pool/apparmor
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 598823 from home:cboltz

Browse Source 
--------------------------------------------------------------------
- update to AppArmor 2.13
  - add support for multiple cache directories and cache overlays
    (boo#1069906, boo#1074429)
  - add support for conditional includes in policy
  - remove group restrictions from aa-notify (boo#1058787)
  - aa-complain etc.: set flags for profiles represented by a glob
  - aa-status: split profile from exec name
  - several profile and abstraction updates
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
    for the detailed upstream changelog
- drop upstreamed patches and files:
  - aa-teardown
  - apparmor.service
  - apparmor.systemd
  - 32-bit-no-uid.diff
  - disable-cache-on-ro-fs.diff
  - dovecot-stats.diff
  - parser-write-cache-warn-only.diff
  - set-flags-for-profiles-represented-by-glob.patch
  - fix-regression-in-set-flags.patch
- drop spec code that handled installing aa-teardown, apparmor.service
  and apparmor.systemd (now part of upstream Makefile)
- simplify "make -C profiles parser-check" call (upstream Makefile bug
  that required to call "cd" was fixed)
- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
- move 'exec' symlink to parser package (belongs to aa-exec)

libapparmor:
- update to AppArmor 2.13
  - add support for multiple cache directories and cache overlays
    (boo#1069906, boo#1074429)
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
    for the detailed upstream changelog

OBS-URL: https://build.opensuse.org/request/show/598823
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=207
This commit is contained in:
Christian Boltz 2018-04-19 22:21:11 +00:00 committed by Git OBS Bridge
parent d4030892e0
commit d3384f4923
18 changed files with 83 additions and 435 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
32-bit-no-uid.diff
View File

@ -1,21 +0,0 @@
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index 0e74c3f5..5738bb10 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -12,6 +12,7 @@
# GNU General Public License for more details.
#
# ----------------------------------------------------------------------
+import ctypes
import os
import re
import sys
@@ -118,7 +118,7 @@ class ReadLog:
ev['protocol'] = event.net_protocol
ev['sock_type'] = event.net_sock_type
- if event.ouid != 18446744073709551615: # 2^64 - 1
+ if event.ouid != ctypes.c_ulong(-1).value: # ULONG_MAX
ev['fsuid'] = event.fsuid
ev['ouid'] = event.ouid

10
aa-teardown
View File

@ -1,10 +0,0 @@
#!/bin/bash
test $# = 0 || {
echo "Usage: $0"
echo
echo "Unloads all AppArmor profiles"
exit 1
}
/lib/apparmor/apparmor.systemd stop

15
aa-teardown-path.diff Normal file
View File

@ -0,0 +1,15 @@
Index: parser/Makefile
===================================================================
--- parser/Makefile.orig 2018-04-15 15:48:53.000000000 +0200
+++ parser/Makefile 2018-04-15 23:21:13.677508654 +0200
@@ -384,8 +384,8 @@ install-systemd:
install -m 755 -d $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
- install -m 755 -d $(DESTDIR)/sbin
- install -m 755 aa-teardown $(DESTDIR)/sbin
+ install -m 755 -d $(DESTDIR)/usr/sbin
+ install -m 755 aa-teardown $(DESTDIR)/usr/sbin
ifndef VERBOSE
.SILENT: clean

3
apparmor-2.12.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056
size 7258450

16
apparmor-2.12.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQI3BAABCgAhBQJaP2rLGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
5k49NmS72aQP/1y8Xr4GxCKJAonXSYdF3dlR54SIz6DWyMcdFnmE49w4/XVFhrf6
T3sIQzGdb38o1cjf6oPWaitMuOlr8SHZOSAtZXZm7xDh3fGXG11Vj12iNBX4o6CJ
WyrBG1MUX4u03iDjnv98rtbAViS9/DZsbN9iPZ9Ibo+Fb/wVS4EKe5iCZWTpqdW5
lbrWQVajqCw4EzD0ld6kklsuH6nb+pII4KawSDsk4hN5o4HxTZeK/lgwZ/sFE5LA
RJb3vShdSsIodDsj5mc5wfDVmzdqPcfTTaffLcW8uXYuMhtcI6vRAxGEKqHwDa4x
aUasiJPfFH21e1lTlztzCi2vlSdrnb89V2m7lHiOOL2bCtHhnIduRYgo+WnMZC+m
FcF9heBrTSajzg9ZE3EpVsN2wQYEGrVQer2MSy2vE8n+9JDxaJeyZ1RbT5yoeSkO
zPo6IlrfSruRdLVVekzZezoDow2kWfyzfTbDcOdZlDIchwPyXwVdGwFAf/s9aSoz
i/UIL0XpLCrd+MkaLeClWxPQR0IR5US3kxgI3vmpg4AGICq4Ayg6A2tQCMjI66Db
l1SRwLsEsZT9gfcvXeBF2w+xh9bCDUasmxcFkhv5axr12/r2nZWcKE0U1bsuK6bd
BOn2oRNshOcxnh6ni5YbTuASH52H3evKM5zypYmUpc4nUqHbFjeJOetM
=rBMH
-----END PGP SIGNATURE-----

