Accepting request 784421 from security:apparmor

- update to AppArmor 2.13.4
  - several abstraction updates (including boo#1153162)
  - disallow writing to fontconfig cache in abstractions/fonts
  - some bugfixes in the aa-* tools
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4
    for the detailed upstream changelog
- drop upstreamed patches:
  - abstractions-ssl-certbot-paths.diff
  - apparmor-krb5-conf-d.diff
  - libapparmor-python3.8.diff
  - usr-etc-abstractions-authentification.diff
- refresh usr-etc-abstractions-authentification.diff

libapparmor:
- update to AppArmor 2.13.4
  - fix log parsing for logs with an embedded newline
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4
    for the detailed upstream changelog

OBS-URL: https://build.opensuse.org/request/show/784421
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=135

abstractions-ssl-certbot-paths.diff

@@ -1,38 +0,0 @@
-commit b5772e29efbc3c2325b4a2ba312bb4cf0c78f181
-Author: Christian Boltz <gitlab2@cboltz.de>
-Date:   Sun Jun 30 07:14:42 2019 +0000
-
-    Merge branch 'cboltz-2.13-certbot' into 'apparmor-2.13'
-    
-    [2.10..2.13] Add for Certbot on openSUSE Leap
-    
-    See merge request apparmor/apparmor!398
-    
-    Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
-    
-    (cherry picked from commit 14a11e67a5b8e06a5ba5080d9824df8010e28552)
-    
-    8b766451 Add for Certbot on openSUSE Leap
-
-diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
-index b5382ec9..789efc58 100644
---- a/profiles/apparmor.d/abstractions/ssl_certs
-+++ b/profiles/apparmor.d/abstractions/ssl_certs
-@@ -38,3 +38,7 @@
-   /etc/letsencrypt/archive/*/cert*.pem r,
-   /etc/letsencrypt/archive/*/chain*.pem r,
-   /etc/letsencrypt/archive/*/fullchain*.pem r,
-+
-+  /etc/certbot/archive/*/cert*.pem r,
-+  /etc/certbot/archive/*/chain*.pem r,
-+  /etc/certbot/archive/*/fullchain*.pem r,
-diff --git a/profiles/apparmor.d/abstractions/ssl_keys b/profiles/apparmor.d/abstractions/ssl_keys
-index 84f5c503..2de760b5 100644
---- a/profiles/apparmor.d/abstractions/ssl_keys
-+++ b/profiles/apparmor.d/abstractions/ssl_keys
-@@ -26,3 +26,5 @@
- 
-   # certbot / letsencrypt
-   /etc/letsencrypt/archive/*/privkey*.pem r,
-+
-+  /etc/certbot/archive/*/privkey*.pem r,

apparmor-2.13.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639
-size 7384974

apparmor-2.13.3.tar.gz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl0IkgAaHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLszZQ/8D1nea3CtBqCN3u2nsfVi
-DLCuE41lGgVwHamnJLcoW80+98udq1OqJfudN47bg3593C/C8AvWElthgfXCnlFc
-y6Njcc6qyJWbx0eEcIu/SlmuclqC1ukbbdj5nNEhwDGxtahrUSdWvM4suQm8dCSi
-zGAJRm4Tc7I63Vy4SDc7ibRtix6SmxwyZHlGpdiuz3ShqR45Tqyrs2gkmT2oj93E
-1VSaQrEGNVmQMXBmpw45WgVjz3DlakT4FfHqvmnPqrg1qEhdpZE+U0NzwOU987QS
-o4gdR3foumY6KpzD5BbXxl3blqeBw38hILMOq8lJ8Zsq9hrUPbcySBYyvr85yBu0
-MDDgrzexUBYbko2rIKY4CmOuswx/pYznqssErujEkEUKHMgAdJX2z7TC25AMQjF6
-ISvjZiCyHP5+vUqa7ym0CCiGNaOIENqRc4lmmwONOMSdBmvnrwiZewJA8Mmlei+G
-+v5Vr2c8H8EJh3D2eWuYg/At2COhFvJpAh04qJ3btPylY3rprn98SnYlw/TmbljR
-upxaYs8I72WI8yX9Ty7fDBN92O+3zxxUM9dAeIXSFiLuQXrYcVx1d/ILTsLuogM/
-OwFOQeHzDCNwNMVwYvQ1jDhu7/fZlmJZk0c9OLK+ZppXD05Hy4bfGNx4GbgQr6aX
-IsT+gbT2AkIFO33V56KZVIo=
-=Favj
------END PGP SIGNATURE-----

