Accepting request 1037410 from home:cboltz

- update to AppArmor 3.1.2 - lots of cleanups, improvements and bugfixes in all areas - rework internal profile storage and handling in the aa-* tools - support boolean variable definitions in the aa-* tools - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.1 and https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.2 for the detailed upstream changelog - remove upstream(ed) patches: - apparmor-3.0.7-egrep.patch - dnsmasq.diff - profiles-permit-php-fpm-pid-files-directly-under-run.patch - zgrep-profile-mr870.diff - no longer ship precompiled profile cache for Tumbleweed (boo#1205659) - BuildRequire iproute2 (needed for aa-unconfined tests) OBS-URL: https://build.opensuse.org/request/show/1037410 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=356
2022-11-22 21:07:29 +00:00 · 2022-11-22 21:07:29 +00:00 · f32cb3d585
commit f32cb3d585
parent 5fc84e780a
11 changed files with 48 additions and 231 deletions
--- a/apparmor-3.0.7-egrep.patch
+++ b/apparmor-3.0.7-egrep.patch
@ -1,39 +0,0 @@
-From e8f3a1b87853da22fa8c23c49ca876b6d6997a41 Mon Sep 17 00:00:00 2001
-From: Michal Vasilek <michal.vasilek@nic.cz>
-Date: Tue, 24 Aug 2021 09:44:07 +0200
-Subject: [PATCH] aa-decode: use grep -E instead of egrep
-
-egrep and fgrep are deprecated and will print a warning in the next grep
-release (3.8)
-
-https://git.savannah.gnu.org/cgit/grep.git/commit/?id=a9515624709865d480e3142fd959bccd1c9372d1
-Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
---
- utils/aa-decode | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/utils/aa-decode b/utils/aa-decode
-index 16f23b55b..35e426aff 100755
--- a/utils/aa-decode
-+++ b/utils/aa-decode
-@@ -37,7 +37,7 @@ EOM
- }
- 
- decode() {
-    if echo "$1" | egrep -q "^[0-9A-Fa-f]+$" ; then
-+    if echo "$1" | grep -E -q "^[0-9A-Fa-f]+$" ; then
-       python3 -c "import binascii; print(bytes.decode(binascii.unhexlify('$1'), errors='strict'));"
-     else
-       echo ""
-@@ -53,7 +53,7 @@ fi
- # if have an argument, then use it, otherwise process stdin
- if [ -n "$1" ]; then
-     e="$1"
-    if ! echo "$e" | egrep -q "^[0-9A-Fa-f]+$" ; then
-+    if ! echo "$e" | grep -E -q "^[0-9A-Fa-f]+$" ; then
-         echo "String should only contain hex characters (0-9, a-f, A-F)"
-         exit 1
-     fi
-- 
-GitLab
-
--- a/apparmor-3.0.7.tar.gz
+++ b/apparmor-3.0.7.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f7063637d7523a28a59696f89e878d9942985bf828194d4c4bae594bec57e2d1
-size 7946315
--- a/apparmor-3.0.7.tar.gz.asc
+++ b/apparmor-3.0.7.tar.gz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmLyIkgaHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLvV5xAAoo3TMB8E9MYkb58SyQnV
-OrnJk09DbI5QKkIIugUmLGIqVpsNdKoOK/uNj/OeU5p48zfHqVdzdD5ij648qums
-KU9s+oG8xS/4IuYqnMIkNXXpsvzh2055f0BaVcLxnZV0Dg+VYGHN8LQwpmaj+FpS
-otOwOaePy+6uGUu53Cq1/AW2lrJYevTlET1cXSVJrkwtXJDqwbo0CRvehGphhv9l
