Accepting request 453151 from home:cboltz

- update to AppArmor 2.11.0 - apparmor_parser now supports parallel compiles and loads - add full support for dbus, ptrace and signal rules and events to the utils - full rewrite of the file rule handling in the utils - lots of improvements and fixes - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the detailed changelog - patches: - add sshd-profile-drop-local-include-r3615.diff to fix 'make check' - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed - refresh apparmor-abstractions-no-multiline.diff - refresh apparmor-samba-include-permissions-for-shares.diff - spec changes: - aa-unconfined switched to using ss (from iproute2), adjust Recommends: - move libapparmor to /usr/lib*/ - drop %if %suse_version checks for 12.x - change several Obsoletes from %version to < 2.9. Those package names weren't used since years, and 2.9 is still a careful choice - include apparmor.service independent of %suse_version - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires - drop latex2html, texlive-* and w3m BuildRequires - techdoc.txt and techdoc.html not included, drop them from the package - run most of utils/ make check (some tests expect /etc/apparmor.d/ and /sbin/apparmor_parser to exist, skip them) - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests) - drop sed'ing python3 into aa-* shebang (upstreamed) - build binutils - aa-exec is now written in C and lives in /usr/bin/, move it to the apparmor_parser package and create a compability symlink in /usr/sbin/ - aa-exec manpage moved to section 1 - aa-enabled is a small new tool to find out if AppArmor is enabled - package new aa_stack_profile(2) manpage OBS-URL: https://build.opensuse.org/request/show/453151 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=165
2017-01-28 12:45:16 +00:00 · 2017-01-28 12:45:16 +00:00 · fcc884a7e3
commit fcc884a7e3
parent 99869c0576
10 changed files with 190 additions and 244 deletions
--- a/aa-unconfined-fix-netstat-call-2.10r3380.diff
+++ b/aa-unconfined-fix-netstat-call-2.10r3380.diff
@ -1,39 +0,0 @@
------------------------------------------------------------
-revno: 3380
-committer: Steve Beattie <sbeattie@ubuntu.com>
-branch nick: 2.10
-timestamp: Mon 2017-01-09 09:22:58 -0800
-message:
-  Subject: utils/aa-unconfined: fix netstat invocation regression
-  
-  It was reported that converting the netstat command to examine
-  processes bound to ipv6 addresses broke on OpenSUSE due to the version
-  of nettools not supporting the short -4 -6 arguments.
-  
-  This patch fixes the invocation of netstat to use the "--protocol
-  inet,inet6" arguments instead, which should return the same results
-  as the short options.
-  
-  Signed-off-by: Steve Beattie <steve@nxnw.org>
-  Acked-by: Christian Boltz <apparmor@cboltz.de>
-
-
-=== modified file 'utils/aa-unconfined'
--- utils/aa-unconfined	2016-12-05 09:21:27 +0000
-+++ utils/aa-unconfined	2017-01-09 17:22:58 +0000
-@@ -46,10 +46,10 @@
-     regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)")
-     import subprocess
-     if sys.version_info < (3, 0):
-        output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n")
-+        output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n")
-     else:
