From d4030892e0bb1163b82247aaa0b69329e838aa7cec09e4166dbd89abd2292d06 Mon Sep 17 00:00:00 2001
From: Goldwyn Rodrigues
Date: Thu, 19 Apr 2018 21:36:48 +0000
Subject: [PATCH] Accepting request 598610 from home:goldwynr:branches:security:apparmor
bsc#1086154
OBS-URL: https://build.opensuse.org/request/show/598610
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=206
---
 apparmor.changes | 7 +++
 apparmor.spec | 4 ++
 fix-regression-in-set-flags.patch | 40 ++++++++++++++
 ...ags-for-profiles-represented-by-glob.patch | 55 +++++++++++++++++++
 4 files changed, 106 insertions(+)
 create mode 100644 fix-regression-in-set-flags.patch
 create mode 100644 set-flags-for-profiles-represented-by-glob.patch
diff --git a/apparmor.changes b/apparmor.changes
index 555a30b..b57baab 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr 19 11:23:37 UTC 2018 - rgoldwyn@suse.com
+
+- Set flags for profiles represented by glob (bsc#1086154)
+ set-flags-for-profiles-represented-by-glob.patch
+ fix-regression-in-set-flags.patch
+
 -------------------------------------------------------------------
 Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index f2d892e..04c1d14 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -75,6 +75,8 @@ Patch10: disable-cache-on-ro-fs.diff
 # allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
 Patch11: dovecot-stats.diff
+Patch12: set-flags-for-profiles-represented-by-glob.patch
+Patch13: fix-regression-in-set-flags.patch
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -367,6 +369,8 @@ SubDomain.
 %patch9 -p1
 %patch10 -p0
 %patch11 -p1
+%patch12 -p1
+%patch13 -p1
 %build
 export SUSE_ASNEEDED=0
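Review bot: The new `Patch12:` and `Patch13:` lines in the first apparmor.spec hunk carry no comment line, while the neighbouring `Patch11:` is preceded by one that states what it does and its upstream status, so the spec itself never records why these two patches exist or where they come from. The nested patch headers on this page give the commit ids, so a line such as `# set flags for profiles represented by a glob, plus a regression fix for it (bsc#1086154, commits 5e187daa and f472b6bb)` above `Patch12:` would keep the file's convention. The `%patch12`/`%patch13` lines in the second hunk need nothing further, and `-p1` is consistent with the `a/utils/apparmor/aa.py` paths inside both patches.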
diff --git a/fix-regression-in-set-flags.patch b/fix-regression-in-set-flags.patch
new file mode 100644
index 0000000..104d42d
--- /dev/null
+++ b/fix-regression-in-set-flags.patch
@@ -0,0 +1,40 @@
+commit f472b6bb3422fd13d3039a8f4c83d017a2d660e3
+Author: Christian Boltz
+Date: Sat Apr 14 21:45:39 2018 +0200
+
+ fix regression in {get,set}_profile_flags()
+
+ Since the latest change, calling {get,set}_profile_flags() with the
+ profile name failed when attachment was specified ("profile foo /bar").
+
+ Catched by the unittests.
+
+ Also fix a whitespace issue.
+
+diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
+index 4545dfc7..e28b8495 100644
+--- a/utils/apparmor/aa.py
++++ b/utils/apparmor/aa.py
+@@ -617,7 +617,7 @@ def get_profile_flags(filename, program):
+ else:
+ profile_glob = AARE(matches['profile'], True)
+ flags = matches['flags']
+- if (program is not None and profile_glob.match(program)) or program is None:
++ if (program is not None and profile_glob.match(program)) or program is None or program == matches['profile']:
+ return flags
+
+ raise AppArmorException(_('%s contains no profile') % filename)
+@@ -674,10 +674,11 @@ def set_profile_flags(prof_filename, program, newflags):
+ profile_glob = AARE(matches['attachment'], True)
+ else:
+ profile_glob = AARE(matches['profile'], True)
+- if (program is not None and profile_glob.match(program)) or program is None:
++ if (program is not None and profile_glob.match(program)) or program is None or program == matches['profile']:
+ found = True
+ if program is not None and program != profile:
+- aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
++ aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
++
+ header_data = {
+ 'attachment': matches['attachment'] or '',
+ 'flags': newflags,
diff --git a/set-flags-for-profiles-represented-by-glob.patch b/set-flags-for-profiles-represented-by-glob.patch
new file mode 100644
index 0000000..ceaf8df
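Review bot: The corrected condition in the get_profile_flags hunk of this patch tests `program` three times and places the `program is None` clause between two clauses that each require it to be non-None, which makes the three-way match hard to read; the same line recurs in the set_profile_flags hunk below it. Since `or` short-circuits, `if program is None or profile_glob.match(program) or program == matches['profile']:` evaluates identically and reads as "any profile, a glob match, or the exact profile name". In set_profile_flags the local `profile` already holds `matches['profile']` (the next line compares `program != profile`), so `program == profile` there would keep the two adjacent tests consistent. Both enclosing functions start and end outside these hunks.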
--- /dev/null
+++ b/set-flags-for-profiles-represented-by-glob.patch
@@ -0,0 +1,55 @@
+commit 5e187daa0b87a4999f78925e5e9864e7656ffc11
+Author: Goldwyn Rodrigues
+Date: Tue Apr 10 09:02:09 2018 -0500
+References: bsc#1086154
+
+ Set flags for profiles represented by a glob
+
+ Getting and Setting profile represented by a glob does not work correctly
+ because they are checked for equality. Use a glob match to check for them.
+ Also, add a warning stating that the profile being set represents multiple programs.
+
+ traceroute is an example whose profile name is represented as
+ /usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue:
+
+ Setting /usr/sbin/traceroute to enforce mode.
+
+ ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile
+
Signed-off-by: Goldwyn Rodrigues
+
+diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
+index c8089aa8..4545dfc7 100644
+--- a/utils/apparmor/aa.py
++++ b/utils/apparmor/aa.py
+@@ -612,9 +612,12 @@ def get_profile_flags(filename, program):
+ for line in f_in:
+ if RE_PROFILE_START.search(line):
+ matches = parse_profile_start_line(line, filename)
+- profile = matches['profile']
++ if (matches['attachment'] is not None):
++ profile_glob = AARE(matches['attachment'], True)
++ else:
++ profile_glob = AARE(matches['profile'], True)
+ flags = matches['flags']
+- if profile == program or program is None:
++ if (program is not None and profile_glob.match(program)) or program is None:
+ return flags
+
+ raise AppArmorException(_('%s contains no profile') % filename)
+@@ -667,8 +670,14 @@ def set_profile_flags(prof_filename, program, newflags):
+ space = matches['leadingspace'] or ''
+ profile = matches['profile']
+
+- if profile == program or program is None:
++ if (matches['attachment'] is not None):
++ profile_glob = AARE(matches['attachment'], True)
++ else:
++ profile_glob = AARE(matches['profile'], True)
++ if (program is not None and profile_glob.match(program)) or program is None:
+ found = True
++ if program is not None and program != profile:
++ aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
+ header_data = {
+ 'attachment': matches['attachment'] or '',
+ 'flags': newflags,
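Review bot: The warning added in the set_profile_flags hunk is keyed on `program != profile`, which is also true for a named profile with a single literal attachment (`profile foo /bar` selected via `/bar`), so the message "represents multiple programs" is misleading in that case even though the flag change itself is correct; the regression fix carried next to this patch reworks the match condition but leaves this test unchanged. Comparing against the attachment as well, `if program is not None and program != profile and program != matches['attachment']:`, confines the warning to the glob case, and when the profile has no attachment `matches['attachment']` is None and the extra comparison is always true, so behaviour there is unchanged. As a point of style, the parentheses in `if (matches['attachment'] is not None):` in both hunks are unnecessary in Python. Both get_profile_flags and set_profile_flags start and end outside these hunks, so whether a file holding several profiles whose globs all match `program` gets more than one header rewritten cannot be judged from here.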