3
apparmor-2.13.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:49f0b65a60c1eb5b7b4316023811bf1785875567e0e0c4c8a26cb1f1c3ac5858
size 7352564

16
apparmor-2.13.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQI3BAABCgAhBQJa01juGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
5k49NmS7w7sP/jWzBwvWn4NySOdncM+/h83AIb0Kx2mBPFCqLrZ3low73riA/LtJ
mq7JN/qiBYM/lB/6fiEJZV5eUTvN9IFOtJkJVbEYOhIe5IjBkkOoxDfmnpnrkTvK
GYkoIjSpsJDepvzqpBeQ44exH7XGkhpZRULlgJZkpJXvYE0nb9JDQgOuPWP56Q0F
t773uEIYME/7sveQtHYbUVrB2ncnMO4ppcFhNo2VEz7q1xl+s0D9b5qAvRNMjA/9
vgx8ZXSGbhsIUhMf5RgZd3j2hVs2LI+Qg6jM+ULzB+C9PtXefSe802gREoSkKxvQ
f88sPuOL1DX2aiIu5GFUQqziP9u+Xp/2YkQs0WSJEGUbs2+HfKDJHVF/610B4i6L
jpBIja9cYRacINU4beTNvZulyAAZHQ0CsRf1eyRzUrwNIi76eLlmhkBve40mtVq0
6CKWkKllTmEk94D3CEFPzzDV7rpA9hcif71WGwNbMBj4HOlLK/pNAedAccdWwNbo
4EExDyMQrOeHQsUmppaiH/ulwMKd6HGQOMiLm1kPesBqpW+bbI1PMP0O/Kpb/tVQ
Kesr9tTYiTrSXeQUoWeaCZ5xV2yq6xr9RWLSLkLj3B2F9WF9RcR8jj1K7796ervi
Ybm7VwdnmSi/fRV+8lUUjy1NPksTZ4iem26GJ0YsQqxCz3phH9wAvW1c
=oH+3
-----END PGP SIGNATURE-----

32
apparmor.changes
View File

@ -1,4 +1,34 @@
-------------------------------------------------------------------
--------------------------------------------------------------------
Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de
- update to AppArmor 2.13
- add support for multiple cache directories and cache overlays
(boo#1069906, boo#1074429)
- add support for conditional includes in policy
- remove group restrictions from aa-notify (boo#1058787)
- aa-complain etc.: set flags for profiles represented by a glob
- aa-status: split profile from exec name
- several profile and abstraction updates
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
for the detailed upstream changelog
- drop upstreamed patches and files:
- aa-teardown
- apparmor.service
- apparmor.systemd
- 32-bit-no-uid.diff
- disable-cache-on-ro-fs.diff
- dovecot-stats.diff
- parser-write-cache-warn-only.diff
- set-flags-for-profiles-represented-by-glob.patch
- fix-regression-in-set-flags.patch
- drop spec code that handled installing aa-teardown, apparmor.service
and apparmor.systemd (now part of upstream Makefile)
- simplify "make -C profiles parser-check" call (upstream Makefile bug
that required to call "cd" was fixed)
- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
- move 'exec' symlink to parser package (belongs to aa-exec)
--------------------------------------------------------------------
Thu Apr 19 11:23:37 UTC 2018 - rgoldwyn@suse.com
- Set flags for profiles represented by glob (bsc#1086154)