-         #Python3 needs to translate a stream of bytes to string with specified encoding
-        output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n")
-+        output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n")
- 
-     for line in output:
-         match = regex_tcp_udp.search(line)
-
-
-vim:ft=diff
--- a/apparmor-2.10.2.tar.gz
+++ b/apparmor-2.10.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3
-size 4497918
--- a/apparmor-2.10.2.tar.gz.asc
+++ b/apparmor-2.10.2.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQI3BAABCgAhBQJYcxByGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
-5k49NmS7KLcQAKNtJ8N81T/oOL05bZ6M1g4kjYZ1vIyTx8tFj8iBNBnxWGrWfIMj
-EJJeaGFUwbAN9LeTxlbwaGHHukLzQa4rihXPgpmQZl3tYWqwMzMtgtzbjWFIRtGA
-cZunTA0i5kOm0N/IEl1hR2JbDMopPgOWEyV7lZxklKYUavo5+8jrYloXKaSzbQGi
-KMIms8RF7v4ANOGoqvl6vv3y11JMvvV2VZniPf+myVDcmHjk8jzdzdGEOFRcHvoY
-Zg7ZMXbPjPh1VQYbzgdpK95SEXDM9X+4fJtcL2A0ofZQrO9rmFWOrtjxSz88DgWi
-qdfepwIGN7uMBLeL2UMlp8OJVOgcsjY2E9XHzVaSUJYRVuPFa/z3fKzEkMh96HQa
-xYnsicuQe6HUXxbRoXd/J12Rzla1Bkkvq2NYOwmh4kpZczGGaUK17GxlUryz7C/1
-VodpZd7pFzKmPuoCinKtO0VsQkDJ4qfKUiMSZOutDMR8eHyNxtVS6Qb5GycViLiF
-mtHiTipqv0q1HIFZVj3bpbq8Jji9pNHJWI1pwiafYEAqh1hyfGtWGkH3muMROQgL
-Qmjuoaw2x2VgPk+nnBSFwgOv4TUO/xVa95VD8HwCFjEHulpzlo8lx6k/9t5fZO6T
-kaS6NBQWIQ8hunIKMifKgi+8fFk2FTaUhgZJUP91MiUm5rwPU0y48RY3
-=l0m2
-----END PGP SIGNATURE-----
--- a/apparmor-2.11.0.tar.gz
+++ b/apparmor-2.11.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a
+size 5013297
--- a/apparmor-2.11.0.tar.gz.asc
+++ b/apparmor-2.11.0.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQI3BAABCgAhBQJYcxbLGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ
+5k49NmS7Nh4P/Rf1b8NugcYkrXBA3LMS47KF4+fig+4j4jcAsUqY+aDgj02UYcEv
+S6XpbzkTJykM0CJ2BLNHHfwUpbVrUDyfABhgh/m9aH0Y52zkteVfYt9tVNxz7OaH
+s4M977g5HPvlOIsS2EXyk1g0IZ8WJ830sZpOZIKpgwptgSJeHKiFQJsCINzOzv7z
+MKATzhnrnvb4KBwCC3MoUHhCheGvUmQlArn4+/LwCMERHxrrSYr/kl/nDxhqE7HZ
+1wdO8TdrG+R595Yc/t0OO+LOCv7TBU5K7TLiN+1wqenrEfR+9RaxpLB2N8a5+LQ0
+kphfS07ht22oWhySG14WL76FrrvN0WBcRBc6hkxgbizCwb+XLLGBUfk50MIabBPu
+GQJVnMtTEvlVdpvw0snG4RID8o7Tjv+2NsMi+67fR7dkksHO51jeQBlWeim1ZX+6
+GZPmEtWAuF0cZybnv66sfY7qokBXUaqP6Z9wYUXOVscJTK6XEmVGXinuistR1cJa
+O2e0Gji+cxBBejB7QWyHCcssXYo26rHW5kT94hcshqn0Qx1ThH+yTV+PqYiEjsNA
+R1AYgDMVCltu/UwuzHmtYo2es1W9Mcsk6htKhDLmT0ze3y+0f7Y463B8afs6RzWW
+W28mpt5/PPoFLkWstj+B00GnwO1x2rDbLoq+zvCD5WasZWa8uNV24nRg
+=aq9P
+-----END PGP SIGNATURE-----
--- a/apparmor-abstractions-no-multiline.diff
+++ b/apparmor-abstractions-no-multiline.diff
@ -35,11 +35,11 @@ Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict
 +  dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
 Index: profiles/apparmor.d/abstractions/dbus-session-strict
 ===================================================================
--- profiles/apparmor.d/abstractions/dbus-session-strict.orig	2014-10-18 13:11:18.498652324 +0200
-+++ profiles/apparmor.d/abstractions/dbus-session-strict	2014-10-18 13:11:31.098494805 +0200
-@@ -13,16 +13,9 @@
-   /etc/machine-id r,
+--- profiles/apparmor.d/abstractions/dbus-session-strict.orig	2017-01-11 21:20:01.381935015 +0100
+++ profiles/apparmor.d/abstractions/dbus-session-strict	2017-01-11 21:20:07.641905170 +0100
+@@ -14,16 +14,9 @@
   /var/lib/dbus/machine-id r,
+   owner /run/user/*/bus rw,
 
