diff --git a/apparmor-abstractions-no-multiline.diff b/apparmor-abstractions-no-multiline.diff index 831924a..75e008a 100644 --- a/apparmor-abstractions-no-multiline.diff +++ b/apparmor-abstractions-no-multiline.diff @@ -37,7 +37,7 @@ Index: profiles/apparmor.d/abstractions/dbus-session-strict =================================================================== --- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200 +++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200 -@@ -13,13 +13,6 @@ +@@ -13,16 +13,9 @@ /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -46,6 +46,9 @@ Index: profiles/apparmor.d/abstractions/dbus-session-strict - peer=(addr="@/tmp/dbus-*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"), + # dbus with systemd and --enable-user-session + owner /run/user/[0-9]*/bus rw, + - dbus send - bus=session - path=/org/freedesktop/DBus diff --git a/apparmor.changes b/apparmor.changes index 21993b2..e0c183f 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Aug 26 20:21:37 UTC 2016 - suse-beta@cboltz.de
+
+- add changes-since-2.10.1--r3326..3346.diff with upstream changes and
+  fixes since the 2.10.1 release, including
+  - allow dac_override in winbindd profile (boo#990006#c5)
+  - allow mr for /usr/lib*/ldb/*.so in samba abstractions (needed since
+    Samba 4.4.x, boo#990006)
+  - abstractions/nameservice: also support ConnMan-managed resolv.conf
+  - let aa-genprof ask about profiles in extra dir (again)
+  - fix aa-logprof "add hat" endless loop (lp#1538306)
+  - honor 'chown' file events in logparser.py
+  - ignore log file events with a request mask of 'send' or 'receive'
+    because they are actually network events (lp#1577051, lp#1582374)
+  - accept hostname with dots when parsing logs (lp#1453300 comments #1 and #2)
+- fix python LibAppArmor import failures with swig > 3.0.8 (boo#987607)
+  (libapparmor-fix-import-path.diff)
+- refresh apparmor-abstractions-no-multiline.diff
+- drop upstreamed profiles-ping-inet6-r3449.diff
+- add %check section - runs libapparmor (including swig bindings),
+  parser and profiles tests
+- add BuildRequires: perl(Locale::gettext) - needed for parser tests
+
 -------------------------------------------------------------------
 Tue May 24 12:15:19 UTC 2016 - suse-beta@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index 7459a55..9a9d35c 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -82,6 +82,9 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
 # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch3: apparmor-utils-string-split
+# upstream changes/fixes from 2.10 branch r3326..3346
+Patch4: changes-since-2.10.1--r3326..3346.diff
+
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
 Patch5: ruby-2_0-mkmf-destdir.patch
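Review bot: The `Patch4` comment records only a revision range, while the bundled diff changes policy that ends up loaded into the kernel: the visible patch text adds `capability dac_override` to usr.sbin.winbindd, `/etc/ld.so.preload r,` to abstractions/base, `owner /run/user/[0-9]*/bus rw,` to abstractions/dbus-session-strict and `network inet6 raw,` to bin.ping. Those grants are what a packager auditing the spec needs to see without opening an 875-line patch, so name them where the patch is wired in, e.g. `# upstream changes/fixes from 2.10 branch r3326..3346 (also widens profiles: winbindd dac_override, base ld.so.preload, dbus-session-strict user bus socket, ping inet6 raw)`. The changes entry lists some of these, but the spec comment is the line that survives the next refresh.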
@@ -92,8 +95,8 @@ Patch6: apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7: apparmor-lessopen-profile.patch
-# boo#980596 - latest ping includes IPv6 (commited upstream trunk r3449 / 2.10 branch r3331 / 2.9 branch r3009)
-Patch8: profiles-ping-inet6-r3449.diff
+# fix import path for LibAppArmor for newer swig versions (boo#987607, not upstreamed yet)
+Patch8: libapparmor-fix-import-path.diff
 Url: https://launchpad.net/apparmor
 PreReq: sed
@@ -110,6 +113,7 @@ BuildRequires: latex2html
 BuildRequires: pcre-devel
 BuildRequires: pkg-config
 BuildRequires: python
+BuildRequires: perl(Locale::gettext)
 %if 0%{?suse_version} > 1220
 BuildRequires: texlive-amsfonts
 BuildRequires: texlive-cm-super
@@ -434,6 +438,7 @@ SubDomain.
 %patch1 -p1
 %patch2
 %patch3 -p1
+%patch4
 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
 %if 0%{?suse_version} > 1230
@@ -479,12 +484,10 @@ export PYTHON=/usr/bin/python3
 %endif
 make
- #make check
 )
 # Utilities:
 make -C utils
-# make -C utils check
 # deprecated/utils (perl modules still needed by YaST)
 %if %{with perl}
@@ -495,7 +498,6 @@ make -C deprecated/utils
 make -C parser V=1
 # techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
 make -C parser V=1 techdoc.txt
-# make -C parser check
 # Apache mod_apparmor:
 %if %{with apache}
@@ -509,7 +511,6 @@ make -C parser V=1 techdoc.txt
 # Profiles:
 make -C profiles
-# make -C profiles check
 ##configure --disable-static --with-pic \
 #--with-perl \
@@ -517,6 +518,20 @@ make -C profiles
 make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
 %endif
+%check
+%if %{with python3}
+export PYTHON=/usr/bin/python3
+export PYTHON_VERSIONS=python3
+%endif
+
+make check -C libraries/libapparmor
+make check -C parser
+# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
+# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
+(cd profiles && make check-parser)
+# utils make check fails if profiles don't exist in /etc/apparmor.d/
+# make check -C utils
+
 %install
 %if %{with python3}
@@ -772,7 +787,9 @@ fi
 %dir %{python3_sitearch}/LibAppArmor/__pycache__
 %{python3_sitearch}/LibAppArmor/_LibAppArmor.cpython-*.so
 %{python3_sitearch}/LibAppArmor/__pycache__/__init__.cpython-*.pyc
+%{python3_sitearch}/LibAppArmor/__pycache__/LibAppArmor.cpython-*.pyc
 %{python3_sitearch}/LibAppArmor/__init__.py
+%{python3_sitearch}/LibAppArmor/LibAppArmor.py
 %{python3_sitelib}/apparmor/
 %{python3_sitelib}/apparmor-%{version}-py*.egg-info
 %endif
diff --git a/changes-since-2.10.1--r3326..3346.diff b/changes-since-2.10.1--r3326..3346.diff
new file mode 100644
index 0000000..6fa36ef
--- /dev/null
+++ b/changes-since-2.10.1--r3326..3346.diff
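Review bot: `# make check -C utils` is a commented-out command left in the new `%check` section; the line above it already records why the utils tests are skipped, so drop the dead command and keep the reason with what would unblock it, e.g. `# utils tests are not run: they need profiles installed in /etc/apparmor.d/ and a working libapparmor PYTHONPATH`. The profiles tree is only exercised through `check-parser`, so the changes entry's "profiles tests" overstates what runs here; a comment such as `# only the parser-based profile checks run; the utils-based ones are skipped for the same PYTHONPATH reason` would keep the two in step. The `%if %{with python3}` export block repeats the one in `%build` (hunk `@@ -479,12 +484,10 @@ export PYTHON=/usr/bin/python3`); that repetition is needed because each section runs in its own shell, and a one-line comment saying so would stop a later cleanup from removing it.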
@@ -0,0 +1,875 @@ +------------------------------------------------------------ +revno: 3346 +behebt den Fehler: https://launchpad.net/bugs/1538306 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Mon 2016-08-15 22:06:47 +0200 +message: + Fix aa-logprof "add hat" endless loop + + This turned out to be a simple case of misinterpreting the promptUser() + result - it returns the answer and the selected option, and + "surprisingly" something like + ('CMD_ADDHAT', 0) + never matched + 'CMD_ADDHAT' + ;-) + + I also noticed that the new hat doesn't get initialized as + profile_storage(), and that the changed profile doesn't get marked as + changed. This is also fixed by this patch. + + + References: https://bugs.launchpad.net/apparmor/+bug/1538306 + + + Acked-by: Steve Beattie for trunk, 2.10 and 2.9 +------------------------------------------------------------ +revno: 3345 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Fri 2016-08-12 12:02:43 +0200 +message: + type_is_str(): make pyflakes3 happy + + pyflakes3 doesn't check sys.version and therefore complains about + 'unicode' being undefined. + + This patch defines unicode as alias of str to make pyflakes3 happy, and + as a side effect, simplifies type_is_str(). + + + Acked-by: Seth Arnold for trunk and 2.10. +------------------------------------------------------------ +revno: 3344 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Mon 2016-08-08 23:16:12 +0200 +message: + delete_duplicates(): don't modify self.rules while looping over it + + By calling self.delete() inside the delete_duplicates() loop, the + self.rules list was modified. This resulted in some rules not being + checked and therefore (some, not all) superfluous rules not being + removed. + + This patch switches to a temporary variable to loop over, and rebuilds + self.rules with the rules that are not superfluous. + + This also fixes some strange issues already marked with a "Huh?" comment + in the tests. 
+ + + Acked-by: Seth Arnold for trunk and 2.10. + + Note that in 2.10 cleanprof_test.* doesn't contain a ptrace rule, + therefore the cleanprof_test.out change doesn't make sense for 2.10. +------------------------------------------------------------ +revno: 3343 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Wed 2016-08-03 21:53:06 +0200 +message: + winbindd profile: allow dac_override + + This is needed to delete kerberos ccache files, for details see + https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5 + + + Acked-by: Seth Arnold for trunk, 2.10 and 2.9. + Acked-by: Steve Beattie for trunk, 2.10 and 2.9. +------------------------------------------------------------ +revno: 3342 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Sun 2016-07-31 17:15:42 +0200 +message: + logparser: store network-related params if an event looks like network + + Network events can come with an operation= that looks like a file event. + Nevertheless, if the event has a typical network parameter (like + net_protocol) set, make sure to store the network-related flags in ev. + + This fixes the test failure introduced in my last commit. + + + Acked-by: Kshitij Gupta for trunk, 2.10 and 2.9 +------------------------------------------------------------ +revno: 3341 +behebt den Fehler: https://launchpad.net/bugs/1577051 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Sat 2016-07-30 00:44:18 +0200 +message: + logparser.py: ignore network events with 'send receive' + + We already ignore network events that look like file events (based on + the operation keyword) if they have a request_mask of 'send' or + 'receive' to avoid aa-logprof crashes because of "unknown" permissions. + It turned out that both can happen at once, so we should also ignore + this case. + + Also add the now-ignored log event as test_multi testcase. + + + References: https://bugs.launchpad.net/apparmor/+bug/1577051 #13 + + + Acked-by: Tyler Hicks for trunk, 2.10 and 2.9. 
+------------------------------------------------------------ +revno: 3340 +committer: Seth Arnold +branch nick: 2.10 +timestamp: Fri 2016-07-29 11:46:16 -0700 +message: + add ld.so.preload to , thanks to Uzair Shamim +------------------------------------------------------------ +revno: 3339 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Tue 2016-07-26 21:13:49 +0200 +message: + Allow mr for /usr/lib*/ldb/*.so in samba abstractions + + This is needed for winbindd (since samba 4.4.x), but smbd could also need it. + + References: https://bugzilla.opensuse.org/show_bug.cgi?id=990006 + + + Acked-by: Seth Arnold for trunk, 2.10 and 2.9. +------------------------------------------------------------ +revno: 3338 +committer: Seth Arnold +branch nick: 2.10 +timestamp: Fri 2016-06-24 10:36:42 -0700 +message: + intrigeri@boum.org 2016-06-24 mod_apparmor manpage: fix "documenation" typo. +------------------------------------------------------------ +revno: 3337 +committer: Seth Arnold +branch nick: 2.10 +timestamp: Wed 2016-06-22 15:15:42 -0700 +message: + From: Simon McVittie + Date: Tue, 21 Jun 2016 18:18:45 +0100 + Subject: abstractions/nameservice: also support ConnMan-managed resolv.conf + + Follow the same logic we already did for NetworkManager, + resolvconf and systemd-resolved. The wonderful thing about + standards is that there are so many to choose from. + + 
Signed-off-by: Simon McVittie + + [modified by sarnold to fit the surroundings] +------------------------------------------------------------ +revno: 3336 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Sun 2016-06-05 23:43:55 +0200 +message: + Add a note about still enforcing deny rules to aa-complain manpage + + This behaviour makes sense (for example to force the confined program to + use a fallback path), but is probably surprising for users, so we should + document it. + + References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826218#37 + + + Acked-by: John Johansen for trunk, 2.10 and 2.9 +------------------------------------------------------------ +revno: 3335 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Sun 2016-06-05 20:07:33 +0200 +message: + honor 'chown' file events in logparser.py + + Also add a testcase to libapparmor's log collection + + + Acked-by: Kshitij Gupta for trunk, 2.10 and 2.9 +------------------------------------------------------------ +revno: 3334 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Wed 2016-06-01 21:06:25 +0200 +message: + aa-genprof: ask about profiles in extra dir (again) + + Thanks to reading the wrong directory in read_inactive_profiles() + (profile_dir instead of extra_profile_dir), aa-genprof never asked about + using a profile from the extra_profile_dir. + + Sounds like an easy fix, right? ;-) + + After fixing this (last chunk), several other errors popped up, one + after the other: + - get_profile() missed a required parameter in a serialize_profile() call + - when saving the profile, it was written to extra_profile_dir, not to + profile_dir where it (as a now-active profile) should be. This is + fixed by removing the filename from existing_profiles{} so that it can + pick up the default name. + - CMD_FINISHED (when asking if the extra profile should be used or a new + one) behaved exactly like CMD_CREATE_PROFILE, but this is surprising + for the user. 
Remove it to avoid confusion. + - displaying the extra profile was only implemented in YaST mode + - get_pager() returned None, not an actual pager. Since we have 'less' + hardcoded at several places, also return it in get_pager() + + Finally, also remove CMD_FINISHED from the get_profile() test in + test-translations.py. + + + (test-translations.py is only in trunk, therefore this part of the patch + is obviously trunk-only.) + + + + + Acked-by: Seth Arnold for trunk + Acked-by: John Johansen for trunk + a 50% ACK for 2.10 and 2.9 + Acked-by: Kshitij Gupta for trunk, 2.10 and 2.9 +------------------------------------------------------------ +revno: 3333 +behebt die Fehler: https://launchpad.net/bugs/1577051 https://launchpad.net/bugs/1582374 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Mon 2016-05-23 23:32:23 +0200 +message: + Ignore file events with a request mask of 'send' or 'receive' + + Those events are actually network events, so ideally we should map them + as such. Unfortunately this requires bigger changes, so here is a hotfix + that ignores those events and thus avoids crashing aa-logprof. + + References: https://bugs.launchpad.net/apparmor/+bug/1577051 + https://bugs.launchpad.net/apparmor/+bug/1582374 + + + Acked-by: Seth Arnold for trunk, 2.10 and 2.9 +------------------------------------------------------------ +revno: 3332 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Sun 2016-05-22 14:51:55 +0200 +message: + Document empty quotes ("") as empty value of a variable + + + Acked-by: Seth Arnold for all branches where this makes sense :) +------------------------------------------------------------ +revno: 3331 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Wed 2016-05-18 21:18:34 +0200 +message: + allow inet6 in ping profile + + The latest iputils merged ping and ping6 into a single binary that does + both IPv4 and IPv6 pings (by default, it really does both). 
+ This means we need to allow network inet6 raw in the ping profile. + + References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596 + (contains more details and example output) + + + Acked-by: Steve Beattie for trunk, 2.10 and 2.9 +------------------------------------------------------------ +revno: 3330 +committer: Seth Arnold +branch nick: 2.10 +timestamp: Wed 2016-05-11 17:23:22 -0700 +message: + dbus-session-strict: allow access to the user bus socket + + From: Simon McVittie + Date: Wed, 4 May 2016 13:48:36 +0100 + Subject: dbus-session-strict: allow access to the user bus socket + + If dbus is configured with --enable-user-bus (for example in the + dbus-user-session package in Debian and its derivatives), and the user + session is started with systemd, then the "dbus-daemon --session" will be + started by "systemd --user" and listen on $XDG_RUNTIME_DIR/bus. Similarly, + on systems where dbus-daemon has been replaced with kdbus, the + bridge/proxy used to provide compatibility with the traditional D-Bus + protocol listens on that same socket. + + In practice, $XDG_RUNTIME_DIR is /run/user/$uid on all systemd systems, + where $uid represents the numeric uid. I have not used /{var/,}run here, + because systemd does not support configurations where /var/run and /run + are distinct; in practice, /var/run is a symbolic link. + + Based on a patch by Sjoerd Simons, which originally used the historical + path /run/user/*/dbus/user_bus_socket. That path was popularized by the + user-session-units git repository, but has never been used in a released + version of dbus and should be considered unsupported. + + Signed-off-by: Simon McVittie +------------------------------------------------------------ +revno: 3329 +committer: Seth Arnold +branch nick: 2.10 +timestamp: Wed 2016-05-11 16:30:29 -0700 +message: + syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n + + 
From: Simon McVittie + Date: Wed, 11 May 2016 13:52:56 +0100 + Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n + + This test attempts to auto-skip the sysctl() part if that syscall + was not compiled into the current kernel, via + CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work, + for two reasons: + + * Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if", + and it had nonzero exit status, the trap on ERR was triggered, + causing execution of the error_handler() shell function, which + aborts the test with a failed status. The rules for ERR are the + same as for "set -e", so we can circumvent it in the same ways. + * Because sysctl_syscall.c prints its diagnostic message to stderr, + but the $() operator only captures stdout, it never matched + in the string comparison. This is easily solved by redirecting + its stderr to stdout. + + 
Signed-off-by: Simon McVittie +------------------------------------------------------------ +revno: 3328 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Tue 2016-05-10 14:34:40 +0200 +message: + load variables in ask_the_questions() + + Variables can be used in several rule types (from the existing *Rule + classes: change_profile, dbus, ptrace, signal). It seems nobody uses + variables with those rules, otherwise we'd have received a bugreport ;-) + + I noticed this while working on FileRule, where usage of variables is + more common. The file code in bzr (not using a *Rule class) already + loads the variables, so old versions don't need changes for file rule + handling. + + However, 2.10 already has ChangeProfileRule and therefore also needs + this fix. + + + Acked-by: Seth Arnold for trunk and 2.10. +------------------------------------------------------------ +revno: 3327 +behebt den Fehler: https://launchpad.net/bugs/1453300 +committer: Christian Boltz +branch nick: 2.10 +timestamp: Thu 2016-05-05 12:02:11 +0200 +message: + accept hostname with dots + + Some people have the full hostname in their syslog messages, so + libapparmor needs to accept hostnames that contain dots. + + + References: https://bugs.launchpad.net/apparmor/+bug/1453300 comments + #1 and #2 (the log samples reported by scrx in #apparmor) + + + + Acked-by: Seth Arnold + Acked-by: John Johansen + for trunk, 2.10 and 2.9. 
+------------------------------------------------------------ +revno: 3326 +tags: apparmor_2.10.1 +committer: John Johansen +branch nick: 2.10 +timestamp: Wed 2016-04-20 02:07:34 -0700 +message: + common/Version: prepare for 2.10.1 release +=== modified file 'changehat/mod_apparmor/mod_apparmor.pod' +--- changehat/mod_apparmor/mod_apparmor.pod 2014-09-15 18:30:47 +0000 ++++ changehat/mod_apparmor/mod_apparmor.pod 2016-06-24 17:36:42 +0000 +@@ -65,7 +65,7 @@ + + AAHatName allows you to specify a hat to be used for a given Apache + EDirectoryE, EDirectoryMatchE, ELocationE or +-ELocationMatchE directive (see the Apache documenation for more ++ELocationMatchE directive (see the Apache documentation for more + details). Note that mod_apparmor behavior can become confused if + EDirectory*E and ELocation*E directives are intermingled + and it is recommended to use one type of directive. If the hat specified by + +=== modified file 'libraries/libapparmor/src/scanner.l' +--- libraries/libapparmor/src/scanner.l 2015-06-02 08:00:29 +0000 ++++ libraries/libapparmor/src/scanner.l 2016-05-05 10:02:11 +0000 +@@ -178,7 +178,7 @@ + hhmmss {digit}{2}{colon}{digit}{2}{colon}{digit}{2} + timezone ({plus}|{minus}){digit}{2}{colon}{digit}{2} + syslog_time {hhmmss}({period}{digits})?{timezone}? 
+-syslog_hostname [[:alnum:]_-]+ ++syslog_hostname [[:alnum:]._-]+ + dmesg_timestamp \[[[:digit:] ]{5,}\.[[:digit:]]{6,}\] + + %x single_quoted_string + +=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.err' +=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.in' +--- libraries/libapparmor/testsuite/test_multi/file_chown.in 1970-01-01 00:00:00 +0000 ++++ libraries/libapparmor/testsuite/test_multi/file_chown.in 2016-06-05 18:07:33 +0000 +@@ -0,0 +1,1 @@ ++type=AVC msg=audit(1465133533.431:728): apparmor="DENIED" operation="chown" profile="/usr/sbin/cupsd" name="/run/cups/certs/" pid=8515 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=4 + +=== added file 'libraries/libapparmor/testsuite/test_multi/file_chown.out' +--- libraries/libapparmor/testsuite/test_multi/file_chown.out 1970-01-01 00:00:00 +0000 ++++ libraries/libapparmor/testsuite/test_multi/file_chown.out 2016-06-05 18:07:33 +0000 +@@ -0,0 +1,15 @@ ++START ++File: file_chown.in ++Event type: AA_RECORD_DENIED ++Audit ID: 1465133533.431:728 ++Operation: chown ++Mask: w ++Denied Mask: w ++fsuid: 0 ++ouid: 4 ++Profile: /usr/sbin/cupsd ++Name: /run/cups/certs/ ++Command: cupsd ++PID: 8515 ++Epoch: 1465133533 ++Audit subid: 728 + +=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.err' +=== added file 'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in' +--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 1970-01-01 00:00:00 +0000 ++++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.in 2016-05-05 10:02:11 +0000 +@@ -0,0 +1,1 @@ ++Sep 14 18:49:13 mfa-mia-74-app-rabbitmq-1.mia.ix.int kernel: [964718.247816] type=1400 audit(1442256553.643:40143): apparmor="ALLOWED" operation="open" profile="/opt/evoke/venv/bin/gunicorn" name="/opt/evoke/venv/lib/python2.7/warnings.pyc" pid=28943 comm="gunicorn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=110 + +=== added file 
'libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out' +--- libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 1970-01-01 00:00:00 +0000 ++++ libraries/libapparmor/testsuite/test_multi/syslog_hostname_with_dot.out 2016-05-05 10:02:11 +0000 +@@ -0,0 +1,15 @@ ++START ++File: syslog_hostname_with_dot.in ++Event type: AA_RECORD_ALLOWED ++Audit ID: 1442256553.643:40143 ++Operation: open ++Mask: r ++Denied Mask: r ++fsuid: 1000 ++ouid: 110 ++Profile: /opt/evoke/venv/bin/gunicorn ++Name: /opt/evoke/venv/lib/python2.7/warnings.pyc ++Command: gunicorn ++PID: 28943 ++Epoch: 1442256553 ++Audit subid: 40143 + +=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.err' +=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in' +--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 1970-01-01 00:00:00 +0000 ++++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.in 2016-07-29 22:44:18 +0000 +@@ -0,0 +1,1 @@ ++Jul 29 11:42:05 files kernel: [483212.877816] audit: type=1400 audit(1469785325.122:21021): apparmor="ALLOWED" operation="file_inherit" profile="/usr/bin/nginx-amplify-agent.py//null-/bin/dash" pid=18239 comm="sh" laddr=192.168.10.3 lport=50758 faddr=54.153.70.241 fport=443 family="inet" sock_type="stream" protocol=6 requested_mask="send receive" denied_mask="send receive" + +=== added file 'libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out' +--- libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 1970-01-01 00:00:00 +0000 ++++ libraries/libapparmor/testsuite/test_multi/testcase_network_send_receive.out 2016-07-29 22:44:18 +0000 +@@ -0,0 +1,19 @@ ++START ++File: testcase_network_send_receive.in ++Event type: AA_RECORD_ALLOWED ++Audit ID: 1469785325.122:21021 ++Operation: file_inherit ++Mask: send receive ++Denied Mask: send receive ++Profile: 
/usr/bin/nginx-amplify-agent.py//null-/bin/dash ++Command: sh ++PID: 18239 ++Network family: inet ++Socket type: stream ++Protocol: tcp ++Local addr: 192.168.10.3 ++Foreign addr: 54.153.70.241 ++Local port: 50758 ++Foreign port: 443 ++Epoch: 1469785325 ++Audit subid: 21021 + +=== modified file 'parser/apparmor.d.pod' +--- parser/apparmor.d.pod 2016-02-12 20:43:42 +0000 ++++ parser/apparmor.d.pod 2016-05-22 12:51:55 +0000 +@@ -1234,7 +1234,8 @@ + + The parser will automatically expand variables to include all values + that they have been assigned; it is an error to reference a variable +-without setting at least one value. ++without setting at least one value. You can use empty quotes ("") to ++explicitly add an empty value. + + At the time of this writing, the following variables are defined in the + provided AppArmor policy: + +=== modified file 'profiles/apparmor.d/abstractions/base' +--- profiles/apparmor.d/abstractions/base 2015-08-23 13:20:20 +0000 ++++ profiles/apparmor.d/abstractions/base 2016-07-29 18:46:16 +0000 +@@ -47,6 +47,7 @@ + # ld.so.cache and ld are used to load shared libraries; they are best + # available everywhere + /etc/ld.so.cache mr, ++ /etc/ld.so.preload r, + /lib{,32,64}/ld{,32,64}-*.so mrix, + /lib{,32,64}/**/ld{,32,64}-*.so mrix, + /lib/@{multiarch}/ld{,32,64}-*.so mrix, + +=== modified file 'profiles/apparmor.d/abstractions/dbus-session-strict' +--- profiles/apparmor.d/abstractions/dbus-session-strict 2014-09-03 20:11:05 +0000 ++++ profiles/apparmor.d/abstractions/dbus-session-strict 2016-05-12 00:23:22 +0000 +@@ -17,6 +17,9 @@ + type=stream + peer=(addr="@/tmp/dbus-*"), + ++ # dbus with systemd and --enable-user-session ++ owner /run/user/[0-9]*/bus rw, ++ + dbus send + bus=session + path=/org/freedesktop/DBus + +=== modified file 'profiles/apparmor.d/abstractions/nameservice' +--- profiles/apparmor.d/abstractions/nameservice 2016-01-05 23:04:34 +0000 ++++ profiles/apparmor.d/abstractions/nameservice 2016-06-22 22:15:42 +0000 +@@ 
-33,14 +33,10 @@ + /var/lib/sss/pipes/nss rw, + + /etc/resolv.conf r, +- # on systems using resolvconf, /etc/resolv.conf is a symlink to +- # /{,var/}run/resolvconf/resolv.conf and a file sometimes referenced in +- # /etc/resolvconf/run/resolv.conf +- /{,var/}run/resolvconf/resolv.conf r, ++ # On systems where /etc/resolv.conf is managed programmatically, it is ++ # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf. ++ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r, + /etc/resolvconf/run/resolv.conf r, +- # on systems using systemd's networkd, /etc/resolv.conf is a symlink to +- # /run/systemd/resolve/resolv.conf +- /{,var/}run/systemd/resolve/resolv.conf r, + + /etc/samba/lmhosts r, + /etc/services r, + +=== modified file 'profiles/apparmor.d/abstractions/samba' +--- profiles/apparmor.d/abstractions/samba 2015-05-18 23:25:26 +0000 ++++ profiles/apparmor.d/abstractions/samba 2016-07-26 19:13:49 +0000 +@@ -10,6 +10,7 @@ + # ------------------------------------------------------------------ + + /etc/samba/* r, ++ /usr/lib*/ldb/*.so mr, + /usr/share/samba/*.dat r, + /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r, + /var/cache/samba/ w, + +=== modified file 'profiles/apparmor.d/bin.ping' +--- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000 ++++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:34 +0000 +@@ -18,6 +18,7 @@ + capability net_raw, + capability setuid, + network inet raw, ++ network inet6 raw, + + /{,usr/}bin/ping mixr, + /etc/modules.conf r, + +=== modified file 'profiles/apparmor.d/usr.sbin.winbindd' +--- profiles/apparmor.d/usr.sbin.winbindd 2015-07-30 20:03:02 +0000 ++++ profiles/apparmor.d/usr.sbin.winbindd 2016-08-03 19:53:06 +0000 +@@ -7,6 +7,7 @@ + + deny capability block_suspend, + ++ capability dac_override, + capability ipc_lock, + capability setuid, + + +=== modified file 'tests/regression/apparmor/syscall_sysctl.sh' +--- tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 
18:23:10 +0000 ++++ tests/regression/apparmor/syscall_sysctl.sh 2016-05-11 23:30:29 +0000 +@@ -149,8 +149,7 @@ + # generally we want to encourage kernels to disable it, but if it's + # enabled we want to test against it + settest syscall_sysctl +-res=$(${test} ro) +-if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then ++if ! res="$(${test} ro 2>&1)" && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then + echo " WARNING: syscall sysctl not implemented, skipping tests ..." + else + test_syscall_sysctl + +=== modified file 'utils/aa-complain.pod' +--- utils/aa-complain.pod 2014-09-15 18:30:47 +0000 ++++ utils/aa-complain.pod 2016-06-05 21:43:55 +0000 +@@ -41,6 +41,8 @@ + In this mode security policy is not enforced but rather access violations + are logged to the system log. + ++Note that 'deny' rules will be enforced even in complain mode. ++ + =head1 BUGS + + If you find any bugs, please report them at + +=== modified file 'utils/aa-mergeprof' +--- utils/aa-mergeprof 2015-07-06 20:02:34 +0000 ++++ utils/aa-mergeprof 2016-05-10 12:34:40 +0000 +@@ -1,6 +1,7 @@ + #! 
/usr/bin/env python + # ---------------------------------------------------------------------- + # Copyright (C) 2013 Kshitij Gupta ++# Copyright (C) 2014-2016 Christian Boltz + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -17,7 +18,7 @@ + import os + + import apparmor.aa +-from apparmor.aa import available_buttons, combine_name, delete_duplicates, is_known_rule, match_includes ++from apparmor.aa import available_buttons, combine_name, delete_duplicates, get_profile_filename, is_known_rule, match_includes + import apparmor.aamode + from apparmor.common import AppArmorException + from apparmor.regex import re_match_include +@@ -283,6 +284,9 @@ + if not sev_db: + sev_db = apparmor.severity.Severity(apparmor.aa.CONFDIR + '/severity.db', _('unknown')) + ++ sev_db.unload_variables() ++ sev_db.load_variables(get_profile_filename(profile)) ++ + for hat in sorted(other.aa[profile].keys()): + #Add the includes from the other profile to the user profile + done = False + +=== modified file 'utils/apparmor/aa.py' +--- utils/apparmor/aa.py 2016-03-01 20:25:29 +0000 ++++ utils/apparmor/aa.py 2016-08-15 20:06:47 +0000 +@@ -1,6 +1,6 @@ + # ---------------------------------------------------------------------- + # Copyright (C) 2013 Kshitij Gupta +-# Copyright (C) 2014-2015 Christian Boltz ++# Copyright (C) 2014-2016 Christian Boltz + # + # This program is free software; you can redistribute it and/or + # modify it under the terms of version 2 of the GNU General Public +@@ -557,8 +557,11 @@ + inactive_profile[prof_name][prof_name].pop('filename') + profile_hash[uname]['username'] = uname + profile_hash[uname]['profile_type'] = 'INACTIVE_LOCAL' +- profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name) ++ profile_hash[uname]['profile'] = serialize_profile(inactive_profile[prof_name], prof_name, None) + profile_hash[uname]['profile_data'] = 
inactive_profile ++ ++ existing_profiles.pop(prof_name) # remove profile filename from list to force storing in /etc/apparmor.d/ instead of extra_profile_dir ++ + # If no profiles in repo and no inactive profiles + if not profile_hash.keys(): + return None +@@ -579,18 +582,13 @@ + + q = aaui.PromptQuestion() + q.headers = ['Profile', prof_name] +- q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', +- 'CMD_ABORT', 'CMD_FINISHED'] ++ q.functions = ['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT'] + q.default = "CMD_VIEW_PROFILE" + q.options = options + q.selected = 0 + + ans = '' + while 'CMD_USE_PROFILE' not in ans and 'CMD_CREATE_PROFILE' not in ans: +- if ans == 'CMD_FINISHED': +- save_profiles() +- return +- + ans, arg = q.promptUser() + p = profile_hash[options[arg]] + q.selected = options.index(options[arg]) +@@ -602,12 +600,13 @@ + 'profile_type': p['profile_type'] + }) + ypath, yarg = GetDataFromYast() +- #else: +- # pager = get_pager() +- # proc = subprocess.Popen(pager, stdin=subprocess.PIPE) ++ else: ++ pager = get_pager() ++ proc = subprocess.Popen(pager, stdin=subprocess.PIPE) + # proc.communicate('Profile submitted by %s:\n\n%s\n\n' % + # (options[arg], p['profile'])) +- # proc.kill() ++ proc.communicate(p['profile'].encode()) ++ proc.kill() + elif ans == 'CMD_USE_PROFILE': + if p['profile_type'] == 'INACTIVE_LOCAL': + profile_data = p['profile_data'] +@@ -658,6 +657,7 @@ + if not profile_data: + profile_data = create_new_profile(pname) + file = get_profile_filename(pname) ++ profile_data[pname][pname]['filename'] = None # will be stored in /etc/apparmor.d when saving, so it shouldn't carry the extra_profile_dir filename + attach_profile_data(aa, profile_data) + attach_profile_data(original_aa, profile_data) + if os.path.isfile(profile_dir + '/tunables/global'): +@@ -1095,7 +1095,7 @@ + + seen_events += 1 + +- ans = q.promptUser() ++ ans = q.promptUser()[0] + + if ans == 'CMD_FINISHED': + save_profiles() 
+@@ -1105,7 +1105,9 @@ + + if ans == 'CMD_ADDHAT': + hat = uhat ++ aa[profile][hat] = profile_storage(profile, hat, 'handle_children addhat') + aa[profile][hat]['flags'] = aa[profile][profile]['flags'] ++ changed[profile] = True + elif ans == 'CMD_USEDEFAULT': + hat = default_hat + elif ans == 'CMD_DENY': +@@ -1590,6 +1592,10 @@ + UI_SelectUpdatedRepoProfile(profile, p) + + found += 1 ++ ++ sev_db.unload_variables() ++ sev_db.load_variables(get_profile_filename(profile)) ++ + # Sorted list of hats with the profile name coming first + hats = list(filter(lambda key: key != profile, sorted(log_dict[aamode][profile].keys()))) + if log_dict[aamode][profile].get(profile, False): +@@ -2305,7 +2311,7 @@ + reload_base(profile_name) + + def get_pager(): +- pass ++ return 'less' + + def generate_diff(oldprofile, newprofile): + oldtemp = tempfile.NamedTemporaryFile('w') +@@ -2504,7 +2510,7 @@ + except: + fatal_error(_("Can't read AppArmor profiles in %s") % extra_profile_dir) + +- for file in os.listdir(profile_dir): ++ for file in os.listdir(extra_profile_dir): + if os.path.isfile(extra_profile_dir + '/' + file): + if is_skippable_file(file): + continue + +=== modified file 'utils/apparmor/common.py' +--- utils/apparmor/common.py 2015-12-17 22:38:02 +0000 ++++ utils/apparmor/common.py 2016-08-12 10:02:43 +0000 +@@ -245,11 +245,12 @@ + return False + return True + ++if sys.version_info[0] > 2: ++ unicode = str # python 3 dropped the unicode type. To keep type_is_str() simple (and pyflakes3 happy), re-create it as alias of str. 
++ + def type_is_str(var): + ''' returns True if the given variable is a str (or unicode string when using python 2)''' +- if type(var) == str: +- return True +- elif sys.version_info[0] < 3 and type(var) == unicode: # python 2 sometimes uses the 'unicode' type ++ if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type + return True + else: + return False + +=== modified file 'utils/apparmor/logparser.py' +--- utils/apparmor/logparser.py 2016-02-10 18:09:57 +0000 ++++ utils/apparmor/logparser.py 2016-07-31 15:15:42 +0000 +@@ -133,7 +133,7 @@ + ev['denied_mask'] = event.denied_mask + ev['request_mask'] = event.requested_mask + ev['magic_token'] = event.magic_token +- if ev['operation'] and self.op_type(ev['operation']) == 'net': ++ if ev['operation'] and (self.op_type(ev['operation']) == 'net' or event.net_protocol): + ev['family'] = event.net_family + ev['protocol'] = event.net_protocol + ev['sock_type'] = event.net_sock_type +@@ -278,7 +278,7 @@ + self.debug_logger.debug('parse_event_for_tree: dropped exec event in %s' % e['profile']) + + elif ( e['operation'].startswith('file_') or e['operation'].startswith('inode_') or +- e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'rename_src', ++ e['operation'] in ['open', 'truncate', 'mkdir', 'mknod', 'chmod', 'chown', 'rename_src', + 'rename_dest', 'unlink', 'rmdir', 'symlink_create', 'link', + 'sysctl', 'getattr', 'setattr', 'xattr'] ): + +@@ -289,6 +289,13 @@ + self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e) + return None + ++ # sometimes network events come with an e['operation'] that matches the list of file operations ++ # see https://bugs.launchpad.net/apparmor/+bug/1577051 and https://bugs.launchpad.net/apparmor/+bug/1582374 ++ # XXX these events are network events, so we should map them as such ++ if 'send' in e['request_mask'] or 'receive' in e['request_mask']: ++ self.debug_logger.debug('UNHANDLED (request_mask is send or receive): %s' % e) ++ return 
None ++ + # Map c (create) and d (delete) to w (logging is more detailed than the profile language) + rmask = e['request_mask'] + rmask = rmask.replace('c', 'w') + +=== modified file 'utils/apparmor/rule/__init__.py' +--- utils/apparmor/rule/__init__.py 2016-01-25 22:42:45 +0000 ++++ utils/apparmor/rule/__init__.py 2016-08-08 21:16:12 +0000 +@@ -312,10 +312,13 @@ + + # delete rules that are covered by include files + if include_rules: +- for rule in self.rules: +- if include_rules.is_covered(rule, True, True): +- self.delete(rule) ++ oldrules = self.rules ++ self.rules = [] ++ for rule in oldrules: ++ if include_rules.is_covered(rule, True, False): + deleted += 1 ++ else: ++ self.rules.append(rule) + + # de-duplicate rules inside the profile + deleted += self.delete_in_profile_duplicates() + +=== modified file 'utils/test/test-capability.py' +--- utils/test/test-capability.py 2015-11-23 23:22:37 +0000 ++++ utils/test/test-capability.py 2016-08-08 21:16:12 +0000 +@@ -817,7 +817,6 @@ + inc.add(CapabilityRule.parse(rule)) + + expected_raw = [ +- ' allow capability sys_admin,', # XXX huh? should be deleted! + ' deny capability chgrp, # example comment', + '', + ] +@@ -825,11 +824,9 @@ + expected_clean = [ + ' deny capability chgrp, # example comment', + '', +- ' allow capability sys_admin,', # XXX huh? should be deleted! +- '', + ] + +- self.assertEqual(self.ruleset.delete_duplicates(inc), 1) ++ self.assertEqual(self.ruleset.delete_duplicates(inc), 2) + self.assertEqual(expected_raw, self.ruleset.get_raw(1)) + self.assertEqual(expected_clean, self.ruleset.get_clean(1)) + + diff --git a/libapparmor-fix-import-path.diff b/libapparmor-fix-import-path.diff new file mode 100644 index 0000000..f0d9d3c --- /dev/null +++ b/libapparmor-fix-import-path.diff 
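Review bot: Besides rebuilding `self.rules` instead of deleting while iterating, the `@@ -312,10 +312,13 @@` hunk in `utils/apparmor/rule/__init__.py` silently flips the third positional argument of `include_rules.is_covered(rule, True, True)` to `False`, and nothing in the hunk says why. If the parameters follow the `is_covered(other_rule, check_allow_deny, check_audit)` order used elsewhere in the rule classes, this makes an `audit` rule in the profile deletable whenever the include carries the same rule without `audit`, so the audit marker is lost on write-back. Passing the flags by keyword, `include_rules.is_covered(rule, check_allow_deny=True, check_audit=False)`, together with a one-line comment stating that audit-only differences are intentionally ignored here, would make the intent reviewable; otherwise the audit check should stay on. The list rebuild itself is the right fix for the skipped-element behaviour the removed `# XXX huh? should be deleted!` test lines documented; the enclosing method starts and ends outside the hunk.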
@@ -0,0 +1,42 @@
+Index: libraries/libapparmor/swig/python/Makefile.am
+===================================================================
+--- libraries/libapparmor/swig/python/Makefile.am.orig 2014-01-06 23:08:55.000000000 +0100
++++ libraries/libapparmor/swig/python/Makefile.am 2016-08-26 18:03:52.526582753 +0200
+@@ -6,9 +6,8 @@ SUBDIRS = test
+ 
+ libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
+ $(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
+- mv LibAppArmor.py __init__.py
+ 
+-MOSTLYCLEANFILES=libapparmor_wrap.c __init__.py
++MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
+ 
+ all-local: libapparmor_wrap.c setup.py
+ if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
+Index: libraries/libapparmor/swig/python/__init__.py
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ libraries/libapparmor/swig/python/__init__.py 2016-08-26 18:03:16.790763701 +0200
+@@ -0,0 +1 @@
++from LibAppArmor.LibAppArmor import *
+Index: libraries/libapparmor/swig/python/Makefile.in
+===================================================================
+--- libraries/libapparmor/swig/python/Makefile.in.orig 2016-04-20 11:09:04.000000000 +0200
++++ libraries/libapparmor/swig/python/Makefile.in 2016-08-26 18:04:51.770288833 +0200
+@@ -326,7 +326,7 @@ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ @HAVE_PYTHON_TRUE@EXTRA_DIST = libapparmor_wrap.c
+ @HAVE_PYTHON_TRUE@SUBDIRS = test
+-@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c __init__.py
++@HAVE_PYTHON_TRUE@MOSTLYCLEANFILES = libapparmor_wrap.c LibAppArmor.py
+ all: all-recursive
+ 
+ .SUFFIXES:
+@@ -648,7 +648,6 @@ uninstall-am:
+ 
+ @HAVE_PYTHON_TRUE@libapparmor_wrap.c: $(srcdir)/../SWIG/libapparmor.i
+ @HAVE_PYTHON_TRUE@ $(SWIG) -python -I$(srcdir)/../../include -module LibAppArmor -o $@ $(srcdir)/../SWIG/libapparmor.i
+-@HAVE_PYTHON_TRUE@ mv 
LibAppArmor.py __init__.py + + @HAVE_PYTHON_TRUE@all-local: libapparmor_wrap.c setup.py + @HAVE_PYTHON_TRUE@ if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi diff --git a/profiles-ping-inet6-r3449.diff b/profiles-ping-inet6-r3449.diff deleted file mode 100644 index f117bec..0000000 --- a/profiles-ping-inet6-r3449.diff +++ /dev/null @@ -1,33 +0,0 @@ ------------------------------------------------------------- -revno: trunk r3449 / 2.10 branch r3331 / 2.9 branch r3009 -committer: Christian Boltz -branch nick: apparmor -timestamp: Wed 2016-05-18 21:18:10 +0200 -message: - allow inet6 in ping profile - - The latest iputils merged ping and ping6 into a single binary that does - both IPv4 and IPv6 pings (by default, it really does both). - This means we need to allow network inet6 raw in the ping profile. - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=980596 - (contains more details and example output) - - - Acked-by: Steve Beattie for trunk, 2.10 and 2.9 - - -=== modified file 'profiles/apparmor.d/bin.ping' ---- profiles/apparmor.d/bin.ping 2015-10-20 21:12:35 +0000 -+++ profiles/apparmor.d/bin.ping 2016-05-18 19:18:10 +0000 -@@ -18,6 +18,7 @@ - capability net_raw, - capability setuid, - network inet raw, -+ network inet6 raw, - - /{,usr/}bin/ping mixr, - /etc/modules.conf r, - - -vim:ft=diff
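Review bot: The new hand-written `libraries/libapparmor/swig/python/__init__.py` replaces the file the removed `mv LibAppArmor.py __init__.py` used to generate, but nothing in the Makefile.am or Makefile.in hunks adds it to `EXTRA_DIST` (the context line `@HAVE_PYTHON_TRUE@EXTRA_DIST = libapparmor_wrap.c` still lists only the wrapper) or copies it into the build directory the way `all-local` does for `libapparmor_wrap.c`, so `make dist` tarballs and out-of-tree builds may end up without it unless `setup.py`, which this patch does not touch, reads it from `$(srcdir)`; `EXTRA_DIST = libapparmor_wrap.c __init__.py` in Makefile.am would close the dist gap. A one-line comment above the `libapparmor_wrap.c` rule, such as `# LibAppArmor.py is SWIG output and is cleaned; __init__.py is hand-written and re-exports it`, would record why the `mv` went away and why MOSTLYCLEANFILES changed. Patching Makefile.in in lockstep with Makefile.am is correct here since the shipped Makefile.in is automake output.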