From d96e8c3c99e98e5c51690a50adf29b882584c9fb14b5d6993d41903bb0a3505a Mon Sep 17 00:00:00 2001
From: Lars Vogdt
Date: Fri, 14 Oct 2011 07:46:42 +0000
Subject: [PATCH] Accepting request 87773 from security:apparmor:factory
- update to AppArmor 2.7.0 rc1
- aa-notify: add --display option and warn if $DISPLAY is not set
(important for usage with sudo on openSUSE)
- fix syntax error on "rcapparmor stop"
- allow read access to /proc/*/mounts in the dovecot profile
OBS-URL: https://build.opensuse.org/request/show/87773
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=25
---
 apparmor-2.7-changes-since-beta2.diff | 155 --------------------------
 apparmor-2.7.beta2.tar.gz | 3 -
 apparmor-2.7.rc1.tar.gz | 3 +
 apparmor.changes | 9 ++
 apparmor.spec | 8 +-
 5 files changed, 14 insertions(+), 164 deletions(-)
 delete mode 100644 apparmor-2.7-changes-since-beta2.diff
 delete mode 100644 apparmor-2.7.beta2.tar.gz
 create mode 100644 apparmor-2.7.rc1.tar.gz
diff --git a/apparmor-2.7-changes-since-beta2.diff b/apparmor-2.7-changes-since-beta2.diff
deleted file mode 100644
index 08eacf3..0000000
--- a/apparmor-2.7-changes-since-beta2.diff
+++ /dev/null
@@ -1,155 +0,0 @@ -bzr diff -r1829..1834 -also create parser/parser.conf (forgotten in r1834, will probably be in r1835) - -=== modified file 'parser/Makefile' ---- parser/Makefile 2011-09-01 18:57:54 +0000 -+++ parser/Makefile 2011-10-07 21:43:54 +0000 -@@ -246,17 +246,14 @@ - install-redhat: - install -m 755 -d $(DESTDIR)/etc/init.d - install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor -- install -m 755 rc.aaeventd.redhat $(DESTDIR)/etc/init.d/aaeventd - - .PHONY: install-suse - install-suse: - install -m 755 -d $(DESTDIR)/etc/init.d - install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor -- install -m 755 rc.aaeventd.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/aaeventd - install -m 755 -d $(DESTDIR)/sbin - ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor - ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain -- ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd - - .PHONY: install-slackware - install-slackware: -@@ -288,6 +285,7 @@ - install-indep: - install -m 755 -d $(INSTALL_CONFDIR) - install -m 644 subdomain.conf $(INSTALL_CONFDIR) -+ install -m 644 parser.conf $(INSTALL_CONFDIR) - install -m 755 -d ${DESTDIR}/var/lib/apparmor - install -m 755 -d $(APPARMOR_BIN_PREFIX) - install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX) - -=== modified file 'parser/apparmor-parser.spec.in' ---- parser/apparmor-parser.spec.in 2010-12-20 20:29:10 +0000 -+++ parser/apparmor-parser.spec.in 2011-10-07 21:43:54 +0000 -@@ -103,6 +103,7 @@ - /etc/init.d/aaeventd - %endif - %config(noreplace) /etc/apparmor/subdomain.conf -+%config(noreplace) /etc/apparmor/parser.conf - /var/lib/apparmor - %dir %attr(-, root, root) %{apparmor_bin_prefix} - %{apparmor_bin_prefix}/rc.apparmor.functions - -=== modified file 'parser/parser_main.c' ---- parser/parser_main.c 2011-08-09 13:52:43 +0000 -+++ parser/parser_main.c 2011-10-07 21:42:55 +0000 -@@ -1007,8 +1007,7 @@ - } - else { - unlink(cachetemp); -- if (show_cache) 
-- PERROR("Removed cache attempt: %s\n", cachetemp); -+ PERROR("Warning failed to create cache: %s\n", basename); - } - free(cachetemp); - } ---- /dev/null -+++ parser/parser.conf -@@ -0,0 +1,58 @@ -+# parser.conf is a global AppArmor config file for the apparmor_parser -+# -+# It can be used to specify the default options for the parser, which -+# can then be overriden by options passed on the command line. -+# -+# Leading whitespace is ignored and lines that begin with # are treated -+# as comments. -+# -+# Config options are specified one per line using the same format as the -+# longform command line options (without the preceding --). -+# -+# If a value is specified twice the last version to appear is used. -+ -+## Suppress Warnings -+#quiet -+ -+## Be verbose -+#verbose -+ -+## Set include path -+#Include /etc/apparmor.d/abstractions -+ -+## Set location of apparmor filesystem -+#subdomainfs /sys/kernel/security/apparmor -+ -+## Set match-string to use - for forcing compiler to treat different kernels -+## the same -+# match-string "pattern=aadfa audit perms=crwxamlk/ user::other" -+ -+## Turn creating/updating of the cache on by default -+#write-cache -+ -+## Show cache hits -+#show-cache -+ -+## skip cached policy -+#skip-cache -+ -+## skip reading cache but allow updating -+#skip-read-cache -+ -+ -+#### Set Optimizaions. 