 -  unix (connect, receive, send)
 -       type=stream
@ -71,92 +71,42 @@ Index: profiles/apparmor.d/abstractions/dbus-strict
 -       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
 -       peer=(name=org.freedesktop.DBus),
 +  dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
+Index: profiles/apparmor.d/abstractions/fcitx-strict
+===================================================================
+--- profiles/apparmor.d/abstractions/fcitx-strict.orig	2017-01-11 21:44:55.726947350 +0100
+++ profiles/apparmor.d/abstractions/fcitx-strict	2017-01-11 21:45:02.830914856 +0100
+@@ -11,11 +11,6 @@
+ 
+   #include <abstractions/dbus-session-strict>
+ 
+-  dbus send
+-      bus=fcitx
+-      path=/org/freedesktop/DBus
+-      interface=org.freedesktop.DBus
+-      member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+-      peer=(name=org.freedesktop.DBus),
+  dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
+ 
+   owner @{HOME}/.config/fcitx/dbus/* r,
+Index: profiles/apparmor.d/abstractions/libpam-systemd
+===================================================================
+--- profiles/apparmor.d/abstractions/libpam-systemd.orig	2017-01-11 21:47:13.814315855 +0100
+++ profiles/apparmor.d/abstractions/libpam-systemd	2017-01-11 21:47:19.490289904 +0100
+@@ -12,8 +12,4 @@
+ #include <abstractions/dbus-strict>
+ 
+   # libpam-systemd notifies systemd-logind about session logins/logouts
+-  dbus send
+-    bus=system
+-    path=/org/freedesktop/login1
+-    interface=org.freedesktop.login1.Manager
+-    member={CreateSession,ReleaseSession},
+  dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession},
 Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
 ===================================================================
--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig	2014-10-18 13:11:18.497652337 +0200
-+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base	2014-10-18 13:11:31.098494805 +0200
-@@ -16,41 +16,16 @@
- #include <abstractions/gnome>
- 
-   # Allow connecting to session bus and where to connect to services
-  dbus (send)
-       bus=session
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=Hello
-       peer=(name=org.freedesktop.DBus),
-  dbus (send)
-       bus=session
-       path=/org/freedesktop/{db,DB}us
-       interface=org.freedesktop.DBus
-       member={Add,Remove}Match
-       peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
-   # NameHasOwner and GetNameOwner could leak running processes and apps
-   # depending on how services are implemented
-  dbus (send)
-       bus=session
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=GetNameOwner
-       peer=(name=org.freedesktop.DBus),
-  dbus (send)
-       bus=session
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=NameHasOwner
-       peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
- 
-   # Allow starting services on the session bus (actual communications with
-   # the service are mediated elsewhere)
-  dbus (send)
-       bus=session
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=StartServiceByName
-       peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus),
- 
-   # Allow connecting to system bus and where to connect to services. Put these
-   # here so we don't need to repeat these rules in multiple places (actual
-@@ -58,108 +36,47 @@
-   # allow apps to brute-force enumerate system services, but our system
-   # services aren't a secret.
-   /{,var/}run/dbus/system_bus_socket rw,
-  dbus (send)
-       bus=system
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=Hello
-       peer=(name=org.freedesktop.DBus),
-  dbus (send)
-       bus=system
-       path=/org/freedesktop/{db,DB}us
-       interface=org.freedesktop.DBus
-       member={Add,Remove}Match
-       peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
-   # NameHasOwner and GetNameOwner could leak running processes and apps
-   # depending on how services are implemented
-  dbus (send)
-       bus=system
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=GetNameOwner
-       peer=(name=org.freedesktop.DBus),
-  dbus (send)
-       bus=system
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=NameHasOwner
-       peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
-+  dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
- 
+--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig	2017-01-11 21:20:07.641905170 +0100
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base	2017-01-11 21:20:52.197692834 +0100
+@@ -21,78 +21,37 @@
   #
   # Access required for connecting to/communication with Unity HUD
   #
@ -282,7 +232,7 @@ Index: profiles/apparmor.d/abstractions/gnome
 ===================================================================
 --- profiles/apparmor.d/abstractions/gnome.orig	2014-10-06 21:06:23.000000000 +0200
 +++ profiles/apparmor.d/abstractions/gnome	2014-10-18 13:17:22.661505791 +0200
-@@ -91,6 +91,4 @@
+@@ -93,6 +93,4 @@
 