-7UvLqKP2qGwMzj9mu2slteFWaOBYXViKPc2zwBw69fPmWaGftO9/dEh+XsR6bPbu
-XEJYdAw9EQMJzYDLAr8xGGFyEW3+r+SM9Qotue212RFpLVD6dFvWkjm4HE2a7Kkq
-qcBcpMMcgJG8a8a8Z6FJ5wMgEw4sy40qXzFN6EFtjWFYjLX2wHXNOcGsYOh0s5Ss
-xMuSnJEaB4s23+7/OHpt9x8O/s3yvha5UqgAyGcoa8wPR67zQ1y64vk7RvWTmRHb
-gVGvTB17XdpBGXoLu0zYvOnv30nVIFFILq1iQm5uK8qXDeZ4jjiXXn4f1BMNx99X
-ZstRgRQMh7LdRpow2b+GfOx90yMFOeVlv2sdX+0XfSXCESMZtYNTSJiG3LGwqy/Q
-Ex54xnOSvEG9f6xM1qHVaxqCS9OCM+u5r1cygHbo6/TSigeLBDCZnLT/VmRhlx2A
-LnnWqjGckC7oAoPnEcZoktQ=
-=/81p
-----END PGP SIGNATURE-----
--- a/apparmor-3.1.2.tar.gz
+++ b/apparmor-3.1.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7cbd0b2f6393abf57acaf25dc2b32b2ae197c0b5b0d661e14be46127df93a5eb
+size 7955759
--- a/apparmor-3.1.2.tar.gz.asc
+++ b/apparmor-3.1.2.tar.gz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAmNpUt4aHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLv3KBAAtyXSGLM6vX2MflFtYbxd
+0WrdhjKPvMer165f9RaUCzO5zdqKaAFm9vDkwQl/S3uWr0lmN8AWGhkcqNZq2BXQ
+68Oyd74P2pT8Rt3bJwwqJnubh4GK3YohpXaoo7TEO/rLgB0Di9dZFOmF539TWIOg
+kHj71kbxtsVCoX+TptzjJGaR+xeLebV9UaHRZpMt8j8f6M7bUUQELW2lRhDfqJL5
+1wTp3mnSfNQlZvKDlMu+Tv0tH3k4tD6+w1mvACUS5mHJ7N3W9NS5/EahbY1rmRNp
+4VPO5zKyD0781NFDwkX/zN9kEHIKjtTr/gEm7ZBoHMR6okeMCwv/GEzUBsTKYPJE
+wegqVOUV+jGpW8O6Md425JjlWU2QXKN8O5vYFTZ5zkPx7G9j54UbvUYOqUz3jNKi
+28WCOkJXoOdO8tUuxJu+haavikX2j//J44KqieB5kmVMkMt8CC2Rha+oARJGUdVY
+FTjrcvd3MJGfW7WnUriHnhvv0X/MoGN3LTPBYFnRTWGB5B/ziwFqUrZZ4VKF7hv/
+vTbDtv761JS6eT8KfUsllSnsbRvw5GBs9p6n21i9DyyD3c/Pcdl8RyZ3iTasE/yM
+m17h9OwaW2rbr7E92EniQ+XXpuxiSE9UkM5+4y7cfJO9KkTv5JfJgqYXBhg0Dsfd
+DboJouLwNvPXPH/Pk/by4Fk=
+=qSnn
+-----END PGP SIGNATURE-----
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Nov 22 18:54:46 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>
+
+- update to AppArmor 3.1.2
+  - lots of cleanups, improvements and bugfixes in all areas
+  - rework internal profile storage and handling in the aa-* tools
+  - support boolean variable definitions in the aa-* tools
+  - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.1
+    and https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.1.2
+    for the detailed upstream changelog
+- remove upstream(ed) patches:
+  - apparmor-3.0.7-egrep.patch
+  - dnsmasq.diff
+  - profiles-permit-php-fpm-pid-files-directly-under-run.patch
+  - zgrep-profile-mr870.diff
+- no longer ship precompiled profile cache for Tumbleweed (boo#1205659)
+- BuildRequire iproute2 (needed for aa-unconfined tests)
+
 -------------------------------------------------------------------
 Sun Sep  4 18:08:28 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@ -37,7 +37,14 @@
 %bcond_without perl
 %bcond_without python3
 %bcond_without ruby
+
+%if 0%{?suse_version} <= 1550
+# enable precompiled profile cache on <= 15.x
 %bcond_without precompiled_cache
+%else
+# don't build precompiled profile cache on Tumbleweed as long as it's purely validated based on timestamps (boo#1205659)
+%bcond_with precompiled_cache
+%endif