Multiple Optimizations can be set, one per line #### -+# For supported optimizations see -+# apparmor_parser --help=O -+ -+## Turn on equivalence classes -+#equiv -+ -+## Turn off expr tree simplification -+#Optimize=no-expr-simplify -+ -+## Turn off DFA minimization -+#Optimize=no-minimize -+ -+## Adjust compression -+#Optimize=compress-small -+#Optimize=compress-fast -=== modified file 'utils/aa-notify' ---- utils/aa-notify 2011-08-17 14:48:12 +0000 -+++ utils/aa-notify 2011-09-30 23:00:52 +0000 -@@ -36,6 +36,8 @@ - my $conf = "/etc/apparmor/notify.conf"; - my $user_conf = "$ENV{HOME}/.apparmor/notify.conf"; - my $notify_exe = "/usr/bin/notify-send"; -+my $notify_home = ""; -+my $notify_display = ""; - my $last_exe = "/usr/bin/last"; - my $ps_exe = "/bin/ps"; - my $url = "https://wiki.ubuntu.com/DebuggingApparmor"; -@@ -154,6 +156,12 @@ - - if ($opt_p) { - -x "$notify_exe" or _error("Could not find '$notify_exe'. Please install libnotify-bin. Aborting"); -+ -+ # we need correct values for $HOME and $DISPLAY environment variables, -+ # otherwise $notify_exe won't be able to connect to DBUS to display the -+ # message. Do this here to avoid excessive lookups. -+ $notify_home = (getpwuid $>)[7]; # homedir of the user -+# TODO: set $notify_display; - } elsif ($opt_l) { - -x "$last_exe" or _error("Could not find '$last_exe'. Aborting"); - } -@@ -305,6 +313,9 @@ - # notify-send needs $< to be the unprivileged user - $< = $>; - -+ $notify_home ne "" and $ENV{'HOME'} = $notify_home; -+ $notify_display ne "" and $ENV{'DISPLAY'} = $notify_display; -+ - # 'system' uses execvp() so no shell metacharacters here. - # $notify_exe is an absolute path so execvp won't search PATH. - system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$msg"; - diff --git a/apparmor-2.7.beta2.tar.gz b/apparmor-2.7.beta2.tar.gz deleted file mode 100644 index c6eb4e9..0000000 --- a/apparmor-2.7.beta2.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f9e4ef359eac63834839f07497d9772e37d8b85accf96f03d354aa6543593915
-size 1426345
diff --git a/apparmor-2.7.rc1.tar.gz b/apparmor-2.7.rc1.tar.gz
new file mode 100644
index 0000000..5a82c29
--- /dev/null
+++ b/apparmor-2.7.rc1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4e93cbca008cbec2da080931a5e8d7dc170c993fd5f070fdc04c4062a687ce3
+size 1427050
diff --git a/apparmor.changes b/apparmor.changes
index 056145b..e3edc93 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Oct 13 22:52:24 UTC 2011 - opensuse@cboltz.de
+
+- update to AppArmor 2.7.0 rc1
+ - aa-notify: add --display option and warn if $DISPLAY is not set
+ (important for usage with sudo on openSUSE)
+ - fix syntax error on "rcapparmor stop"
+ - allow read access to /proc/*/mounts in the dovecot profile
+
 -------------------------------------------------------------------
 Sun Oct 9 19:42:05 UTC 2011 - opensuse@cboltz.de
diff --git a/apparmor.spec b/apparmor.spec
index 77241ac..49a2d02 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -43,9 +43,9 @@ Name: apparmor
 %if ! %{?distro:1}0
 %define distro suse
 %endif
-Version: 2.7.beta2
+Version: 2.7.rc1
 Release: 1
-%define versiondir 2.7.0~beta2
+%define versiondir 2.7.0~rc1
 Summary: AppArmor userlevel parser utility
 Group: Productivity/Networking/Security
 Source0: apparmor-%{version}.tar.gz
@@ -53,9 +53,6 @@ Source1: %{name}-profile-editor.png
 Source2: %{name}-profile-editor.desktop
 Source3: update-trans.sh
-# upstream changes since 2.7beta2 release
-Patch: apparmor-2.7-changes-since-beta2.diff
-
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1: apparmor-enable-profile-cache.diff
@@ -403,7 +400,6 @@ SubDomain.
 %prep
 %setup -q -n %{name}-%{versiondir}
-%patch -p0
 %patch1 -p1
 %patch5 -p1
 #%patch10 -p1 # disabled, see above