   # Allow connecting to the GNOME vfs socket (still need corresponding DBus
   # rules)
--- a/apparmor-samba-include-permissions-for-shares.diff
+++ b/apparmor-samba-include-permissions-for-shares.diff
@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz <apparmor@cboltz.de>
 === modified file 'profiles/apparmor.d/usr.sbin.smbd'
 --- profiles/apparmor.d/usr.sbin.smbd	2011-08-27 18:50:42 +0000
 +++ profiles/apparmor.d/usr.sbin.smbd	2011-10-19 09:37:04 +0000
-@@ -47,6 +47,10 @@
+@@ -53,6 +53,10 @@
 
   @{HOMEDIRS}/** lrwk,
 
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Fri Jan 27 20:08:03 UTC 2017 - suse-beta@cboltz.de
+
+- update to AppArmor 2.11.0
+  - apparmor_parser now supports parallel compiles and loads
+  - add full support for dbus, ptrace and signal rules and events to the
+    utils
+  - full rewrite of the file rule handling in the utils
+  - lots of improvements and fixes
+  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the
+    detailed changelog
+- patches:
+  - add sshd-profile-drop-local-include-r3615.diff to fix 'make check'
+  - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed
+  - refresh apparmor-abstractions-no-multiline.diff
+  - refresh apparmor-samba-include-permissions-for-shares.diff
+- spec changes:
+  - aa-unconfined switched to using ss (from iproute2), adjust Recommends:
+  - move libapparmor to /usr/lib*/
+  - drop %if %suse_version checks for 12.x
+  - change several Obsoletes from %version to < 2.9. Those package names
+    weren't used since years, and 2.9 is still a careful choice
+  - include apparmor.service independent of %suse_version
+  - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires
+    - drop latex2html, texlive-* and w3m BuildRequires
+    - techdoc.txt and techdoc.html not included, drop them from the package
+  - run most of utils/ make check (some tests expect /etc/apparmor.d/ and
+    /sbin/apparmor_parser to exist, skip them)
+  - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests)
+  - drop sed'ing python3 into aa-* shebang (upstreamed)
+  - build binutils
+    - aa-exec is now written in C and lives in /usr/bin/, move it to the
+      apparmor_parser package and create a compability symlink in /usr/sbin/
+    - aa-exec manpage moved to section 1
+    - aa-enabled is a small new tool to find out if AppArmor is enabled
+  - package new aa_stack_profile(2) manpage
+
 -------------------------------------------------------------------
 Tue Jan 24 13:40:30 UTC 2017 - suse-beta@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -24,23 +24,9 @@
 %bcond_without pam
 %bcond_without apache
 %bcond_without perl
-%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210
- # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch
- %bcond_with python
- %bcond_with python3
- %bcond_with ruby
-%else
-%if 0%{?suse_version} == 1220
- # swig for python3 is broken on 12.2 - probably http://sourceforge.net/p/swig/bugs/1257/ - build python2 bindings instead
- %bcond_without python
- %bcond_with python3
- %bcond_without ruby
-%else
- %bcond_with python
- %bcond_without python3
- %bcond_without ruby
-%endif
-%endif
+%bcond_with python
+%bcond_without python3
+%bcond_without ruby

