Accepting request 784421 from security:apparmor

- update to AppArmor 2.13.4 - several abstraction updates (including boo#1153162) - disallow writing to fontconfig cache in abstractions/fonts - some bugfixes in the aa-* tools - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4 for the detailed upstream changelog - drop upstreamed patches: - abstractions-ssl-certbot-paths.diff - apparmor-krb5-conf-d.diff - libapparmor-python3.8.diff - usr-etc-abstractions-authentification.diff - refresh usr-etc-abstractions-authentification.diff libapparmor: - update to AppArmor 2.13.4 - fix log parsing for logs with an embedded newline - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4 for the detailed upstream changelog OBS-URL: https://build.opensuse.org/request/show/784421 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=135
2020-03-16 09:15:58 +00:00 · 2020-03-16 09:15:58 +00:00 · d593b4708f
commit d593b4708f
parent 21d4ec5418 9e2caf2d7f
13 changed files with 52 additions and 226 deletions
--- a/abstractions-ssl-certbot-paths.diff
+++ b/abstractions-ssl-certbot-paths.diff
@ -1,38 +0,0 @@
 commit b5772e29efbc3c2325b4a2ba312bb4cf0c78f181
 Author: Christian Boltz <gitlab2@cboltz.de>
 Date:   Sun Jun 30 07:14:42 2019 +0000
    Merge branch 'cboltz-2.13-certbot' into 'apparmor-2.13'
    [2.10..2.13] Add for Certbot on openSUSE Leap
    See merge request apparmor/apparmor!398
    Acked-by: John Johansen <john.johansen@canonical.com> for 2.10..2.13
    (cherry picked from commit 14a11e67a5b8e06a5ba5080d9824df8010e28552)
    8b766451 Add for Certbot on openSUSE Leap
 diff --git a/profiles/apparmor.d/abstractions/ssl_certs b/profiles/apparmor.d/abstractions/ssl_certs
 index b5382ec9..789efc58 100644
 --- a/profiles/apparmor.d/abstractions/ssl_certs
 +++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -38,3 +38,7 @@
   /etc/letsencrypt/archive/*/cert*.pem r,
   /etc/letsencrypt/archive/*/chain*.pem r,
   /etc/letsencrypt/archive/*/fullchain*.pem r,
 +
 +  /etc/certbot/archive/*/cert*.pem r,
 +  /etc/certbot/archive/*/chain*.pem r,
 +  /etc/certbot/archive/*/fullchain*.pem r,
 diff --git a/profiles/apparmor.d/abstractions/ssl_keys b/profiles/apparmor.d/abstractions/ssl_keys
 index 84f5c503..2de760b5 100644
 --- a/profiles/apparmor.d/abstractions/ssl_keys
 +++ b/profiles/apparmor.d/abstractions/ssl_keys
@@ -26,3 +26,5 @@
   # certbot / letsencrypt
   /etc/letsencrypt/archive/*/privkey*.pem r,
 +
 +  /etc/certbot/archive/*/privkey*.pem r,
--- a/apparmor-2.13.3.tar.gz
+++ b/apparmor-2.13.3.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639
 size 7384974
--- a/apparmor-2.13.3.tar.gz.asc
+++ b/apparmor-2.13.3.tar.gz.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl0IkgAaHGFwcGFybW9y
 QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLszZQ/8D1nea3CtBqCN3u2nsfVi
 DLCuE41lGgVwHamnJLcoW80+98udq1OqJfudN47bg3593C/C8AvWElthgfXCnlFc
 y6Njcc6qyJWbx0eEcIu/SlmuclqC1ukbbdj5nNEhwDGxtahrUSdWvM4suQm8dCSi
 zGAJRm4Tc7I63Vy4SDc7ibRtix6SmxwyZHlGpdiuz3ShqR45Tqyrs2gkmT2oj93E
 1VSaQrEGNVmQMXBmpw45WgVjz3DlakT4FfHqvmnPqrg1qEhdpZE+U0NzwOU987QS
 o4gdR3foumY6KpzD5BbXxl3blqeBw38hILMOq8lJ8Zsq9hrUPbcySBYyvr85yBu0
 MDDgrzexUBYbko2rIKY4CmOuswx/pYznqssErujEkEUKHMgAdJX2z7TC25AMQjF6
 ISvjZiCyHP5+vUqa7ym0CCiGNaOIENqRc4lmmwONOMSdBmvnrwiZewJA8Mmlei+G
 +v5Vr2c8H8EJh3D2eWuYg/At2COhFvJpAh04qJ3btPylY3rprn98SnYlw/TmbljR
 upxaYs8I72WI8yX9Ty7fDBN92O+3zxxUM9dAeIXSFiLuQXrYcVx1d/ILTsLuogM/
 OwFOQeHzDCNwNMVwYvQ1jDhu7/fZlmJZk0c9OLK+ZppXD05Hy4bfGNx4GbgQr6aX
 IsT+gbT2AkIFO33V56KZVIo=
 =Favj
 -----END PGP SIGNATURE-----
--- a/apparmor-2.13.4.tar.gz
+++ b/apparmor-2.13.4.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:90bf86c07ffbe2c22be46d75c7345fad12d5911653c59750a37d59c63ad5d10e
 size 7390179
--- a/apparmor-2.13.4.tar.gz.asc
+++ b/apparmor-2.13.4.tar.gz.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl5qHBQaHGFwcGFybW9y
 QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLuB+BAAgKn0XnskA42OHiVxKty+
 lA2Bez6BKdbFWlqzMWw2uisNtCOr8bt0yvU3JWGb5CzrNbCVqBv6rqJeuLIBLZ3u
