Accepting request 780264 from home:mkraus:branches:Base:System

- Update to version 20200228:
  * chkstat: fix readline() on platforms with unsigned char

- Update to version 20200227:
  * remove capability whitelisting for radosgw
  * whitelist ceph log directory (bsc#1150366)
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013
  * add a test for symlinked directories
  * fix relative symlink handling
  * include cpp compat headers, not C headers
  * Move permissions and permissions.* except .local to /usr/share/permissions
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * regtest: bindMount(): explicitly reject read-only recursive mounts
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance

OBS-URL: https://build.opensuse.org/request/show/780264
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=252

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
             <param name="url">https://github.com/openSUSE/permissions.git</param>
-          <param name="changesrevision">8676fc316fb0b9eb56ad9d354b8cafb8b1f2f258</param></service></servicedata>
+          <param name="changesrevision">bfa5f7c7437b3fa939b0a88007e2d1cc6de605c9</param></service></servicedata>

fix_version.sh

@@ -3,4 +3,4 @@
 version=`date '+%Y%m%d'`
 
 echo "setting version to ${version}"
-sed -E -i -e "s/^%define VERSION [0-9]+/%define VERSION ${version}/" permissions.spec
+sed -E -i -e "s/^%define VERSION_DATE [0-9]+/%define VERSION_DATE ${version}/" permissions.spec

permissions-20200213.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b7378f25982ade8a1983cb891bc5ee3962f1380d85b458078850686b65b9c895
-size 21532

permissions-20200228.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b779962f0f1ae43ef95a987d842861d65ddfabaa442204ce5d8bc7b3e4134c59
+size 36196

permissions.changes

@@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Fri Feb 28 12:00:44 UTC 2020 - malte.kraus@suse.com
+
+- Update to version 20200228:
+  * chkstat: fix readline() on platforms with unsigned char
+
+-------------------------------------------------------------------
+Thu Feb 27 12:29:29 UTC 2020 - malte.kraus@suse.com
+
+- Update to version 20200227:
+  * remove capability whitelisting for radosgw
+  * whitelist ceph log directory (bsc#1150366)
+  * adjust testsuite to post CVE-2020-8013 link handling
+  * testsuite: add option to not mount /proc
+  * do not follow symlinks that are the final path element: CVE-2020-8013
+  * add a test for symlinked directories
+  * fix relative symlink handling
+  * include cpp compat headers, not C headers
+  * Move permissions and permissions.* except .local to /usr/share/permissions
+  * regtest: fix the static PATH list which was missing /usr/bin
+  * regtest: also unshare the PID namespace to support /proc mounting
+  * regtest: bindMount(): explicitly reject read-only recursive mounts
+  * Makefile: force remove upon clean target to prevent bogus errors
+  * regtest: by default automatically (re)build chkstat before testing
+  * regtest: add test for symlink targets
+  * regtest: make capability setting tests optional
+  * regtest: fix capability assertion helper logic
+  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
+  * regtest: add another test that catches when privilege bits are set for special files
+  * regtest: add test case for user owned symlinks
+  * regtest: employ subuid and subgid feature in user namespace
+  * regtest: add another test case that covers unknown user/group config
+  * regtest: add another test that checks rejection of insecure mixed-owner paths
+  * regtest: add test that checks for rejection of world-writable paths
+  * regtest: add test for detection of unexpected parent directory ownership
+  * regtest: add further helper functions, allow access to main instance
+  * regtest: introduce some basic coloring support to improve readability
+  * regtest: sort imports, another piece of rationale
+  * regtest: add capability test case
+  * regtest: improve error flagging of test cases and introduce warnings
+  * regtest: support caps
+  * regtest: add a couple of command line parameter test cases
+  * regtest: add another test that checks whether the default profile works
+  * regtests: add tests for correct application of local profiles
+  * regtest: add further test cases that test correct profile application
+  * regtest: simplify test implementation and readability
+  * regtest: add helpers for permissions.d per package profiles
+  * regtest: support read-only bind mounts, also bind-mount permissions repo
+  * tests: introduce a regression test suite for chkstat
+  * Makefile: allow to build test version programmatically
+  * README.md: add basic readme file that explains the repository's purpose
+  * chkstat: change and harmonize coding style
+  * chkstat: switch to C++ compilation unit
+- add suse_version to end of permissions package version
+
 -------------------------------------------------------------------
 Thu Feb 13 12:10:41 UTC 2020 - malte.kraus@suse.com
 