 %define CATALINA_HOME /usr/share/tomcat6
 #define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/
@ -60,11 +46,12 @@ Name:           apparmor
 %if ! %{?distro:1}0
  %define distro suse
 %endif
-Version:        2.10.2
+Version:        2.11.0
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
+Url:            https://launchpad.net/apparmor
 Source0:        apparmor-%{version}.tar.gz
 Source1:        apparmor-%{version}.tar.gz.asc
 Source2:        %{name}.keyring
@ -82,9 +69,6 @@ Patch2:         apparmor-samba-include-permissions-for-shares.diff
 # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width.
 Patch3:         apparmor-utils-string-split

-# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380)
-Patch4:         aa-unconfined-fix-netstat-call-2.10r3380.diff
-
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
 Patch5:         ruby-2_0-mkmf-destdir.patch

@ -95,7 +79,9 @@ Patch6:         apparmor-abstractions-no-multiline.diff
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7:         apparmor-lessopen-profile.patch

-Url:            https://launchpad.net/apparmor
+# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615)
+Patch8:         sshd-profile-drop-local-include-r3615.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if %{distro} == "suse"
@ -104,19 +90,14 @@ PreReq:         aaa_base
 %endif
 %define apparmor_bin_prefix /lib/apparmor
 BuildRequires:  bison
+BuildRequires:  dejagnu
 BuildRequires:  flex
 BuildRequires:  gcc-c++
-BuildRequires:  latex2html
 BuildRequires:  pcre-devel
 BuildRequires:  pkg-config
 BuildRequires:  python
+BuildRequires:  python3-pyflakes
 BuildRequires:  perl(Locale::gettext)
-%if 0%{?suse_version} > 1220
-BuildRequires:  texlive-amsfonts
-BuildRequires:  texlive-cm-super
-%endif
-BuildRequires:  texlive-latex
-BuildRequires:  w3m

 BuildRequires:  swig

@ -149,12 +130,12 @@ BuildRequires:  tomcat6
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security
-Obsoletes:      libimnxcert < %{version}
-Obsoletes:      subdomain-leaf-cert < %{version}
-Obsoletes:      subdomain-parser < %{version}
-Obsoletes:      subdomain-parser-common < %{version}
-Obsoletes:      subdomain-parser-demo < %{version}
-Obsoletes:      subdomain_parser < %{version}
+Obsoletes:      libimnxcert < 2.9
+Obsoletes:      subdomain-leaf-cert < 2.9
+Obsoletes:      subdomain-parser < 2.9
+Obsoletes:      subdomain-parser-common < 2.9
+Obsoletes:      subdomain-parser-demo < 2.9
+Obsoletes:      subdomain_parser < 2.9
 Provides:       libimnxcert = %{version}
 Provides:       subdomain-leaf-cert = %{version}
 Provides:       subdomain-parser = %{version}
@ -166,10 +147,8 @@ Provides:       apparmor-parser(CAP_SYSLOG)
 # initscript needs /lib/lsb/init-functions from insserv/insserv-compat
 Requires:       insserv

-%if 0%{?suse_version} > 1320
 BuildRequires:  systemd-rpm-macros
 %{?systemd_requires}
-%endif

 %description parser
 The AppArmor Parser is a userlevel program that is used to load in
@ -214,13 +193,11 @@ Summary:        Utility library for AppArmor
 License:        LGPL-2.1+
 Group:          Development/Libraries/C and C++
 %ifarch ppc64
-Obsoletes:      libapparmor-64bit < %{version}
+Obsoletes:      libapparmor-64bit < 2.9
 Provides:       libapparmor-64bit = %{version}
 %endif
 Provides:       libapparmor = %{version}
-#Provides:       libimmunix = %{version}
-Obsoletes:      libapparmor < %{version}
-#Obsoletes:      libimmunix < %{version}
+Obsoletes:      libapparmor < 2.9

 %description -n libapparmor1
 This package provides the libapparmor library, which contains the
@ -338,7 +315,7 @@ License:        GPL-2.0 and LGPL-2.1+
 Group:          Productivity/Security
 Requires:       apparmor-abstractions >= %{version}
 Requires:       apparmor-parser(CAP_SYSLOG)
-Obsoletes:      subdomain-profiles < %{version}
+Obsoletes:      subdomain-profiles < 2.9
 Provides:       subdomain-profiles = %{version}
 BuildArch:      noarch

