From fb230fe709dfb7e6e947515b1f264b01fa5c46304142a1f12474cafdae399acc Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Tue, 5 Mar 2013 18:19:50 +0000
Subject: [PATCH] Accepting request 157409 from home:cboltz - nscd profile: add missing permissions and deny capability block_suspend (bnc#807104) Please also add this patch to openSUSE 12.3 The patch only adds permissions, which means it can't break anything. Even "deny capability block_suspend" doesn't take away any permissions (everything that is not allowed is denied by default). The deny rule just disables the logging for capability block_suspend.
OBS-URL: https://build.opensuse.org/request/show/157409
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=33
---
 apparmor-profiles-nscd.diff | 32 ++++++++++++++++++++++++++++++++
 apparmor.changes | 6 ++++++
 apparmor.spec | 4 ++++
 3 files changed, 42 insertions(+)
 create mode 100644 apparmor-profiles-nscd.diff
diff --git a/apparmor-profiles-nscd.diff b/apparmor-profiles-nscd.diff
new file mode 100644
index 0000000..7155f22
--- /dev/null
+++ b/apparmor-profiles-nscd.diff
@@ -0,0 +1,32 @@
+=== modified file 'profiles/apparmor.d/usr.sbin.nscd'
+--- profiles/apparmor.d/usr.sbin.nscd 2011-08-23 22:57:42 +0000
++++ profiles/apparmor.d/usr.sbin.nscd 2013-03-05 17:45:49 +0000
+@@ -16,6 +16,7 @@
+ #include
+ #include
+ 
++ deny capability block_suspend,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+@@ -31,9 +32,9 @@
+ /{,var/}run/.nscd_socket wl,
+ /{,var/}run/avahi-daemon/socket w,
+ /{,var/}run/nscd/ rw,
+- /{,var/}run/nscd/db* wl,
++ /{,var/}run/nscd/db* rwl,
+ /{,var/}run/nscd/socket wl,
+- /var/{cache,run}/nscd/{passwd,group,services,hosts} rw,
++ /var/{cache,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{,var/}run/{nscd/,}nscd.pid rwl,
+ /var/log/nscd.log rw,
+ @{PROC}/[0-9]*/fd/ r,
+@@ -41,6 +42,7 @@
+ @{PROC}/[0-9]*/maps r,
+ @{PROC}/[0-9]*/mounts r,
+ @{PROC}/filesystems r,
++ @{PROC}/sys/vm/overcommit_memory r,
+ 
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+ 
diff --git a/apparmor.changes b/apparmor.changes
index 9a5402f..d2a6622 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 5 17:49:42 UTC 2013 - opensuse@cboltz.de
+
+- nscd profile: add missing permissions and deny capability block_suspend
+ (bnc#807104)
+
 -------------------------------------------------------------------
 Sun Feb 17 09:59:48 UTC 2013 - jengelh@inai.de
diff --git a/apparmor.spec b/apparmor.spec
index 4dae626..e61f91c 100644
--- a/apparmor.spec
+++ b/apparmor.spec
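Review bot: The new `deny capability block_suspend,` rule should carry a comment in the profile saying why it is an explicit deny rather than a missing allow, because in AppArmor an explicit deny is silent and takes precedence over every allow rule, including any an administrator later adds through the site-specific `#include` at the end of this profile. Anyone who later finds nscd genuinely needing the capability will get no audit event pointing at this line, and tools such as `aa-logprof` will never propose it. Suggested comment directly above the rule: `# nscd asks for block_suspend but runs fine without it; deny it explicitly only to keep the request out of the audit log. An explicit deny cannot be re-allowed from the local/ include.` The `#include` targets appear stripped in this rendering, so the exact local include name is not visible here.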
@@ -70,6 +70,9 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff
 # changed paths for MySQL, add MariaDB support (bnc#798183, commited upstream 2013-01-13, trunk r2104, 2.8 branch r2070)
 Patch3: apparmor-abstractions-mysql-path.diff
+# nscd profile: add missing permissions and deny capability block_suspend (bnc#807104, patch sent upstream 2013-03-05)
+Patch4: apparmor-profiles-nscd.diff
+
 # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch5: apparmor-utils-string-split
@@ -413,6 +416,7 @@ SubDomain.
 %patch1 -p1
 %patch2 -p0
 %patch3 -p0
+%patch4 -p0
 %patch5 -p1
 %patch12 -p1