Accepting request 563667 from home:kukuk:branches:security:apparmor

- disable write cache if filesystem is read-only and don't bail
  out (bsc#1069906, bsc#1074429)

OBS-URL: https://build.opensuse.org/request/show/563667
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=199
Christian Boltz 2018-01-16 19:32:25 +00:00 committed by Git OBS Bridge
parent c6c48cc166
commit ede3b9fa12
3 changed files with 30 additions and 9 deletions

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Jan 11 18:14:47 CET 2018 - kukuk@suse.de
- disable write cache if filesystem is read-only and don't bail
out (bsc#1069906, bsc#1074429)
-------------------------------------------------------------------
Thu Jan 4 13:20:20 UTC 2018 - suse-beta@cboltz.de
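Review bot: the new changelog entry does not name the patch file it introduces. The spec adds it as Patch10 (disable-cache-on-ro-fs.diff), so the entry should mention that file name next to the bsc references, which lets the change be traced from the changelog to the patch.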

@ -70,6 +70,9 @@ Patch8: 32-bit-no-uid.diff
# make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
Patch9: parser-write-cache-warn-only.diff
# Disable write cache if filesystem is read-only, don't abort
Patch10: disable-cache-on-ro-fs.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define apparmor_bin_prefix /lib/apparmor
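Review bot: the comment above Patch10 gives no origin or upstream status, unlike the Patch9 comment directly above it, which records the upstream merge request and the date it was taken. Add the bug references (bsc#1069906, bsc#1074429) and state whether the change has been submitted upstream, so a later version update can tell when the patch can be dropped.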
@ -172,7 +175,7 @@ The documentation is in the apparmor-admin_en package.
%package -n perl-apparmor
Summary: Perl interface for libapparmor functions
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Development/Libraries/Perl
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
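Review bot: the License tag change from "and" to "AND" in this hunk is not mentioned in the changelog entry, and the same edit repeats in each of the subpackage hunks that follow. It is unrelated to the read-only cache fix; either list it in the changelog or move it to a separate request.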
@ -189,7 +192,7 @@ applications interfacing with AppArmor.
%package -n python-apparmor
Summary: Python 2 interface for libapparmor functions
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Development/Libraries/Python
BuildRequires: python
Requires: libapparmor1 = %{version}
@ -208,7 +211,7 @@ applications interfacing with AppArmor.
%package -n python3-apparmor
Summary: Python 3 interface for libapparmor functions
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Development/Libraries/Python
Requires: libapparmor1 = %{version}
Requires: python = %{py3_ver}
@ -225,7 +228,7 @@ applications interfacing with AppArmor.
%package -n ruby-apparmor
Summary: Ruby interface for libapparmor functions
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Development/Languages/Ruby
Requires: libapparmor1 = %{version}
Requires: ruby = %(rpm -q --qf '%%{version}' ruby)
@ -240,7 +243,7 @@ applications interfacing with AppArmor.
%package abstractions
Summary: AppArmor abstractions and directory structure
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Productivity/Security
Requires: apparmor-parser(CAP_SYSLOG)
BuildArch: noarch
@ -259,7 +262,7 @@ SubDomain.
%package profiles
Summary: AppArmor profiles that are loaded into the apparmor kernel module
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Productivity/Security
Requires: apparmor-abstractions >= %{version}
Requires: apparmor-parser(CAP_SYSLOG)
@ -278,7 +281,7 @@ SubDomain.
%package utils
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Productivity/Security
Requires: libapparmor1 = %{version}
# some of the tools are still perl-based (aa-decode and aa-notify)
@ -307,7 +310,7 @@ It is part of a suite of tools that used to be named SubDomain.
%package -n tomcat_apparmor
Summary: Tomcat 6 plugin for AppArmor change_hat
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: System/Libraries
Requires: libapparmor1 = %{version}
Requires: tomcat6
@ -325,7 +328,7 @@ created for individual URL processing or per servlet.
%package -n pam_apparmor
Summary: PAM module for AppArmor change_hat
License: GPL-2.0 and LGPL-2.1+
License: GPL-2.0 AND LGPL-2.1+
Group: Productivity/Security
BuildRequires: pam-devel
PreReq: pam
@ -359,6 +362,7 @@ SubDomain.
%patch7
%patch8 -p1
%patch9 -p1
%patch10 -p0
%build
export SUSE_ASNEEDED=0
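Review bot: %patch10 is applied with -p0 while %patch8 and %patch9 use -p1. That matches the unprefixed paths in the patch header (--- parser/parser_main.c), but regenerating the patch with a one-level path prefix and applying it with -p1 would keep the patch list consistent and avoid a strip-level mistake when the patch is refreshed.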

@ -0,0 +1,11 @@
--- parser/parser_main.c
+++ parser/parser_main.c 2018/01/11 16:52:00
@@ -1124,7 +1124,7 @@
retval = aa_policy_cache_new(&policy_cache, features,
AT_FDCWD, cacheloc, max_caches);
if (retval) {
- if (errno != ENOENT && errno != EEXIST) {
+ if (errno != ENOENT && errno != EEXIST && errno != EROFS) {
PERROR(_("Failed setting up policy cache (%s): %s\n"),
cacheloc, strerror(errno));
return 1;
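Review bot: the whole patch is this one condition, so adding errno != EROFS only stops the early return 1; nothing in the visible lines turns the write cache off, which is what the changelog entry promises. Please confirm that the path the ENOENT and EEXIST cases already fall through to also disables cache writes when aa_policy_cache_new() fails with EROFS. The patch file also starts straight at the --- line; a short header with the description and the bug references would document why EROFS is tolerated here.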