 70Ldfnno962kFi57mOehVVQ2yaDKY2EpPBC6HnDdsb4Tf95aiE2c9gGvvfxjUZ/7
 eHNUrPrpKvvpdnrL1+O7qmWPh68DVArceFpSt/M1Yz49V00XhaGemMVDvk/iPB2/
 tyJ0XETzjHQYeJ5IHsXrd5qe3nDOQ4YycpgyQKqiGSgO8jbwFdVyFb7nG2BGfvXG
 80wUrHc4qTv3rYYwlW+6aN2MVOKNm0T8mES+PAWJ5IVNkwsWg8VafkwLVZy0JhyW
 QY2eI5cQGVfEKl6MiXXEy6HL/CJT2MfVDj6oSD/6thFTokTyJoowvcZcsbZVvhEM
 pdh4foe7pPYavqBErQ15S9YOXeYUDH0mmdzvH0Qj1A/l4MGpio86XTOpihkfq6GR
 yZy0TMy6ZYPBxfKdcfusUHEf9YUO+ag2WRwkmIYXAKn4jTYMVjeEPQmHpZYWJ+t3
 yOlHo5+1/oyMTQXTK/5o7v/44ah2wxHszqtAHF9/ykfVCouxzBUrpbJ/NhWi32aX
 OvdNPzZWcLqogOcuL+GuPMfXv/uw9nfc+BcniR9TBJG4jq5aMe2BLBWinRNPPnJP
 nfHrUWYuwo2ADEN/STz5Bgw=
 =+xo5
 -----END PGP SIGNATURE-----
--- a/apparmor-krb5-conf-d.diff
+++ b/apparmor-krb5-conf-d.diff
@ -1,28 +0,0 @@
 From 1e37af227ec977efe1a6b6454f5a801c4c04e886 Mon Sep 17 00:00:00 2001
 From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
 Date: Fri, 27 Sep 2019 18:34:20 -0300
 Subject: [PATCH] abstractions/kerberosclient: allow /etc/krb5.conf.d
 Permit the use of /etc/krb5.conf.d configuration snippets
 Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
 ---
 profiles/apparmor.d/abstractions/kerberosclient | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/profiles/apparmor.d/abstractions/kerberosclient b/profiles/apparmor.d/abstractions/kerberosclient
 index 8b08c146..7cb1f9e0 100644
 --- a/profiles/apparmor.d/abstractions/kerberosclient
 +++ b/profiles/apparmor.d/abstractions/kerberosclient
@@ -22,6 +22,8 @@
   /etc/krb5.keytab            rk,
   /etc/krb5.conf              r,
 +  /etc/krb5.conf.d/           r,
 +  /etc/krb5.conf.d/*          r,
   # config files found via strings on libs
   /etc/krb.conf               r,
 -- 
 2.23.0
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Thu Mar 12 19:55:06 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 - update to AppArmor 2.13.4
  - several abstraction updates (including boo#1153162)
  - disallow writing to fontconfig cache in abstractions/fonts
  - some bugfixes in the aa-* tools
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4
    for the detailed upstream changelog
 - drop upstreamed patches:
  - abstractions-ssl-certbot-paths.diff
  - apparmor-krb5-conf-d.diff
  - libapparmor-python3.8.diff
  - usr-etc-abstractions-authentification.diff
 - refresh usr-etc-abstractions-authentification.diff
 -------------------------------------------------------------------
 Sat Jan 25 18:51:17 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
--- a/apparmor.spec
+++ b/apparmor.spec
@ -35,7 +35,7 @@
 %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
 Name:           apparmor
-Version:        2.13.3
+Version:        2.13.4
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@ -65,19 +65,7 @@ Patch4:         apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
 Patch5:         apparmor-lessopen-nfs-workaround.diff
-# allow /etc/krb5.conf.d/ for kerberos client (submitted upstream 2019-09-28 https://gitlab.com/apparmor/apparmor/merge_requests/425)
+# update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447, only merged to master, not 2.13.x)
 Patch6:         apparmor-krb5-conf-d.diff
 # add certbot paths to abstractions/ssl_keys and abstractions/ssl_certs (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/398, merged 2019-06-30)
 Patch7:         abstractions-ssl-certbot-paths.diff
 # allow reading /usr/etc/pam.d/* and some other authentification-related files (submitted upstream 2019-10-07 https://gitlab.com/apparmor/apparmor/merge_requests/426)
 Patch8:         usr-etc-abstractions-authentification.diff
 # fix building libapparmor python bindings with python 3.8. Based on https://gitlab.com/apparmor/apparmor/merge_requests/430 but patching configure directly to avoid needing BuildRequires: aclocal
 Patch9:         libapparmor-python3.8.diff
 # update abstractions/base and nameservice for /usr/etc (submitted upstream 2020-01-25 https://gitlab.com/apparmor/apparmor/merge_requests/447)
 Patch10:        ./usr-etc-abstractions-base-nameservice.diff
 PreReq:         sed
@ -368,10 +356,6 @@ SubDomain.