@ -356,7 +333,7 @@ Summary:        AppArmor User-Level Utilities Useful for Creating AppArmor Profi
 License:        GPL-2.0 and LGPL-2.1+
 Group:          Productivity/Security
 Requires:       libapparmor1 = %{version}
-# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify)
+# some of the tools are still perl-based (aa-decode and aa-notify)
 Requires:       perl = %{perl_version}
 Requires:       perl-apparmor = %{version}
 %if %{with python3}
@ -366,12 +343,8 @@ Requires:       python3-base
 Requires:       python-apparmor = %{version}
 Requires:       python-base
 %endif
-# aa-unconfined needs netstat
-%if 0%{?suse_version} > 1320
-Recommends:     net-tools-deprecated
-%else
-Recommends:     net-tools
-%endif
+# aa-unconfined needs ss
+Recommends:     iproute2
 # aa-notify -p needs notify-send
 Recommends:     libnotify-tools
 BuildArch:      noarch
@ -435,27 +408,19 @@ SubDomain.
 %patch1 -p1
 %patch2
 %patch3 -p1
-%patch4

 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR)
-%if 0%{?suse_version} > 1230
 %patch5 -p1
-%endif

 %patch6
 %patch7 -p1
+%patch8

 # search for left-over multiline rules
 test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

 %build
-echo _libdir: %{_libdir}  ruby: %{rb_sitearch}  python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
-
 export SUSE_ASNEEDED=0
-# re-define _libdir to /lib or /lib64
-%define _libdir /%{_lib}
-
-echo new _libdir: %{_libdir}  ruby: %{rb_sitearch}  python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1

 %if %{with python3}
 export PYTHON=/usr/bin/python3
@ -485,6 +450,9 @@ export PYTHON=/usr/bin/python3
 # Utilities:
 make -C utils

+# binutils
+make -C binutils
+
 # deprecated/utils (perl modules still needed by YaST)
 %if %{with perl}
 make -C deprecated/utils
@ -492,8 +460,6 @@ make -C deprecated/utils

 # parser:
 make -C parser V=1
-# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough
-make -C parser V=1 techdoc.txt

 # Apache mod_apparmor:
 %if %{with apache}
@ -508,8 +474,6 @@ make -C parser V=1 techdoc.txt
 # Profiles:
 make -C profiles

-##configure --disable-static --with-pic \
-#--with-perl \
 %if %{with tomcat}
  make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
 %endif
@ -522,11 +486,24 @@ export PYTHON_VERSIONS=python3

 make check -C libraries/libapparmor
 make check -C parser
+make check -C binutils
+
 # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
 # also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
 (cd profiles && make check-parser)
-# utils make check fails if profiles don't exist in /etc/apparmor.d/
-# make check -C utils
+
+# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist
+# (aa.py doesn't allow to inject in-tree paths early enough)
+rm -v utils/test/test-aa.py
+rm -v utils/test/test-aa-easyprof.py
+rm -v utils/test/test-libapparmor-test_multi.py
+rm -v utils/test/test-mount_parse.py
+rm -v utils/test/test-parser-simple-tests.py
+rm -v utils/test/test-pivot_root_parse.py
+rm -v utils/test/test-regex_matches.py
+rm -v utils/test/test-unix_parse.py
+
+make check -C utils

 %install

@ -535,8 +512,7 @@ export PYTHON=/usr/bin/python3
 %endif

 # libapparmor
-# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0
-%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/
+%makeinstall -C libraries/libapparmor
 # create symlink for old change_hat(2) manpage
 ( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 )

@ -544,12 +520,10 @@ export PYTHON=/usr/bin/python3
 %makeinstall -C utils
 test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568
 mkdir -p %{buildroot}%{_localstatedir}/log/apparmor
-%if %{with python3}
-    # enforce usage of python3
-    for file in %{buildroot}/%{_sbindir}/aa-* ; do
-        sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file"
-    done
-%endif
+
+# binutils
+%makeinstall -C binutils
+( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )

 # deprecated/utils (perl modules still needed by YaST)
 %if %{with perl}
@ -569,7 +543,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
 %endif

 %if %{with pam}
-  %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security
+  %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}/%{_lib}/security
 %endif

 %if %{with tomcat}
@ -577,8 +551,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
  %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME}
 %endif

-find %{buildroot} -name .packlist -exec rm -f {} \;
-find %{buildroot} -name perllocal.pod -exec rm -f {} \;
+find %{buildroot} -name .packlist -exec rm -vf {} \;
+find %{buildroot} -name perllocal.pod -exec rm -vf {} \;

 # Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm].
 # Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix
@ -587,7 +561,7 @@ for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do
    f=$(basename $file)
    case "${f#aa-}" in
        audit    | autodep    | complain    | decode | disable                  | enforce    | exec    | genprof    | logprof    | notify   | status   | unconfined  | \
-        audit.8* | autodep.8* | complain.8*          | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
+        audit.8* | autodep.8* | complain.8*          | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* )
            if [ "${f#aa-}" != "$f" ]; then
                ln -s $f $d/${f#aa-}
            fi
@ -599,16 +573,14 @@ mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8}
 mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8}
 rm -f %{buildroot}%{_mandir}/man8/decode.8

-for pkg in apparmor-utils apparmor-parser; do
+for pkg in apparmor-utils apparmor-parser aa-binutils; do
    %find_lang $pkg
 done

 # remove *.la files
-rm -fv %{buildroot}%{_libdir}/libapparmor.la 
+rm -fv %{buildroot}%{_libdir}/libapparmor.la

-%if 0%{?suse_version} > 1320
 install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
-%endif

 echo -------------------------------------------------------------------
 #find -ls
@ -621,7 +593,7 @@ echo -------------------------------------------------------------------
 %doc parser/*.[1-9].html
 %doc utils/vim/apparmor.vim.5.html
 %doc common/apparmor.css
-%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt
+%doc parser/techdoc.pdf
 # apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file
 %dir %{_datadir}/apparmor
 %{_datadir}/apparmor/apparmor.vim
@ -630,6 +602,8 @@ echo -------------------------------------------------------------------
 %defattr(-,root,root)
 %doc parser/README parser/COPYING.GPL
 /sbin/apparmor_parser
+%{_bindir}/aa-enabled
+%{_bindir}/aa-exec
 %dir %attr(-, root, root) %{_sysconfdir}/apparmor
 %dir %{_sysconfdir}/apparmor.d
 %{_sysconfdir}/apparmor.d/cache
@ -640,14 +614,15 @@ echo -------------------------------------------------------------------
 %else
  %{_sysconfdir}/init.d/apparmor
 %endif
-%if 0%{?suse_version} > 1320
 %{_unitdir}/apparmor.service
-%endif
 %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
 %config(noreplace) %{_sysconfdir}/apparmor/parser.conf
 %{_localstatedir}/lib/apparmor
 %dir %attr(-, root, root) %{apparmor_bin_prefix}
 %{apparmor_bin_prefix}/rc.apparmor.functions
+%doc %{_mandir}/man1/aa-enabled.1.gz
+%doc %{_mandir}/man1/aa-exec.1.gz
+%doc %{_mandir}/man1/exec.1.gz
 %doc %{_mandir}/man5/apparmor.d.5.gz
 %doc %{_mandir}/man5/apparmor.vim.5.gz
 %doc %{_mandir}/man5/subdomain.conf.5.gz
@ -658,11 +633,10 @@ echo -------------------------------------------------------------------
 if [ -f %{_sysconfdir}/init.d/subdomain ] ; then
  chkconfig --del subdomain
 fi
-%if 0%{?suse_version} > 1320
 %service_add_pre apparmor.service
-%endif

-%files parser-lang -f apparmor-parser.lang
+%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang
+%defattr(-,root,root)