apparmor-2.13.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90bf86c07ffbe2c22be46d75c7345fad12d5911653c59750a37d59c63ad5d10e
+size 7390179

apparmor-2.13.4.tar.gz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl5qHBQaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuB+BAAgKn0XnskA42OHiVxKty+
+lA2Bez6BKdbFWlqzMWw2uisNtCOr8bt0yvU3JWGb5CzrNbCVqBv6rqJeuLIBLZ3u
+70Ldfnno962kFi57mOehVVQ2yaDKY2EpPBC6HnDdsb4Tf95aiE2c9gGvvfxjUZ/7
+eHNUrPrpKvvpdnrL1+O7qmWPh68DVArceFpSt/M1Yz49V00XhaGemMVDvk/iPB2/
+tyJ0XETzjHQYeJ5IHsXrd5qe3nDOQ4YycpgyQKqiGSgO8jbwFdVyFb7nG2BGfvXG
+80wUrHc4qTv3rYYwlW+6aN2MVOKNm0T8mES+PAWJ5IVNkwsWg8VafkwLVZy0JhyW
+QY2eI5cQGVfEKl6MiXXEy6HL/CJT2MfVDj6oSD/6thFTokTyJoowvcZcsbZVvhEM
+pdh4foe7pPYavqBErQ15S9YOXeYUDH0mmdzvH0Qj1A/l4MGpio86XTOpihkfq6GR
+yZy0TMy6ZYPBxfKdcfusUHEf9YUO+ag2WRwkmIYXAKn4jTYMVjeEPQmHpZYWJ+t3
+yOlHo5+1/oyMTQXTK/5o7v/44ah2wxHszqtAHF9/ykfVCouxzBUrpbJ/NhWi32aX
+OvdNPzZWcLqogOcuL+GuPMfXv/uw9nfc+BcniR9TBJG4jq5aMe2BLBWinRNPPnJP
+nfHrUWYuwo2ADEN/STz5Bgw=
+=+xo5
+-----END PGP SIGNATURE-----

apparmor-krb5-conf-d.diff

@@ -1,28 +0,0 @@
-From 1e37af227ec977efe1a6b6454f5a801c4c04e886 Mon Sep 17 00:00:00 2001
-From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
-Date: Fri, 27 Sep 2019 18:34:20 -0300
-Subject: [PATCH] abstractions/kerberosclient: allow /etc/krb5.conf.d
-
-Permit the use of /etc/krb5.conf.d configuration snippets
-
-Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
----
- profiles/apparmor.d/abstractions/kerberosclient | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient
-index 8b08c146..7cb1f9e0 100644
---- a/profiles/apparmor.d/abstractions/kerberosclient
-+++ b/profiles/apparmor.d/abstractions/kerberosclient
-@@ -22,6 +22,8 @@
- 
-   /etc/krb5.keytab            rk,
-   /etc/krb5.conf              r,
-+  /etc/krb5.conf.d/           r,
-+  /etc/krb5.conf.d/*          r,
- 
-   # config files found via strings on libs
-   /etc/krb.conf               r,
--- 
-2.23.0
-

apparmor.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Mar 12 19:55:06 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.4
+  - several abstraction updates (including boo#1153162)
+  - disallow writing to fontconfig cache in abstractions/fonts
+  - some bugfixes in the aa-* tools
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4
+    for the detailed upstream changelog
+- drop upstreamed patches:
+  - abstractions-ssl-certbot-paths.diff
+  - apparmor-krb5-conf-d.diff
+  - libapparmor-python3.8.diff
+  - usr-etc-abstractions-authentification.diff
+- refresh usr-etc-abstractions-authentification.diff
+
 -------------------------------------------------------------------
 Sat Jan 25 18:51:17 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 

apparmor.spec

@@ -35,7 +35,7 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
 
 Name:           apparmor
-Version:        2.13.3
+Version:        2.13.4
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@@ -65,19 +65,7 @@ Patch4:         apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5:         apparmor-lessopen-nfs-workaround.diff
 