 %define CATALINA_HOME /usr/share/tomcat6
 #define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
@ -45,7 +52,7 @@
 %define JAR_FILE changeHatValve.jar

 Name:           apparmor
-Version:        3.0.7
+Version:        3.1.2
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0-or-later
@ -79,22 +86,9 @@ Patch5:         apparmor-lessopen-nfs-workaround.diff
 # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
 Patch6:         apache-extra-profile-include-if-exists.diff

-# add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + merged upstream 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873
-#                               + merged upstream 2022-06-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only)
-Patch9:         zgrep-profile-mr870.diff
-
-# add missing r permissions for dnsmasc//libvirt-leaseshelper (merged upstream 2022-08-22 https://gitlab.com/apparmor/apparmor/-/merge_requests/905)
-Patch10:        dnsmasq.diff
-
-# permit php-fpm pid files under run (merged upstream 2022-08-26 https://gitlab.com/apparmor/apparmor/-/merge_requests/914)
-Patch11:        profiles-permit-php-fpm-pid-files-directly-under-run.patch
-
 # allow reading /sys/devices/system/cpu/possible in dnsmasc//libvirt-leaseshelper (boo#1202849, submitted upstream 2022-08-28 https://gitlab.com/apparmor/apparmor/-/merge_requests/917)
 Patch12:        dnsmasq-cpu-possible.diff

-# avoid warnings with GNU grep 3.8 (boo#1203092, from upstream)
-Patch13:        apparmor-3.0.7-egrep.patch
-
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@ -102,6 +96,7 @@ BuildRequires:  bison
 BuildRequires:  dejagnu
 BuildRequires:  flex
 BuildRequires:  gcc-c++
+BuildRequires:  iproute2
 BuildRequires:  pcre-devel
 BuildRequires:  pkg-config
 BuildRequires:  python3
@ -359,11 +354,7 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch4
 %patch5
 %patch6
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
 %patch12 -p1
-%patch13 -p1

 %build
 export SUSE_ASNEEDED=0
--- a/dnsmasq.diff
+++ b/dnsmasq.diff
@ -1,27 +0,0 @@
-commit c9c5208f77d560467965619fadbf350ada9a0bc2
-Author: Christian Boltz <apparmor@cboltz.de>
-Date:   Mon Aug 8 20:48:12 2022 +0200
-
-    dnsmasq: Add missing r permissions for libvirt_leaseshelper
-    
-    Note: This was reported for /usr/libexec/libvirt_leaseshelper, but since
-    this is probably unrelated to the path or a path change, this commit
-    also adds r permissions for the previous path.
-    
-    Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1202161
-
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index bffc09b4..406b2599 100644
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -117,8 +117,8 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- 
-     /etc/libnl-3/classid r,
- 
-    /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
--- a/libapparmor.spec
+++ b/libapparmor.spec
@ -18,7 +18,7 @@


