From 5958c64a3e5a7e7cc505637ad9c76564e8ad5b0d61d35368b24c9da3d0a994e6 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 4 Oct 2017 11:33:29 +0000
Subject: [PATCH 1/2] Accepting request 530988 from home:goldwynr:branches:security:apparmor

added the temporary fix to profiles abstractions/nameservice

OBS-URL: https://build.opensuse.org/request/show/530988
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=185
---
 apparmor.changes                     |  6 +++++
 apparmor.spec                        |  4 +++
 profiles-sockets-temporary-fix.patch | 39 ++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 profiles-sockets-temporary-fix.patch

diff --git a/apparmor.changes b/apparmor.changes
index e1cbb70..63089d4 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com
+
+- profiles-sockets-temporary-fix.patch to cater to nameservices
+  with the new sockets mediation, until unix rules are upstreamed.
+
 -------------------------------------------------------------------
 Sun Sep 24 09:14:02 UTC 2017 - coolo@suse.com
 
diff --git a/apparmor.spec b/apparmor.spec
index 453d296..131e619 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -88,6 +88,9 @@ Patch13: apparmor-json-support.patch
 # https://marc.info/?l=apparmor-dev&m=150151113011870&q=p7
 Patch14: apparmor-fix-podsyntax.patch
 
+#boo 1061195
+Patch15: profiles-sockets-temporary-fix.patch
+
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -395,6 +398,7 @@ touch libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.err
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"
diff --git a/profiles-sockets-temporary-fix.patch b/profiles-sockets-temporary-fix.patch
new file mode 100644
index 0000000..cfd023c
--- /dev/null
+++ b/profiles-sockets-temporary-fix.patch
@@ -0,0 +1,39 @@
+Subject: [PATCH] Temporarily fix socket mediation in nameservice
+References: bsc#1061195
+
+
+As per the conversation on IRC:
+cboltz: ah yes, the upstreamed version fixes a couple
+holes in the old patch suse carried
+
+One of these "holes" were unix events, which explains the denials you noticed (and that I also see now after installing 4.14rc2).
+
+The final solution will be to add some "unix" rules - but that's hard at the moment because 4.14 doesn't log all details needed for unix rules.
+
+Instead, I'll add a temporary patch for abstractions/nameservice that adds
+ network unix dgram,
+ network unix stream,
+
+(including a TODO note to replace it as soon as support for unix rules
+was upstreamed, probably 4.15). These rules are broader than needed,
+but should avoid user-visible breakage - and at least with 4.14, unix
+rules would get downgraded to network unix anyway ;-)
+
+---
+ profiles/apparmor.d/abstractions/nameservice | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/profiles/apparmor.d/abstractions/nameservice
++++ b/profiles/apparmor.d/abstractions/nameservice
+@@ -92,5 +92,11 @@
+   # Netlink raw needed for nscd
+   network netlink raw,
+ 
++  # This is a temporary fix for nameservices with the new socket
++  # mediations in 4.14-rc2
++  # TODO: To be replaced once unix rules are upstreamed
++  network unix dgram,
++  network unix stream,
++
+   # interface details
+   @{PROC}/@{pid}/net/route r,
From 60a2ec39cc1def7866223a9c85f37fa98e16b9178da5ccc63680725b7fa99426 Mon Sep 17 00:00:00 2001
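Review bot: The rules `network unix dgram,` and `network unix stream,` are added to abstractions/nameservice, which is pulled in by many profiles, so every profile that includes it gains unrestricted AF_UNIX stream and dgram access rather than only the name-service paths that produced the denials; the patch description admits the rules are broader than needed, but the in-file comment does not say so. The comment above the rules should state the scope, e.g. `# NOTE: broader than needed - grants unrestricted unix stream/dgram to every profile including this abstraction`, so that anyone auditing an individual profile can see where the widening comes from. The TODO line should also carry the tracking reference already used in the patch header (bsc#1061195), so the temporary rule is not forgotten once unix rules are available.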
From: Christian Boltz
Date: Wed, 4 Oct 2017 11:35:57 +0000
Subject: [PATCH 2/2] better patch description and changelog for profiles-sockets-temporary-fix.patch

OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=186
---
 apparmor.changes | 4 ++--
 apparmor.spec    | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/apparmor.changes b/apparmor.changes
index 63089d4..ef054bd 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,8 +1,8 @@
 -------------------------------------------------------------------
 Tue Oct 3 16:28:52 UTC 2017 - rgoldwyn@suse.com
 
-- profiles-sockets-temporary-fix.patch to cater to nameservices
-  with the new sockets mediation, until unix rules are upstreamed.
+- profiles-sockets-temporary-fix.patch to cater to nameservices with the
+  new sockets mediation, until unix rules are upstreamed (boo#1061195)
 
 -------------------------------------------------------------------
 Sun Sep 24 09:14:02 UTC 2017 - coolo@suse.com
diff --git a/apparmor.spec b/apparmor.spec
index 131e619..b4a88f3 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -88,7 +88,8 @@ Patch13: apparmor-json-support.patch
 # https://marc.info/?l=apparmor-dev&m=150151113011870&q=p7
 Patch14: apparmor-fix-podsyntax.patch
 
-#boo 1061195
+# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only)
+# TODO: replace with proper unix rules when Kernel 4.15 arrives
 Patch15: profiles-sockets-temporary-fix.patch
 
 PreReq: sed