25
apparmor.service
View File

@ -1,25 +0,0 @@
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
Before=sysinit.target
After=systemd-journald-audit.socket
After=var.mount var-lib.mount
ConditionSecurity=apparmor
[Service]
Type=oneshot
ExecStart=/lib/apparmor/apparmor.systemd reload
ExecReload=/lib/apparmor/apparmor.systemd reload
# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement
# from running processes (and not being able to re-apply it later).
# Upstream systemd developers refused to implement an option that allows overriding
# this behaviour, therefore we have to make ExecStop a no-op to error out on the
# safe side.
#
# If you really want to unload all AppArmor profiles, run aa-teardown
ExecStop=/bin/true
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

47
apparmor.spec
View File

@ -35,7 +35,7 @@
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
Name: apparmor
Version: 2.12
Version: 2.13
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
@ -48,10 +48,8 @@ Source2: %{name}.keyring
Source5: update-trans.sh
Source6: baselibs.conf
Source7: apparmor-rpmlintrc
Source8: apparmor.service
Source9: apparmor.systemd
Source10: aa-teardown
# TODO: set cache-loc in parser.conf, and update dependencies in apparmor.service for changed cache paths
# enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff
@ -64,19 +62,8 @@ Patch5: ruby-2_0-mkmf-destdir.patch
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (fixed upstream 2018-03-07)
Patch8: 32-bit-no-uid.diff
# make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
Patch9: parser-write-cache-warn-only.diff
# Disable write cache if filesystem is read-only, don't abort (merged upstream 2018-01-16 to 2.10..trunk)
Patch10: disable-cache-on-ro-fs.diff
# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
Patch11: dovecot-stats.diff
Patch12: set-flags-for-profiles-represented-by-glob.patch
Patch13: fix-regression-in-set-flags.patch
# install aa-teardown to /usr/sbin, not /sbin (merged upstream 2018-04-15 https://gitlab.com/apparmor/apparmor/merge_requests/97)
Patch8: aa-teardown-path.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -365,12 +352,7 @@ SubDomain.
%patch2
%patch5 -p1
%patch7
%patch8 -p1
%patch9 -p1
%patch10 -p0
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch8
%build
export SUSE_ASNEEDED=0
@ -437,9 +419,7 @@ make check -C parser
make check -C binutils
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to switch to make -C
# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
(cd profiles && make check-parser)
make -C profiles check-parser
make check -C utils
@ -511,18 +491,6 @@ done
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
# Adjust for systemd
test ! -f %{buildroot}%{_unitdir}/apparmor.service
install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
test ! -f %{buildroot}%{_sbindir}/aa-teardown
install -m0755 %{S:10} %{buildroot}%{_sbindir}
# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the next 3 lines
rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
rm %{buildroot}/sbin/rcsubdomain
ln -sf service %{buildroot}/sbin/rcapparmor
echo -------------------------------------------------------------------
#find -ls
echo -------------------------------------------------------------------
@ -546,6 +514,7 @@ echo -------------------------------------------------------------------
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
%{_sbindir}/aa-teardown
%{_sbindir}/exec
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
@ -564,6 +533,7 @@ echo -------------------------------------------------------------------
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man5/subdomain.conf.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man8/aa-teardown.8.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz
%pre parser
@ -623,7 +593,6 @@ fi
%{_sbindir}/decode
%{_sbindir}/disable
%{_sbindir}/enforce
%{_sbindir}/exec
%{_sbindir}/genprof
%{_sbindir}/logprof
%{_sbindir}/notify

85
apparmor.systemd
View File

@ -1,85 +0,0 @@
#!/bin/sh
APPARMOR_FUNCTIONS=/lib/apparmor/rc.apparmor.functions
aa_action()
{
echo $1
shift
"$@"
return $?
}
aa_log_warning_msg()
{
echo "Warning: $@"
}
aa_log_failure_msg()
{
echo "Error: $@"
}
aa_log_action_start()
{
echo "$@"
}
aa_log_action_end()
{
echo -n
}
aa_log_daemon_msg()
{
echo "$@"
}
aa_log_skipped_msg()
{
echo "Skipped: $@"
}
aa_log_end_msg()
{
echo -n
}
# source apparmor function library
if [ -f "${APPARMOR_FUNCTIONS}" ]; then
. ${APPARMOR_FUNCTIONS}
else
aa_log_failure_msg "Unable to find AppArmor initscript functions"
exit 1
fi
case "$1" in
start)
apparmor_start
rc=$?
;;
stop)
apparmor_stop
rc=$?
;;
restart|reload|force-reload)
apparmor_restart
rc=$?
;;
try-restart)
apparmor_try_restart
rc=$?
;;
kill)
apparmor_kill
rc=$?
;;
status)
apparmor_status
rc=$?
;;
*)
exit 1
;;
esac
exit $rc

