From fcc884a7e3f5f0c2f54ef12fc051aa5570afa72d1c5498efc0688f50e8708ffa Mon Sep 17 00:00:00 2001 
From: Christian Boltz Date: Sat, 28 Jan 2017 12:45:16 +0000 Subject: [PATCH] Accepting request 453151 from home:cboltz - update to AppArmor 2.11.0 - apparmor_parser now supports parallel compiles and loads - add full support for dbus, ptrace and signal rules and events to the utils - full rewrite of the file rule handling in the utils - lots of improvements and fixes - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the detailed changelog - patches: - add sshd-profile-drop-local-include-r3615.diff to fix 'make check' - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed - refresh apparmor-abstractions-no-multiline.diff - refresh apparmor-samba-include-permissions-for-shares.diff - spec changes: - aa-unconfined switched to using ss (from iproute2), adjust Recommends: - move libapparmor to /usr/lib*/ - drop %if %suse_version checks for 12.x - change several Obsoletes from %version to < 2.9. Those package names haven't been used for years, and 2.9 is still a careful choice - include apparmor.service independent of %suse_version - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires - drop latex2html, texlive-* and w3m BuildRequires - techdoc.txt and techdoc.html not included, drop them from the package - run most of utils/ make check (some tests expect /etc/apparmor.d/ and /sbin/apparmor_parser to exist, skip them) - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests) - drop sed'ing python3 into aa-* shebang (upstreamed) - build binutils - aa-exec is now written in C and lives in /usr/bin/, move it to the apparmor_parser package and create a compatibility symlink in /usr/sbin/ - aa-exec manpage moved to section 1 - aa-enabled is a small new tool to find out if AppArmor is enabled - package new aa_stack_profile(2) manpage OBS-URL: https://build.opensuse.org/request/show/453151 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=165 ---
aa-unconfined-fix-netstat-call-2.10r3380.diff | 39 ----- apparmor-2.10.2.tar.gz | 3 - apparmor-2.10.2.tar.gz.asc | 16 -- apparmor-2.11.0.tar.gz | 3 + apparmor-2.11.0.tar.gz.asc | 16 ++ apparmor-abstractions-no-multiline.diff | 128 +++++--------- ...-samba-include-permissions-for-shares.diff | 2 +- apparmor.changes | 37 ++++ apparmor.spec | 160 +++++++----------- sshd-profile-drop-local-include-r3615.diff | 30 ++++ 10 files changed, 190 insertions(+), 244 deletions(-) delete mode 100644 aa-unconfined-fix-netstat-call-2.10r3380.diff delete mode 100644 apparmor-2.10.2.tar.gz delete mode 100644 apparmor-2.10.2.tar.gz.asc create mode 100644 apparmor-2.11.0.tar.gz create mode 100644 apparmor-2.11.0.tar.gz.asc create mode 100644 sshd-profile-drop-local-include-r3615.diff diff --git a/aa-unconfined-fix-netstat-call-2.10r3380.diff b/aa-unconfined-fix-netstat-call-2.10r3380.diff deleted file mode 100644 index b23de6d..0000000 --- a/aa-unconfined-fix-netstat-call-2.10r3380.diff +++ /dev/null @@ -1,39 +0,0 @@ ------------------------------------------------------------- -revno: 3380 -committer: Steve Beattie -branch nick: 2.10 -timestamp: Mon 2017-01-09 09:22:58 -0800 -message: - Subject: utils/aa-unconfined: fix netstat invocation regression - - It was reported that converting the netstat command to examine - processes bound to ipv6 addresses broke on OpenSUSE due to the version - of nettools not supporting the short -4 -6 arguments. - - This patch fixes the invocation of netstat to use the "--protocol - inet,inet6" arguments instead, which should return the same results - as the short options. - - 
Signed-off-by: Steve Beattie - Acked-by: Christian Boltz - - -=== modified file 'utils/aa-unconfined' ---- utils/aa-unconfined 2016-12-05 09:21:27 +0000 -+++ utils/aa-unconfined 2017-01-09 17:22:58 +0000 -@@ -46,10 +46,10 @@ - regex_tcp_udp = re.compile(r"^(tcp|udp|raw)6?\s+\d+\s+\d+\s+\S+\:(\d+)\s+\S+\:(\*|\d+)\s+(LISTEN|\d+|\s+)\s+(\d+)\/(\S+)") - import subprocess - if sys.version_info < (3, 0): -- output = subprocess.check_output("LANG=C netstat -nlp46", shell=True).split("\n") -+ output = subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True).split("\n") - else: - #Python3 needs to translate a stream of bytes to string with specified encoding -- output = str(subprocess.check_output("LANG=C netstat -nlp46", shell=True), encoding='utf8').split("\n") -+ output = str(subprocess.check_output("LANG=C netstat -nlp --protocol inet,inet6", shell=True), encoding='utf8').split("\n") - - for line in output: - match = regex_tcp_udp.search(line) - - -vim:ft=diff diff --git a/apparmor-2.10.2.tar.gz b/apparmor-2.10.2.tar.gz deleted file mode 100644 index 4a4bae7..0000000 --- a/apparmor-2.10.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c253656820a2e6b0127af0ba8ceda36ffec1ae5c9dc0ee8793c3fe97121feac3 -size 4497918 diff --git a/apparmor-2.10.2.tar.gz.asc b/apparmor-2.10.2.tar.gz.asc deleted file mode 100644 index cd50488..0000000 --- a/apparmor-2.10.2.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQI3BAABCgAhBQJYcxByGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ -5k49NmS7KLcQAKNtJ8N81T/oOL05bZ6M1g4kjYZ1vIyTx8tFj8iBNBnxWGrWfIMj -EJJeaGFUwbAN9LeTxlbwaGHHukLzQa4rihXPgpmQZl3tYWqwMzMtgtzbjWFIRtGA -cZunTA0i5kOm0N/IEl1hR2JbDMopPgOWEyV7lZxklKYUavo5+8jrYloXKaSzbQGi -KMIms8RF7v4ANOGoqvl6vv3y11JMvvV2VZniPf+myVDcmHjk8jzdzdGEOFRcHvoY -Zg7ZMXbPjPh1VQYbzgdpK95SEXDM9X+4fJtcL2A0ofZQrO9rmFWOrtjxSz88DgWi -qdfepwIGN7uMBLeL2UMlp8OJVOgcsjY2E9XHzVaSUJYRVuPFa/z3fKzEkMh96HQa -xYnsicuQe6HUXxbRoXd/J12Rzla1Bkkvq2NYOwmh4kpZczGGaUK17GxlUryz7C/1 -VodpZd7pFzKmPuoCinKtO0VsQkDJ4qfKUiMSZOutDMR8eHyNxtVS6Qb5GycViLiF -mtHiTipqv0q1HIFZVj3bpbq8Jji9pNHJWI1pwiafYEAqh1hyfGtWGkH3muMROQgL -Qmjuoaw2x2VgPk+nnBSFwgOv4TUO/xVa95VD8HwCFjEHulpzlo8lx6k/9t5fZO6T -kaS6NBQWIQ8hunIKMifKgi+8fFk2FTaUhgZJUP91MiUm5rwPU0y48RY3 -=l0m2 ------END PGP SIGNATURE----- diff --git a/apparmor-2.11.0.tar.gz b/apparmor-2.11.0.tar.gz new file mode 100644 index 0000000..d2b70d2 --- /dev/null +++ b/apparmor-2.11.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a +size 5013297 diff --git a/apparmor-2.11.0.tar.gz.asc b/apparmor-2.11.0.tar.gz.asc new file mode 100644 index 0000000..3aecf82 --- /dev/null +++ b/apparmor-2.11.0.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQI3BAABCgAhBQJYcxbLGhxhcHBhcm1vckBsaXN0cy51YnVudHUuY29tAAoJEGaJ +5k49NmS7Nh4P/Rf1b8NugcYkrXBA3LMS47KF4+fig+4j4jcAsUqY+aDgj02UYcEv +S6XpbzkTJykM0CJ2BLNHHfwUpbVrUDyfABhgh/m9aH0Y52zkteVfYt9tVNxz7OaH +s4M977g5HPvlOIsS2EXyk1g0IZ8WJ830sZpOZIKpgwptgSJeHKiFQJsCINzOzv7z +MKATzhnrnvb4KBwCC3MoUHhCheGvUmQlArn4+/LwCMERHxrrSYr/kl/nDxhqE7HZ +1wdO8TdrG+R595Yc/t0OO+LOCv7TBU5K7TLiN+1wqenrEfR+9RaxpLB2N8a5+LQ0 +kphfS07ht22oWhySG14WL76FrrvN0WBcRBc6hkxgbizCwb+XLLGBUfk50MIabBPu +GQJVnMtTEvlVdpvw0snG4RID8o7Tjv+2NsMi+67fR7dkksHO51jeQBlWeim1ZX+6 +GZPmEtWAuF0cZybnv66sfY7qokBXUaqP6Z9wYUXOVscJTK6XEmVGXinuistR1cJa +O2e0Gji+cxBBejB7QWyHCcssXYo26rHW5kT94hcshqn0Qx1ThH+yTV+PqYiEjsNA +R1AYgDMVCltu/UwuzHmtYo2es1W9Mcsk6htKhDLmT0ze3y+0f7Y463B8afs6RzWW +W28mpt5/PPoFLkWstj+B00GnwO1x2rDbLoq+zvCD5WasZWa8uNV24nRg +=aq9P +-----END PGP SIGNATURE----- diff --git a/apparmor-abstractions-no-multiline.diff b/apparmor-abstractions-no-multiline.diff index 2469a54..1e6b123 100644 --- a/apparmor-abstractions-no-multiline.diff +++ b/apparmor-abstractions-no-multiline.diff 
@@ -35,11 +35,11 @@ Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), Index: profiles/apparmor.d/abstractions/dbus-session-strict =================================================================== ---- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200 -+++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200 -@@ -13,16 +13,9 @@ - /etc/machine-id r, +--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2017-01-11 21:20:01.381935015 +0100 ++++ profiles/apparmor.d/abstractions/dbus-session-strict 2017-01-11 21:20:07.641905170 +0100 +@@ -14,16 +14,9 @@ /var/lib/dbus/machine-id r, + owner /run/user/*/bus rw, - unix (connect, receive, send) - type=stream 
@@ -71,92 +71,42 @@ Index: profiles/apparmor.d/abstractions/dbus-strict - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), +Index: profiles/apparmor.d/abstractions/fcitx-strict +=================================================================== +--- profiles/apparmor.d/abstractions/fcitx-strict.orig 2017-01-11 21:44:55.726947350 +0100 ++++ profiles/apparmor.d/abstractions/fcitx-strict 2017-01-11 21:45:02.830914856 +0100 +@@ -11,11 +11,6 @@ + + #include + +- dbus send +- bus=fcitx +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} +- peer=(name=org.freedesktop.DBus), ++ dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + owner @{HOME}/.config/fcitx/dbus/* r, +Index: profiles/apparmor.d/abstractions/libpam-systemd +=================================================================== +--- profiles/apparmor.d/abstractions/libpam-systemd.orig 2017-01-11 21:47:13.814315855 +0100 ++++ profiles/apparmor.d/abstractions/libpam-systemd 2017-01-11 21:47:19.490289904 +0100 +@@ -12,8 +12,4 @@ + #include + + # libpam-systemd notifies systemd-logind about session logins/logouts +- dbus send +- bus=system +- path=/org/freedesktop/login1 +- interface=org.freedesktop.login1.Manager +- member={CreateSession,ReleaseSession}, ++ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession}, Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base =================================================================== ---- 
profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2014-10-18 13:11:18.497652337 +0200 -+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2014-10-18 13:11:31.098494805 +0200 -@@ -16,41 +16,16 @@ - #include - - # Allow connecting to session bus and where to connect to services -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=Hello -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=session -- path=/org/freedesktop/{db,DB}us -- interface=org.freedesktop.DBus -- member={Add,Remove}Match -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), - # NameHasOwner and GetNameOwner could leak running processes and apps - # depending on how services are implemented -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=GetNameOwner -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=NameHasOwner -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), - - # Allow starting services on the session bus (actual communications with - # the service are mediated elsewhere) -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=StartServiceByName -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName 
peer=(name=org.freedesktop.DBus), - - # Allow connecting to system bus and where to connect to services. Put these - # here so we don't need to repeat these rules in multiple places (actual -@@ -58,108 +36,47 @@ - # allow apps to brute-force enumerate system services, but our system - # services aren't a secret. - /{,var/}run/dbus/system_bus_socket rw, -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=Hello -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=system -- path=/org/freedesktop/{db,DB}us -- interface=org.freedesktop.DBus -- member={Add,Remove}Match -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), - # NameHasOwner and GetNameOwner could leak running processes and apps - # depending on how services are implemented -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=GetNameOwner -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=NameHasOwner -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), - +--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2017-01-11 21:20:07.641905170 +0100 ++++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2017-01-11 21:20:52.197692834 +0100 +@@ -21,78 +21,37 @@ # # Access required for connecting to/communication with Unity HUD # 
@@ -282,7 +232,7 @@ Index: profiles/apparmor.d/abstractions/gnome =================================================================== --- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200 +++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200 -@@ -91,6 +91,4 @@ +@@ -93,6 +93,4 @@ # Allow connecting to the GNOME vfs socket (still need corresponding DBus # rules) diff --git a/apparmor-samba-include-permissions-for-shares.diff b/apparmor-samba-include-permissions-for-shares.diff index ba34685..ed492b9 100644 --- a/apparmor-samba-include-permissions-for-shares.diff +++ b/apparmor-samba-include-permissions-for-shares.diff @@ -20,7 +20,7 @@ Signed-off-by: Christian Boltz === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -47,6 +47,10 @@ +@@ -53,6 +53,10 @@ @{HOMEDIRS}/** lrwk, diff --git a/apparmor.changes b/apparmor.changes index 65cbd2d..a8e780d 100644 --- a/apparmor.changes +++ b/apparmor.changes 
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Fri Jan 27 20:08:03 UTC 2017 - suse-beta@cboltz.de + +- update to AppArmor 2.11.0 + - apparmor_parser now supports parallel compiles and loads + - add full support for dbus, ptrace and signal rules and events to the + utils + - full rewrite of the file rule handling in the utils + - lots of improvements and fixes + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the + detailed changelog +- patches: + - add sshd-profile-drop-local-include-r3615.diff to fix 'make check' + - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed + - refresh apparmor-abstractions-no-multiline.diff + - refresh apparmor-samba-include-permissions-for-shares.diff +- spec changes: + - aa-unconfined switched to using ss (from iproute2), adjust Recommends: + - move libapparmor to /usr/lib*/ + - drop %if %suse_version checks for 12.x + - change several Obsoletes from %version to < 2.9. Those package names + weren't used since years, and 2.9 is still a careful choice + - include apparmor.service independent of %suse_version + - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires + - drop latex2html, texlive-* and w3m BuildRequires + - techdoc.txt and techdoc.html not included, drop them from the package + - run most of utils/ make check (some tests expect /etc/apparmor.d/ and + /sbin/apparmor_parser to exist, skip them) + - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests) + - drop sed'ing python3 into aa-* shebang (upstreamed) + - build binutils + - aa-exec is now written in C and lives in /usr/bin/, move it to the + apparmor_parser package and create a compability symlink in /usr/sbin/ + - aa-exec manpage moved to section 1 + - aa-enabled is a small new tool to find out if AppArmor is enabled + - package new aa_stack_profile(2) manpage + ------------------------------------------------------------------- Tue Jan 24 13:40:30 UTC 2017 
- suse-beta@cboltz.de diff --git a/apparmor.spec b/apparmor.spec index 6e54282..9fb2d45 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -24,23 +24,9 @@ %bcond_without pam %bcond_without apache %bcond_without perl -%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210 - # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch - %bcond_with python - %bcond_with python3 - %bcond_with ruby -%else -%if 0%{?suse_version} == 1220 - # swig for python3 is broken on 12.2 - probably http://sourceforge.net/p/swig/bugs/1257/ - build python2 bindings instead - %bcond_without python - %bcond_with python3 - %bcond_without ruby -%else - %bcond_with python - %bcond_without python3 - %bcond_without ruby -%endif -%endif +%bcond_with python +%bcond_without python3 +%bcond_without ruby %define CATALINA_HOME /usr/share/tomcat6 #define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/ @@ -60,11 +46,12 @@ Name: apparmor %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.10.2 +Version: 2.11.0 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security +Url: https://launchpad.net/apparmor Source0: apparmor-%{version}.tar.gz Source1: apparmor-%{version}.tar.gz.asc Source2: %{name}.keyring @@ -82,9 +69,6 @@ Patch2: apparmor-samba-include-permissions-for-shares.diff # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. Patch3: apparmor-utils-string-split -# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380) -Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff - # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de Patch5: ruby-2_0-mkmf-destdir.patch 
@@ -95,7 +79,9 @@ Patch6: apparmor-abstractions-no-multiline.diff # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -Url: https://launchpad.net/apparmor +# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615) +Patch8: sshd-profile-drop-local-include-r3615.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{distro} == "suse" @@ -104,19 +90,14 @@ PreReq: aaa_base %endif %define apparmor_bin_prefix /lib/apparmor BuildRequires: bison +BuildRequires: dejagnu BuildRequires: flex BuildRequires: gcc-c++ -BuildRequires: latex2html BuildRequires: pcre-devel BuildRequires: pkg-config BuildRequires: python +BuildRequires: python3-pyflakes BuildRequires: perl(Locale::gettext) -%if 0%{?suse_version} > 1220 -BuildRequires: texlive-amsfonts -BuildRequires: texlive-cm-super -%endif -BuildRequires: texlive-latex -BuildRequires: w3m BuildRequires: swig @@ -149,12 +130,12 @@ BuildRequires: tomcat6 Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security -Obsoletes: libimnxcert < %{version} -Obsoletes: subdomain-leaf-cert < %{version} -Obsoletes: subdomain-parser < %{version} -Obsoletes: subdomain-parser-common < %{version} -Obsoletes: subdomain-parser-demo < %{version} -Obsoletes: subdomain_parser < %{version} +Obsoletes: libimnxcert < 2.9 +Obsoletes: subdomain-leaf-cert < 2.9 +Obsoletes: subdomain-parser < 2.9 +Obsoletes: subdomain-parser-common < 2.9 +Obsoletes: subdomain-parser-demo < 2.9 +Obsoletes: subdomain_parser < 2.9 Provides: libimnxcert = %{version} Provides: subdomain-leaf-cert = %{version} Provides: subdomain-parser = %{version} 
@@ -166,10 +147,8 @@ Provides: apparmor-parser(CAP_SYSLOG) # initscript needs /lib/lsb/init-functions from insserv/insserv-compat Requires: insserv -%if 0%{?suse_version} > 1320 BuildRequires: systemd-rpm-macros %{?systemd_requires} -%endif %description parser The AppArmor Parser is a userlevel program that is used to load in @@ -214,13 +193,11 @@ Summary: Utility library for AppArmor License: LGPL-2.1+ Group: Development/Libraries/C and C++ %ifarch ppc64 -Obsoletes: libapparmor-64bit < %{version} +Obsoletes: libapparmor-64bit < 2.9 Provides: libapparmor-64bit = %{version} %endif Provides: libapparmor = %{version} -#Provides: libimmunix = %{version} -Obsoletes: libapparmor < %{version} -#Obsoletes: libimmunix < %{version} +Obsoletes: libapparmor < 2.9 %description -n libapparmor1 This package provides the libapparmor library, which contains the @@ -338,7 +315,7 @@ License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: apparmor-abstractions >= %{version} Requires: apparmor-parser(CAP_SYSLOG) -Obsoletes: subdomain-profiles < %{version} +Obsoletes: subdomain-profiles < 2.9 Provides: subdomain-profiles = %{version} BuildArch: noarch @@ -356,7 +333,7 @@ Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profi License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: libapparmor1 = %{version} -# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify) +# some of the tools are still perl-based (aa-decode and aa-notify) Requires: perl = %{perl_version} Requires: perl-apparmor = %{version} %if %{with python3} @@ -366,12 +343,8 @@ Requires: python3-base Requires: python-apparmor = %{version} Requires: python-base %endif -# aa-unconfined needs netstat -%if 0%{?suse_version} > 1320 -Recommends: net-tools-deprecated -%else -Recommends: net-tools -%endif +# aa-unconfined needs ss +Recommends: iproute2 # aa-notify -p needs notify-send Recommends: libnotify-tools BuildArch: noarch 
@@ -435,27 +408,19 @@ SubDomain. %patch1 -p1 %patch2 %patch3 -p1 -%patch4 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR) -%if 0%{?suse_version} > 1230 %patch5 -p1 -%endif %patch6 %patch7 -p1 +%patch8 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" %build -echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 - export SUSE_ASNEEDED=0 -# re-define _libdir to /lib or /lib64 -%define _libdir /%{_lib} - -echo new _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 %if %{with python3} export PYTHON=/usr/bin/python3 @@ -485,6 +450,9 @@ export PYTHON=/usr/bin/python3 # Utilities: make -C utils +# binutils +make -C binutils + # deprecated/utils (perl modules still needed by YaST) %if %{with perl} make -C deprecated/utils @@ -492,8 +460,6 @@ make -C deprecated/utils # parser: make -C parser V=1 -# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough -make -C parser V=1 techdoc.txt # Apache mod_apparmor: %if %{with apache} @@ -508,8 +474,6 @@ make -C parser V=1 techdoc.txt # Profiles: make -C profiles -##configure --disable-static --with-pic \ -#--with-perl \ %if %{with tomcat} make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} %endif 
@@ -522,11 +486,24 @@ export PYTHON_VERSIONS=python3 make check -C libraries/libapparmor make check -C parser +make check -C binutils + # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks # also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory) (cd profiles && make check-parser) -# utils make check fails if profiles don't exist in /etc/apparmor.d/ -# make check -C utils + +# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist +# (aa.py doesn't allow to inject in-tree paths early enough) +rm -v utils/test/test-aa.py +rm -v utils/test/test-aa-easyprof.py +rm -v utils/test/test-libapparmor-test_multi.py +rm -v utils/test/test-mount_parse.py +rm -v utils/test/test-parser-simple-tests.py +rm -v utils/test/test-pivot_root_parse.py +rm -v utils/test/test-regex_matches.py +rm -v utils/test/test-unix_parse.py + +make check -C utils %install @@ -535,8 +512,7 @@ export PYTHON=/usr/bin/python3 %endif # libapparmor -# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0 -%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/ +%makeinstall -C libraries/libapparmor # create symlink for old change_hat(2) manpage ( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) 
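Review bot: The eight `rm -v utils/test/test-*.py` lines make `make check -C utils` pass by deleting tests from the build tree, so the coverage that is dropped (including the parser-driven test-parser-simple-tests.py and test-regex_matches.py) shows up only as rm output in the build log. Since `make -C parser V=1` has already produced the in-tree parser by this point in %build, it is worth checking whether the tests that only need /sbin/apparmor_parser can be pointed at that binary instead of being removed; if the harness offers no such knob, a comment stating which of the two missing paths each file needs would make the list easier to prune on later updates. Note also that rpmbuild runs %build under `sh -e`, so a test file that vanishes in a future tarball makes `rm -v` abort the build — fine as a deliberate trip-wire, but it should be stated, e.g. `# plain rm, not rm -f: a vanished test file should fail the build so this list gets revisited`.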
@@ -544,12 +520,10 @@ export PYTHON=/usr/bin/python3 %makeinstall -C utils test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568 mkdir -p %{buildroot}%{_localstatedir}/log/apparmor -%if %{with python3} - # enforce usage of python3 - for file in %{buildroot}/%{_sbindir}/aa-* ; do - sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file" - done -%endif + +# binutils +%makeinstall -C binutils +( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec ) # deprecated/utils (perl modules still needed by YaST) %if %{with perl} @@ -569,7 +543,7 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache %endif %if %{with pam} - %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security + %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}/%{_lib}/security %endif %if %{with tomcat} @@ -577,8 +551,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME} %endif -find %{buildroot} -name .packlist -exec rm -f {} \; -find %{buildroot} -name perllocal.pod -exec rm -f {} \; +find %{buildroot} -name .packlist -exec rm -vf {} \; +find %{buildroot} -name perllocal.pod -exec rm -vf {} \; # Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm]. # Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix 
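Review bot: `( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec )` leaves no `%{_sbindir}/aa-exec` at all: the 2.10 package shipped aa-exec itself under %{_sbindir} (the removed shebang loop iterated `%{_sbindir}/aa-*` and the old-name loop derived `exec` from it), so anything invoking /usr/sbin/aa-exec by absolute path breaks with this update while only the bare `exec` name is kept. If that path is meant to survive, a link named after the tool is sufficient — `( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec aa-exec )` — because the later loop over `%{_prefix}/{sbin,share/man/man[0-9]}/aa-*` still has `exec` in its case list and would create `exec` from it as before; keeping both lines would instead make that loop's `ln -s` collide with the explicit `exec` link. Either way, `%{_sbindir}/exec` is not listed in any %files hunk shown here; presumably an unchanged glob covers it, otherwise rpmbuild will flag it as an unpackaged file.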
@@ -587,7 +561,7 @@ for file in %{buildroot}%{_prefix}/{sbin,share/man/man[0-9]}/aa-*; do f=$(basename $file) case "${f#aa-}" in audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \ - audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) + audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) if [ "${f#aa-}" != "$f" ]; then ln -s $f $d/${f#aa-} fi @@ -599,16 +573,14 @@ mv -f %{buildroot}%{_mandir}/man8/{status.8,apparmor_status.8} mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8} rm -f %{buildroot}%{_mandir}/man8/decode.8 -for pkg in apparmor-utils apparmor-parser; do +for pkg in apparmor-utils apparmor-parser aa-binutils; do %find_lang $pkg done # remove *.la files -rm -fv %{buildroot}%{_libdir}/libapparmor.la +rm -fv %{buildroot}%{_libdir}/libapparmor.la -%if 0%{?suse_version} > 1320 install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service -%endif echo ------------------------------------------------------------------- #find -ls @@ -621,7 +593,7 @@ echo ------------------------------------------------------------------- %doc parser/*.[1-9].html %doc utils/vim/apparmor.vim.5.html %doc common/apparmor.css -%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt +%doc parser/techdoc.pdf # apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file %dir %{_datadir}/apparmor %{_datadir}/apparmor/apparmor.vim 
@@ -630,6 +602,8 @@ echo ------------------------------------------------------------------- %defattr(-,root,root) %doc parser/README parser/COPYING.GPL /sbin/apparmor_parser +%{_bindir}/aa-enabled +%{_bindir}/aa-exec %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache @@ -640,14 +614,15 @@ echo ------------------------------------------------------------------- %else %{_sysconfdir}/init.d/apparmor %endif -%if 0%{?suse_version} > 1320 %{_unitdir}/apparmor.service -%endif %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf %{_localstatedir}/lib/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions +%doc %{_mandir}/man1/aa-enabled.1.gz +%doc %{_mandir}/man1/aa-exec.1.gz +%doc %{_mandir}/man1/exec.1.gz %doc %{_mandir}/man5/apparmor.d.5.gz %doc %{_mandir}/man5/apparmor.vim.5.gz %doc %{_mandir}/man5/subdomain.conf.5.gz @@ -658,11 +633,10 @@ echo ------------------------------------------------------------------- if [ -f %{_sysconfdir}/init.d/subdomain ] ; then chkconfig --del subdomain fi -%if 0%{?suse_version} > 1320 %service_add_pre apparmor.service -%endif -%files parser-lang -f apparmor-parser.lang +%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang +%defattr(-,root,root) %files -n libapparmor1 %defattr(-,root,root) @@ -672,8 +646,10 @@ fi %defattr(-,root,root) %{_libdir}/libapparmor.a %{_libdir}/libapparmor.so -/usr/%{_lib}/pkgconfig/libapparmor.pc +%{_libdir}/pkgconfig/libapparmor.pc %doc %{_mandir}/man2/aa_change_hat.2.gz +%doc %{_mandir}/man2/aa_change_profile.2.gz +%doc %{_mandir}/man2/aa_stack_profile.2.gz %doc %{_mandir}/man2/change_hat.2.gz %doc %{_mandir}/man2/aa_find_mountpoint.2.gz %doc %{_mandir}/man2/aa_getcon.2.gz 
@@ -732,7 +708,6 @@ fi %dir %{_datadir}/apparmor %{_datadir}/apparmor/easyprof/ %dir %{_localstatedir}/log/apparmor -%doc %{_mandir}/man2/aa_change_profile.2.gz %doc %{_mandir}/man5/logprof.conf.5.gz %doc %{_mandir}/man8/apparmor_notify.8.gz %doc %{_mandir}/man8/aa-*.gz @@ -743,7 +718,6 @@ fi %doc %{_mandir}/man8/disable.8.gz %doc %{_mandir}/man8/easyprof.8.gz %doc %{_mandir}/man8/enforce.8.gz -%doc %{_mandir}/man8/exec.8.gz %doc %{_mandir}/man8/genprof.8.gz %doc %{_mandir}/man8/logprof.8.gz %doc %{_mandir}/man8/unconfined.8.gz @@ -800,7 +774,7 @@ fi %files -n pam_apparmor %defattr(444,root,root,755) -%attr(555,root,root) %{_libdir}/security/pam_apparmor.so +%attr(555,root,root) /%{_lib}/security/pam_apparmor.so %endif %if %{with tomcat} @@ -853,9 +827,7 @@ fi fi %endif -%if 0%{?suse_version} > 1320 %service_add_post apparmor.service -%endif %preun parser if [ "$1" = 0 ] ; then @@ -867,9 +839,7 @@ if [ "$1" = 0 ] ; then %endif fi -%if 0%{?suse_version} > 1320 %service_del_preun apparmor.service -%endif %postun parser %if %{distro} == "suse" @@ -885,11 +855,9 @@ fi %{insserv_cleanup} || true %endif -%if 0%{?suse_version} > 1320 # don't call try-restart, see bnc#853019 export DISABLE_RESTART_ON_UPDATE="yes" %service_del_postun apparmor.service -%endif %post abstractions %if %{distro} == "suse" diff --git a/sshd-profile-drop-local-include-r3615.diff b/sshd-profile-drop-local-include-r3615.diff new file mode 100644 index 0000000..bab6aca --- /dev/null +++ b/sshd-profile-drop-local-include-r3615.diff 
@@ -0,0 +1,30 @@ +------------------------------------------------------------ +revno: 3615 +committer: Christian Boltz +branch nick: apparmor +timestamp: Thu 2017-01-12 22:01:11 +0100 +message: + sshd profile: drop local/ include + + The local/ include in the sshd profile in extras causes some trouble: + - it breaks "make check" because the parser can't find the local/ file + - it results in a broken profile if someone uses this profile as + starting point, but doesn't notice it needs the local include + + + Acked-by: Steve Beattie + + +=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd' +--- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-07 19:00:06 +0000 ++++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2017-01-12 21:01:11 +0000 +@@ -140,5 +140,5 @@ + /usr/lib/openssh/sftp-server PUx, + + # Site-specific additions and overrides. See local/README for details. +- #include ++ ## include + } + + +vim:ft=diff