Accepting request 964948 from security:apparmor

- Add update-samba-bgqd.diff to add new rule to fix 'DENIED' open on /proc/{pid}/fd for samba-bgqd (bnc#1196850). - Add update-usr-sbin-smbd.diff to add new rule to allow reading of openssl.cnf (bnc#1195463). OBS-URL: https://build.opensuse.org/request/show/964948 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=165
2022-03-28 15:00:35 +00:00
parent 8ef65ccef3 3154bca472
commit fe99ae5b7e
4 changed files with 49 additions and 0 deletions
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Mar 24 14:09:58 UTC 2022 - Noel Power <nopower@suse.com>
+
+- Add update-samba-bgqd.diff to add new rule to fix 'DENIED' open on
+  /proc/{pid}/fd for samba-bgqd (bnc#1196850).
+- Add update-usr-sbin-smbd.diff to add new rule to allow reading of
+  openssl.cnf (bnc#1195463).
+
 -------------------------------------------------------------------
 Thu Feb 10 16:55:38 UTC 2022 - Christian Boltz <suse-beta@cboltz.de>

--- a/apparmor.spec
+++ b/apparmor.spec
@@ -77,6 +77,14 @@ Patch5:         apparmor-lessopen-nfs-workaround.diff

 # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527)
 Patch6:         apache-extra-profile-include-if-exists.diff
+# bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd
+# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/860)
+# bsc#1195463 add rule to allow reading of openssl.cnf
+# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
+Patch7:         update-samba-bgqd.diff
+# bsc#1195463 add rule to allow reading of openssl.cnf
+# see (https://gitlab.com/apparmor/apparmor/-/merge_requests/862)
+Patch8:         update-usr-sbin-smbd.diff

 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -340,6 +348,8 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/
 %patch3 -p1
 %patch4
 %patch5
+%patch7 -p1
+%patch8 -p1

 %build
 %define _lto_cflags %{nil}
--- a/update-samba-bgqd.diff
+++ b/update-samba-bgqd.diff
@@ -0,0 +1,19 @@
+Index: apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
+===================================================================
+--- apparmor-3.0.4.orig/profiles/apparmor.d/samba-bgqd
+++ apparmor-3.0.4/profiles/apparmor.d/samba-bgqd
+@@ -6,11 +6,14 @@ profile samba-bgqd /usr/lib*/samba/samba
+   include <abstractions/base>
+   include <abstractions/cups-client>
+   include <abstractions/nameservice>
+  include <abstractions/openssl>
+   include <abstractions/samba>
+ 
+   signal receive set=term peer=smbd,
+ 
+   @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+   @{run}/samba/samba-bgqd.pid wk,
+ 
+   /usr/lib*/samba/samba-bgqd m,
--- a/update-usr-sbin-smbd.diff
+++ b/update-usr-sbin-smbd.diff
@@ -0,0 +1,12 @@
+Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
+===================================================================
+--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
+@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd {
+   include <abstractions/consoles>
+   include <abstractions/cups-client>
+   include <abstractions/nameservice>
+  include <abstractions/openssl>
+   include <abstractions/samba>
+   include <abstractions/user-tmp>
+   include <abstractions/wutmp>