From 0d233a7a59346691672ab68d220e376dacad985eea32a2f565c5821d324fb86f Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Tue, 27 Oct 2020 07:43:21 +0000 Subject: [PATCH] Accepting request 844172 from home:cboltz:branches:Virtualization - Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with AppArmor 3.0 (add missing include ) I'll submit AppArmor 3.0 to Factory in the next days. Please forward this fix ASAP - without it, the firejail AppArmor profile will fail to load. OBS-URL: https://build.opensuse.org/request/show/844172 OBS-URL: https://build.opensuse.org/package/show/Virtualization/firejail?expand=0&rev=30 --- firejail-apparmor-3.0.diff | 37 +++++++++++++++++++++++++++++++++++++ firejail.changes | 6 ++++++ firejail.spec | 3 +++ 3 files changed, 46 insertions(+) create mode 100644 firejail-apparmor-3.0.diff diff --git a/firejail-apparmor-3.0.diff b/firejail-apparmor-3.0.diff new file mode 100644 index 0000000..cf2833b --- /dev/null +++ b/firejail-apparmor-3.0.diff 
@@ -0,0 +1,37 @@ +Note: this patch is backported/modified - upstream moved the AppArmor profile +to etc/apparmor/firejail-default in the meantime +-- cboltz, 2020-10-26 + + + +commit bba750c73469ea315d859464ddd19e495d830a72 +Author: Kristóf Marussy +Date: Sat Oct 10 13:27:42 2020 +0200 + + Fix AppArmor 3.0 support (closes #3659) + + AppArmor introduces the @{run} variable, which is used in + and among + other places. Thus, we follow suit of the built-in profiles and #include + , which includes in AppArmor 3.0, + defining the variable. + + As exists in previous versions of AppArmor, too, this + patch does not introduce a backward-compatibility issue with Apparmor + 2.x. + +diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default +index 68e20d9b..e396ae7d 100644 +--- a/etc/firejail-default ++++ b/etc/firejail-default +@@ -2,6 +2,10 @@ + # Generic Firejail AppArmor profile + ######################################### + ++# AppArmor 3.0 uses the @{run} variable in ++# and . ++#include ++ + ########## + # A simple PID declaration based on Ubuntu's @{pid} + # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global. diff --git a/firejail.changes b/firejail.changes index c7d76da..e6e915e 100644 --- a/firejail.changes +++ b/firejail.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Oct 26 22:34:02 UTC 2020 - Christian Boltz + +- Add firejail-apparmor-3.0.diff to make the AppArmor profile compatible with + AppArmor 3.0 (add missing include ) + ------------------------------------------------------------------- Wed Aug 19 06:15:16 UTC 2020 - Paolo Stivanin diff --git a/firejail.spec b/firejail.spec index 37a06ee..d2a30b0 100644 --- a/firejail.spec +++ b/firejail.spec 
@@ -27,6 +27,8 @@ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar. Source1: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.xz.asc # PATCH-FIX-OPENSUSE firejail-0.9.62-fix-usr-etc.patch -- https://github.com/netblue30/firejail/issues/3145 two patches combined, source see file Patch0: firejail-0.9.62-fix-usr-etc.patch +# PATCH-FIX-UPSTREAM firejail-apparmor-3.0.diff -- https://github.com/netblue30/firejail/issues/3659 +Patch1: firejail-apparmor-3.0.diff BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: libapparmor-devel @@ -45,6 +47,7 @@ Linux namespace support. It supports sandboxing specific users upon login. %prep %setup -q %patch0 -p1 +%patch1 -p1 sed -i '1s/^#!\/usr\/bin\/env /#!\/usr\/bin\//' contrib/fj-mkdeb.py contrib/fjclip.py contrib/fjdisplay.py contrib/fjresize.py contrib/sort.py %build
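Review bot: In the new file firejail-apparmor-3.0.diff, the embedded `diff --git` line names a/etc/apparmor/firejail-default and b/etc/apparmor/firejail-default, while the `---` and `+++` lines directly below it name a/etc/firejail-default and b/etc/firejail-default. The note at the top of the file explains why (upstream moved the profile), but the two headers now disagree about the target. Since this is already marked as a modified backport, change the `diff --git` line to the etc/firejail-default path so every header in the patch points at the file that exists in the packaged tarball.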
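Review bot: The new firejail.changes entry describes the fix but carries no reference to where it came from, while the spec comment links https://github.com/netblue30/firejail/issues/3659 and the patch header names upstream commit bba750c73469ea315d859464ddd19e495d830a72. Add the upstream issue reference to the changelog line as well, so someone reading only the changelog can trace the patch and knows the failure mode it prevents (per the request text, the profile fails to load under AppArmor 3.0 without it).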
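Review bot: In firejail.spec, the `# PATCH-FIX-UPSTREAM firejail-apparmor-3.0.diff` comment does not say that the patch is a modified backport against the old etc/firejail-default path, which is stated only inside the patch file. Mention that in the spec comment, together with the upstream commit id from the patch header, so that on the next version update it is obvious that `Patch1` and `%patch1 -p1` should be dropped rather than rebased once the tarball ships the profile under etc/apparmor/firejail-default.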