Accepting request 59942 from security:apparmor:factory

Accepted submit request 59942 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/59942 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=7
2011-02-03 21:31:10 +00:00 · 2011-02-03 21:31:10 +00:00 · e0e7b0c209
commit e0e7b0c209
parent 720dc78fa8
5 changed files with 243 additions and 10 deletions
--- a/119
+++ b/119
@ -0,0 +1,119 @@
 From: Jeff Mahoney <jeffm@suse.com>
 Subject: profiles: update dhclient
 References: bnc#561152
 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
 ---
 profiles/apparmor/profiles/extras/sbin.dhclient        |   60 +++++++++++------
 profiles/apparmor/profiles/extras/sbin.dhclient-script |   21 +++++
 2 files changed, 60 insertions(+), 21 deletions(-)
 --- a/profiles/apparmor/profiles/extras/sbin.dhclient
 +++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -12,12 +12,12 @@
 # raw sockets, and thus cannot be confined with NetDomain
 #
 # Should these programs have their own domains?
 -# /bin/ps                     mixr,
 -# /sbin/arp                   rmix,
 -# /usr/bin/dig                rmix,
 -# /usr/bin/uptime             rmix,
 -# /usr/bin/vmstat             rmix,
 -# /usr/bin/w                  rmix,
 +# /bin/ps                     mrix,
 +# /sbin/arp                   mrix,
 +# /usr/bin/dig                mrix,
 +# /usr/bin/uptime             mrix,
 +# /usr/bin/vmstat             mrix,
 +# /usr/bin/w                  mrix,
 #include <tunables/global>
@@ -25,25 +25,29 @@
   #include <abstractions/base>
   #include <abstractions/bash>
   #include <abstractions/nameservice>
 -  /sbin/dhclient              rmix,
 -  /sbin/dhclient-script       rmix,
 -  /bin/bash                   rmix,
 -  /bin/df                     rmix,
 +
 +  network packet packet,
 +
 +  /sbin/dhclient              mrix,
 +
 +  /sbin/dhclient-script       mrix,
 +  /bin/bash                   mrix,
 +  /bin/df                     mrix,
   /bin/netstat                Px,
 -  /bin/ps                     mixr,
 +  /bin/ps                     mrix,
   /dev/random                 r,
   /etc/dhclient.conf          r,
 -  @{PROC}/                      r,
 -  @{PROC}/interrupts            r,
 -  @{PROC}/net/dev               r,
 -  @{PROC}/rtc                   r,
 +  @{PROC}/                    r,
 +  @{PROC}/interrupts          r,
 +  @{PROC}/*/net/dev           r,
 +  @{PROC}/rtc                 r,
   # following rule shouldn't work, self is a symlink
 -  @{PROC}/self/status           r,
 -  /sbin/arp                   rmix,
 -  /usr/bin/dig                rmix,
 -  /usr/bin/uptime             rmix,
 -  /usr/bin/vmstat             rmix,
 -  /usr/bin/w                  rmix,
 +  @{PROC}/self/status         r,
 +  /sbin/arp                   mrix,
 +  /usr/bin/dig                mrix,
 +  /usr/bin/uptime             mrix,
 +  /usr/bin/vmstat             mrix,
 +  /usr/bin/w                  mrix,
   /var/lib/dhcp/dhclient.leases     rw,
   /var/lib/dhcp/dhclient-*.leases   rw,
   /var/log/lastlog            r,
@@ -53,4 +57,18 @@
   /var/run/dhclient-*.pid     rw,
   /var/spool                  r,
   /var/spool/mail             r,
 +
 +  # This one will need to be fleshed out depending on what the user is doing
 +  /sbin/dhclient-script mrpx,
 +
 +  /bin/grep mrix,
 +  /bin/sleep mrix,
 +  /etc/sysconfig/network/dhcp r,
 +  /etc/sysconfig/network/scripts/functions.common r,
 +  /etc/sysconfig/network/scripts/functions r,
 +  /sbin/ip mrix,
 +  /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
 +  /var/lib/dhcp/* rw,
 +  /var/run/nm-dhclient-*.conf r,
 +
 }
 --- /dev/null
 +++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -0,0 +1,21 @@
 +# Last Modified: Tue Jan 25 16:48:30 2011
 +#include <tunables/global>
 +
 +# dhclient-script will call plugins from /etc/netconfig.d, so this
 +# will need to be extended on a per-site basis.
