pool/apparmor
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 59942 from security:apparmor:factory

Browse Source 
Accepted submit request 59942 from user jeff_mahoney

OBS-URL: https://build.opensuse.org/request/show/59942
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=7
This commit is contained in:
Marcus Rückert 2011-02-03 21:31:10 +00:00 committed by Git OBS Bridge
parent 720dc78fa8
commit e0e7b0c209
5 changed files with 243 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
apparmor-profiles-dhclient Normal file
View File

@ -0,0 +1,119 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: profiles: update dhclient
References: bnc#561152
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/sbin.dhclient | 60 +++++++++++------
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
2 files changed, 60 insertions(+), 21 deletions(-)
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -12,12 +12,12 @@
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
-# /bin/ps mixr,
-# /sbin/arp rmix,
-# /usr/bin/dig rmix,
-# /usr/bin/uptime rmix,
-# /usr/bin/vmstat rmix,
-# /usr/bin/w rmix,
+# /bin/ps mrix,
+# /sbin/arp mrix,
+# /usr/bin/dig mrix,
+# /usr/bin/uptime mrix,
+# /usr/bin/vmstat mrix,
+# /usr/bin/w mrix,
#include <tunables/global>
@@ -25,25 +25,29 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
- /sbin/dhclient rmix,
- /sbin/dhclient-script rmix,
- /bin/bash rmix,
- /bin/df rmix,
+
+ network packet packet,
+
+ /sbin/dhclient mrix,
+
+ /sbin/dhclient-script mrix,
+ /bin/bash mrix,
+ /bin/df mrix,
/bin/netstat Px,
- /bin/ps mixr,
+ /bin/ps mrix,
/dev/random r,
/etc/dhclient.conf r,
- @{PROC}/ r,
- @{PROC}/interrupts r,
- @{PROC}/net/dev r,
- @{PROC}/rtc r,
+ @{PROC}/ r,
+ @{PROC}/interrupts r,
+ @{PROC}/*/net/dev r,
+ @{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
- @{PROC}/self/status r,
- /sbin/arp rmix,
- /usr/bin/dig rmix,
- /usr/bin/uptime rmix,
- /usr/bin/vmstat rmix,
- /usr/bin/w rmix,
+ @{PROC}/self/status r,
+ /sbin/arp mrix,
+ /usr/bin/dig mrix,
+ /usr/bin/uptime mrix,
+ /usr/bin/vmstat mrix,
+ /usr/bin/w mrix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
/var/log/lastlog r,
@@ -53,4 +57,18 @@
/var/run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
+
+ # This one will need to be fleshed out depending on what the user is doing
+ /sbin/dhclient-script mrpx,
+
+ /bin/grep mrix,
+ /bin/sleep mrix,
+ /etc/sysconfig/network/dhcp r,
+ /etc/sysconfig/network/scripts/functions.common r,
+ /etc/sysconfig/network/scripts/functions r,
+ /sbin/ip mrix,
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+ /var/lib/dhcp/* rw,
+ /var/run/nm-dhclient-*.conf r,
+
}
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -0,0 +1,21 @@
+# Last Modified: Tue Jan 25 16:48:30 2011
+#include <tunables/global>
+
+# dhclient-script will call plugins from /etc/netconfig.d, so this
+# will need to be extended on a per-site basis.
+
+/sbin/dhclient-script {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/consoles>
+
+ /bin/bash rix,
+ /bin/grep rix,
+ /bin/sleep rix,
+ /bin/touch rix,
+ /dev/.sysconfig/network/** r,
+ /etc/netconfig.d/* mrix,
+ /etc/sysconfig/network/** r,
+ /sbin/dhclient-script r,
+ /sbin/ip rix,
+}

56
apparmor-remove-repo Normal file
View File

@ -0,0 +1,56 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Allow repository to be completely disabled
This patch allows the repository to be completely disabled. It's been
subject to massive bitrot and isn't really maintained.
It will only confuse the user if they are asked for repository information
and it doesn't work.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 5 +++++
utils/logprof.conf | 4 ++++
2 files changed, 9 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -3107,6 +3107,8 @@ sub UI_repo_signup {
sub UI_ask_to_enable_repo {
my $q = { };
+ return if (defined $cfg->{settings}{allow_repository} &&
+ $cfg->{settings}{allow_repository} eq "no");
return if ( not defined $cfg->{repository}{url} );
$q->{headers} = [
gettext("Repository"), $cfg->{repository}{url},
@@ -3231,6 +3233,8 @@ sub get_preferred_user ($) {
sub repo_is_enabled () {
my $enabled;
+ return 0 if defined($cfg->{settings}{allow_repository}) &&
+ $cfg->{settings}{allow_repository} eq "no";
if ($cfg->{repository}{url} &&
$repo_cfg &&
$repo_cfg->{repository}{enabled} &&
@@ -3244,6 +3248,7 @@ sub repo_is_enabled () {
sub update_repo_profile {
my $profile = shift;
+ return undef if not repo_is_enabled();
return undef if ( not is_repo_profile($profile) );
my $distro = $cfg->{repository}{distro};
my $url = $profile->{repo}{url};
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -35,6 +35,10 @@
# files.
custom_includes =
+ # whether to prompt to enable repositories (values: yes/no)
+ # This feature has fallen to bitrot and should not be used.
+ allow_repository = no
+
[repository]
distro = ubuntu-intrepid