-# allow /etc/krb5.conf.d/ for kerberos client (submitted upstream 2019-09-28 https://gitlab.com/apparmor/apparmor/merge_requests/425)
-Patch6:         apparmor-krb5-conf-d.diff
-
-# add certbot paths to abstractions/ssl_keys and abstractions/ssl_certs (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/398, merged 2019-06-30)
-Patch7:         abstractions-ssl-certbot-paths.diff
-
-# allow reading /usr/etc/pam.d/* and some other authentification-related files (submitted upstream 2019-10-07 https://gitlab.com/apparmor/apparmor/merge_requests/426)
-Patch8:         usr-etc-abstractions-authentification.diff
-
-# fix building libapparmor python bindings with python 3.8. Based on https://gitlab.com/apparmor/apparmor/merge_requests/430 but patching configure directly to avoid needing BuildRequires: aclocal
-Patch9:         libapparmor-python3.8.diff
-
-# update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447)
+# update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x)
 Patch10:        ./usr-etc-abstractions-base-nameservice.diff
 
 PreReq:         sed
@@ -368,10 +356,6 @@ SubDomain.
 %patch3 -p1
 %patch4
 %patch5
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
 %patch10 -p1
 
 %build

libapparmor-python3.8.diff

@@ -1,56 +0,0 @@
-From ccbf1e0bf1bf5c3bbab47029fbbc5415ef73bac1 Mon Sep 17 00:00:00 2001
-From: intrigeri <intrigeri@boum.org>
-Date: Tue, 29 Oct 2019 17:53:11 +0000
-Subject: [PATCH] Fix a Python 3.8 autoconf check
-
-Bug-Debian: https://bugs.debian.org/943657
-
-Author: Matthias Klose <doko@debian.org>
----
- libraries/libapparmor/m4/ac_python_devel.m4 | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-#Index: libraries/libapparmor/m4/ac_python_devel.m4
-#===================================================================
-#--- a/libraries/libapparmor/m4/ac_python_devel.m4.orig	2019-06-18 01:55:38.000000000 +0200
-#+++ b/libraries/libapparmor/m4/ac_python_devel.m4	2019-11-02 23:18:39.461818181 +0100
-#@@ -139,7 +139,7 @@ sys.stdout.write('%s\n' % distutils.sysc
-#         if test -z "$PYTHON_EXTRA_LIBS"; then
-#            PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
-# conf = distutils.sysconfig.get_config_var; \
-#-sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
-#+sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
-#         fi
-#         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
-#         AC_SUBST(PYTHON_EXTRA_LIBS)
-#@@ -164,7 +164,7 @@ sys.stdout.write('%s\n' % conf('LINKFORS
-#         # save current global flags
-#         ac_save_LIBS="$LIBS"
-#         ac_save_CPPFLAGS="$CPPFLAGS"
-#-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
-#+        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
-#         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
-#         AC_TRY_LINK([
-#                 #include <Python.h>
-Index: libraries/libapparmor/configure
-===================================================================
---- a/libraries/libapparmor/configure.orig	2019-06-18 01:57:46.000000000 +0200
-+++ b/libraries/libapparmor/configure	2019-11-02 23:19:48.225634333 +0100
-@@ -4756,7 +4756,7 @@ $as_echo_n "checking python extra librar
-         if test -z "$PYTHON_EXTRA_LIBS"; then
-            PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
- conf = distutils.sysconfig.get_config_var; \
--sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
-+sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
-         fi
-         { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_EXTRA_LIBS" >&5
- $as_echo "$PYTHON_EXTRA_LIBS" >&6; }
-@@ -4790,7 +4790,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
-         # save current global flags
-         ac_save_LIBS="$LIBS"
-         ac_save_CPPFLAGS="$CPPFLAGS"
--        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
-+        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
-         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
-         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */

libapparmor.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Mar 12 19:30:19 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 2.13.4
+  - fix log parsing for logs with an embedded newline
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4
+    for the detailed upstream changelog
+
 -------------------------------------------------------------------
 Tue Jun 18 20:50:19 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
 

libapparmor.spec

@@ -18,7 +18,7 @@
 
 
 Name:           libapparmor
-Version:        2.13.3
+Version:        2.13.4
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later

usr-etc-abstractions-authentification.diff

@@ -1,60 +0,0 @@
-commit ee7194a7141b99225bb1d040ef2d37ad47ca838e
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Mon Oct 7 21:47:25 2019 +0200
-
-    Allow /usr/etc/ in abstractions/authentication
-    
-    openSUSE (and hopefully some other distributions) work on moving shipped
-    config files from /etc/ to /usr/etc/ so that /etc/ only contains files
-    written by the admin of each system.
-    
-    See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
-    the first moved files.
-    
-    Updating abstractions/authentication is the first step, and also fixes
-    bugzilla.opensuse.org/show_bug.cgi?id=1153162
-
-diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication
-index b92516f9..58efe6b9 100644
---- a/profiles/apparmor.d/abstractions/authentication
-+++ b/profiles/apparmor.d/abstractions/authentication
-@@ -2,6 +2,7 @@
- #
- #    Copyright (C) 2002-2009 Novell/SUSE
- #    Copyright (C) 2009-2012 Canonical Ltd
-+#    Copyright (C) 2019 Christian Boltz
- #
- #    This program is free software; you can redistribute it and/or
- #    modify it under the terms of version 2 of the GNU General Public
-@@ -14,13 +15,13 @@
-   # Some services need to perform authentication of users
-   # Such authentication almost certainly needs access to the local users
-   # databases containing passwords, PAM configuration files, PAM libraries
--  /etc/nologin                r,
--  /etc/pam.d/*                r,
--  /etc/securetty              r,
--  /etc/security/*             r,
--  /etc/shadow                 r,
--  /etc/gshadow                r,
--  /etc/pwdb.conf              r,
-+  /{usr/,}etc/nologin                r,
-+  /{usr/,}etc/pam.d/*                r,
-+  /{usr/,}etc/securetty              r,
-+  /{usr/,}etc/security/*             r,
-+  /{usr/,}etc/shadow                 r,
-+  /{usr/,}etc/gshadow                r,
-+  /{usr/,}etc/pwdb.conf              r,
- 
-   /{usr/,}lib{,32,64}/security/pam_filter/*  mr,
-   /{usr/,}lib{,32,64}/security/pam_*.so      mr,
-@@ -32,8 +33,8 @@
-   # kerberos
-   #include <abstractions/kerberosclient>
-   # SuSE's pwdutils are different:
--  /etc/default/passwd         r,
--  /etc/login.defs             r,
-+  /{usr/,}etc/default/passwd         r,
-+  /{usr/,}etc/login.defs             r,
- 
-   # nis
-   #include <abstractions/nis>

usr-etc-abstractions-base-nameservice.diff

@@ -10,10 +10,10 @@ diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstrac
 index cecb126f..6288da76 100644
 --- a/profiles/apparmor.d/abstractions/base
 +++ b/profiles/apparmor.d/abstractions/base
-@@ -23,9 +23,9 @@
-   /dev/log                       w,
-   /dev/random                    r,
-   /dev/urandom                   r,
+@@ -27,9 +27,9 @@
+   # time and getrandom()/{,u}random and, when available, runs under an
+   # unprivilged, dedicated user).
+   /run/uuidd/request             r,
 -  /etc/locale/**                 r,
 -  /etc/locale.alias              r,
 -  /etc/localtime                 r,
@@ -23,7 +23,7 @@ index cecb126f..6288da76 100644
    /usr/share/locale-bundle/**    r,
    /usr/share/locale-langpack/**  r,
    /usr/share/locale/**           r,
-@@ -48,14 +48,14 @@
+@@ -52,14 +52,14 @@
    /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
  
    # used by glibc when binding to ephemeral ports