11
disable-cache-on-ro-fs.diff
View File

@ -1,11 +0,0 @@
--- parser/parser_main.c
+++ parser/parser_main.c 2018/01/11 16:52:00
@@ -1124,7 +1124,7 @@
retval = aa_policy_cache_new(&policy_cache, features,
AT_FDCWD, cacheloc, max_caches);
if (retval) {
- if (errno != ENOENT && errno != EEXIST) {
+ if (errno != ENOENT && errno != EEXIST && errno != EROFS) {
PERROR(_("Failed setting up policy cache (%s): %s\n"),
cacheloc, strerror(errno));
return 1;

79
dovecot-stats.diff
View File

@ -1,79 +0,0 @@
commit d7cb151eb0da3ce6ac152b37ca84435266d34c88
Author: Christian Boltz <apparmor@cboltz.de>
Date: Wed Apr 11 22:17:29 2018 +0200
allow dovecot/auth to write /run/dovecot/old-stats-user
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
(3rd bullet point)
commit 3521edc41c3f01ebdd7681b107b5c5daa40fe896
Author: Christian Boltz <apparmor@cboltz.de>
Date: Wed Apr 11 21:34:51 2018 +0200
add dovecot/stats profile, and allow dovecot to run it
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth b/profiles/apparmor.d/usr.lib.dovecot.auth
index fcb54364..b44441e2 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------
#
-# Copyright (C) 2013 Christian Boltz
+# Copyright (C) 2013-2018 Christian Boltz
# Copyright (C) 2014 Christian Wittmer
#
# This program is free software; you can redistribute it and/or
@@ -43,6 +43,7 @@
/run/dovecot/auth-worker rw,
/run/dovecot/login/login rw,
/{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+ /{var/,}run/dovecot/old-stats-user w,
/{var/,}run/dovecot/stats-user rw,
/{var/,}run/dovecot/anvil-auth-penalty rw,
diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats b/profiles/apparmor.d/usr.lib.dovecot.stats
new file mode 100644
index 00000000..151e4ed6
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.stats
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2018 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/stats {
+ #include <abstractions/base>
+ #include <abstractions/dovecot-common>
+
+ capability setuid,
+ capability sys_chroot,
+
+ /usr/lib/dovecot/stats mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.dovecot.stats>
+}
diff --git a/profiles/apparmor.d/usr.sbin.dovecot b/profiles/apparmor.d/usr.sbin.dovecot
index c0b180b4..e3a85fa0 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -54,6 +54,7 @@
/usr/lib/dovecot/pop3-login Pxmr,
/usr/lib/dovecot/ssl-build-param rix,
/usr/lib/dovecot/ssl-params mrPx,
+ /usr/lib/dovecot/stats Px,
/usr/sbin/dovecot mrix,
/usr/share/dovecot/protocols.d/ r,
/usr/share/dovecot/protocols.d/** r,

40
fix-regression-in-set-flags.patch
View File

@ -1,40 +0,0 @@
commit f472b6bb3422fd13d3039a8f4c83d017a2d660e3
Author: Christian Boltz <apparmor@cboltz.de>
Date: Sat Apr 14 21:45:39 2018 +0200
fix regression in {get,set}_profile_flags()
Since the latest change, calling {get,set}_profile_flags() with the
profile name failed when attachment was specified ("profile foo /bar").
Catched by the unittests.
Also fix a whitespace issue.
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 4545dfc7..e28b8495 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -617,7 +617,7 @@ def get_profile_flags(filename, program):
else:
profile_glob = AARE(matches['profile'], True)
flags = matches['flags']
- if (program is not None and profile_glob.match(program)) or program is None:
+ if (program is not None and profile_glob.match(program)) or program is None or program == matches['profile']:
return flags
raise AppArmorException(_('%s contains no profile') % filename)
@@ -674,10 +674,11 @@ def set_profile_flags(prof_filename, program, newflags):
profile_glob = AARE(matches['attachment'], True)
else:
profile_glob = AARE(matches['profile'], True)
- if (program is not None and profile_glob.match(program)) or program is None:
+ if (program is not None and profile_glob.match(program)) or program is None or program == matches['profile']:
found = True
if program is not None and program != profile:
- aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
+ aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
+
header_data = {
'attachment': matches['attachment'] or '',
'flags': newflags,