15
apparmor.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Tue Jan 25 23:25:28 CET 2011 - jeffm@suse.de
- Updated dhclient profile and added dhclient-script profile (bnc#561152).
-------------------------------------------------------------------
Tue Jan 25 18:11:00 CET 2011 - jeffm@suse.de
- Added ability to completely disable repositories.
-------------------------------------------------------------------
Mon Jan 24 21:27:45 CET 2011 - jeffm@suse.de
- Properly indent sub-profiles after genprof completion (bnc#480795).
-------------------------------------------------------------------
Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de

24
apparmor.spec
View File

@ -49,13 +49,13 @@ Name: apparmor
%endif
Summary: AppArmor userlevel parser utility
Version: %{srcversion}.%{bzr_commit}
Release: 1
Release: 49
Group: Productivity/Networking/Security
Source0: apparmor-%{srcversion}.tar.bz2
Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
Patch: apparmor-2.5-%{bzr_commit}
Patch: apparmor-2.5-%{bzr_commit}
Patch1: pam-apparmor-include
Patch2: mod_apparmor-includes
Patch3: tomcat-build-fixes
@ -84,15 +84,16 @@ Patch25: apparmor-2.5.1-ntpd-proc-fixes
Patch26: apparmor-2.5.1-edirectory-profile
Patch27: apparmor-2.5.1-firefox-proc-fix
Patch28: apparmor-2.5.1-unconfined-fixes
Patch29: apparmor-utils-inherit-flags-during-profile-generation
Patch29: apparmor-utils-inherit-flags-during-profile-generation
Patch30: apparmor-2.5.1-ldapclient-profile
#Patch31:
#Patch32:
Patch31: genprof-whitespace-in-profile-fix
Patch32: apparmor-remove-repo
Patch33: apparmor-2.5.1-ntpd-sys_nice
Patch34: apparmor-2.5.1-ssl-fix
Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix
Patch36: klog-needs-CAP_SYSLOG
Patch37: apparmor-2.5.1-network-fixes
Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix
Patch36: klog-needs-CAP_SYSLOG
Patch37: apparmor-2.5.1-network-fixes
Patch38: apparmor-profiles-dhclient
License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor
@ -163,7 +164,7 @@ Provides: subdomain-parser-demo = %{version}
Provides: subdomain-parser-common = %{version}
Provides: subdomain-leaf-cert = %{version}
Provides: libimnxcert = %{version}
Provides: apparmor-parser(CAP_SYSLOG)
Provides: apparmor-parser(CAP_SYSLOG)
%description parser
The AppArmor Parser is a userlevel program that is used to load in
@ -318,7 +319,7 @@ Summary: AppArmor profiles that are loaded into the apparmor kernel modul
Group: Productivity/Security
Obsoletes: subdomain-profiles < %{version}
Provides: subdomain-profiles = %{version}
Requires: apparmor-parser(CAP_SYSLOG)
Requires: apparmor-parser(CAP_SYSLOG)
%description profiles
Base profiles. AppArmor is a file and network mandatory access control
@ -493,11 +494,14 @@ SubDomain.
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
%patch38 -p1
%build
export SUSE_ASNEEDED=0

39
genprof-whitespace-in-profile-fix Normal file
View File

@ -0,0 +1,39 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: setprofileflags() drops leading whitespace
References: bnc#480795
setprofileflags() drops leading whitespace for subprofiles. writeheader()
properly indents subprofiles 2 spaces per nesting level but when
genprof sets the profile to enforce mode at completion, the whitespace
is removed.
This patch adds the whitespace globbing to the regexp and uses it to
prefix the sub-profile with the correct spacing.
Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
if (open(PROFILE, "$filename")) {
if (open(NEWPROFILE, ">$filename.new")) {
while (<PROFILE>) {
- if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
- my ($binary, $flags) = ($1, $5);
+ if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
+ my ($space, $binary, $flags) = ($1, $2, $6);
if ($newflags) {
- $_ = "$binary flags=($newflags) {\n";
+ $_ = "$space$binary flags=($newflags) {\n";
} else {
- $_ = "$binary {\n";
+ $_ = "$space$binary {\n";
}
} elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) {
my ($hat, $flags) = ($1, $2);