 +
 +/sbin/dhclient-script {
 +  #include <abstractions/base>
 +  #include <abstractions/bash>
 +  #include <abstractions/consoles>
 +
 +  /bin/bash rix,
 +  /bin/grep rix,
 +  /bin/sleep rix,
 +  /bin/touch rix,
 +  /dev/.sysconfig/network/** r,
 +  /etc/netconfig.d/* mrix,
 +  /etc/sysconfig/network/** r,
 +  /sbin/dhclient-script r,
 +  /sbin/ip rix,
 +}
--- a/56
+++ b/56
@ -0,0 +1,56 @@
 From: Jeff Mahoney <jeffm@suse.com>
 Subject: apparmor-utils: Allow repository to be completely disabled
 This patch allows the repository to be completely disabled. It's been
 subject to massive bitrot and isn't really maintained.
 It will only confuse the user if they are asked for repository information
 and it doesn't work.
 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
 ---
 utils/SubDomain.pm |    5 +++++
 utils/logprof.conf |    4 ++++
 2 files changed, 9 insertions(+)
 --- a/utils/SubDomain.pm
 +++ b/utils/SubDomain.pm
@@ -3107,6 +3107,8 @@ sub UI_repo_signup {
 sub UI_ask_to_enable_repo {
     my $q = { };
 +    return if (defined $cfg->{settings}{allow_repository} &&
 +		       $cfg->{settings}{allow_repository} eq "no");
     return if ( not defined $cfg->{repository}{url} );
     $q->{headers} = [
       gettext("Repository"), $cfg->{repository}{url},
@@ -3231,6 +3233,8 @@ sub get_preferred_user ($) {
 sub repo_is_enabled () {
     my $enabled;
 +    return 0 if defined($cfg->{settings}{allow_repository}) &&
 +		        $cfg->{settings}{allow_repository} eq "no";
     if ($cfg->{repository}{url} &&
         $repo_cfg &&
         $repo_cfg->{repository}{enabled} &&
@@ -3244,6 +3248,7 @@ sub repo_is_enabled () {
 sub update_repo_profile {
     my $profile = shift;
 +    return undef if not repo_is_enabled();
     return undef if ( not is_repo_profile($profile) );
     my $distro = $cfg->{repository}{distro};
     my $url    = $profile->{repo}{url};
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
@@ -35,6 +35,10 @@
   # files.
   custom_includes =
 +  # whether to prompt to enable repositories (values: yes/no)
 +  # This feature has fallen to bitrot and should not be used.
 +  allow_repository = no
 +
 [repository]
   distro         = ubuntu-intrepid
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Tue Jan 25 23:25:28 CET 2011 - jeffm@suse.de
 - Updated dhclient profile and added dhclient-script profile (bnc#561152).
 -------------------------------------------------------------------
 Tue Jan 25 18:11:00 CET 2011 - jeffm@suse.de
 - Added ability to completely disable repositories.
 -------------------------------------------------------------------
 Mon Jan 24 21:27:45 CET 2011 - jeffm@suse.de
 - Properly indent sub-profiles after genprof completion (bnc#480795).
