From 0525bb6f3c2b8c1e1191639cd917eb9d4beeabf6da61fd7c31eea87e024ca8f6 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 2 Aug 2014 10:37:10 +0000
Subject: [PATCH 1/2] Accepting request 243065 from home:jeff_mahoney:branches:security:apparmor

- add perl-apparmor-fix-bare-network-keyword-handling.diff:
 perl-apparmor: Fix handling of network (or network all) (bnc#889650)

- add perl-apparmor-handle-bare-capability-keyword.diff:
 perl-apparmor: Fix handling of capability keyword (bnc#889651)

- add perl-apparmor-properly-handle-bare-file-keyword.diff:
 perl-apparmor: Properly handle bare file keyword (bnc#889652)

OBS-URL: https://build.opensuse.org/request/show/243065
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=90
---
 apparmor.changes | 12 +++
 apparmor.spec | 12 +++
 ...mor-fix-bare-network-keyword-handling.diff | 34 +++++++++
 ...parmor-handle-bare-capability-keyword.diff | 43 +++++++++++
 ...mor-properly-handle-bare-file-keyword.diff | 73 +++++++++++++++++++
 5 files changed, 174 insertions(+)
 create mode 100644 perl-apparmor-fix-bare-network-keyword-handling.diff
 create mode 100644 perl-apparmor-handle-bare-capability-keyword.diff
 create mode 100644 perl-apparmor-properly-handle-bare-file-keyword.diff
diff --git a/apparmor.changes b/apparmor.changes
index e23eb47..84d56e6 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Jul 30 17:35:13 UTC 2014 - jeffm@suse.com
+
+- add perl-apparmor-fix-bare-network-keyword-handling.diff:
+ perl-apparmor: Fix handling of network (or network all) (bnc#889650)
+
+- add perl-apparmor-handle-bare-capability-keyword.diff:
+ perl-apparmor: Fix handling of capability keyword (bnc#889651)
+
+- add perl-apparmor-properly-handle-bare-file-keyword.diff:
+ perl-apparmor: Properly handle bare file keyword (bnc#889652)
+
 -------------------------------------------------------------------
 Thu Jul 3 14:45:14 UTC 2014 - ddiss@suse.com
diff --git a/apparmor.spec b/apparmor.spec
index 9a01109..8e4f8cb 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -123,6 +123,15 @@ Patch23: apparmor-2.8.2-nm-dnsmasq-config.patch
 # Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch)
 Patch24: apparmor-profiles-clustered-samba.diff
+# perl-apparmor: Fix handling of network (or network all) (bnc#889650)
+Patch25: perl-apparmor-fix-bare-network-keyword-handling.diff
+
+# perl-apparmor: Fix handling of capability keyword (bnc#889651)
+Patch26: perl-apparmor-handle-bare-capability-keyword.diff
+
+# perl-apparmor: Properly handle bare file keyword (bnc#889652)
+Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff
+
 Url: https://launchpad.net/apparmor
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -507,6 +516,9 @@ SubDomain.
 %endif
 %patch24
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
 # profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328)
 test ! -e profiles/apparmor.d/usr.sbin.winbindd
diff --git a/perl-apparmor-fix-bare-network-keyword-handling.diff b/perl-apparmor-fix-bare-network-keyword-handling.diff
new file mode 100644
index 0000000..d936662
--- /dev/null
+++ b/perl-apparmor-fix-bare-network-keyword-handling.diff
@@ -0,0 +1,34 @@
+From: Jeff Mahoney
+Subject: perl-apparmor: Fix bare 'network' keyword handling
+References: bnc#889650
+
+The 'network' bare keyword was being printed as "audit network all" due to
+two different bugs:
+
+1) {audit}{all} was always being set to 1, regardless of whether the audit
+ keyword was used
+2) {rule} eq 'all' is the wrong test - it should be {rule}{all}
+
+With these fixed, 'network' is properly handled.
+
+Signed-off-by: Jeff Mahoney
+--- a/utils/Immunix/AppArmor.pm
++++ b/utils/Immunix/AppArmor.pm
+@@ -5353,7 +5368,7 @@
+ $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
+ } else {
+ $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1;
+- $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1;
++ $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit;
+ }
+ } elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) {
+ # just ignore and drop old style network
+@@ -5708,7 +5729,7 @@
+ # dump out the netdomain entries...
+ if (exists $profile_data->{$allow}{netdomain}) {
+ if ( $profile_data->{$allow}{netdomain}{rule} &&
+- $profile_data->{$allow}{netdomain}{rule} eq 'all') {
++ $profile_data->{$allow}{netdomain}{rule}{all}) {
+ $audit = "audit " if $profile_data->{$allow}{netdomain}{audit}{all};
+ push @data, "${pre}${audit}network,";
+ } else {
diff --git a/perl-apparmor-handle-bare-capability-keyword.diff b/perl-apparmor-handle-bare-capability-keyword.diff
new file mode 100644
index 0000000..e18fc13
--- /dev/null
+++ b/perl-apparmor-handle-bare-capability-keyword.diff
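Review bot: The bare-network write-out in the second inner hunk, `push @data, "${pre}${audit}network,";`, carries no `${allowstr}`, unlike the `${pre}${audit}${allowstr}capability,` line in the sibling capability patch, so a `deny network,` rule stored under `{deny}{netdomain}` appears to be written back without its `deny` prefix, i.e. a deny rule would silently become an allow-all network rule on the next profile save. Changing it to `push @data, "${pre}${audit}${allowstr}network,";` would match the other writers, assuming `$allowstr` is in scope at this point as it is for the capability block a few lines earlier; its declaration is outside the hunk. `$audit` on the preceding line is likewise only ever set, never cleared, so if it is not reset earlier in the enclosing loop an `audit ` prefix could carry over from a previous entry — that declaration is not visible either. Both the parser branch and the writer function begin and end outside the hunk.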
@@ -0,0 +1,43 @@
+From: Jeff Mahoney
+Subject: perl-apparmor: Handle bare 'capability' keyword
+References: bnc#889651
+
+Specifying 'capability' implies all capabilities, but the perl code didn't
+recognize it.
+
+Signed-off-by: Jeff Mahoney
+--- a/utils/Immunix/AppArmor.pm
++++ b/utils/Immunix/AppArmor.pm
+@@ -5151,7 +5151,7 @@
+
+ $initial_comment = "";
+
+- } elsif (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry
++ } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) { # capability entry
+ if (not $profile) {
+ die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
+ }
+@@ -5159,7 +5159,7 @@
+ my $audit = $1 ? 1 : 0;
+ my $allow = $2 ? 'deny' : 'allow';
+ $allow = 'deny' if ($2);
+- my $capability = $3;
++ my $capability = $3 ? $3 : 'all';
+ $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1;
+ $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = $audit;
+ } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry
+@@ -5675,7 +5690,13 @@
+
+ my @data;
+ if (exists $profile_data->{$allow}{capability}) {
+- for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
++ my $audit;
++ if (exists $profile_data->{$allow}{capability}{all}) {
++ $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? 'audit ' : '';
++ push @data, "${pre}${audit}${allowstr}capability,";
++ }
++ for my $cap (sort keys %{$profile_data->{$allow}{capability}}) {
++ next if ($cap eq "all");
+ my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? 'audit ' : '';
+ if ($profile_data->{$allow}{capability}{$cap}{set}) {
+ push @data, "${pre}${audit}${allowstr}capability ${cap},";
diff --git a/perl-apparmor-properly-handle-bare-file-keyword.diff b/perl-apparmor-properly-handle-bare-file-keyword.diff
new file mode 100644
index 0000000..b3a6511
--- /dev/null
+++ b/perl-apparmor-properly-handle-bare-file-keyword.diff
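Review bot: `my $capability = $3 ? $3 : 'all';` in the second inner hunk reads the wrong capture: in the new pattern `capability(\s+(\S+))?` group 3 is the whole optional `\s+(\S+)` group including its leading whitespace, and the bare name is group 4, so `capability setuid,` is stored under the key `" setuid"` and written back as `capability  setuid,` (two spaces), with the captured whitespace growing on every further re-parse. It should read `my $capability = $4 ? $4 : 'all';`. As written, an explicit `capability all,` also lands under `" all"` rather than `all`, so the new `exists ...{capability}{all}` branch in the writer only fires for the bare keyword. The parse branch and the writer function both start and end outside the hunk.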
@@ -0,0 +1,73 @@
+From: Jeff Mahoney
+Subject: perl-apparmor: Properly handle bare 'file' keyword
+References: bnc#889652
+
+The bare file keyword is a shortcut for /{**,}. There are also implied
+permissions that go with it.
+
+This patch accepts the file keyword as well as allowing for missing mode
+specifiers.
+
+Signed-off-by: Jeff Mahoney
+---
+
+ utils/Immunix/AppArmor.pm | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+--- a/utils/Immunix/AppArmor.pm
++++ b/utils/Immunix/AppArmor.pm
+@@ -5252,7 +5252,7 @@
+ } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean
+ } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined
+ } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined
+- } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry
++ } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry
+ if (not $profile) {
+ die sprintf(gettext('%s contains syntax errors.'), $file) . "\n";
+ }
+@@ -5260,7 +5260,19 @@
+ my $audit = $1 ? 1 : 0;
+ my $allow = $2 ? 'deny' : 'allow';
+ my $user = $3 ? 1 : 0;
+- my ($path, $mode, $nt_name) = ($4, $5, $7);
++ my ($path, $mode, $nt_name) = ($5, $6, $8);
++ my $file_keyword = 0;
++ my $use_mode = 1;
++
++ if ($4 eq "file") {
++ $path = "/{**,}";
++ $file_keyword = 1;
++ if (!$mode) {
++ # what the parser uses, but we don't care
++ $mode = "rwixlka";
++ $use_mode = 0;
++ }
++ }
+
+ # strip off any trailing spaces.
+ $path =~ s/\s+$//;
+@@ -5281,6 +5293,9 @@
+ fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode));
+ }
+
++ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode;
++ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword;
++
+ my $tmpmode;
+ if ($user) {
+ $tmpmode = str_to_mode("${mode}::");
+@@ -5838,7 +5859,13 @@
+ }
+ $tmpmode &= ~$tmpaudit;
+ }
+- if ($tmpmode) {
++ my $kw = $profile_data->{$allow}{path}{$path}{file_keyword};
++ my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode};
++ if ($kw) {
++ my $modestr = "";
++ $modestr = " " . mode_to_str($tmpmode) if $use_mode;
++ push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},";
++ } elsif ($tmpmode) {
+ my $modestr = mode_to_str($tmpmode);
+ if ($path =~ /\s/) {
+ push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";
From 95b82b4e5dddae307341bb68b2db5ffb583b1bc15cabcc79117a5ecfa5fbf868 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Sat, 2 Aug 2014 10:53:38 +0000
Subject: [PATCH 2/2] Maually merge SR 243200 by dimstar

Descr: Rename rpmlintrc as per pkg guideline to %{name}-rpmlintrc
Also add upstream commit revisions for the perl-apparmor* patches

OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=91
---
 rpmlintrc => apparmor-rpmlintrc | 0
 apparmor.changes | 6 ++++++
 apparmor.spec | 8 ++++----
 3 files changed, 10 insertions(+), 4 deletions(-)
 rename rpmlintrc => apparmor-rpmlintrc (100%)
diff --git a/rpmlintrc b/apparmor-rpmlintrc
similarity index 100%
rename from rpmlintrc
rename to apparmor-rpmlintrc
diff --git a/apparmor.changes b/apparmor.changes
index 84d56e6..08467f3 100644
--- a/apparmor.changes
+++ b/apparmor.changes
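Review bot: In the bare-file patch (perl-apparmor-properly-handle-bare-file-keyword.diff) the `file` alternative of the rewritten path-entry pattern, `(file|([\"\@\/].*?)\s+(\S+))`, captures no mode, so whenever `$4 eq "file"` holds `$mode` is necessarily undef and `if (!$mode)` is always true; `$use_mode` is therefore always 0 for the keyword, and the `$modestr = " " . mode_to_str($tmpmode) if $use_mode;` line added to the writer can never run. Either drop the inner check and set `$mode = "rwixlka"; $use_mode = 0;` unconditionally in the keyword branch, or, if `file` rules carrying a mode or path are meant to be accepted, give that branch of the pattern its own mode group — which of the two is intended I cannot tell from the hunk, since `file rw,`-style input currently falls through to the syntax-error path. Note also that `{use_mode}` is now stored for every path entry and read back unconditionally in the writer, so the keyword branch depends on both hunks being applied together. The parser branch and the writer function each begin and end outside the hunk.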
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jul 31 14:17:30 UTC 2014 - dimstar@opensuse.org
+
+- Rename rpmlintrc to %{name}-rpmlintrc.
+ Follow the packaging guidelines.
+
 -------------------------------------------------------------------
 Wed Jul 30 17:35:13 UTC 2014 - jeffm@suse.com
diff --git a/apparmor.spec b/apparmor.spec
index 8e4f8cb..6eb1b5f 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -75,7 +75,7 @@ Source3: %{name}-profile-editor.png
 Source4: %{name}-profile-editor.desktop
 Source5: update-trans.sh
 Source6: baselibs.conf
-Source7: rpmlintrc
+Source7: apparmor-rpmlintrc
 # profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078)
 Source10: usr.sbin.winbindd
@@ -123,13 +123,13 @@ Patch23: apparmor-2.8.2-nm-dnsmasq-config.patch
 # Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch)
 Patch24: apparmor-profiles-clustered-samba.diff
-# perl-apparmor: Fix handling of network (or network all) (bnc#889650)
+# perl-apparmor: Fix handling of network (or network all) (bnc#889650) (commited upstream trunk r2571, 2.8 r2135)
 Patch25: perl-apparmor-fix-bare-network-keyword-handling.diff
-# perl-apparmor: Fix handling of capability keyword (bnc#889651)
+# perl-apparmor: Fix handling of capability keyword (bnc#889651) (commited upstream trunk r2572, 2.8 r2136)
 Patch26: perl-apparmor-handle-bare-capability-keyword.diff
-# perl-apparmor: Properly handle bare file keyword (bnc#889652)
+# perl-apparmor: Properly handle bare file keyword (bnc#889652) (commited upstream trunk r2573, 2.8 )
 Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff
 Url: https://launchpad.net/apparmor
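Review bot: The updated Patch27 comment in the `@@ -123,13 +123,13 @@` hunk of apparmor.spec ends with `2.8 )` — the 2.8-branch revision that the two preceding comments record (`2.8 r2135`, `2.8 r2136`) is missing, which reads as an unfinished edit rather than a deliberate "not yet merged" marker. Either fill in the revision as `(commited upstream trunk r2573, 2.8 r<2.8-branch revision placeholder>)` or state explicitly that the 2.8 backport is pending, as the Patch24 comment does with its `TODO: merge into 2.8 branch` note.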