permissions.spec

@@ -16,26 +16,28 @@
 #
 
 
-%define VERSION 20200213
+%define VERSION_DATE 20200228
 
 Name:           permissions
-Version:        %{VERSION}
+Version:        %{VERSION_DATE}.%{suse_version}
 Release:        0
 Summary:        SUSE Linux Default Permissions
 # Maintained in github by the security team.
 License:        GPL-2.0-or-later
 Group:          Productivity/Security
 URL:            http://github.com/openSUSE/permissions
-Source:         permissions-%{version}.tar.xz
+Source:         permissions-%{VERSION_DATE}.tar.xz
 Source1:        fix_version.sh
+BuildRequires:  gcc-c++
 BuildRequires:  libcap-devel
+BuildRequires:  libcap-progs
 Requires:       chkstat
 Requires:       permissions-config
 Recommends:     permissions-doc
-Provides:       aaa_base:%{_sysconfdir}/permissions
+Provides:       aaa_base:%{_datadir}/permissions
 
 %prep
-%setup -q
+%setup -q -n permissions-%{VERSION_DATE}
 
 %build
 make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0
@@ -43,6 +45,10 @@ make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0
 %install
 %make_install fillupdir=%{_fillupdir}
 
+# regression tests disabled for the moment, needs adjustment for the new /usr/share world
+#%check
+#tests/regtest.py
+
 %description
 Permission settings of files and directories depending on the local
 security settings. The local security setting ("easy", "secure", or "paranoid")
@@ -55,11 +61,11 @@ This package does not contain files, it just requires the necessary packages.
 %package doc
 Summary:        SUSE Linux Default Permissions documentation
 Group:          Documentation/Man
-Version:        %{suse_version}_%{VERSION}
+Version:        %{suse_version}_%{VERSION_DATE}
 Release:        0
 
 %description doc
-Documentation for the permission files /etc/permissions*.
+Documentation for the permission files /usr/share/permissions/permissions*.
 
 %files doc
 %{_mandir}/man5/permissions.5%{ext_man}
@@ -67,7 +73,7 @@ Documentation for the permission files /etc/permissions*.
 %package config
 Summary:        SUSE Linux Default Permissions config files
 Group:          Productivity/Security
-Version:        %{suse_version}_%{VERSION}
+Version:        %{suse_version}_%{VERSION_DATE}
 Release:        0
 Requires(post): %fillup_prereq
 Requires(post): chkstat
@@ -75,13 +81,15 @@ Requires(post): chkstat
 Requires(pre):  group(trusted)
 
 %description config
-The actual permissions configuration files, /etc/permission.*.
+The actual permissions configuration files, /usr/share/permissions/permission.*.
 
 %files config
-%config %{_sysconfdir}/permissions
-%config %{_sysconfdir}/permissions.easy
-%config %{_sysconfdir}/permissions.secure
-%config %{_sysconfdir}/permissions.paranoid
+%defattr(644, root, root, 755)
+%dir %{_datadir}/permissions
+%{_datadir}/permissions/permissions
+%{_datadir}/permissions/permissions.easy
+%{_datadir}/permissions/permissions.secure
+%{_datadir}/permissions/permissions.paranoid
 %config(noreplace) %{_sysconfdir}/permissions.local
 %{_fillupdir}/sysconfig.security
 
@@ -93,7 +101,7 @@ The actual permissions configuration files, /etc/permission.*.
 %package -n chkstat
 Summary:        SUSE Linux Default Permissions tool
 Group:          Productivity/Security
-Version:        %{suse_version}_%{VERSION}
+Version:        %{suse_version}_%{VERSION_DATE}
 Release:        0
 
 %description -n chkstat
@@ -105,7 +113,7 @@ Tool to check and set file permissions.
 
 %package -n permissions-zypp-plugin
 BuildArch:      noarch
-Requires:       permissions = %{VERSION}
+Requires:       permissions = %{VERSION_DATE}.%{suse_version}
 Requires:       python3-zypp-plugin
 Requires:       libzypp(plugin:commit) = 1
 Summary:        A zypper commit plugin for calling chkstat