Accepting request 57745 from security:apparmor:factory

Accepted submit request 57745 from user jeff_mahoney

OBS-URL: https://build.opensuse.org/request/show/57745
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=1
Marcus Rückert 2011-01-17 16:43:05 +00:00 committed by Git OBS Bridge
commit f270973a6c
43 changed files with 30026 additions and 0 deletions

23
.gitattributes vendored Normal file
@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
@ -0,0 +1 @@
.osc

@ -0,0 +1,45 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-profiles: Add support for eDirectory calls from nscd
References: bnc#621394
eDirectory hooks into nscd and provides its own libraries. In order for
this to operate properly with AppArmor, it needs to be told about these
libraries.
This patch adds a new abstract profile and includes it in the nameservice
profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/abstractions/nameservice | 3 +++
profiles/apparmor.d/abstractions/novell-edirectory | 13 +++++++++++++
2 files changed, 16 insertions(+)
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -71,6 +71,9 @@
# kerberos
#include <abstractions/kerberosclient>
+ # Novell eDirectory
+ #include <abstractions/novell-edirectory>
+
# TCP/UDP network access
network inet stream,
network inet6 stream,
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/novell-edirectory
@@ -0,0 +1,13 @@
+# $Id$
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /opt/novell/eDirectory/lib/lib*so* r,
+ /opt/novell/eDirectory/lib64/lib*so* r,
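Review bot: the two library rules grant only `r`, but these are shared objects that nscd and its NSS module will dlopen and map executable, which AppArmor mediates as `m`; use `mr` here, as abstractions/base does for `/lib/**.so*`, otherwise the load is denied in enforce mode. The glob `lib*so*` also matches any file starting with `lib` that contains `so` anywhere in its name; `lib*.so*` is the tighter spelling.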

@ -0,0 +1,26 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-profiles: Fix proc usage in firefox profile
References: bnc#436262
This patch corrects the use of the {proc} macro. It should be {PROC}.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
@@ -32,9 +32,9 @@
/opt/kde3/share/applications/ r,
/opt/kde3/share/applications/mimeinfo.cache r,
- owner @{proc}/*/mounts r,
- @{proc}/meminfo r,
- @{proc}/sys/kernel/ngroups_max r,
+ owner @{PROC}/*/mounts r,
+ @{PROC}/meminfo r,
+ @{PROC}/sys/kernel/ngroups_max r,
/usr/lib/**.so mr,

@ -0,0 +1,43 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix use after free in regexp parser
There are two cases of use-after-free in the simply_tree_base code. It
worked in the past because there aren't any allocations between the
free and the use, so it was still around.
With glibc's memory perturbing feature (set _MALLOC_PERTURB to anything),
the freed memory is poisoned. This causes crashes in e.g. apparmor_parser
while parsing certain profiles.
This patch addresses it by saving a pointer to the node to free after
the node is advanced.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
parser/libapparmor_re/regexp.yy | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/parser/libapparmor_re/regexp.yy
+++ b/parser/libapparmor_re/regexp.yy
@@ -720,17 +720,19 @@ Node *simplify_tree_base(Node *t, int di
Node *i = t->child[!dir];
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
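Review bot: the fix is correct only because `t->child[!dir]->dup()` runs before `old->release()`, keeping the child alive across the release; a one-line comment next to each `Node *old = t;` saying so would stop a later reordering from reintroducing the use-after-free. A regression profile under parser/tst run with `MALLOC_PERTURB_` set (the glibc variable has a trailing underscore; the description spells it `_MALLOC_PERTURB`) would catch a recurrence.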

@ -0,0 +1,59 @@
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
===================================================================
--- /dev/null
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+ /etc/ldap.conf r,
+ /etc/ldap.secret r,
+ /etc/openldap/* r,
+ /etc/openldap/cacerts/* r,
+
+ # SASL plugins and config
+ /etc/sasl2/* r,
+ /usr/lib{,32,64}/sasl2/* r,
+
+ #include <abstractions/ssl_certs>
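Review bot: `/usr/lib{,32,64}/sasl2/* r,` covers the SASL mechanism plugins that libsasl2 dlopens, so they need `mr`, not `r`, or the mechanism load fails under enforce. Also `/etc/ldap.secret r,` exposes the LDAP bind password to every profile that includes abstractions/nameservice; it carries over from the lines removed there, so it is not a regression, but a comment saying the exposure is deliberate would help the next reader.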
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
===================================================================
--- apparmor-2.5.1.orig/profiles/apparmor.d/abstractions/nameservice
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
@@ -17,8 +17,6 @@
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
- /etc/ldap.conf r,
- /etc/ldap.secret r,
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/passwd r,
@@ -33,9 +31,6 @@
/etc/samba/lmhosts r,
/etc/services r,
- # all openldap config
- /etc/openldap/* r,
- /etc/ldap/** r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
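Review bot: `/etc/ldap/** r,` is removed here but not carried into abstractions/ldapclient, so profiles on distributions that keep OpenLDAP configuration under /etc/ldap/ (Debian and Ubuntu) lose it; add `/etc/ldap/** r,` to ldapclient alongside the `/etc/openldap/*` rule.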
@@ -59,6 +54,9 @@
# nis
#include <abstractions/nis>
+ # ldap
+ #include <abstractions/ldapclient>
+
# winbind
#include <abstractions/winbind>

@ -0,0 +1,28 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor.d/usr.sbin.ntpd | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -59,11 +59,11 @@
/var/run/ntpd.pid w,
/var/tmp/ntp* rwl,
@{PROC}/*/net/if_inet6 r,
- @{PROC}/*/sys/kernel/ngroups_max r,
+ @{PROC}/sys/kernel/ngroups_max r,
# allow access for when chrooted
/var/lib/ntp/@{PROC}/*/net/if_inet6 r,
- /var/lib/ntp/@{PROC}/*/sys/kernel/ngroups_max r,
+ /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
@{NTPD_DEVICE} rw,
}

@ -0,0 +1,82 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Use _GNU_SOURCE when asprintf is used
There are a few places in the parser that use asprintf but don't actually
get the prototype from stdio.h. _GNU_SOURCE is needed for that.
It works as-is but rpmlint in the openSUSE Build Service complains about it.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
parser/Makefile.am | 1 +
parser/parser_include.c | 2 ++
parser/parser_interface.c | 1 +
parser/parser_lex.l | 4 ++++
parser/parser_main.c | 1 +
parser/parser_variable.c | 1 +
6 files changed, 10 insertions(+)
--- a/parser/Makefile.am
+++ b/parser/Makefile.am
@@ -14,6 +14,7 @@ dist_man_MANS = apparmor.d.5 apparmor.7
BUILT_SOURCES = parser_lex.c parser_yacc.c af_names.h cap_names.h
AM_YFLAGS = -d
AM_CFLAGS = -DLOCALEDIR=\"$(localedir)\"
+AM_LFLAGS = -D_GNU_SOURCE
apparmor_parser_SOURCES = parser_yacc.y parser_lex.l parser_include.c \
parser_interface.c parser_main.c parser_misc.c \
parser_merge.c parser_symtab.c parser_regex.c \
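Review bot: `AM_LFLAGS = -D_GNU_SOURCE` only reaches flex, whose `-Dmacro` emits a `#define` into the generated scanner, so it overlaps with the `%{ %}` block added to parser_lex.l; check which of the two actually lands before the scanner's own `#include <stdio.h>` and keep one. Defining `_GNU_SOURCE` once in `AM_CFLAGS` would cover all six files and remove the per-file `#define` lines.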
--- a/parser/parser_include.c
+++ b/parser/parser_include.c
@@ -35,6 +35,8 @@
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
+
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include <assert.h>
#include <stdio.h>
#include <string.h>
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -20,6 +20,10 @@
/* Definitions section */
/* %option main */
+%{
+#define _GNU_SOURCE /* for asprintf in stdio.h */
+%}
+
/* eliminates need to link with libfl */
%option noyywrap
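Review bot: a `%{ %}` block in the definitions section is emitted after flex's own `#include <stdio.h>` in the generated scanner, so this `#define _GNU_SOURCE` comes too late to expose the asprintf prototype there; `%top{ ... }` (newer flex) is placed before those includes, or rely on the Makefile flag instead.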
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

@ -0,0 +1,57 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
return if ($e->{operation} =~ /profile_set/);
my ($profile, $hat);
+
+ # The version of AppArmor that was accepted into the mainline kernel
+ # issues audit events for things like change_hat while unconfined.
+ # Previous versions just returned -EPERM without the audit so the
+ # events wouldn't have been picked up here.
+ return if (!$e->{profile});
+
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.
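Review bot: `return if (!$e->{profile});` drops any event without a profile field, not only the unconfined change_hat case the description targets, so a truncated or malformed line is skipped silently as well. Matching `info="unconfined"` explicitly via `$e->{info}`, or emitting a debug message when skipping, keeps the two cases distinguishable.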
@@ -6625,10 +6632,15 @@ sub parse_event($) {
LibAppArmor::free_record($event);
#map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),

27492
apparmor-2.5.1-unified-build Normal file

File diff suppressed because it is too large

3
apparmor-2.5.1.tar.bz2 Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:00334c3e5391fa1578aa177ec5da1232073bc88141c1a49c3ecb1814784cc99b
size 1293448

@ -0,0 +1,22 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-docs: Fix grammar error in techdoc.pdf
References: bnc#588235
This patch fixes a grammar error in techdoc.pdf.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
parser/techdoc.tex | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/techdoc.tex
+++ b/parser/techdoc.tex
@@ -213,7 +213,7 @@ files by controlling file descriptor pas
\subsection{Mount}
-Mounting can change a process's namespace in in almost arbitrary ways.
+Mounting can change a process's namespace in almost arbitrary ways.
This is a problem because AppArmor's file access control is pathname
based, and granting a process the right to arbitrarily change its
namespace would subvert this protection mechanism. AppArmor therefore

15
apparmor-no-caching-test Normal file
@ -0,0 +1,15 @@
---
parser/tst/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -12,7 +12,7 @@ endif
all: tests
.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+tests: error_output parser_sanity
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
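Review bot: dropping `caching` from the `tests` target removes the profile-cache tests from the package build with no explanation in the patch; state what fails (a build-environment limitation such as a read-only or timestamp-sensitive cache directory, or a real bug) and prefer skipping only the failing case. The cache decides whether a changed profile gets recompiled, so a regression there means stale policy is loaded, which is exactly what these tests guard.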

@ -0,0 +1,19 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-parser: Fix up translations
References: bnc#586070
---
parser/parser_interface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -77,7 +77,7 @@ static void print_error(int error)
PERROR(_("Out of memory\n"));
break;
case -EFAULT:
- PERROR(_("Couldn't copy profile Bad memory address\n"));
+ PERROR(_("Couldn't copy profile: Bad memory address\n"));
break;
case -EPROTO:
PERROR(_("Profile doesn't conform to protocol\n"));

16
apparmor-perl Normal file
@ -0,0 +1,16 @@
---
utils/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -41,7 +41,8 @@ all: ${MANPAGES} ${HTMLMANPAGES}
DESTDIR=/
BINDIR=${DESTDIR}/usr/sbin
CONFDIR=${DESTDIR}/etc/apparmor
-PERLDIR=${DESTDIR}/usr/lib/perl5/vendor_perl/Immunix
+VENDOR_PERL ?= /usr/lib/perl5/vendor_perl
+PERLDIR := ${DESTDIR}${VENDOR_PERL}/Immunix
po/${NAME}.pot: ${TOOLS}
make -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} SubDomain.pm Repository.pm Config.pm Reports.pm"

@ -0,0 +1,10 @@
[Desktop Entry]
Encoding=UTF-8
Name=AppArmor Profile Editor
Comment=Edit AppArmor profiles
Exec=profileeditor %f
Terminal=false
Type=Application
Icon=apparmor-profile-editor
Categories=Utility;TextEditor;
X-KDE-SubstituteUID=true
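Review bot: `Encoding=UTF-8` is deprecated in the Desktop Entry specification (UTF-8 is the required encoding) and can be dropped. `X-KDE-SubstituteUID=true` makes the launcher run `profileeditor %f` as root through the KDE su prompt; that is needed to write under /etc/apparmor.d, but it means the whole editor, not just the save step, runs with root privileges, which deserves a comment in the file.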

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:99e35156e4b59d83f418dc348626ea88651e548d9d734c7316d89b500adcce41
size 3754

@ -0,0 +1,59 @@
---
profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -16,20 +16,31 @@
capability setuid,
/bin/bash ixr,
+ /bin/cat ix,
+
+ /usr/bin/foomatic-rip ixr,
+ /etc/foomatic/** r,
+
+ /usr/bin/gs ix,
+ /usr/lib/ghostscript/** m,
+ /usr/lib64/ghostscript/** m,
+ /usr/share/ghostscript/** r,
+ /etc/ghostscript/** r,
+
/dev/lp0 rw,
/dev/tty rw,
/dev/ttyS? w,
/etc/cups rw,
/etc/cups/ r,
- /etc/cups/* r,
+ /etc/cups/** r,
/etc/cups/certs w,
/etc/cups/certs/* w,
- /etc/cups/classes.conf rw,
- /etc/cups/cupsd.conf rw,
+ /etc/cups/*.conf* rw,
/etc/cups/ppd rw,
+ /etc/printcap rw,
/etc/cups/printcap rw,
- /etc/cups/printers.conf rw,
/etc/cups/ssl rw,
+ /etc/cups/yes/* rw,
/etc/hosts.allow r,
/etc/hosts.deny r,
/proc/meminfo r,
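Review bot: `/usr/lib/ghostscript/** m,` and its lib64 twin grant mmap-exec without read; the loader opens a library before mapping it, so these need `mr`. `/etc/cups/yes/* rw,` matches no standard CUPS path and looks like a typo. Replacing the three per-file `rw` lines with `/etc/cups/*.conf* rw,` also widens write access to every `*.conf*` name in /etc/cups, including backup and `.default` copies; list the files cupsd actually rewrites (classes.conf, cupsd.conf, printers.conf) instead.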
@@ -39,11 +50,15 @@
/usr/bin/smbspool ixr,
/usr/lib/cups/backend/* ixr,
/usr/lib/cups/filter/* ixr,
- /usr/sbin/cupsd mr,
+ /usr/sbin/cupsd mixr,
/usr/share/cups/** r,
/var/log/cups/access_log rw,
/var/log/cups/error_log rw,
/var/spool/cups rw,
+ /var/spool/cups/** rw,
/var/spool/cups/tmp w,
/var/spool/cups/tmp/ r,
+ /var/run/cups/** rw,
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rw,
}
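Review bot: `/usr/sbin/cupsd mixr,` adds an `ix` self-exec; if the reason is cupsd re-executing itself on reload, say so, since `mr` is all the running daemon needs. `/var/run/cups/** rw,`, `/var/spool/cups/** rw,` and `/var/cache/cups/** rw,` combine with the `ixr` rules on backends and filters above, so every filter inherits write access to the whole spool, run and cache trees; that follows the existing design, but the cache rule in particular could be narrowed to the files actually written.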

@ -0,0 +1,38 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux accesses /proc/filesystems to determine if it's enabled
bash won't execute
audit_control is probably from libselinux too
---
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -30,6 +30,8 @@
capability kill,
capability setgid,
capability setuid,
+ capability audit_control,
+ capability sys_ptrace,
/dev/ptmx rw,
/dev/urandom r,
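Review bot: `capability sys_ptrace` is not justified by the description, which only accounts for audit_control and /proc/filesystems; sys_ptrace lets the confined process inspect other processes (memory and the restricted /proc/[pid]/ entries), so record which denial it fixes or drop it until one is seen.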
@@ -44,11 +46,12 @@
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
+ @{PROC}/filesystems r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
/bin/ash Ux,
- /bin/bash Ux,
+ /bin/bash rUx,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,

@ -0,0 +1,33 @@
--- a/profiles/apparmor.d/sbin.syslog-ng.old 2008-11-05 15:53:00.000000000 +0100
+++ b/profiles/apparmor.d/sbin.syslog-ng 2010-11-05 09:11:23.186489224 +0100
@@ -19,12 +19,14 @@
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
+ #include <abstractions/mysql>
capability chown,
capability dac_override,
capability fsetid,
capability fowner,
capability sys_tty_config,
+ capability sys_resource,
/dev/log w,
/dev/syslog w,
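Review bot: this patch carries no description; `capability sys_resource` (raising resource limits, e.g. the open-file limit for many log sources) and `#include <abstractions/mysql>` (the MySQL client socket for an sql destination) both widen the profile and deserve a line each naming the denial that prompted them.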
@@ -35,11 +37,14 @@
/etc/hosts.deny r,
/etc/hosts.allow r,
/sbin/syslog-ng mr,
+ /usr/share/syslog-ng/** r,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
+ /var/run/syslog-ng/additional-log-sockets.conf r,
}

119
apparmor-scripts Normal file
@ -0,0 +1,119 @@
---
parser/rc.aaeventd.suse | 2 +-
parser/rc.apparmor.functions | 16 ++++++++--------
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
3 files changed, 31 insertions(+), 10 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -30,7 +30,7 @@
### BEGIN INIT INFO
# Provides: aaeventd
# Required-Start: apparmor
-# Required-Stop:
+# Required-Stop: $null
# Default-Start: 2 3 5
# Default-Stop:
# Short-Description: AppArmor Notification and Reporting
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -111,9 +111,7 @@ is_apparmor_present() {
# check for subdomainfs version of module
grep -qE "^($modules)[[:space:]]" /proc/modules
- if [ $? -ne 0 ] ; then
- ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
- fi
+ [ $? -ne 0 -a -d /sys/module/apparmor ]
return $?
}
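Review bot: the replacement inverts the result when the module is listed in /proc/modules: after a successful grep `$?` is 0, `[ 0 -ne 0 -a -d /sys/module/apparmor ]` is false, and the function returns 1 (not present). It only works when AppArmor is built in and never appears in /proc/modules. `grep -qE "^($modules)[[:space:]]" /proc/modules || [ -d /sys/module/apparmor ]` keeps both cases.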
@@ -380,10 +378,11 @@ apparmor_start() {
configure_owlsm
# if there is anything in the profiles file don't load
- cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
+ if ! read line < "$SFS_MOUNTPOINT/profiles"; then
parse_profiles load
else
- aa_log_skipped_msg "AppArmor already loaded with profiles."
+ aa_log_skipped_msg ": already loaded with profiles."
+ return 0
fi
aa_log_end_msg 0
return 0
@@ -415,7 +414,8 @@ remove_profiles() {
#them so stor to tmp first
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- cat "$MODULE_PLIST" | while read profile ; do
+ # Skip subprofiles, they'll be removed with the owning profile
+ grep -v // "$MODULE_PLIST" | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
rc=$?
if [ ${rc} -ne 0 ] ; then
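Review bot: `while IFS= read profile` still lets `read` interpret backslashes; use `read -r` so a profile name containing `\` is written to `.remove` unchanged (the same applies to the `__apparmor_restart` loop below). The `grep -v //` filter matches the comment, since `//` only appears in subprofile names; the pre-existing `stor` typo in the comment above could be fixed while here.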
@@ -430,7 +430,7 @@ apparmor_stop() {
aa_log_daemon_msg "Unloading AppArmor profiles "
remove_profiles
rc=$?
- log_end_msg $rc
+ aa_log_end_msg $rc
return $rc
}
@@ -468,7 +468,7 @@ __apparmor_restart() {
profiles_names_list ${PNAMES_LIST}
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do
+ sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
done
rm "$MODULE_PLIST"
--- a/parser/rc.apparmor.suse
+++ b/parser/rc.apparmor.suse
@@ -34,6 +34,7 @@
# Required-Start: boot.cleanup
# Required-Stop: $null
# Should-Start: $local_fs
+# Should-Stop: $null
# Default-Start: B
# Default-Stop:
# Short-Description: AppArmor initialization
@@ -76,7 +77,19 @@ aa_log_warning_msg() {
}
aa_log_failure_msg() {
- log_failure_msg $*
+ log_failure_msg '\n'$*
+}
+
+aa_log_action_begin() {
+ echo -n
+}
+
+aa_log_action_end() {
+ echo -n
+}
+
+aa_log_daemon_msg() {
+ echo -en "$@ "
}
aa_log_skipped_msg() {
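Review bot: `log_failure_msg '\n'$*` leaves `$*` unquoted, so the message is re-split and glob-expanded; use `"$*"`, and note the literal `'\n'` only becomes a newline if `log_failure_msg` echoes with `-e`. The `aa_log_action_begin`/`aa_log_action_end` bodies of `echo -n` print nothing, which is fine for intentional no-ops under the SUSE rc scheme, but a comment saying so would stop someone "fixing" them.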
@@ -84,6 +97,14 @@ aa_log_skipped_msg() {
echo -e "$rc_skipped"
}
+aa_log_end_msg() {
+ v="-v"
+ if [ "$1" != '0' ]; then
+ rc="-v$1"
+ fi
+ rc_status $v
+}
+
usage() {
echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
}
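Review bot: in `aa_log_end_msg`, `rc` is set to `-v$1` for a non-zero argument but never used; `rc_status $v` always reports the exit status of the previous command, so a caller passing an explicit failure code (`aa_log_end_msg $rc` in `apparmor_stop`) has its value ignored. Either pass `$rc` instead of `$v`, or call `rc_failed $1` before `rc_status -v` so the reported status matches the argument.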

18
apparmor-startproc.patch Normal file
@ -0,0 +1,18 @@
---
parser/rc.aaeventd.suse | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -81,9 +81,9 @@ usage() {
start_aa_event() {
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
fi
}
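Review bot: the patch has no description; dropping `-f` (documented by startproc(8) as forcing a start even when an instance is already running) means a second aaeventd is now refused when the pid file is live, which is the safer behaviour but should be stated along with the problem that motivated it.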

15
apparmor-swig-build-fix Normal file
@ -0,0 +1,15 @@
---
libraries/libapparmor/swig/perl/Makefile.am | 1 +
1 file changed, 1 insertion(+)
--- a/libraries/libapparmor/swig/perl/Makefile.am
+++ b/libraries/libapparmor/swig/perl/Makefile.am
@@ -9,6 +9,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibA
Makefile.perl: Makefile.PL
$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
+ sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
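Review bot: `sed -ie` is parsed by GNU sed as `-i` with backup suffix `e`, not as `-i -e`, so this leaves a stray `Makefile.perle` beside the build output; write `sed -i -e 's/^LD_RUN_PATH.*//' Makefile.perl`. Stripping LD_RUN_PATH itself is right for packaging, since it would bake a build-tree rpath into LibAppArmor.so.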

@ -0,0 +1,24 @@
---
utils/SubDomain.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2304,7 +2304,7 @@ sub handlechildren {
unless (-e getprofilefilename($exec_target)) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$helpers{$exec_target} = "enforce";
@@ -2331,7 +2331,7 @@ sub handlechildren {
unless ($sd{$profile}{$exec_target}) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$hat = $exec_target;

107
apparmor-utils-SubDomain Normal file
@ -0,0 +1,107 @@
---
utils/Reports.pm | 2 +-
utils/SubDomain.pm | 2 +-
utils/genprof | 4 ++--
utils/rc.sd-event-dispatch.suse | 10 +++++-----
utils/unconfined | 2 +-
5 files changed, 10 insertions(+), 10 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -14,7 +14,7 @@ package Immunix::Reports;
################################################################################
# /usr/lib/perl5/site_perl/Reports.pm
#
-# - Parses /var/log/messages for SubDomain messages
+# - Parses /var/log/messages for AppArmor messages
# - Writes results to .html or comma-delimited (.csv) files (Optional)
#
# Requires:
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1590,7 +1590,7 @@ my %CMDS = (
CMD_GLOBEXT => "Glob w/(E)xt",
CMD_ADDHAT => "(A)dd Requested Hat",
CMD_USEDEFAULT => "(U)se Default Hat",
- CMD_SCAN => "(S)can system log for SubDomain events",
+ CMD_SCAN => "(S)can system log for AppArmor events",
CMD_HELP => "(H)elp",
CMD_VIEW_PROFILE => "(V)iew Profile",
CMD_USE_PROFILE => "(U)se Profile",
--- a/utils/genprof
+++ b/utils/genprof
@@ -52,7 +52,7 @@ GetOptions(
my $sd_mountpoint = check_for_subdomain();
unless ($sd_mountpoint) {
- fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
+ fatal_error(gettext("AppArmor does not appear to be started. Please enable AppArmor and try again."));
}
# let's convert it to full path...
@@ -166,7 +166,7 @@ for my $p (sort keys %helpers) {
}
}
-UI_Info(gettext("Reloaded SubDomain profiles in enforce mode."));
+UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0;
--- a/utils/rc.sd-event-dispatch.suse
+++ b/utils/rc.sd-event-dispatch.suse
@@ -7,14 +7,14 @@
# /usr/sbin/rcsd-event-dispatch
#
# chkconfig: 2345 01 99
-# description: SubDomain event dispatcher
+# description: AppArmor event dispatcher
#
### BEGIN INIT INFO
# Provides: sd-event-dispatch
# Required-Start: subdomain
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
-# Description: Start the SubDomain event dispacher
+# Description: Start the AppArmor event dispacher
### END INIT INFO
SD_EV_BIN=/usr/sbin/sd-event-dispatch.pl
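Review bot: while renaming, fix the pre-existing `dispacher` typo in the Description line, and check whether `Required-Start: subdomain` should become `apparmor` now that the init script provides that name; insserv cannot order against a service name that no longer exists.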
@@ -38,7 +38,7 @@ rc_reset
case "$1" in
start)
- echo -n "Starting SubDomain Event daemon"
+ echo -n "Starting AppArmor Event daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
@@ -48,7 +48,7 @@ case "$1" in
rc_status -v
;;
stop)
- echo -n "Shutting down SubDomain Event daemon"
+ echo -n "Shutting down AppArmor Event daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
@@ -75,7 +75,7 @@ case "$1" in
rc_status
;;
status)
- echo -n "Checking for SubDomain Event daemon"
+ echo -n "Checking for AppArmor Event daemon"
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;

@ -0,0 +1,26 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2789,7 +2789,9 @@ sub add_event_to_tree ($) {
""
);
}
- } elsif ($e->{operation} =~ m/file_/) {
+ } elsif ($e->{operation} =~ m/file_/ or
+ # These are the path operations introduced in 2.6.29
+ $e->{operation} =~ m/^(open|unlink|mkdir|rmdir|mknod|truncate|symlink_create|link|rename_src|rename_dest)$/) {
add_to_tree( $e->{pid},
$e->{parent},
"path",

@ -0,0 +1,29 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 3 +++
1 file changed, 3 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1750,6 +1750,9 @@ sub confirm_and_abort {
if ($ans eq "y") {
UI_Info(gettext("Abandoning all changes."));
shutdown_yast();
+ foreach my $prof (@created) {
+ delete_profile($prof);
+ }
exit 0;
}
}
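Review bot: `@created` is not visible in this hunk; confirm it is populated only with profiles genprof itself wrote during this run, as the description intends, and not with pre-existing profiles it merely edited, since `delete_profile` on a pre-existing profile would leave that program unconfined after an abort.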

@ -0,0 +1,36 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Fix handling of files in /
References: bnc#397883
The separate handling of files and directories with realpath is broken.
For files e.g. /foo, $dir ends up being empty since the / is eaten by
the regex. realpath resolves an empty argument as the current directory,
resulting in an incorrect path.
There's no explanation of why the separate handling was used in the
first place.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -511,14 +511,7 @@ sub get_full_path ($) {
}
}
- if (-f $path) {
- my ($dir, $file) = $path =~ m/^(.*)\/(.+)$/;
- $path = realpath($dir) . "/$file";
- } else {
- $path = realpath($path);
- }
-
- return $path;
+ return realpath($path);
}
sub findexecutable ($) {
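Review bot: the removed branch resolved the directory but kept the final component, i.e. it deliberately did not follow a symlink on the file itself, which is the likely reason for the split the description calls unexplained; `realpath($path)` now follows it. Since AppArmor mediates the resolved pathname, the new behaviour matches what appears in the log, so the change looks right, but saying so in the description closes the question. Note `realpath` returns undef for a non-existent path, so callers need to handle that.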

@ -0,0 +1,25 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
---
utils/SubDomain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1905,7 +1905,7 @@ sub handlechildren {
$hat = $h;
}
- next unless $profile && $hat;
+ next unless $profile && $hat && $detail;
my $domainchange = ($type eq "exec") ? "change" : "nochange";
# escape special characters that show up in literal paths

@ -0,0 +1,24 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: SubDomain.pm: Split long string
The string split here ends up not displaying well in yast.
---
utils/SubDomain.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -6241,7 +6241,12 @@ sub check_qualifiers {
if ($cfg->{qualifiers}{$program}) {
unless($cfg->{qualifiers}{$program} =~ /p/) {
- fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
+ fatal_error(sprintf(gettext(
+"\%s is currently marked as a program that should not have its own\n".
+"profile. Usually, programs are marked this way if creating a profile for \n".
+"them is likely to break the rest of the system. If you know what you're\n".
+"doing and are certain you want to create a profile for this program, edit\n".
+"the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
}
}
}

@ -0,0 +1,24 @@
From: Steve Beattie <sbeattie@ubuntu.com>
Subject: apparmor-utils: Support newer auditd formatted messages.
Patch from mancha on irc.
This is lp:apparmor/2.5 commit r1444.
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
---
utils/SubDomain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2420,7 +2420,7 @@
my $RE_LOG_v2_1_audit =
qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
my $RE_LOG_v2_6_audit =
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
sub prefetch_next_log_entry {
# if we already have an existing cache entry, something's broken
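Review bot: `(msg=)?` introduces a capturing group into $RE_LOG_v2_6_audit; if this pattern is ever used with $1/$2 or combined into a larger match, the capture numbering shifts, so prefer the non-capturing form `(?:msg=)?`. The change otherwise correctly accepts the newer `type=AVC msg=audit(...)` layout alongside the older `type=AVC audit(...)` one.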

@ -0,0 +1,54 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor-utils: Translation unification
References: bnc#586072
This patch removes small inconsistencies between identical strings to
allow for easier translation.
Reported-by: Isis Binder <isis.binder@gmail.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
utils/Reports.pm | 6 +++---
utils/unconfined | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -967,7 +967,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
@@ -980,7 +980,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
@@ -988,7 +988,7 @@ sub getEssStats {
eval { $ret = $dbh->selectall_arrayref("$query"); };
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
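Review bot: in all three getEssStats hunks the removed lines were already identical to each other, so adding the trailing period in "DBI Execution failed: %s." does not remove an inconsistency within this file; it creates a new msgid. Confirm that the period form is the one used elsewhere in the utils that these are being unified with, and update the .po entries so the message does not fall back to English.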
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;
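Review bot: the removed and added `die gettext(...)` lines render identically here, so the difference is whitespace-only (presumably a doubled space inside the message). That is a valid msgid unification, but the commit message should say so, since a reader of the diff cannot otherwise tell what changed.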

apparmor.changes Normal file
@ -0,0 +1,95 @@
-------------------------------------------------------------------
Mon Jan 10 19:27:01 CET 2011 - jeffm@suse.de
- apparmor-utils: Support newer auditd formatted messages.
- Fix two x transition conflict bugs. (bnc#662928)
-------------------------------------------------------------------
Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
- Splitted ldap related things from nameservice into separate
profile and added some missing paths (bnc#662761)
-------------------------------------------------------------------
Wed Dec 22 03:41:43 CET 2010 - jeffm@suse.de
- Fixed pod2man macros with older versions of GNU make
-------------------------------------------------------------------
Tue Dec 21 00:36:39 CET 2010 - jeffm@suse.de
- Fixed building of perl and ruby SWIG modules. The former
is required for apparmor-utils to work properly.
-------------------------------------------------------------------
Tue Dec 7 18:22:55 CET 2010 - jeffm@suse.de
- Fixed use-after-free issue in apparmor_parser.
-------------------------------------------------------------------
Tue Dec 7 17:52:59 CET 2010 - jeffm@suse.de
- Added fixes for logprof issuing uninitialized variable errors
while encountering audit messages for unconfined processes.
-------------------------------------------------------------------
Wed Dec 1 19:52:58 CET 2010 - jeffm@suse.de
- Updated cupsd profile (bnc#539401)
-------------------------------------------------------------------
Wed Dec 1 19:00:56 CET 2010 - jeffm@suse.de
- Fix {proc} vs {PROC} macro usage in firefox profile (bnc#436262)
-------------------------------------------------------------------
Wed Dec 1 18:41:31 CET 2010 - jeffm@suse.de
- Added support for eDirectory nameservice (bnc#621394)
-------------------------------------------------------------------
Wed Dec 1 18:05:44 CET 2010 - jeffm@suse.de
- Fixed incorrect /proc/*/sys usage in usr.sbin.ntpd profile (bnc#634801)
-------------------------------------------------------------------
Wed Dec 1 17:39:08 CET 2010 - jeffm@suse.de
- Added fix for another case of whitespace affecting profile
removal (bnc#510740)
-------------------------------------------------------------------
Tue Nov 30 12:00:00 CET 2010 - jeffm@suse.de
- Added support for unified build, which massively simplified
the packaging.
-------------------------------------------------------------------
Fri Nov 15 21:22:46 CET 2010 - czanik@balabit.hu
- Fix for syslog-ng profile to allow upgrade to v3.2
- add mysql support to syslog-ng profile
-------------------------------------------------------------------
Thu Oct 21 15:16:38 CEST 2010 - jeffm@suse.de
- Added support for enabling/disabling the module automatically
during installation/removal (bnc#623246)
-------------------------------------------------------------------
Tue Oct 5 17:58:31 CEST 2010 - jeffm@suse.de
- Converted archive to tar.bz2.
-------------------------------------------------------------------
Tue Oct 5 17:49:16 CEST 2010 - jeffm@suse.de
- Updated to 2.5.1-final.
- Lots of testcase updates.
-------------------------------------------------------------------
Fri Aug 27 21:21:38 CEST 2010 - jeffm@suse.de
- Initial packaging of AppArmor 2.5
- Now contained in a single archive so built from a single spec file
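Review bot: "Splitted" in the Thu Jan 6 entry should read "Split". The top three entries otherwise line up with the new Patch30, Patch31 and Patch32 lines in the spec (ldapclient-profile, support-newer-auditd-formatted-messages, fix-two-x-transition-conflict-bugs).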

apparmor.spec Normal file
@ -0,0 +1,809 @@
#
# spec file for package apparmor-parser (Version 2.3.1)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
%bcond_without tomcat
%bcond_without pam
%bcond_without apache
%bcond_with python
%bcond_with ruby
%bcond_with gnome
%bcond_with dbus
%bcond_with editor
%define CATALINA_HOME /usr/share/tomcat6
%define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
%define JNI_SO libJNIChangeHat.so
%define JAR_FILE changeHatValve.jar
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
Name: apparmor
%if ! %{?distro:1}0
%if %{?suse_version:1}0
%define distro suse
%endif
%if %{?fedora_version:1}0
%define distro redhat
%endif
%endif
%if ! %{?distro:1}0
%define distro suse
%endif
Summary: AppArmor userlevel parser utility
Version: 2.5.1
Release: 42
Group: Productivity/Networking/Security
Source0: apparmor-%{version}.tar.bz2
Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
Patch: testsuite-build-fix
Patch1: pam-apparmor-include
Patch2: mod_apparmor-includes
Patch3: tomcat-build-fixes
Patch4: apparmor-swig-build-fix
Patch5: apparmor-scripts
Patch6: apparmor-translation-fixes
Patch7: apparmor-perl
Patch8: apparmor-no-caching-test
Patch9: apparmorapplet-gnome-build-fix
Patch10: apparmor-utils-SubDomain
Patch11: apparmor-utils-cleanup-on-abort
Patch12: apparmor-utils-translation-unification
Patch13: apparmor-utils-add-log-types
Patch14: apparmor-utils-filenames-in-slash
Patch15: apparmor-utils-null-path-fix
Patch16: apparmor-utils-string-split
Patch17: apparmor-profiles-cupsd-fix
Patch18: apparmor-profiles-sshd-fix
Patch19: apparmor-profiles-syslog-ng-fix
Patch20: apparmor-docs-techdoc-grammar-fixes
Patch21: apparmor-parser-string-fixes
Patch22: apparmor-startproc.patch
Patch23: apparmor-2.5.1-unified-build
Patch24: apparmor-2.5.1-rpmlint-asprintf
Patch25: apparmor-2.5.1-ntpd-proc-fixes
Patch26: apparmor-2.5.1-edirectory-profile
Patch27: apparmor-2.5.1-firefox-proc-fix
Patch28: apparmor-2.5.1-unconfined-fixes
Patch29: apparmor-2.5.1-fix-parser-use-after-free
Patch30: apparmor-2.5.1-ldapclient-profile
Patch31: apparmor-utils-support-newer-auditd-formatted-messages
Patch32: fix-two-x-transition-conflict-bugs
License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor
PreReq: sed
%if %{distro} == "suse"
PreReq: %{insserv_prereq} aaa_base
%endif
BuildRequires: gcc-c++
BuildRequires: pkg-config
BuildRequires: pcre-devel
%define apparmor_bin_prefix /lib/apparmor
BuildRequires: bison flex latex2html w3m
BuildRequires: texlive-latex
BuildRequires: swig
%if %{with python}
BuildRequires: swig python-devel
%endif
%if %{with ruby}
BuildRequires: swig ruby-devel
%endif
%if %{with pam}
BuildRequires: pam-devel
Requires: pam pam-config
PreReq: pam pam-config
%endif
%if %{with apache}
BuildRequires: apache2-devel
%endif
%if %{with tomcat}
BuildRequires: java-devel >= 1.6.0 ant tomcat6
%endif
%if %{with editor}
BuildRequires: gcc-c++ update-desktop-files wxGTK-devel
%endif
%if %{with gnome}
BuildRequires: gnome-common
BuildRequires: pkgconfig(dbus-1)
BuildRequires: pkgconfig(gtk+-2.0)
BuildRequires: pkgconfig(libgnome-2.0)
BuildRequires: pkgconfig(libpanelapplet-2.0)
%endif
%if %{with dbus}
BuildRequires: audit-devel dbus-1-devel libapparmor-devel pkg-config
%endif
%package parser
Summary: AppArmor userlevel parser utility
Group: Productivity/Networking/Security
Obsoletes: subdomain_parser < %{version}
Obsoletes: subdomain-parser < %{version}
Obsoletes: subdomain-parser-demo < %{version}
Obsoletes: subdomain-parser-common < %{version}
Obsoletes: subdomain-leaf-cert < %{version}
Obsoletes: libimnxcert < %{version}
Provides: subdomain_parser = %{version}
Provides: subdomain-parser = %{version}
Provides: subdomain-parser-demo = %{version}
Provides: subdomain-parser-common = %{version}
Provides: subdomain-leaf-cert = %{version}
Provides: libimnxcert = %{version}
%description parser
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%package docs
Summary: AppArmor Documentation package
Group: Documentation/Other
%description docs
This package contains documentation for AppArmor.
This package is part of a suite of tools that used to be named
SubDomain.
Authors:
--------
lcambell@novell.com
Seth Arnold <seth.arnold@novell.com>
%if %{with apache}
%package -n apache2-mod_apparmor
Summary: AppArmor module for apache2
Group: Productivity/Security
%description -n apache2-mod_apparmor
apache2-modapparmor adds support to apache2 to provide AppArmor
confinement to individual cgi scripts handled by apache modules like
mod_php and mod_perl.
This package is part of a suite of tools that used to be named
SubDomain.
The documentation is in the apparmor-admin_en package.
Authors:
--------
sbeattie@suse.de
%endif
%package -n libapparmor1
Summary: Utility library for AppArmor
Group: Development/Libraries/C and C++
License: LGPL v2.1 or later
%ifarch ppc64
Obsoletes: libapparmor-64bit < %{version}
Provides: libapparmor-64bit = ${version}
%endif
Provides: libapparmor = %{version}
Provides: libimmunix = %{version}
Obsoletes: libapparmor < %{version}
Obsoletes: libimmunix < %{version}
%description -n libapparmor1
This package provides the libapparmor library, which contains the
change_hat(2) symbol, used for sub-process confinement by AppArmor, as
well as functions to parse AppArmor log messages.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%package -n libapparmor-devel
License: LGPL v2.1 or later
Requires: libapparmor1 = %{version}-%{release}
Group: Development/Libraries/C and C++
Provides: libapparmor:/usr/include/sys/apparmor.h
Summary: Development headers and libraries for libapparmor
%description -n libapparmor-devel
These libraries are needed for developing software that makes use of the
AppArmor API.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%package -n perl-apparmor
License: GPL v2 only ; LGPL v2.1 or later
Requires: libapparmor1 = %{version}
Requires: perl = %{perl_version}
Group: Development/Libraries/Perl
Summary: Perl interface for libapparmor functions
Provides: perl-libapparmor
Obsoletes: perl-libapparmor < 2.5
%description -n perl-apparmor
This package provides the perl interface to AppArmor. It is used for perl
applications interfacing with AppArmor, including the AppArmor utiltities.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%if %{with python}
%package -n python-apparmor
License: GPL v2 only ; LGPL v2.1 or later
Requires: libapparmor1 = %{version}
BuildRequires: python
Requires: python = %{python_version}
Group: Development/Libraries/Python
Summary: Python interface for libapparmor functions
Provides: python-libapparmor
Obsoletes: python-libapparmor < 2.5
%description -n python-apparmor
This package provides the python interface to AppArmor. It is used for python
applications interfacing with AppArmor.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%endif
%if %{with ruby}
%package -n ruby-apparmor
License: GPL v2 only ; LGPL v2.1 or later
Requires: libapparmor1 = %{version}
Requires: ruby = %{ruby_version}
Group: Development/Libraries/Ruby
Summary: Ruby interface for libapparmor functions
Provides: ruby-libapparmor
Obsoletes: ruby-libapparmor < 2.5
%description -n ruby-apparmor
This package provides the ruby interface to AppArmor. It is used for ruby
applications interfacing with AppArmor.
Authors:
--------
Steve Beattie <sbeattie@suse.de>
Matt Barringer <mbarringer@suse.de>
%endif
%package profiles
Summary: AppArmor profiles that are loaded into the apparmor kernel module
Group: Productivity/Security
Obsoletes: subdomain-profiles < %{version}
Provides: subdomain-profiles = %{version}
%description profiles
Base profiles. AppArmor is a file and network mandatory access control
mechanism. AppArmor confines processes to the resources allowed by the
systems administrator and can constrain the scope of potential security
vulnerabilities.
This package is part of a suite of tools that used to be named
SubDomain.
Authors:
--------
seth.arnold@suse.de
sbeattie@suse.de
jjohansen@suse.de
%package utils
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
Group: Productivity/Security
Requires: perl = %{perl_version}
Requires: libapparmor1 = %{version}
Requires: perl-apparmor = %{version}
BuildArch: noarch
%description utils
This package provides the aa-logprof, aa-genprof, aa-autodep,
aa-enforce, and aa-complain tools to assist with profile authoring.
Besides it provides the aa-unconfined server information tool and the
aa-eventd event reporting system. It is part of a suite of tools that
used to be named SubDomain.
Authors:
--------
jmichael@suse.de
seth.arnold@suse.de
%if %{with tomcat}
%package -n tomcat_apparmor
Summary: Tomcat 6 plugin for AppArmor change_hat
Group: System/Libraries
Requires: libapparmor1 = %{version} tomcat6
%description -n tomcat_apparmor
tomcat_apparmor - is a plugin for Apache Tomcat version 6 that
provides support for AppArmor change_hat for creating AppArmor
containers that are bound to discrete elements of processing within the
Tomcat servlet container. The AppArmor containers, or "hats", can be
created for individual URL processing or per servlet.
Authors:
--------
dreynolds@suse.de
%endif
%if %{with pam}
%package -n pam_apparmor
Summary: PAM module to for AppArmor change_hat
Group: Productivity/Security
%description -n pam_apparmor
The pam_apparmor module provides the means for any PAM applications
that call pam_open_session() to automatically perform an AppArmor
change_hat operation in order to switch to a user-specific security
policy.
Authors:
--------
jmichael@suse.de
sbeattie@suse.de
%endif
%if %{with dbus}
%package dbus
Summary: Audit dispatcher for sending AppArmor events over DBUS
Group: System/Monitoring
%description dbus
An audit dispatcher for sending AppArmor events over the DBUS system
bus.
Authors:
--------
Matt Barringer <mbarringer@suse.de>
%endif
%if %{with editor}
%package profile-editor
Summary: AppArmor profile editor
Group: Productivity/Editors/Other
%description profile-editor
A syntax highlighting editor for AppArmor profiles.
Authors:
--------
Matt Barringer <mbarringer@suse.de>
%endif
%if %{with gnome}
%package -n apparmorapplet-gnome
Summary: An AppArmor event notification applet for GNOME
Group: System/GUI/GNOME
%description -n apparmorapplet-gnome
This taskbar applet recieves AppArmor events over DBUS, and notifies
the user when AppArmor prevents an application from functioning.
Authors:
--------
Matt Barringer <mbarringer@suse.de>
%endif
%description
The AppArmor Parser is a userlevel program that is used to load in
program profiles to the AppArmor Security kernel module.
This package is part of a suite of tools that used to be named
SubDomain.
%lang_package -n apparmor-utils
%lang_package -n apparmor-parser
%if %{with gnome}
%lang_package -n apparmorapplet-gnome
%endif
%prep
%setup -q
%patch -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%build
export SUSE_ASNEEDED=0
autoreconf -fiv
%define _libdir /%{_lib}
%configure --disable-static --with-pic \
--with-perl \
%if %{with python}
--with-python \
%else
--without-python \
%endif
%if %{with ruby}
--with-ruby \
%else
--without-ruby \
%endif
%if %{with tomcat}
--with-tomcat \
%else
--without-tomcat \
%endif
%if %{with pam}
--with-pam \
%else
--without-pam \
%endif
%if %{with apache}
--with-apache \
%else
--without-apache \
%endif
%if %{with gnome}
--with-gnome \
%else
--without-gnome \
%endif
%if %{with dbus}
--with-dbus \
%else
--without-dbus \
%endif
%if %{with editor}
--with-profileeditor \
%else
--without-profileeditor \
%endif
%{__make} %{?jobs:-j%jobs}
%if %{with ruby}
#rm libraries/libapparmor/swig/ruby/Makefile.ruby
#make -C libraries/libapparmor/swig/ruby
%endif
%install
%{make_install}
find $RPM_BUILD_ROOT -name .packlist -exec rm -f {} \;
find $RPM_BUILD_ROOT -name perllocal.pod -exec rm -f {} \;
# create symlink for old change_hat(2) manpage
ln -s aa_change_hat.2 ${RPM_BUILD_ROOT}/%{_mandir}/man2/change_hat.2
mkdir ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d
install parser/rc.apparmor.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/boot.apparmor
install parser/rc.aaeventd.suse ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/aaeventd
ln -s %{_sysconfdir}/init.d/aaeventd ${RPM_BUILD_ROOT}/sbin/rcaaeventd
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcapparmor
ln -s %{_sysconfdir}/init.d/boot.apparmor ${RPM_BUILD_ROOT}/sbin/rcsubdomain
for script in ${RPM_BUILD_ROOT}/usr/sbin/*; do
d=$(dirname $script)
f=$(basename $script)
if [ "${f#aa-}" = "$f" ]; then
ln -s /usr/sbin/$f $d/aa-$f
fi
done
for man in ${RPM_BUILD_ROOT}/usr/share/man/man[18]/*; do
d=$(dirname $man)
f=$(basename $man)
if [ "${f#aa-}" = "$f" ]; then
ln -s $f $d/aa-$f
fi
done
%if %{with editor}
%suse_update_desktop_file -i %{name}-profile-editor Utility TextEditor
%endif
%if %{with gnome}
%find_lang apparmorapplet-gnome
%endif
for pkg in apparmor-utils apparmor-parser; do
%find_lang $pkg
done
# Clean up profiles that are provided by other packages now
rm -f $RPM_BUILD_DIR%{_sysconfdir}/apparmor.d/usr.sbin.nscd
%clean
rm -rf $RPM_BUILD_ROOT
%files docs
%defattr(-,root,root)
%doc parser/*.[1-9].html
%doc common/apparmor.css
%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt
%files parser
%defattr(-,root,root)
%doc parser/README parser/COPYING.GPL
/sbin/apparmor_parser
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%if %{distro} == "suse"
/sbin/rcsubdomain
/sbin/rcapparmor
%{_sysconfdir}/init.d/boot.apparmor
/sbin/rcaaeventd
%{_sysconfdir}/init.d/aaeventd
%else
%{_sysconfdir}/init.d/apparmor
%{_sysconfdir}/init.d/aaeventd
%endif
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
/var/lib/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%doc %{_mandir}/man5/apparmor.d.5.gz
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man5/subdomain.conf.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz
%if %{distro} == "redhat" || %{distro} == "rhel4"
%pre parser
if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
chkconfig --del subdomain
fi
%endif
%files parser-lang -f apparmor-parser.lang
%files -n libapparmor1
%defattr(-,root,root)
%{_libdir}/libapparmor.la
%{_libdir}/libimmunix.la
%{_libdir}/libapparmor.so*
%{_libdir}/libimmunix.so*
%files -n libapparmor-devel
%defattr(-,root,root)
%{_libdir}/libapparmor.so
%{_libdir}/libimmunix.so
%doc %{_mandir}/man2/aa_change_hat.2.gz
%doc %{_mandir}/man2/change_hat.2.gz
%dir %{_includedir}/aalogparse
%{_includedir}/sys/apparmor.h
%{_includedir}/aalogparse/*
# hrm, still need to enumerate each directory in these paths in files :(
%define extras_dir %{_sysconfdir}/apparmor/profiles/extras/
%define profiles_dir %{_sysconfdir}/apparmor.d/
%files profiles
%defattr(-,root,root)
%attr(644, root, root) %config(noreplace) %{profiles_dir}/*
%attr(644, root, root) %config(noreplace) %{extras_dir}/*
%dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor/
%dir %{_sysconfdir}/apparmor/profiles
%dir %{_sysconfdir}/apparmor/profiles/extras
%files utils
%defattr(-,root,root)
%dir %{_sysconfdir}/apparmor
%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
%config(noreplace) %{_sysconfdir}/apparmor/severity.db
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%{_prefix}/sbin/*
%dir /var/log/apparmor
%doc %{_mandir}/man5/logprof.conf.5.gz
%doc %{_mandir}/man8/apparmor_notify.8.gz
%doc %{_mandir}/man8/aa-*.gz
%doc %{_mandir}/man8/apparmor_status.8.gz
%doc %{_mandir}/man8/audit.8.gz
%doc %{_mandir}/man8/autodep.8.gz
%doc %{_mandir}/man8/complain.8.gz
%doc %{_mandir}/man8/enforce.8.gz
%doc %{_mandir}/man8/genprof.8.gz
%doc %{_mandir}/man8/logprof.8.gz
%doc %{_mandir}/man8/unconfined.8.gz
%doc utils/*.[0-9].html
%doc common/apparmor.css
%files utils-lang -f apparmor-utils.lang
%files -n perl-apparmor
%defattr(-,root,root)
%{perl_vendorlib}/Immunix
%dir %{perl_vendorarch}/auto/LibAppArmor
%{perl_vendorarch}/auto/LibAppArmor/*
%{perl_vendorarch}/LibAppArmor.pm
%if %{with python}
%files -n python-apparmor
%defattr(-,root,root)
%{python_sitearch}/LibAppArmor-2.5.1-py2.7.egg-info
%{python_sitearch}/libapparmor1/*
%endif
%if %{with ruby}
%files -n ruby-apparmor
%defattr(-,root,root)
%{_prefix}/%{rb_sitearch}/*
%endif
%if %{with pam}
%files -n pam_apparmor
%defattr(444,root,root,755)
%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
%attr(555,root,root) %{_libdir}/security/pam_apparmor.la
%endif
%if %{with tomcat}
%files -n tomcat_apparmor
%defattr(-,root,root)
%{CATALINA_HOME}/lib/%{JAR_FILE}
%{_libdir}/libJNI*
%doc %attr(0644,root,root) changehat/tomcat_apparmor/tomcat_5_5/README.tomcat_apparmor
%endif
%if %{with apache}
%files -n apache2-mod_apparmor
%defattr(-,root,root)
%{apache_module_path}/mod_apparmor.so
%{apache_module_path}/mod_apparmor.la
%doc %{_mandir}/man8/mod_apparmor.8.gz
%endif
%if %{with dbus}
%files dbus
%defattr(0750, root, root)
%{_bindir}/apparmor-dbus
%endif
%if %{with editor}
%files profile-editor
%defattr(-, root, root)
%{_datadir}/applications/%{name}-profile-editor.desktop
%{_datadir}/pixmaps/%{name}-profile-editor.png
%{_bindir}/profileeditor
%{_docdir}/profileeditor/AppArmorProfileEditor.htb
%if 0
%{_prefix}/share/doc/profileeditor/AppArmorProfileEditor.htb
%endif
%dir %{_prefix}/share/doc/profileeditor
%endif
%if %{with gnome}
%files -n apparmorapplet-gnome
%defattr(-, root, root)
%{_libdir}/bonobo/servers/*.server
%{_prefix}/lib/apparmorapplet
%{_datadir}/pixmaps/*
%files -n apparmorapplet-gnome-lang -f apparmorapplet-gnome.lang
%endif
%post parser
%if %{distro} == "suse"
# SUSE uses insserv
# For package renaming from subdomain -> apparmor
# we check the existence of the AppArmor 1.1 and
# AppArmor 1.2 based init script to help determine
# whether we are upgrading
SUBDOMAIN_PARSER_INSTALLED="no"
if test -e %{_sysconfdir}/init.d/boot.subdomain -o -e %{_sysconfdir}/init.d/subdomain; then
SUBDOMAIN_PARSER_INSTALLED="yes"
fi
if test "$1" == 1 -a $SUBDOMAIN_PARSER_INSTALLED = "no"; then
%{insserv_force_if_yast boot.apparmor}
elif test -e %{_sysconfdir}/rc.d/boot.d/S??boot.subdomain -o \
-e %{_sysconfdir}/rc.d/boot.d/S??boot.apparmor -o \
-e %{_sysconfdir}/rc.d/rc3.d/S??subdomain ; then
%{insserv_force_if_yast boot.apparmor}
else
%{fillup_and_insserv -f boot.apparmor}
fi
%endif
%if %{distro} == "redhat" || %{distro} == "rhel4"
chkconfig --add apparmor
%endif
%if %{distro} == "slackware"
if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.M ; then true ; else
%{apparmor_bin_prefix}/install/frob_slack_rc --init
fi
if grep -qs "# BEGIN rc.subdomain INSERTION" %{_sysconfdir}/rc.d/rc.K ; then true ; else
%{apparmor_bin_prefix}/install/frob_slack_rc --shutdown
fi
%endif
%preun parser
if [ "$1" = 0 ] ; then
%if %{distro} == "suse"
%{stop_on_removal aaeventd}
%{stop_on_removal boot.apparmor}
%endif
%if %{distro} == "redhat" || %{distro} == "rhel4"
chkconfig --del aaeventd
chkconfig --del apparmor
%endif
fi
%postun parser
%if %{distro} == "suse"
%restart_on_update aaeventd boot.apparmor
%{insserv_cleanup} || true
%endif
%post -n libapparmor1 -p /sbin/ldconfig
%postun -n libapparmor1 -p /sbin/ldconfig
%if %{with tomcat}
%post -n tomcat_apparmor -p /sbin/ldconfig
%postun -n tomcat_apparmor -p /sbin/ldconfig
%endif
%if %{with pam}
%post -n pam_apparmor
pam-config -a --apparmor
pam-config --update
%postun -n pam_apparmor
pam-config -d --apparmor
pam-config --update
%endif
%changelog
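Review bot: `Provides: libapparmor-64bit = ${version}` in the ppc64 block uses shell syntax and will end up as the literal string "${version}" in the Provides; it should be `%{version}` like the Obsoletes line above it. Further down, `rm -f $RPM_BUILD_DIR%{_sysconfdir}/apparmor.d/usr.sbin.nscd` in %install removes nothing from the buildroot (it should be `$RPM_BUILD_ROOT`), so the nscd profile this comment says is provided elsewhere is still packaged via `%{profiles_dir}/*`. Smaller points: `%{_libdir}/libapparmor.so` and `libimmunix.so` are listed both in libapparmor1 (`libapparmor.so*`) and in libapparmor-devel, which duplicates the unversioned symlinks across two packages (use `libapparmor.so.*` in the runtime package); `%{_sysconfdir}/apparmor/subdomain.conf` is a %config in both the parser and utils %files lists; and the header comment still says "apparmor-parser (Version 2.3.1)" while Version is 2.5.1.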

@ -0,0 +1,14 @@
---
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c | 1 +
1 file changed, 1 insertion(+)
--- a/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
+++ b/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <string.h>
#include <glib/gi18n.h>
+#include <libgnome/gnome-program.h>
#include "preferences_dialog.h"
#include "reject_list.h"
#include "apparmor-applet.h"
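Review bot: this patch file carries no From/Subject/description header, unlike the other patches in the package; state which build error the added `#include <libgnome/gnome-program.h>` resolves (presumably an undeclared gnome_program_* symbol in apparmor-applet.c) so the fix can be dropped once it is no longer needed.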

baselibs.conf Normal file
@ -0,0 +1,5 @@
pam_apparmor
supplements "packageand(pam_apparmor:pam-<targettype>)"
libapparmor1
obsoletes "libapparmor-<targettype> <= <version>"
provides "libapparmor-<targettype> = <version>"
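Review bot: the baselibs entry uses `obsoletes "libapparmor-<targettype> <= <version>"` while the spec's ppc64 block uses `Obsoletes: libapparmor-64bit < %{version}`; pick one, and `<` is the safer choice since `<=` lets the package obsolete the very version it provides on the next line.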

@ -0,0 +1,277 @@
From: John Johansen <john.johansen@canonical.com>
Subject: Fix two x transition conflict bugs.
References: bnc#662928 lpn#693082
This is lp:apparmor/2.5 commit r1443.
The is_merged_x_consistent macro was incorrect in that it tested for
USER_EXEC_TYPE to determine if there was an x transition. This fails
for unconfined execs so an unconfined exec would not correctly conflict
with another exec type.
The dfa match flag table for xtransitions was not large enough and not
indexed properly for pux, and cux transitions. The index calculation did
not take into account the pux flag so that pux and px aliased to the same
location and cux and cx aliased to the same location.
This would result in the first rule being processed defining what the
transition type was for all following rules of the type following. So
if a px transition was processed first all pux transitions in the profile
would be treated pux.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Add auto generation of xtransition conflict tests
All the combinations of xtransition conflicts were not well represented in
the regression test suite. Instead of relying on multiple static test
files, automatically generate all possible conflicts.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
diff:
=== modified file 'parser/immunix.h'
parser/immunix.h | 4
parser/libapparmor_re/regexp.yy | 10 -
parser/tst/Makefile | 10 +
parser/tst/gen-xtrans.pl | 152 +++++++++++++++++++++++++++++
parser/tst/simple_tests/generated_x/readme | 2
5 files changed, 169 insertions(+), 9 deletions(-)
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
+++ b/parser/immunix.h 2011-01-07 20:46:15 +0000
@@ -148,12 +148,12 @@
#include <stdio.h>
static inline int is_merged_x_consistent(int a, int b)
{
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
return 0;
}
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
return 0;
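Review bot: the corrected test now requires the exec bit itself (AA_USER_EXEC / AA_OTHER_EXEC) on both rules before comparing their type bits, which is what lets an unconfined exec, whose type bits are zero, conflict with a px/cx rule; that case should be pinned by a regression test, and the generated_x tests in this same patch cover it as long as "u" stays in @trans_types. Note that the fprintf diagnostics live in a static inline in a header, which is why <stdio.h> is included in the middle of immunix.h.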
=== modified file 'parser/libapparmor_re/regexp.yy'
--- a/parser/libapparmor_re/regexp.yy 2010-07-24 14:16:14 +0000
+++ b/parser/libapparmor_re/regexp.yy 2011-01-07 20:46:15 +0000
@@ -2581,9 +2581,9 @@
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
extern "C" void aare_reset_matchflags(void)
{
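Review bot: EXEC_MATCH_FLAGS_SIZE is now `AA_EXEC_COUNT *2 * 2 * 2`, while the index into exec_match_flags/exact_match_flags is extracted with a 7-bit mask (0x7f, values up to 127) in the next hunk; the two only agree when AA_EXEC_COUNT is 16 and nothing enforces that, so define the size next to EXTRACT_X_INDEX as `(1 << 7)` or add a compile-time assertion tying them together. The spacing in `*2 * 2 * 2` should also be regularised.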
@@ -2644,8 +2644,8 @@
flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
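Review bot: the shift drops from +8 to +7 and the mask widens to 0x7f so that the pux bit lands in the index, which matches the table resize above; the comment would be clearer stating "7 bits" explicitly. The commented-out check directly below, `(!perms & AA_EXEC_BITS)`, has a precedence bug (`!perms` is evaluated before the `&`); since this hunk already touches these lines, either fix it to `!(perms & AA_EXEC_BITS)` or delete the dead code.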
=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile 2011-01-07 20:46:15 +0000
@@ -11,8 +11,11 @@
all: tests
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
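Review bot: `tests: error_output gen_xtrans parser_sanity` relies on left-to-right prerequisite order to have the generated_x files in place before parser_sanity runs; under `make -j` that order is not guaranteed, so make parser_sanity depend on gen_xtrans explicitly. gen_xtrans also has no prerequisites and regenerates unconditionally, which is acceptable for a test target but worth a comment.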
@@ -34,3 +37,6 @@
$(PARSER):
make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*
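Review bot: `rm -f simple_tests/generated_x/*` also deletes the `readme` this patch adds to that directory, so a `make clean` leaves the tree modified; restrict the glob to `*.sd`, which is what gen-xtrans.pl writes (`${prefix}/${name}-...sd`). `clean` should also be listed in .PHONY alongside the other targets.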
=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl 2011-01-07 20:46:15 +0000
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
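Review bot: `use Locale::gettext;`, `use POSIX;` and `setlocale(LC_MESSAGES, "");` are dead weight here, since no string in the script is translated, yet they make the parser test suite depend on a non-core Perl module; drop them. Two smaller points: `unless (open $file, ">$name")` reports the failure without `$!`, which hides the real cause (the likeliest being that simple_tests/generated_x does not exist, as the script never creates it); and the NOTE block above gen_files has typos ("don't tests", "coorispondance"). A comment on scale would also help: gen_list yields 14 permission variants, which combined with the targets and the two qualifiers gives 76 rule forms, so each gen_files call writes 76 squared (5776) files and the four calls together over twenty thousand .sd files.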
=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-07 20:46:15 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+

35
mod_apparmor-includes Normal file
@ -0,0 +1,35 @@
---
changehat/mod_apparmor/Makefile | 6 +-----
changehat/mod_apparmor/mod_apparmor.c | 6 +-----
2 files changed, 2 insertions(+), 10 deletions(-)
--- a/changehat/mod_apparmor/Makefile
+++ b/changehat/mod_apparmor/Makefile
@@ -42,11 +42,7 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2"
fi )
APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
DESTDIR=
-LIBAPPARMOR_FLAGS=$(shell if [ -f /usr/lib/libapparmor.so -o -f /usr/lib64/libapparmor.so ] ; then \
- echo -lapparmor ; \
- else \
- echo -DUSE_COMPAT_IMMUNIX_H -limmunix ;\
- fi)
+LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
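Review bot: `LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"` keeps the double quotes as literal characters, because make does not strip them; when the variable is expanded in a recipe the shell hands the compiler a single quoted argument containing all three flags, which gcc then reads as one very odd -I path. Drop the quotes. The line that consumes the variable is outside this hunk, so also check there that -lapparmor reaches the link step via APXS rather than the compile step. Finally, this patch file has no From:/Subject: header like the others on this page; a one-line description saying it builds against the in-tree libapparmor and drops the libimmunix fallback would help the next packager.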
--- a/changehat/mod_apparmor/mod_apparmor.c
+++ b/changehat/mod_apparmor/mod_apparmor.c
@@ -24,11 +24,7 @@
#include "apr_strings.h"
#include "apr_lib.h"
-#ifndef USE_COMPAT_IMMUNIX_H
-#include <sys/apparmor.h>
-#else
-#include <sys/immunix.h>
-#endif
+#include "apparmor.h"
#include <unistd.h>
/* #define DEBUG */
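Review bot: `#include "apparmor.h"` replaces the public header path `<sys/apparmor.h>`, so mod_apparmor.c now compiles only with the in-tree -I added in the Makefile hunk above and no longer builds against an installed libapparmor-devel. Less invasive, and applicable to the identical edits to pam_apparmor.c and JNIChangeHat.c on this page, would be to leave the include alone and give the build an include directory containing sys/apparmor.h (a symlink to libraries/libapparmor/src/apparmor.h), keeping the sources byte-identical to upstream.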

42
pam-apparmor-include Normal file
@ -0,0 +1,42 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: Fix pam includes/linking
---
changehat/pam_apparmor/Makefile | 6 +++---
changehat/pam_apparmor/pam_apparmor.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/changehat/pam_apparmor/Makefile
+++ b/changehat/pam_apparmor/Makefile
@@ -27,8 +27,8 @@ common/Make.rules: $(COMMONDIR)/Make.rul
ln -sf $(COMMONDIR) .
endif
-EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall
-LINK_FLAGS=-Xlinker -x
+EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall -I../../libraries/libapparmor/src/
+LINK_FLAGS=-Xlinker -x -L../../libraries/libapparmor/src/.libs
LIBS=-lpam -lapparmor
OBJECTS=${NAME}.o get_options.o
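Review bot: the new `-I../../libraries/libapparmor/src/` and `-L../../libraries/libapparmor/src/.libs` hardcode the layout of the full source tree, and the same two relative paths are repeated in the mod_apparmor and tomcat JNI Makefiles on this page. Define them once in an overridable variable (this Makefile already does that for COMMONDIR, as the `common/Make.rules: $(COMMONDIR)/Make.rules` context shows) so the spec can point all three consumers at one location.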
@@ -42,7 +42,7 @@ $(NAME).so: ${OBJECTS}
# need some better way of determining this
DESTDIR=/
-SECDIR=${DESTDIR}/lib/security
+SECDIR ?= ${DESTDIR}/lib/security
.PHONY: install
install: $(NAME).so
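Review bot: `SECDIR ?= ${DESTDIR}/lib/security` makes the install path overridable, which is needed because the default is wrong on 64-bit openSUSE where PAM modules live under /lib64/security; but the correct value now has to be supplied by the packaging on every build. Deriving it from a LIB variable, as the tomcat JNI Makefile on this page does with `LIB = lib/` and `LIBDIR = /usr/${LIB}`, would give a correct default on both architectures. Note also that `DESTDIR=/` just above stays a plain assignment, so the two variables now behave differently when set from the environment.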
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -27,7 +27,7 @@
#include <grp.h>
#include <syslog.h>
#include <errno.h>
-#include <sys/apparmor.h>
+#include "apparmor.h"
#include <security/pam_ext.h>
#include <security/pam_modutil.h>
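Review bot: `#include "apparmor.h"` in pam_apparmor.c has the same drawback as the matching change in mod_apparmor.c: this security-critical module now compiles only with the in-tree -I from the Makefile hunk above and not against the installed <sys/apparmor.h>. Prefer an include directory that provides sys/apparmor.h for the in-tree build and leave the source untouched.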

3
rpmlintrc Normal file
@ -0,0 +1,3 @@
addFilter("devel-file-in-non-devel-package.*/usr/lib64/libJNIChangeHat.so")
addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so")
addFilter("shlib-policy-name-error.*libJNIChangeHat0")
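Review bot: the three filters silence rpmlint without recording why; add a comment in this rpmlintrc stating that libJNIChangeHat.so is loaded by name through JNI and therefore has to ship unversioned in the runtime package. For `shlib-policy-name-error.*libJNIChangeHat0`, check that the filter is not hiding a real mismatch: the JNI Makefile on this page sets `SO_VERS = 1` and passes `-Wl,-soname,$@.${SO_VERS}`, giving a soname of libJNIChangeHat.so.1 while the package is named libJNIChangeHat0. The two devel-file filters for /usr/lib and /usr/lib64 can also collapse into one pattern, `/usr/lib(64)?/libJNIChangeHat.so`.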

23
testsuite-build-fix Normal file
@ -0,0 +1,23 @@
From: Jeff Mahoney <jeffm@suse.com>
Subject: testsuite: Fix linking with shared in-tree libapparmor
This patch stops the static linking with libapparmor and uses the
shared library instead. Before it's installed, it'll have the in-tree
rpath and the testsuite will work as expected.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
libraries/libapparmor/testsuite/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/libraries/libapparmor/testsuite/Makefile.am
+++ b/libraries/libapparmor/testsuite/Makefile.am
@@ -12,7 +12,7 @@ noinst_PROGRAMS = test_multi.multi
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
clean-local:
rm -f tmp.err.* tmp.out.* site.exp site.bak
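Review bot: `test_multi_multi_LDADD = -L../src/.libs -lapparmor` relies on libtool finding the uninstalled library through the -L search in order to produce the wrapper and in-tree rpath that the commit message depends on; if it resolves to a plain shared object instead, and a libapparmor is already installed, the test binary may load the system copy rather than the one just built. The automake idiom for an in-tree library is `test_multi_multi_LDADD = ../src/libapparmor.la`, which links the shared build unambiguously and lets `make check` run without LD_LIBRARY_PATH.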

77
tomcat-build-fixes Normal file
@ -0,0 +1,77 @@
---
changehat/tomcat_apparmor/tomcat_5_5/build.xml | 15 +++++-----
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c | 2 -
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile | 4 +-
3 files changed, 11 insertions(+), 10 deletions(-)
--- a/changehat/tomcat_apparmor/tomcat_5_5/build.xml
+++ b/changehat/tomcat_apparmor/tomcat_5_5/build.xml
@@ -4,8 +4,8 @@
<property name="jni_src" location="src/jni_src"/>
<property name="build" location="build"/>
<property name="install_root" location="/"/>
- <property name="catalina_home" location="/usr/share/tomcat5"/>
- <property name="lib" location="lib"/>
+ <property name="catalina_home" location="/usr/share/tomcat6"/>
+ <property name="lib" location="/usr/share/tomcat6/bin"/>
<property name="install_lib" value="/lib"/>
<property name="dist" location="dist"/>
<property name="jarfile" location="${dist}/${ant.project.name}.jar"/>
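Review bot: `<property name="lib" location="/usr/share/tomcat6/bin"/>` hardcodes a path that `catalina_home` already provides; use `location="${catalina_home}/bin"` so the two cannot drift apart. Also, the tree is still named tomcat_5_5 while every path now targets Tomcat 6, and this patch file has no From:/Subject: header; a short description saying it retargets the build to the Tomcat 6 layout (single lib/ directory) would spare the next packager some archaeology.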
@@ -18,10 +18,11 @@
<include name="**/*.jar"/>
</fileset>
- <fileset id="tomcat.jars" dir="${catalina_home}/server/lib">
+ <fileset id="tomcat.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
- <fileset id="servlet.jars" dir="${catalina_home}/common/lib">
+
+ <fileset id="servlet.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
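Review bot: after this hunk `tomcat.jars` and `servlet.jars` both point at `${catalina_home}/lib` with the same include pattern, so every jar lands on the compile classpath twice. Tomcat 6 merged server/lib and common/lib, so a single fileset is enough, or keep both ids and have one reference the other. The added blank `+` line between the two filesets is stray whitespace.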
@@ -80,9 +81,9 @@
</target>
<target name="install_jar" depends="jni_so" description="Install jar file">
- <mkdir dir="${install_root}/${catalina_home}/server/lib/"/>
- <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
- <chmod perm="644" file="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
+ <mkdir dir="${install_root}/${catalina_home}/lib/"/>
+ <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
+ <chmod perm="644" file="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
</target>
<target name="clean" description="Remove build and dist directories">
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
@@ -13,7 +13,7 @@
#include "jni.h"
#include <errno.h>
-#include "sys/apparmor.h"
+#include "apparmor.h"
#include "com_novell_apparmor_JNIChangeHat.h"
/* c intermediate lib call for Java -> JNI -> c library execution of the change_hat call */
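Review bot: `#include "apparmor.h"` here carries the same cost as the matching edits to mod_apparmor.c and pam_apparmor.c: JNIChangeHat.c stops compiling against the installed <sys/apparmor.h> and depends on the in-tree -I added to INCLUDES in the jni_src Makefile hunk below. An include directory providing sys/apparmor.h for the in-tree build would serve all three without touching any source.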
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
@@ -4,7 +4,7 @@ LIB = lib/
LIBDIR = /usr/${LIB}
INCLUDE = ${LIBDIR}/jvm/java/include
CFLAGS = -g -O2 -Wall -Wstrict-prototypes -Wl,-soname,$@.${SO_VERS} -pipe -fpic -D_REENTRANT
-INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux
+INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux -I$(TOP)/../../../libraries/libapparmor/src/
CLASSFILE = ${CLASSPATH}/com/novell/apparmor/${JAVA_CLASSNAME}.class
DESTDIR = ${TOP}/dist
SO_VERS = 1
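Review bot: `-I$(TOP)/../../../libraries/libapparmor/src/` is the third copy on this page of a relative path into libraries/libapparmor (mod_apparmor and pam_apparmor carry the other two), and the same directory reappears as `-L.../.libs` in the link rule below. Define it once, e.g. `LIBAPPARMOR_SRC ?= $(TOP)/../../../libraries/libapparmor/src`, and reference that in both INCLUDES and the link line so the spec has a single knob to override.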
@@ -20,7 +20,7 @@ ${JAVA_CLASSNAME}.java com_novell_apparm
javah -jni -classpath ${CLASSPATH} com.novell.apparmor.${JAVA_CLASSNAME}
${TARGET}.so: ${JAVA_CLASSNAME}.c ${JAVA_CLASSNAME}.java com_novell_apparmor_${JAVA_CLASSNAME}.h
- gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -lapparmor
+ gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -L$(TOP)/../../../libraries/libapparmor/src/.libs -lapparmor
install: ${TARGET}.so
install -d $(DESTDIR)/${LIB} $(DESTDIR)${LIBDIR}
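Review bot: the link rule hardcodes `gcc` rather than `$(CC)` and repeats the long relative path already present in INCLUDES; with one variable for the libapparmor source directory this becomes `$(CC) ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -L$(LIBAPPARMOR_SRC)/.libs -lapparmor`. Not adding an rpath here is right for a packaged build: at runtime the module resolves the installed libapparmor from the system search path, not the build tree.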

71
update-trans.sh Normal file
@ -0,0 +1,71 @@
CFILES="
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
deprecated/management/applets/apparmorapplet-gnome/src/preferences_dialog.c
deprecated/management/applets/apparmorapplet-gnome/src/reject_list.c
parser/parser_alias.c
parser/parser_include.c
parser/parser_interface.c
parser/parser_lex.l
parser/parser_main.c
parser/parser_merge.c
parser/parser_misc.c
parser/parser_policy.c
parser/parser_regex.c
parser/parser_symtab.c
parser/parser_variable.c
parser/parser_yacc.y
"
CPPFILES="
deprecated/management/profile-editor/src/AboutDialog.cpp
deprecated/management/profile-editor/src/AboutDialog.h
deprecated/management/profile-editor/src/Configuration.cpp
deprecated/management/profile-editor/src/Preferences.cpp
deprecated/management/profile-editor/src/Preferences.h
deprecated/management/profile-editor/src/profileeditor.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.h
parser/libapparmor_re/regexp.yy
"
PERLFILES="
utils/aa-repo.pl
utils/audit
utils/autodep
utils/complain
utils/enforce
utils/genprof
utils/logprof
utils/Reports.pm
utils/SubDomain.pm
utils/unconfined
"
ARGS="--keyword=_ --keyword=N_ -n --force-po"
xgettext $ARGS --output=apparmor-C.pot -L C $CFILES
xgettext $ARGS --output=apparmor-CPP.pot -L C++ $CPPFILES
xgettext $ARGS --output=apparmor-PERL.pot -L Perl $PERLFILES
msgcat apparmor-*.pot > apparmor.pot
sed \
-e 's/Project-Id-Version: PACKAGE VERSION/Project-Id-Version: apparmor/g' \
-e 's/PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE/PO-Revision-Date: 2009-02-05 13:38/' \
-e 's/Report-Msgid-Bugs-To: /Report-Msgid-Bugs-To: apparmor-general@forge.novell.com/' \
-e 's/Last-Translator: FULL NAME <EMAIL@ADDRESS>/Last-Translator: Novell Language <language@novell.com>/' \
-e 's/Language-Team: LANGUAGE <LL@li.org>/Language-Team: Novell Language <language@novell.com>/' \
-e 's/Content-Type: text\/plain; charset=CHARSET/Content-Type: text\/plain; charset=UTF-8/' \
< apparmor.pot > apparmor.pot.new
mv apparmor.pot.new apparmor.pot
for file in $(find . -name '*.po'); do
f=$(basename $file)
msgmerge -U apparmor.pot $file
if [ -e "po/$f" ]; then
msgcat $file po/$f > $f
mv $f po/$f
else
cp $file po/$f
fi
done
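Review bot: `msgmerge -U apparmor.pot $file` has its arguments reversed. msgmerge takes `def.po ref.pot` and with -U rewrites def.po, so as written each loop iteration updates the freshly generated template against a translation file rather than the other way round; it should read `msgmerge -U "$file" apparmor.pot`. Two more: `for file in $(find . -name '*.po')` also matches the files already under po/, so each of those is concatenated with itself by `msgcat $file po/$f > $f` and then moved over itself; prune po/ from the find and quote "$file" and "$f". The script also has no `#!/bin/sh` line and no `set -e`, so a failing xgettext run leaves an empty apparmor.pot that the sed, msgmerge and msgcat steps then process without complaint; the hardcoded `PO-Revision-Date: 2009-02-05 13:38` is likewise stale on every run.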