 %patch3 -p1
 %patch4
 %patch5
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %build
--- a/libapparmor-python3.8.diff
+++ b/libapparmor-python3.8.diff
@ -1,56 +0,0 @@
 From ccbf1e0bf1bf5c3bbab47029fbbc5415ef73bac1 Mon Sep 17 00:00:00 2001
 From: intrigeri <intrigeri@boum.org>
 Date: Tue, 29 Oct 2019 17:53:11 +0000
 Subject: [PATCH] Fix a Python 3.8 autoconf check
 Bug-Debian: https://bugs.debian.org/943657
 Author: Matthias Klose <doko@debian.org>
 ---
 libraries/libapparmor/m4/ac_python_devel.m4 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 #Index: libraries/libapparmor/m4/ac_python_devel.m4
 #===================================================================
 #--- a/libraries/libapparmor/m4/ac_python_devel.m4.orig	2019-06-18 01:55:38.000000000 +0200
 #+++ b/libraries/libapparmor/m4/ac_python_devel.m4	2019-11-02 23:18:39.461818181 +0100
 #@@ -139,7 +139,7 @@ sys.stdout.write('%s\n' % distutils.sysc
 #         if test -z "$PYTHON_EXTRA_LIBS"; then
 #            PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
 # conf = distutils.sysconfig.get_config_var; \
 #-sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
 #+sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
 #         fi
 #         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
 #         AC_SUBST(PYTHON_EXTRA_LIBS)
 #@@ -164,7 +164,7 @@ sys.stdout.write('%s\n' % conf('LINKFORS
 #         # save current global flags
 #         ac_save_LIBS="$LIBS"
 #         ac_save_CPPFLAGS="$CPPFLAGS"
 #-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
 #+        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
 #         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
 #         AC_TRY_LINK([
 #                 #include <Python.h>
 Index: libraries/libapparmor/configure
 ===================================================================
 --- a/libraries/libapparmor/configure.orig	2019-06-18 01:57:46.000000000 +0200
 +++ b/libraries/libapparmor/configure	2019-11-02 23:19:48.225634333 +0100
@@ -4756,7 +4756,7 @@ $as_echo_n "checking python extra librar
         if test -z "$PYTHON_EXTRA_LIBS"; then
            PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
 conf = distutils.sysconfig.get_config_var; \
 -sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
 +sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
         fi
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_EXTRA_LIBS" >&5
 $as_echo "$PYTHON_EXTRA_LIBS" >&6; }
@@ -4790,7 +4790,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
         # save current global flags
         ac_save_LIBS="$LIBS"
         ac_save_CPPFLAGS="$CPPFLAGS"
 -        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
 +        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
         cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
--- a/libapparmor.changes
+++ b/libapparmor.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Thu Mar 12 19:30:19 UTC 2020 - Christian Boltz <suse-beta@cboltz.de>
 - update to AppArmor 2.13.4
  - fix log parsing for logs with an embedded newline
  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_2.13.4
    for the detailed upstream changelog
 -------------------------------------------------------------------
 Tue Jun 18 20:50:19 UTC 2019 - Christian Boltz <suse-beta@cboltz.de>
--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -18,7 +18,7 @@
 Name:           libapparmor
-Version:        2.13.3
+Version:        2.13.4
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
--- a/usr-etc-abstractions-authentification.diff
+++ b/usr-etc-abstractions-authentification.diff
@ -1,60 +0,0 @@
 commit ee7194a7141b99225bb1d040ef2d37ad47ca838e
 Author: Christian Boltz <apparmor@cboltz.de>
 Date:   Mon Oct 7 21:47:25 2019 +0200
    Allow /usr/etc/ in abstractions/authentication
    openSUSE (and hopefully some other distributions) work on moving shipped
    config files from /etc/ to /usr/etc/ so that /etc/ only contains files
    written by the admin of each system.