 Name:           libapparmor
-Version:        3.0.7
+Version:        3.1.2
 Release:        0
 Summary:        Utility library for AppArmor
 License:        LGPL-2.1-or-later
--- a/profiles-permit-php-fpm-pid-files-directly-under-run.patch
+++ b/profiles-permit-php-fpm-pid-files-directly-under-run.patch
@ -1,39 +0,0 @@
-From d8533ec851ccf188b17136fdab67d0481cae357d Mon Sep 17 00:00:00 2001
-From: David Disseldorp <ddiss@suse.de>
-Date: Thu, 25 Aug 2022 23:44:16 +0200
-Subject: [PATCH] profiles: permit php-fpm pid files directly under run/
-
-The upstream php-fpm.conf file carries the following pid file example
-path:
-  [global]
-  ; Pid file
-  ; Note: the default prefix is @EXPANDED_LOCALSTATEDIR@
-  ; Default Value: none
-  ;pid = run/php-fpm.pid
-
-Add this path to profiles/apparmor.d/php-fpm, alongside the current
-nested "@{run}/php{,-fpm}/php*-fpm.pid" wildcard.
-
-Fixes: https://gitlab.com/apparmor/apparmor/-/issues/267
-
-Suggested-by: Ali Abdallah <ali.abdallah@suse.com>
-Signed-off-by: David Disseldorp <ddiss@suse.de>
---
- profiles/apparmor.d/php-fpm | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/profiles/apparmor.d/php-fpm b/profiles/apparmor.d/php-fpm
-index 14b3c719..0dcc8c7d 100644
--- a/profiles/apparmor.d/php-fpm
-+++ b/profiles/apparmor.d/php-fpm
-@@ -35,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
- 
-   # we need to be able to create all sockets
-   @{run}/php{,-fpm}/php*-fpm.pid rw,
-+  @{run}/php*-fpm.pid rw,
-   @{run}/php{,-fpm}/php*-fpm.sock rwlk,
- 
-   # to reload
-- 
-2.35.3
-
--- a/zgrep-profile-mr870.diff
+++ b/zgrep-profile-mr870.diff
@ -1,87 +0,0 @@
-[Extended to include the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/873]
-[Extended to include the fix from https://gitlab.com/apparmor/apparmor/-/merge_requests/892]
-
-
-From 3a3b49ccd93d00cbc373319b90c6acecdd6f45fa Mon Sep 17 00:00:00 2001
-From: Christian Boltz <apparmor@cboltz.de>
-Date: Sun, 10 Apr 2022 15:03:08 +0200
-Subject: [PATCH] Add zgrep and xzgrep profile
-
-This prevents exploiting https://www.openwall.com/lists/oss-security/2022/04/08/2
-(code execution via "funny" filenames)
---
- profiles/apparmor.d/zgrep | 59 +++++++++++++++++++++++++++++++++++++++
- 1 file changed, 59 insertions(+)
- create mode 100644 profiles/apparmor.d/zgrep
-
-Index: apparmor-3.0.4/profiles/apparmor.d/zgrep
-===================================================================
--- /dev/null
-+++ apparmor-3.0.4/profiles/apparmor.d/zgrep
-@@ -0,0 +1,66 @@
-+# ------------------------------------------------------------------
-+#
-+#    Copyright (C) 2022 Christian Boltz
-+#
-+#    This program is free software; you can redistribute it and/or
-+#    modify it under the terms of version 2 of the GNU General Public
-+#    License published by the Free Software Foundation.
-+#
-+# ------------------------------------------------------------------
-+
-+abi <abi/3.0>,
-+
-+include <tunables/global>
-+
-+profile zgrep /usr/bin/{x,}zgrep {
-+  include <abstractions/base>
-+  include <abstractions/bash>
-+
-+  /dev/tty rw,
-+  /usr/bin/{ba,da,}sh ix,
-+  /usr/bin/bzip2 Cx -> helper,
-+  /usr/bin/cat ix,
-+  /usr/bin/egrep Cx -> helper,
-+  /usr/bin/expr ix,
-+  /usr/bin/fgrep Cx -> helper,
-+  /usr/bin/grep Cx -> helper,
-+  /usr/bin/gzip Cx -> helper,
-+  /usr/bin/mktemp ix,
-+  /usr/bin/rm ix,
-+  /usr/bin/sed Cx -> sed,
-+  /usr/bin/xz Cx -> helper,
-+  /usr/bin/xzgrep r,
-+  /usr/bin/zgrep Cx -> helper,
-+  /usr/bin/zstd Cx -> helper,
-+  owner /tmp/zgrep* rw,
-+  /usr/bin/zgrep r,
-+
-+  include if exists <local/zgrep>
-+
-+  profile helper {
-+    include <abstractions/base>
-+
-+    capability dac_override,
-+    capability dac_read_search,
-+
-+    /dev/tty w,
-+
-+    /usr/bin/{ba,da,}sh ix,
-+    /usr/bin/bzip2 mr,
-+    /usr/bin/grep mrix,
-+    /usr/bin/gzip mr,
-+    /usr/bin/xz mr,
-+    /usr/bin/zstd mr,
-+    /{,**} r,
-+
-+  }
-+
-+  profile sed {
-+    include <abstractions/base>
-+
-+    /dev/tty rw,
-+    /usr/bin/{ba,da,}sh ix,
-+    /usr/bin/sed mr,
-+
-+  }
-+}