security
Requires: apparmor-parser(CAP_SYSLOG)
Obsoletes: subdomain-profiles < %{version}
@ -299,8 +296,8 @@ This package is part of a suite of tools that used to be named
SubDomain.
%package utils
License: GPLv2 ; LGPLv2.1+
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
License: GPL-2.0 ; LGPL-2.1+
Group: Productivity/Security
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
@ -316,8 +313,8 @@ It is part of a suite of tools that used to be named SubDomain.
%if %{with tomcat}
%package -n tomcat_apparmor
License: GPLv2 ; LGPLv2.1+
Summary: Tomcat 6 plugin for AppArmor change_hat
License: GPL-2.0 ; LGPL-2.1+
Group: System/Libraries
Requires: libapparmor1 = %{version}
Requires: tomcat6
@ -334,8 +331,8 @@ created for individual URL processing or per servlet.
%if %{with pam}
%package -n pam_apparmor
License: GPLv2 ; LGPLv2.1+
Summary: PAM module for AppArmor change_hat
License: GPL-2.0 ; LGPL-2.1+
Group: Productivity/Security
BuildRequires: pam-devel
PreReq: pam
@ -354,8 +351,8 @@ policy.
%if %{with dbus}
%package dbus
License: GPLv2 ; LGPLv2.1+
Summary: Audit dispatcher for sending AppArmor events over DBUS
License: GPL-2.0 ; LGPL-2.1+
Group: System/Monitoring
%description dbus
@ -367,8 +364,8 @@ bus.
%if %{with editor}
%package profile-editor
License: GPLv2 ; LGPLv2.1+
Summary: AppArmor profile editor
License: GPL-2.0 ; LGPL-2.1+
Group: Productivity/Editors/Other
%description profile-editor
@ -379,8 +376,8 @@ A syntax highlighting editor for AppArmor profiles.
%if %{with gnome}
%package -n apparmorapplet-gnome
License: GPLv2 ; LGPLv2.1+
Summary: An AppArmor event notification applet for GNOME
License: GPL-2.0 ; LGPL-2.1+
Group: System/GUI/GNOME
%description -n apparmorapplet-gnome
@ -404,7 +401,6 @@ SubDomain.
%prep
%setup -q -n %{name}-%{versiondir}
%patch0 -p0
%patch1 -p1
%patch2 -p0
%patch5 -p1