    See https://en.opensuse.org/openSUSE:Packaging_UsrEtc for details and
    the first moved files.
    Updating abstractions/authentication is the first step, and also fixes
    bugzilla.opensuse.org/show_bug.cgi?id=1153162
 diff --git a/profiles/apparmor.d/abstractions/authentication b/profiles/apparmor.d/abstractions/authentication
 index b92516f9..58efe6b9 100644
 --- a/profiles/apparmor.d/abstractions/authentication
 +++ b/profiles/apparmor.d/abstractions/authentication
@@ -2,6 +2,7 @@
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
 #    Copyright (C) 2009-2012 Canonical Ltd
 +#    Copyright (C) 2019 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -14,13 +15,13 @@
   # Some services need to perform authentication of users
   # Such authentication almost certainly needs access to the local users
   # databases containing passwords, PAM configuration files, PAM libraries
 -  /etc/nologin                r,
 -  /etc/pam.d/*                r,
 -  /etc/securetty              r,
 -  /etc/security/*             r,
 -  /etc/shadow                 r,
 -  /etc/gshadow                r,
 -  /etc/pwdb.conf              r,
 +  /{usr/,}etc/nologin                r,
 +  /{usr/,}etc/pam.d/*                r,
 +  /{usr/,}etc/securetty              r,
 +  /{usr/,}etc/security/*             r,
 +  /{usr/,}etc/shadow                 r,
 +  /{usr/,}etc/gshadow                r,
 +  /{usr/,}etc/pwdb.conf              r,
   /{usr/,}lib{,32,64}/security/pam_filter/*  mr,
   /{usr/,}lib{,32,64}/security/pam_*.so      mr,
@@ -32,8 +33,8 @@
   # kerberos
   #include <abstractions/kerberosclient>
   # SuSE's pwdutils are different:
 -  /etc/default/passwd         r,
 -  /etc/login.defs             r,
 +  /{usr/,}etc/default/passwd         r,
 +  /{usr/,}etc/login.defs             r,
   # nis
   #include <abstractions/nis>
--- a/usr-etc-abstractions-base-nameservice.diff
+++ b/usr-etc-abstractions-base-nameservice.diff
@ -10,10 +10,10 @@ diff --git a/profiles/apparmor.d/abstractions/base b/profiles/apparmor.d/abstrac
 index cecb126f..6288da76 100644
 --- a/profiles/apparmor.d/abstractions/base
 +++ b/profiles/apparmor.d/abstractions/base
-@@ -23,9 +23,9 @@
+@@ -27,9 +27,9 @@
-   /dev/log                       w,
+   # time and getrandom()/{,u}random and, when available, runs under an
-   /dev/random                    r,
+   # unprivilged, dedicated user).
-   /dev/urandom                   r,
+   /run/uuidd/request             r,
 -  /etc/locale/**                 r,
 -  /etc/locale.alias              r,
 -  /etc/localtime                 r,
@ -23,7 +23,7 @@ index cecb126f..6288da76 100644
   /usr/share/locale-bundle/**    r,
   /usr/share/locale-langpack/**  r,
   /usr/share/locale/**           r,
-@@ -48,14 +48,14 @@
+@@ -52,14 +52,14 @@
   /usr/lib/@{multiarch}/gconv/gconv-modules* mr,
   # used by glibc when binding to ephemeral ports