 -------------------------------------------------------------------
 Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de
--- a/apparmor.spec
+++ b/apparmor.spec
@ -49,13 +49,13 @@ Name:           apparmor
 %endif
 Summary:        AppArmor userlevel parser utility
 Version:        %{srcversion}.%{bzr_commit}
-Release:        1
+Release:        49
 Group:          Productivity/Networking/Security
 Source0:        apparmor-%{srcversion}.tar.bz2
 Source1:        %{name}-profile-editor.png
 Source2:        %{name}-profile-editor.desktop
 Source3:        update-trans.sh
-Patch:          apparmor-2.5-%{bzr_commit}
+Patch:		apparmor-2.5-%{bzr_commit}
 Patch1:         pam-apparmor-include
 Patch2:         mod_apparmor-includes
 Patch3:         tomcat-build-fixes
@ -84,15 +84,16 @@ Patch25:        apparmor-2.5.1-ntpd-proc-fixes
 Patch26:        apparmor-2.5.1-edirectory-profile
 Patch27:        apparmor-2.5.1-firefox-proc-fix
 Patch28:        apparmor-2.5.1-unconfined-fixes
-Patch29:        apparmor-utils-inherit-flags-during-profile-generation
+Patch29:	apparmor-utils-inherit-flags-during-profile-generation
 Patch30:        apparmor-2.5.1-ldapclient-profile
-#Patch31:
+Patch31:	genprof-whitespace-in-profile-fix
-#Patch32:
+Patch32:	apparmor-remove-repo
 Patch33:        apparmor-2.5.1-ntpd-sys_nice
 Patch34:        apparmor-2.5.1-ssl-fix
-Patch35:        apparmor-2.5.1-dnsmasq-libvirt-profile-fix
+Patch35:	apparmor-2.5.1-dnsmasq-libvirt-profile-fix
-Patch36:        klog-needs-CAP_SYSLOG
+Patch36:	klog-needs-CAP_SYSLOG
-Patch37:        apparmor-2.5.1-network-fixes
+Patch37:	apparmor-2.5.1-network-fixes
 Patch38:	apparmor-profiles-dhclient
 License:        GPLv2+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            https://launchpad.net/apparmor
@ -163,7 +164,7 @@ Provides:       subdomain-parser-demo = %{version}
 Provides:       subdomain-parser-common = %{version}
 Provides:       subdomain-leaf-cert = %{version}
 Provides:       libimnxcert = %{version}
-Provides:       apparmor-parser(CAP_SYSLOG)
+Provides:	apparmor-parser(CAP_SYSLOG)
 %description parser
 The AppArmor Parser is a userlevel program that is used to load in
@ -318,7 +319,7 @@ Summary:        AppArmor profiles that are loaded into the apparmor kernel modul
 Group:          Productivity/Security
 Obsoletes:      subdomain-profiles < %{version}
 Provides:       subdomain-profiles = %{version}
-Requires:       apparmor-parser(CAP_SYSLOG)
+Requires:	apparmor-parser(CAP_SYSLOG)
 %description profiles
 Base profiles. AppArmor is a file and network mandatory access control
@ -493,11 +494,14 @@ SubDomain.
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
 %build
 export SUSE_ASNEEDED=0
--- a/39
+++ b/39
@ -0,0 +1,39 @@
 From: Jeff Mahoney <jeffm@suse.com>
 Subject: apparmor-utils: setprofileflags() drops leading whitespace
 References: bnc#480795
 setprofileflags() drops leading whitespace for subprofiles. writeheader()
 properly indents subprofiles 2 spaces per nesting level but when
 genprof sets the profile to enforce mode at completion, the whitespace
 is removed.
 This patch adds the whitespace globbing to the regexp and uses it to
 prefix the sub-profile with the correct spacing.
 Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
 Signed-off-by: Jeff Mahoney <jeffm@suse.com>
 ---
 utils/SubDomain.pm |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 --- a/utils/SubDomain.pm
 +++ b/utils/SubDomain.pm
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
     if (open(PROFILE, "$filename")) {
         if (open(NEWPROFILE, ">$filename.new")) {
             while (<PROFILE>) {
 -                if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
 -                    my ($binary, $flags) = ($1, $5);
 +                if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
 +                    my ($space, $binary, $flags) = ($1, $2, $6);
                     if ($newflags) {
 -                        $_ = "$binary flags=($newflags) {\n";
 +                        $_ = "$space$binary flags=($newflags) {\n";
                     } else {
 -                        $_ = "$binary {\n";
 +                        $_ = "$space$binary {\n";
                     }
                 } elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) {
                     my ($hat, $flags) = ($1, $2);