Accepting request 598610 from home:goldwynr:branches:security:apparmor

bsc#1086154

OBS-URL: https://build.opensuse.org/request/show/598610
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=206
This commit is contained in:
Goldwyn Rodrigues 2018-04-19 21:36:48 +00:00 committed by Git OBS Bridge
parent 01604b0fc7
commit d4030892e0
4 changed files with 106 additions and 0 deletions

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Apr 19 11:23:37 UTC 2018 - rgoldwyn@suse.com
- Set flags for profiles represented by glob (bsc#1086154)
set-flags-for-profiles-represented-by-glob.patch
fix-regression-in-set-flags.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de Wed Apr 11 20:28:13 UTC 2018 - suse-beta@cboltz.de

View File

@ -75,6 +75,8 @@ Patch10: disable-cache-on-ro-fs.diff
# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90) # allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
Patch11: dovecot-stats.diff Patch11: dovecot-stats.diff
Patch12: set-flags-for-profiles-represented-by-glob.patch
Patch13: fix-regression-in-set-flags.patch
PreReq: sed PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -367,6 +369,8 @@ SubDomain.
%patch9 -p1 %patch9 -p1
%patch10 -p0 %patch10 -p0
%patch11 -p1 %patch11 -p1
%patch12 -p1
%patch13 -p1
%build %build
export SUSE_ASNEEDED=0 export SUSE_ASNEEDED=0

View File

@ -0,0 +1,40 @@
commit f472b6bb3422fd13d3039a8f4c83d017a2d660e3
Author: Christian Boltz <apparmor@cboltz.de>
Date: Sat Apr 14 21:45:39 2018 +0200
fix regression in {get,set}_profile_flags()
Since the latest change, calling {get,set}_profile_flags() with the
profile name failed when attachment was specified ("profile foo /bar").
Catched by the unittests.
Also fix a whitespace issue.
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 4545dfc7..e28b8495 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -617,7 +617,7 @@ def get_profile_flags(filename, program):
else:
profile_glob = AARE(matches['profile'], True)
flags = matches['flags']
- if (program is not None and profile_glob.match(program)) or program is None:
+ if (program is not None and profile_glob.match(program)) or program is None or program == matches['profile']:
return flags
raise AppArmorException(_('%s contains no profile') % filename)
@@ -674,10 +674,11 @@ def set_profile_flags(prof_filename, program, newflags):
profile_glob = AARE(matches['attachment'], True)
else:
profile_glob = AARE(matches['profile'], True)
- if (program is not None and profile_glob.match(program)) or program is None:
+ if (program is not None and profile_glob.match(program)) or program is None or program == matches['profile']:
found = True
if program is not None and program != profile:
- aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
+ aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
+
header_data = {
'attachment': matches['attachment'] or '',
'flags': newflags,

View File

@ -0,0 +1,55 @@
commit 5e187daa0b87a4999f78925e5e9864e7656ffc11
Author: Goldwyn Rodrigues <rgoldwyn@suse.com>
Date: Tue Apr 10 09:02:09 2018 -0500
References: bsc#1086154
Set flags for profiles represented by a glob
Getting and Setting profile represented by a glob does not work correctly
because they are checked for equality. Use a glob match to check for them.
Also, add a warning stating that the profile being set represents multiple programs.
traceroute is an example whose profile name is represented as
/usr/{sbin/traceroute,bin/traceroute.db} and exhibits the issue:
Setting /usr/sbin/traceroute to enforce mode.
ERROR: /etc/apparmor.d/usr.sbin.traceroute contains no profile
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index c8089aa8..4545dfc7 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -612,9 +612,12 @@ def get_profile_flags(filename, program):
for line in f_in:
if RE_PROFILE_START.search(line):
matches = parse_profile_start_line(line, filename)
- profile = matches['profile']
+ if (matches['attachment'] is not None):
+ profile_glob = AARE(matches['attachment'], True)
+ else:
+ profile_glob = AARE(matches['profile'], True)
flags = matches['flags']
- if profile == program or program is None:
+ if (program is not None and profile_glob.match(program)) or program is None:
return flags
raise AppArmorException(_('%s contains no profile') % filename)
@@ -667,8 +670,14 @@ def set_profile_flags(prof_filename, program, newflags):
space = matches['leadingspace'] or ''
profile = matches['profile']
- if profile == program or program is None:
+ if (matches['attachment'] is not None):
+ profile_glob = AARE(matches['attachment'], True)
+ else:
+ profile_glob = AARE(matches['profile'], True)
+ if (program is not None and profile_glob.match(program)) or program is None:
found = True
+ if program is not None and program != profile:
+ aaui.UI_Info(_('Warning: profile %s represents multiple programs') % profile)
header_data = {
'attachment': matches['attachment'] or '',
'flags': newflags,