Accepting request 87773 from security:apparmor:factory

- update to AppArmor 2.7.0 rc1 - aa-notify: add --display option and warn if $DISPLAY is not set (important for usage with sudo on openSUSE) - fix syntax error on "rcapparmor stop" - allow read access to /proc/*/mounts in the dovecot profile OBS-URL: https://build.opensuse.org/request/show/87773 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=25
2011-10-14 07:46:42 +00:00 · 2011-10-14 07:46:42 +00:00 · d96e8c3c99
commit d96e8c3c99
parent 86ade05802
5 changed files with 14 additions and 164 deletions
--- a/apparmor-2.7-changes-since-beta2.diff
+++ b/apparmor-2.7-changes-since-beta2.diff
@ -1,155 +0,0 @@
 bzr diff -r1829..1834
 also create parser/parser.conf (forgotten in r1834, will probably be in r1835)
 === modified file 'parser/Makefile'
 --- parser/Makefile	2011-09-01 18:57:54 +0000
 +++ parser/Makefile	2011-10-07 21:43:54 +0000
@@ -246,17 +246,14 @@
 install-redhat:
 	install -m 755 -d $(DESTDIR)/etc/init.d
 	install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
 -	install -m 755 rc.aaeventd.redhat $(DESTDIR)/etc/init.d/aaeventd
 .PHONY: install-suse
 install-suse:
 	install -m 755 -d $(DESTDIR)/etc/init.d
 	install -m 755 rc.apparmor.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/boot.apparmor
 -	install -m 755 rc.aaeventd.$(subst install-,,$(@)) $(DESTDIR)/etc/init.d/aaeventd
 	install -m 755 -d $(DESTDIR)/sbin
 	ln -sf /etc/init.d/boot.apparmor $(DESTDIR)/sbin/rcapparmor
 	ln -sf rcapparmor $(DESTDIR)/sbin/rcsubdomain
 -	ln -sf /etc/init.d/aaeventd $(DESTDIR)/sbin/rcaaeventd
 .PHONY: install-slackware
 install-slackware:
@@ -288,6 +285,7 @@
 install-indep:
 	install -m 755 -d $(INSTALL_CONFDIR)
 	install -m 644 subdomain.conf $(INSTALL_CONFDIR)
 +	install -m 644 parser.conf $(INSTALL_CONFDIR)
 	install -m 755 -d ${DESTDIR}/var/lib/apparmor
 	install -m 755 -d $(APPARMOR_BIN_PREFIX)
 	install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
 === modified file 'parser/apparmor-parser.spec.in'
 --- parser/apparmor-parser.spec.in	2010-12-20 20:29:10 +0000
 +++ parser/apparmor-parser.spec.in	2011-10-07 21:43:54 +0000
@@ -103,6 +103,7 @@
   /etc/init.d/aaeventd
 %endif
 %config(noreplace) /etc/apparmor/subdomain.conf
 +%config(noreplace) /etc/apparmor/parser.conf
 /var/lib/apparmor
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions
 === modified file 'parser/parser_main.c'
 --- parser/parser_main.c	2011-08-09 13:52:43 +0000
 +++ parser/parser_main.c	2011-10-07 21:42:55 +0000
@@ -1007,8 +1007,7 @@
 		}
 		else {
 			unlink(cachetemp);
 -			if (show_cache)
 -				PERROR("Removed cache attempt: %s\n", cachetemp);
 +			PERROR("Warning failed to create cache: %s\n", basename);
 		}
 		free(cachetemp);
 	}
 --- /dev/null
 +++ parser/parser.conf
@@ -0,0 +1,58 @@
 +# parser.conf is a global AppArmor config file for the apparmor_parser
 +#
 +# It can be used to specify the default options for the parser, which
 +# can then be overriden by options passed on the command line.
 +#
 +# Leading whitespace is ignored and lines that begin with # are treated
 +# as comments.
 +#
 +# Config options are specified one per line using the same format as the
 +# longform command line options (without the preceding --).
 +#
 +# If a value is specified twice the last version to appear is used.