 %files -n libapparmor1
 %defattr(-,root,root)
@ -672,8 +646,10 @@ fi
 %defattr(-,root,root)
 %{_libdir}/libapparmor.a
 %{_libdir}/libapparmor.so
-/usr/%{_lib}/pkgconfig/libapparmor.pc
+%{_libdir}/pkgconfig/libapparmor.pc
 %doc %{_mandir}/man2/aa_change_hat.2.gz
+%doc %{_mandir}/man2/aa_change_profile.2.gz
+%doc %{_mandir}/man2/aa_stack_profile.2.gz
 %doc %{_mandir}/man2/change_hat.2.gz
 %doc %{_mandir}/man2/aa_find_mountpoint.2.gz
 %doc %{_mandir}/man2/aa_getcon.2.gz
@ -732,7 +708,6 @@ fi
 %dir %{_datadir}/apparmor
 %{_datadir}/apparmor/easyprof/
 %dir %{_localstatedir}/log/apparmor
-%doc %{_mandir}/man2/aa_change_profile.2.gz
 %doc %{_mandir}/man5/logprof.conf.5.gz
 %doc %{_mandir}/man8/apparmor_notify.8.gz
 %doc %{_mandir}/man8/aa-*.gz
@ -743,7 +718,6 @@ fi
 %doc %{_mandir}/man8/disable.8.gz
 %doc %{_mandir}/man8/easyprof.8.gz
 %doc %{_mandir}/man8/enforce.8.gz
-%doc %{_mandir}/man8/exec.8.gz
 %doc %{_mandir}/man8/genprof.8.gz
 %doc %{_mandir}/man8/logprof.8.gz
 %doc %{_mandir}/man8/unconfined.8.gz
@ -800,7 +774,7 @@ fi

 %files -n pam_apparmor
 %defattr(444,root,root,755)
-%attr(555,root,root) %{_libdir}/security/pam_apparmor.so
+%attr(555,root,root) /%{_lib}/security/pam_apparmor.so
 %endif

 %if %{with tomcat}
@ -853,9 +827,7 @@ fi
  fi
 %endif

-%if 0%{?suse_version} > 1320
 %service_add_post apparmor.service
-%endif

 %preun parser
 if [ "$1" = 0 ] ; then
@ -867,9 +839,7 @@ if [ "$1" = 0 ] ; then
 %endif
 fi

-%if 0%{?suse_version} > 1320
 %service_del_preun apparmor.service
-%endif

 %postun parser
 %if %{distro} == "suse"
@ -885,11 +855,9 @@ fi
  %{insserv_cleanup} || true
 %endif

-%if 0%{?suse_version} > 1320
 # don't call try-restart, see bnc#853019
 export DISABLE_RESTART_ON_UPDATE="yes"
 %service_del_postun apparmor.service
-%endif

 %post abstractions
 %if %{distro} == "suse"
--- a/sshd-profile-drop-local-include-r3615.diff
+++ b/sshd-profile-drop-local-include-r3615.diff
@ -0,0 +1,30 @@
+------------------------------------------------------------
+revno: 3615
+committer: Christian Boltz <apparmor@cboltz.de>
+branch nick: apparmor
+timestamp: Thu 2017-01-12 22:01:11 +0100
+message:
+  sshd profile: drop local/ include
+  
+  The local/ include in the sshd profile in extras causes some trouble:
+  - it breaks "make check" because the parser can't find the local/ file
+  - it results in a broken profile if someone uses this profile as
+    starting point, but doesn't notice it needs the local include
+  
+  
+  Acked-by: Steve Beattie <steve@nxnw.org>
+
+
+=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
+--- profiles/apparmor/profiles/extras/usr.sbin.sshd	2016-12-07 19:00:06 +0000
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd	2017-01-12 21:01:11 +0000
+@@ -140,5 +140,5 @@
+   /usr/lib/openssh/sftp-server PUx,
+ 
+   # Site-specific additions and overrides. See local/README for details.
+-  #include <local/usr.sbin.sshd>
+  ## include <local/usr.sbin.sshd>
+ }
+
+
+vim:ft=diff