Accepting request 87773 from security:apparmor:factory

- update to AppArmor 2.7.0 rc1
  - aa-notify: add --display option and warn if $DISPLAY is not set
    (important for usage with sudo on openSUSE)
  - fix syntax error on "rcapparmor stop"
  - allow read access to /proc/*/mounts in the dovecot profile

OBS-URL: https://build.opensuse.org/request/show/87773
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=25
Lars Vogdt 2011-10-14 07:46:42 +00:00 committed by Git OBS Bridge
parent 86ade05802
commit d96e8c3c99
5 changed files with 14 additions and 164 deletions


@ -1,155 +0,0 @@
bzr diff -r1829..1834
also create parser/parser.conf (forgotten in r1834, will probably be in r1835)
=== modified file 'parser/Makefile'
--- parser/Makefile 2011-09-01 18:57:54 +0000
+++ parser/Makefile 2011-10-07 21:43:54 +0000
@@ -246,17 +246,14 @@
install-redhat:
install -m 755 -d $(DESTDIR)/etc/init.d
install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
- install -m 755 rc.aaeventd.redhat $(DESTDIR)/etc/init.d/aaeventd
.PHONY: install-suse
install-suse:
install -m 755 -d $(DESTDIR)/etc/init.d
install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
- install -m 755 rc.aaeventd.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/aaeventd
install -m 755 -d $(DESTDIR)/sbin
ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
- ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd
.PHONY: install-slackware
install-slackware:
@@ -288,6 +285,7 @@
install-indep:
install -m 755 -d $(INSTALL_CONFDIR)
install -m 644 subdomain.conf $(INSTALL_CONFDIR)
+ install -m 644 parser.conf $(INSTALL_CONFDIR)
install -m 755 -d ${DESTDIR}/var/lib/apparmor
install -m 755 -d $(APPARMOR_BIN_PREFIX)
install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
=== modified file 'parser/apparmor-parser.spec.in'
--- parser/apparmor-parser.spec.in 2010-12-20 20:29:10 +0000
+++ parser/apparmor-parser.spec.in 2011-10-07 21:43:54 +0000
@@ -103,6 +103,7 @@
/etc/init.d/aaeventd
%endif
%config(noreplace) /etc/apparmor/subdomain.conf
+%config(noreplace) /etc/apparmor/parser.conf
/var/lib/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
=== modified file 'parser/parser_main.c'
--- parser/parser_main.c 2011-08-09 13:52:43 +0000
+++ parser/parser_main.c 2011-10-07 21:42:55 +0000
@@ -1007,8 +1007,7 @@
}
else {
unlink(cachetemp);
- if (show_cache)
- PERROR("Removed cache attempt: %s\n", cachetemp);
+ PERROR("Warning failed to create cache: %s\n", basename);
}
free(cachetemp);
}
--- /dev/null
+++ parser/parser.conf
@@ -0,0 +1,58 @@
+# parser.conf is a global AppArmor config file for the apparmor_parser
+#
+# It can be used to specify the default options for the parser, which
+# can then be overriden by options passed on the command line.
+#
+# Leading whitespace is ignored and lines that begin with # are treated
+# as comments.
+#
+# Config options are specified one per line using the same format as the
+# longform command line options (without the preceding --).
+#
+# If a value is specified twice the last version to appear is used.
+
+## Suppress Warnings
+#quiet
+
+## Be verbose
+#verbose
+
+## Set include path
+#Include /etc/apparmor.d/abstractions
+
+## Set location of apparmor filesystem
+#subdomainfs /sys/kernel/security/apparmor
+
+## Set match-string to use - for forcing compiler to treat different kernels
+## the same
+# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
+
+## Turn creating/updating of the cache on by default
+#write-cache
+
+## Show cache hits
+#show-cache
+
+## skip cached policy
+#skip-cache
+
+## skip reading cache but allow updating
+#skip-read-cache
+
+
+#### Set Optimizaions. Multiple Optimizations can be set, one per line ####
+# For supported optimizations see
+# apparmor_parser --help=O
+
+## Turn on equivalence classes
+#equiv
+
+## Turn off expr tree simplification
+#Optimize=no-expr-simplify
+
+## Turn off DFA minimization
+#Optimize=no-minimize
+
+## Adjust compression
+#Optimize=compress-small
+#Optimize=compress-fast
=== modified file 'utils/aa-notify'
--- utils/aa-notify 2011-08-17 14:48:12 +0000
+++ utils/aa-notify 2011-09-30 23:00:52 +0000
@@ -36,6 +36,8 @@
my $conf = "/etc/apparmor/notify.conf";
my $user_conf = "$ENV{HOME}/.apparmor/notify.conf";
my $notify_exe = "/usr/bin/notify-send";
+my $notify_home = "";
+my $notify_display = "";
my $last_exe = "/usr/bin/last";
my $ps_exe = "/bin/ps";
my $url = "https://wiki.ubuntu.com/DebuggingApparmor";
@@ -154,6 +156,12 @@
if ($opt_p) {
-x "$notify_exe" or _error("Could not find '$notify_exe'. Please install libnotify-bin. Aborting");
+
+ # we need correct values for $HOME and $DISPLAY environment variables,
+ # otherwise $notify_exe won't be able to connect to DBUS to display the
+ # message. Do this here to avoid excessive lookups.
+ $notify_home = (getpwuid $>)[7]; # homedir of the user
+# TODO: set $notify_display;
} elsif ($opt_l) {
-x "$last_exe" or _error("Could not find '$last_exe'. Aborting");
}
@@ -305,6 +313,9 @@
# notify-send needs $< to be the unprivileged user
$< = $>;
+ $notify_home ne "" and $ENV{'HOME'} = $notify_home;
+ $notify_display ne "" and $ENV{'DISPLAY'} = $notify_display;
+
# 'system' uses execvp() so no shell metacharacters here.
# $notify_exe is an absolute path so execvp won't search PATH.
system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$msg";


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f9e4ef359eac63834839f07497d9772e37d8b85accf96f03d354aa6543593915
size 1426345

3
apparmor-2.7.rc1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e4e93cbca008cbec2da080931a5e8d7dc170c993fd5f070fdc04c4062a687ce3
size 1427050


@ -1,3 +1,12 @@
-------------------------------------------------------------------
Thu Oct 13 22:52:24 UTC 2011 - opensuse@cboltz.de
- update to AppArmor 2.7.0 rc1
- aa-notify: add --display option and warn if $DISPLAY is not set
(important for usage with sudo on openSUSE)
- fix syntax error on "rcapparmor stop"
- allow read access to /proc/*/mounts in the dovecot profile
-------------------------------------------------------------------
Sun Oct 9 19:42:05 UTC 2011 - opensuse@cboltz.de


@ -43,9 +43,9 @@ Name: apparmor
%if ! %{?distro:1}0
%define distro suse
%endif
Version: 2.7.beta2
Version: 2.7.rc1
Release: 1
%define versiondir 2.7.0~beta2
%define versiondir 2.7.0~rc1
Summary: AppArmor userlevel parser utility
Group: Productivity/Networking/Security
Source0: apparmor-%{version}.tar.gz
@ -53,9 +53,6 @@ Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
# upstream changes since 2.7beta2 release
Patch: apparmor-2.7-changes-since-beta2.diff
# enable caching of profiles (= massive performance speedup when loading profiles)
Patch1: apparmor-enable-profile-cache.diff
@ -403,7 +400,6 @@ SubDomain.
%prep
%setup -q -n %{name}-%{versiondir}
%patch -p0
%patch1 -p1
%patch5 -p1
#%patch10 -p1 # disabled, see above