 +
 +## Suppress Warnings
 +#quiet
 +
 +## Be verbose
 +#verbose
 +
 +## Set include path
 +#Include /etc/apparmor.d/abstractions
 +
 +## Set location of apparmor filesystem
 +#subdomainfs /sys/kernel/security/apparmor
 +
 +## Set match-string to use - for forcing compiler to treat different kernels
 +## the same
 +# match-string "pattern=aadfa audit perms=crwxamlk/ user::other"
 +
 +## Turn creating/updating of the cache on by default
 +#write-cache
 +
 +## Show cache hits
 +#show-cache
 +
 +## skip cached policy
 +#skip-cache
 +
 +## skip reading cache but allow updating
 +#skip-read-cache
 +
 +
 +#### Set Optimizaions.  Multiple Optimizations can be set, one per line ####
 +# For supported optimizations see
 +#   apparmor_parser --help=O
 +
 +## Turn on equivalence classes
 +#equiv
 +
 +## Turn off expr tree simplification
 +#Optimize=no-expr-simplify
 +
 +## Turn off DFA minimization
 +#Optimize=no-minimize
 +
 +## Adjust compression
 +#Optimize=compress-small
 +#Optimize=compress-fast
 === modified file 'utils/aa-notify'
 --- utils/aa-notify	2011-08-17 14:48:12 +0000
 +++ utils/aa-notify	2011-09-30 23:00:52 +0000
@@ -36,6 +36,8 @@
 my $conf = "/etc/apparmor/notify.conf";
 my $user_conf = "$ENV{HOME}/.apparmor/notify.conf";
 my $notify_exe = "/usr/bin/notify-send";
 +my $notify_home = "";
 +my $notify_display = "";
 my $last_exe = "/usr/bin/last";
 my $ps_exe = "/bin/ps";
 my $url = "https://wiki.ubuntu.com/DebuggingApparmor";
@@ -154,6 +156,12 @@
 if ($opt_p) {
     -x "$notify_exe" or _error("Could not find '$notify_exe'. Please install libnotify-bin. Aborting");
 +
 +    # we need correct values for $HOME and $DISPLAY environment variables,
 +    # otherwise $notify_exe won't be able to connect to DBUS to display the
 +    # message. Do this here to avoid excessive lookups.
 +    $notify_home = (getpwuid $>)[7]; # homedir of the user
 +# TODO: set $notify_display;
 } elsif ($opt_l) {
     -x "$last_exe" or _error("Could not find '$last_exe'. Aborting");
 }
@@ -305,6 +313,9 @@
         # notify-send needs $< to be the unprivileged user
         $< = $>;
 +        $notify_home ne "" and $ENV{'HOME'} = $notify_home;
 +        $notify_display ne "" and $ENV{'DISPLAY'} = $notify_display;
 +
         # 'system' uses execvp() so no shell metacharacters here.
         # $notify_exe is an absolute path so execvp won't search PATH.
         system "$notify_exe", "-i", "gtk-dialog-warning", "-u", "critical", "--", "AppArmor Message", "$msg";
--- a/apparmor-2.7.beta2.tar.gz
+++ b/apparmor-2.7.beta2.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:f9e4ef359eac63834839f07497d9772e37d8b85accf96f03d354aa6543593915
 size 1426345
--- a/apparmor-2.7.rc1.tar.gz
+++ b/apparmor-2.7.rc1.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e4e93cbca008cbec2da080931a5e8d7dc170c993fd5f070fdc04c4062a687ce3
 size 1427050
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,12 @@
 -------------------------------------------------------------------
 Thu Oct 13 22:52:24 UTC 2011 - opensuse@cboltz.de
 - update to AppArmor 2.7.0 rc1
  - aa-notify: add --display option and warn if $DISPLAY is not set
    (important for usage with sudo on openSUSE)
  - fix syntax error on "rcapparmor stop"
  - allow read access to /proc/*/mounts in the dovecot profile
 -------------------------------------------------------------------
 Sun Oct  9 19:42:05 UTC 2011 - opensuse@cboltz.de
--- a/apparmor.spec
+++ b/apparmor.spec
@ -43,9 +43,9 @@ Name:           apparmor
 %if ! %{?distro:1}0
  %define distro suse
 %endif
-Version:        2.7.beta2
+Version:        2.7.rc1
 Release:        1
-%define versiondir        2.7.0~beta2
+%define versiondir        2.7.0~rc1
 Summary:        AppArmor userlevel parser utility
 Group:          Productivity/Networking/Security
 Source0:        apparmor-%{version}.tar.gz
@ -53,9 +53,6 @@ Source1:        %{name}-profile-editor.png
 Source2:        %{name}-profile-editor.desktop
 Source3:        update-trans.sh
 # upstream changes since 2.7beta2 release
 Patch:          apparmor-2.7-changes-since-beta2.diff
 # enable caching of profiles (= massive performance speedup when loading profiles)
 Patch1:         apparmor-enable-profile-cache.diff
@ -403,7 +400,6 @@ SubDomain.
 %prep
 %setup -q -n %{name}-%{versiondir}
 %patch -p0
 %patch1 -p1
 %patch5 -p1
 #%patch10 -p1 # disabled, see above