9
libapparmor.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Sun Apr 15 19:02:35 UTC 2018 - suse-beta@cboltz.de
- update to AppArmor 2.13
- add support for multiple cache directories and cache overlays
(boo#1069906, boo#1074429)
- see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
for the detailed upstream changelog
-------------------------------------------------------------------
Mon Dec 25 15:32:35 UTC 2017 - suse-beta@cboltz.de

2
libapparmor.spec
View File

@ -18,7 +18,7 @@
Name: libapparmor
Version: 2.12
Version: 2.13
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1-or-later

49
parser-write-cache-warn-only.diff
View File

@ -1,49 +0,0 @@
From cd45ebddeb67b55b956646bfc760918b4b5edb37 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Thu, 4 Jan 2018 03:01:35 -0800
Subject: [PATCH] parser: fix parser so that cache creation failure doesn't
cause load failure
This is a minimal patch so that it can be backported to 2.11 and 2.10
which reverts the abort on error failure when the cache can not be
created and write-cache is set.
This is meant as a temporary fix for
https://bugzilla.suse.com/show_bug.cgi?id=1069906
https://bugzilla.opensuse.org/show_bug.cgi?id=1074429
where the cache location is being mounted readonly and the cache
creation failure is causing policy to not be loaded. And the
thrown parser error to cause issues for openQA.
Note: A cache failure warning will be reported after the policy load.
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
parser/policy_cache.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/parser/policy_cache.c b/parser/policy_cache.c
index 6ede6171..3454cc0d 100644
--- a/parser/policy_cache.c
+++ b/parser/policy_cache.c
@@ -147,13 +147,13 @@ int setup_cache_tmp(const char **cachetmpname, const char *cachename)
*cachetmpname = NULL;
if (write_cache) {
/* Otherwise, set up to save a cached copy */
- if (asprintf(&tmpname, "%s-XXXXXX", cachename)<0) {
+ if (asprintf(&tmpname, "%s-XXXXXX", cachename) < 0) {
perror("asprintf");
- exit(1);
+ return -1;
}
if ((cache_fd = mkstemp(tmpname)) < 0) {
perror("mkstemp");
- exit(1);
+ return -1;
}
*cachetmpname = tmpname;
}
--
2.14.3

55
set-flags-for-profiles-represented-by-glob.patch
View File

@ -1,55 +0,0 @@
commit 5e187daa0b87a4999f78925e5e9864e7656ffc11
Author: Goldwyn Rodrigues <rgoldwyn@suse.com>
Date: Tue Apr 10 09:02:09 2018 -0500
References: bsc#1086154
Set flags for profiles represented by a glob
Getting and Setting profile represented by a glob does not work correctly
because they are checked for equality. Use a glob match to check for them.
Also, add a warning stating that the profile being set represents multiple programs.
traceroute is an example whose profile name is represented as
/usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue:
Setting /usr/sbin/traceroute to enforce mode.
ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index c8089aa8..4545dfc7 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -612,9 +612,12 @@ def get_profile_flags(filename, program):
for line in f_in:
if RE_PROFILE_START.search(line):
matches = parse_profile_start_line(line, filename)
- profile = matches['profile']
+ if (matches['attachment'] is not None):
+ profile_glob = AARE(matches['attachment'], True)
+ else:
+ profile_glob = AARE(matches['profile'], True)
flags = matches['flags']
- if profile == program or program is None:
+ if (program is not None and profile_glob.match(program)) or program is None:
return flags
raise AppArmorException(_('%s contains no profile') % filename)
@@ -667,8 +670,14 @@ def set_profile_flags(prof_filename, program, newflags):
space = matches['leadingspace'] or ''
profile = matches['profile']
- if profile == program or program is None:
+ if (matches['attachment'] is not None):
+ profile_glob = AARE(matches['attachment'], True)
+ else:
+ profile_glob = AARE(matches['profile'], True)
+ if (program is not None and profile_glob.match(program)) or program is None:
found = True
+ if program is not None and program != profile:
+ aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
header_data = {
'attachment': matches['attachment'] or '',
'flags': newflags,