Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory
checked in at Fri Sep 9 11:06:31 CEST 2011.



--------
--- apparmor/apparmor.changes   2011-08-02 11:53:57.000000000 +0200
+++ /mounts/work_src_done/STABLE/apparmor/apparmor.changes      2011-09-07 
17:13:33.000000000 +0200
@@ -1,0 +2,19 @@
+Mon Aug 22 11:54:21 UTC 2011 - [email protected]
+
+- install SubDomain.pm compat module (bnc#713408)
+
+-------------------------------------------------------------------
+Wed Aug  3 02:46:08 CEST 2011 - [email protected]
+
+- Update to 2.6.1.
+  - One patch eliminated
+  - Lots of minor fixes
+  - Split out more common abstractions
+- Add check_for_apparmor() helper.
+
+-------------------------------------------------------------------
+Tue Aug  2 17:07:43 CEST 2011 - [email protected]
+
+- dhcpd: Fix apparmor profile (bnc#692428)
+
+-------------------------------------------------------------------
@@ -8,0 +28,5 @@
+Sun Jul 17 20:04:18 UTC 2011 - [email protected]
+ 
+- Fixed typos in descriptions and summaries of apparmor.spec
+ 
+-------------------------------------------------------------------
@@ -12,0 +37,5 @@
+
+-------------------------------------------------------------------
+Tue Jun 21 09:54:28 UTC 2011 - [email protected]
+
+- move the requires and prerequires to the right package

calling whatdependson for head-i586


Old:
----
  apparmor-2.6.0.tar.bz2
  apparmor-no-caching-test

New:
----
  apparmor-2.6.0-dhcpd
  apparmor-2.6.1.tar.bz2
  apparmor-compat-routines

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.yei52D/_old  2011-09-09 11:06:13.000000000 +0200
+++ /var/tmp/diff_new_pack.yei52D/_new  2011-09-09 11:06:13.000000000 +0200
@@ -45,8 +45,8 @@
   %define distro suse
 %endif
 Summary:        AppArmor userlevel parser utility
-Version:        2.6.0
-Release:        58
+Version:        2.6.1
+Release:        1
 Group:          Productivity/Networking/Security
 Source0:        apparmor-%{version}.tar.bz2
 Source1:        %{name}-profile-editor.png
@@ -54,7 +54,6 @@
 Source3:        update-trans.sh
 
 Patch1:         apparmor-scripts
-Patch2:         apparmor-no-caching-test
 Patch3:         apparmor-utils-add-log-types
 Patch4:         apparmor-utils-filenames-in-slash
 Patch5:         apparmor-utils-string-split
@@ -75,6 +74,8 @@
 Patch20:        apparmor-profiles-dhclient
 Patch21:        apparmor-utils-subdomain-compat
 Patch22:        apparmor-securityfs-systemd.patch
+Patch23:        apparmor-2.6.0-dhcpd
+Patch24:        apparmor-compat-routines
 License:        GPLv2+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Url:            https://launchpad.net/apparmor
@@ -99,12 +100,6 @@
 BuildRequires:  ruby-devel swig
 %endif
 
-%if %{with pam}
-BuildRequires:  pam-devel
-Requires:       pam pam-config
-PreReq:         pam pam-config
-%endif
-
 %if %{with apache}
 BuildRequires:  apache2-devel
 %endif
@@ -246,7 +241,7 @@
 
 %description -n perl-apparmor
 This package provides the perl interface to AppArmor. It is used for perl
-applications interfacing with AppArmor, including the AppArmor utiltities.
+applications interfacing with AppArmor, including the AppArmor utilities.
 
 Authors:
 --------
@@ -365,8 +360,11 @@
 
 %package -n pam_apparmor
 License:        GPLv2 ; LGPLv2.1+
-Summary:        PAM module to for AppArmor change_hat
+Summary:        PAM module for AppArmor change_hat
 Group:          Productivity/Security
+BuildRequires:  pam-devel
+Requires:       pam pam-config
+PreReq:         pam pam-config
 
 %description -n pam_apparmor
 The pam_apparmor module provides the means for any PAM applications
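Review bot: The `BuildRequires: pam-devel` / `Requires:` / `PreReq:` lines added to the pam_apparmor subpackage lost the `%if %{with pam}` guard that wrapped them in the block removed earlier in this file (just after the `ruby-devel swig` BuildRequires), so unless the `%package -n pam_apparmor` section itself sits inside a `%if %{with pam}` block — its start is outside this hunk — a build with pam disabled now still pulls in pam-devel. If the conditional is still wanted, wrap the three new lines in `%if %{with pam}` … `%endif`. `PreReq:` is a legacy tag; `Requires(pre):  pam pam-config` is the modern spelling if the rest of the spec has already moved to it.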
@@ -422,7 +420,7 @@
 Group:          System/GUI/GNOME
 
 %description -n apparmorapplet-gnome
-This taskbar applet recieves AppArmor events over DBUS, and notifies
+This taskbar applet receives AppArmor events over DBUS, and notifies
 the user when AppArmor prevents an application from functioning.
 
 
@@ -448,7 +446,6 @@
 %prep
 %setup -q -n %{name}-%{version}
 %patch1 -p1
-%patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
@@ -469,6 +466,8 @@
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
+%patch24 -p1
 
 %build
 export SUSE_ASNEEDED=0

++++++ apparmor-2.5.1-edirectory-profile ++++++
--- /var/tmp/diff_new_pack.yei52D/_old  2011-09-09 11:06:13.000000000 +0200
+++ /var/tmp/diff_new_pack.yei52D/_new  2011-09-09 11:06:13.000000000 +0200
@@ -17,7 +17,7 @@
 
 --- a/profiles/apparmor.d/abstractions/nameservice
 +++ b/profiles/apparmor.d/abstractions/nameservice
-@@ -70,6 +70,9 @@
+@@ -72,6 +72,9 @@
    # kerberos
    #include <abstractions/kerberosclient>
  

++++++ apparmor-2.5.1-ldapclient-profile ++++++
--- /var/tmp/diff_new_pack.yei52D/_old  2011-09-09 11:06:13.000000000 +0200
+++ /var/tmp/diff_new_pack.yei52D/_new  2011-09-09 11:06:13.000000000 +0200
@@ -48,7 +48,7 @@
    # db backend
    /var/lib/misc/*.db      r,
    # The Name Service Cache Daemon can cache lookups, sometimes leading
-@@ -58,6 +53,9 @@
+@@ -60,6 +55,9 @@
    # nis
    #include <abstractions/nis>
  

++++++ apparmor-2.5.1-unified-build ++++++
++++ 15592 lines (skipped)
++++ between apparmor/apparmor-2.5.1-unified-build
++++ and /mounts/work_src_done/STABLE/apparmor/apparmor-2.5.1-unified-build

++++++ apparmor-2.6.0-dhcpd ++++++
From: Jeff Mahoney <[email protected]>
Subject: dhcpd: Fix apparmor profile
References: bnc#692428

 This patch adds the network rules needed, corrects the path to dhcpd.leases,
 and adds the path for TSIG DNS keys.

Reported-by: Andrew Beames <[email protected]>
Signed-off-by: Jeff Mahoney <[email protected]>
---
 profiles/apparmor/profiles/extras/usr.sbin.dhcpd |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.dhcpd
@@ -21,12 +21,17 @@
   capability setuid,
   capability sys_chroot,
 
+  network inet raw,
+  network packet raw,
+
   /db/dhcpd.leases*     lrw,
   /etc/dhcpd.conf      r,
   /etc/hosts.allow     r,
   /etc/hosts.deny      r,
   /usr/sbin/dhcpd      rmix,
-  /var/lib/dhcp/dhcpd.leases*  rwl,
+  /var/lib/dhcp/db/dhcpd.leases*       rwl,
   /var/lib/dhcp/etc/dhcpd.conf  r,
   /var/run/dhcpd.pid   wl,
+  /etc/named.d/*       r,
+  @{PROC}/net/dev      r,
 }
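Review bot: `/etc/named.d/*       r,` gives dhcpd read access to everything in named's configuration directory, which is wider than the "TSIG DNS keys" the patch description says it is for; scoping the rule to the file(s) that actually carry the key (e.g. a `*.key` glob or a dedicated keys subdirectory, whatever the target layout is) keeps a misbehaving dhcpd from reading the rest of named's configuration. The two `network … raw,` rules are what a DHCP server needs for packet sockets on not-yet-configured interfaces, but a one-line comment saying so (`# raw/packet sockets are required for DHCP on unconfigured interfaces`) would stop a later reviewer from tightening them. The renamed `/var/lib/dhcp/db/dhcpd.leases*` line keeps the `l` (link) permission; worth confirming dhcpd still needs it rather than plain rename-on-write.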
++++++ apparmor-2.6.0.tar.bz2 -> apparmor-2.6.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/Makefile new/apparmor-2.6.1/Makefile
--- old/apparmor-2.6.0/Makefile 2011-02-24 10:32:08.000000000 +0100
+++ new/apparmor-2.6.1/Makefile 2011-03-10 19:08:24.000000000 +0100
@@ -16,7 +16,7 @@
      common \
      tests
 
-REPO_URL?=lp:apparmor
+REPO_URL?=lp:apparmor/2.6
 # alternate possibilities to export from
 #REPO_URL=.
 #REPO_URL="bzr+ssh://bazaar.launchpad.net/~sbeattie/+junk/apparmor-dev/"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/README new/apparmor-2.6.1/README
--- old/apparmor-2.6.0/README   2010-07-26 18:26:26.000000000 +0200
+++ new/apparmor-2.6.1/README   2011-03-19 07:15:43.000000000 +0100
@@ -17,7 +17,8 @@
 and change_profile(2) to be used by non-GPL binaries).
 
 For more information, you can read the techdoc.pdf (available after
-building the parser) and http://apparmor.wiki.kernel.org.
+building the parser) and by visiting the http://apparmor.net/ web
+site.
 
 
 -------------
@@ -29,13 +30,26 @@
 changehat/     source for using changehat with Apache, PAM and Tomcat
 common/                common makefile rules
 desktop/       empty
-kernel-patches/        patches for various kernel versions
+kernel-patches/        compatibility patches for various kernel versions
 libraries/     libapparmor source and language bindings
 parser/                source for parser/loader and corresponding documentation
 profiles/      configuration files, reference profiles and abstractions
 tests/         regression and stress testsuites
 utils/         high-level utilities for working with AppArmor
 
+--------------------------------------
+Important note on AppArmor kernel code
+--------------------------------------
+
+While most of the kernel AppArmor code has been accepted in the
+upstream Linux kernel, a few important pieces were not included. These
+missing pieces unfortunately are important bits for AppArmor userspace
+and kernel interaction; therefore we have included compatibility
+patches in the kernel-patches/ subdirectory, versioned by upstream
+kernel (2.6.37 patches should apply cleanly to 2.6.38 source).
+
+Without these patches applied to the kernel, the AppArmor userspace
+will not function correctly.
 
 ------------------------------------------
 Building and Installing AppArmor Userspace
@@ -48,10 +62,14 @@
 libapparmor:
 $ cd ./libraries/libapparmor
 $ sh ./autogen.sh
-$ sh ./configure --prefix=/usr --with-perl
+$ sh ./configure --prefix=/usr --with-perl     # see below
 $ make
 $ make check
 
+[optional arguments to libapparmor's configure include --with-python
+ and --with-ruby, to generate python and ruby bindings to libapparmor,
+ respectively.]
+
 
 Utilities:
 $ cd utils
@@ -69,23 +87,23 @@
 
 Apache mod_apparmor:
 $ cd changehat/mod_apparmor
-$ LIBS="-lapparmor" make
+$ make         # depends on libapparmor having been built first
 $ make install
 
 
 PAM AppArmor:
 $ cd changehat/pam_apparmor
-$ LIBS="-lapparmor -lpam" make
+$ make         # depends on libapparmor having been built first
 $ make install
 
 
 Profiles:
 $ cd profiles
 $ make
+$ make check   # depends on the parser having been built first
 $ make install
 
 
-
 -------------------
 AppArmor Testsuites
 -------------------
@@ -123,6 +141,14 @@
 $ cd libraries/libapparmor
 $ make check
 
+Profile checks
+--------------
+A basic consistency check to ensure that the parser and aa-logprof parse
+successfully the current set of shipped profiles. The system or other
+parser and logprof can be passed in by overriding the PARSER and LOGPROF
+variables.
+$ cd profiles
+$ make && make check
 
 Stress Tests
 ------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/changehat/mod_apparmor/Makefile 
new/apparmor-2.6.1/changehat/mod_apparmor/Makefile
--- old/apparmor-2.6.0/changehat/mod_apparmor/Makefile  2011-02-08 
17:18:36.000000000 +0100
+++ new/apparmor-2.6.1/changehat/mod_apparmor/Makefile  2011-03-18 
07:35:45.000000000 +0100
@@ -41,12 +41,15 @@
              fi ) 
 APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
 DESTDIR=
-LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src 
-L../../libraries/libapparmor/src/.libs -lapparmor"
+# Need to pass -Wl twice here to get past both apxs2 and libtool, as
+# libtool will add the path to the RPATH of the library if passed -L/some/path
+LIBAPPARMOR_FLAGS=-I../../libraries/libapparmor/src 
-Wl,-Wl,-L../../libraries/libapparmor/src/.libs
+LDLIBS=-lapparmor
 
 all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
 
 %.so: %.c
-       ${APXS} ${LIBAPPARMOR_FLAGS} -c $<
+       ${APXS} ${LIBAPPARMOR_FLAGS} -c $< ${LDLIBS}
        mv .libs/$@ .
 
 .PHONY: install
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/common/.stamp_rev 
new/apparmor-2.6.1/common/.stamp_rev
--- old/apparmor-2.6.0/common/.stamp_rev        2011-02-24 10:34:42.000000000 
+0100
+++ new/apparmor-2.6.1/common/.stamp_rev        2011-03-24 00:21:20.000000000 
+0100
@@ -1 +1 @@
-lp:apparmor 1673
+lp:apparmor/2.6 1692
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/common/Version 
new/apparmor-2.6.1/common/Version
--- old/apparmor-2.6.0/common/Version   2011-02-24 00:55:03.000000000 +0100
+++ new/apparmor-2.6.1/common/Version   2011-03-23 23:01:51.000000000 +0100
@@ -1 +1 @@
-2.6.0
+2.6.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/output.0 
new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/output.0
--- old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/output.0    
2011-02-24 10:34:54.000000000 +0100
+++ new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/output.0    
2011-03-24 00:21:32.000000000 +0100
@@ -2808,7 +2808,7 @@
 
 # Define the identity of the package.
  PACKAGE=libapparmor1
- VERSION=2.6.0
+ VERSION=2.6.1
 
 
 cat >>confdefs.h <<_ACEOF
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/output.1 
new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/output.1
--- old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/output.1    
2011-02-24 10:34:55.000000000 +0100
+++ new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/output.1    
2011-03-24 00:21:33.000000000 +0100
@@ -2808,7 +2808,7 @@
 
 # Define the identity of the package.
  PACKAGE=libapparmor1
- VERSION=2.6.0
+ VERSION=2.6.1
 
 
 cat >>confdefs.h <<_ACEOF
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/traces.0 
new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/traces.0
--- old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/traces.0    
2011-02-24 10:34:54.000000000 +0100
+++ new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/traces.0    
2011-03-24 00:21:32.000000000 +0100
@@ -2322,7 +2322,7 @@
 m4trace:configure.in:6: -1- m4_pattern_allow([^build_alias$])
 m4trace:configure.in:6: -1- m4_pattern_allow([^host_alias$])
 m4trace:configure.in:6: -1- m4_pattern_allow([^target_alias$])
-m4trace:configure.in:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.6.0])
+m4trace:configure.in:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.6.1])
 m4trace:configure.in:8: -1- m4_pattern_allow([^AM_[A-Z]+FLAGS$])
 m4trace:configure.in:8: -1- AM_SET_CURRENT_AUTOMAKE_VERSION
 m4trace:configure.in:8: -1- AM_AUTOMAKE_VERSION([1.11.1])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/traces.1 
new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/traces.1
--- old/apparmor-2.6.0/libraries/libapparmor/autom4te.cache/traces.1    
2011-02-24 10:34:55.000000000 +0100
+++ new/apparmor-2.6.1/libraries/libapparmor/autom4te.cache/traces.1    
2011-03-24 00:21:33.000000000 +0100
@@ -148,7 +148,7 @@
 m4trace:configure.in:6: -1- AC_SUBST([target_alias])
 m4trace:configure.in:6: -1- AC_SUBST_TRACE([target_alias])
 m4trace:configure.in:6: -1- m4_pattern_allow([^target_alias$])
-m4trace:configure.in:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.6.0])
+m4trace:configure.in:8: -1- AM_INIT_AUTOMAKE([libapparmor1], [2.6.1])
 m4trace:configure.in:8: -1- m4_pattern_allow([^AM_[A-Z]+FLAGS$])
 m4trace:configure.in:8: -1- AM_AUTOMAKE_VERSION([1.11.1])
 m4trace:configure.in:8: -1- AC_REQUIRE_AUX_FILE([install-sh])
@@ -171,7 +171,7 @@
 m4trace:configure.in:8: -1- AC_SUBST([PACKAGE], [libapparmor1])
 m4trace:configure.in:8: -1- AC_SUBST_TRACE([PACKAGE])
 m4trace:configure.in:8: -1- m4_pattern_allow([^PACKAGE$])
-m4trace:configure.in:8: -1- AC_SUBST([VERSION], [2.6.0])
+m4trace:configure.in:8: -1- AC_SUBST([VERSION], [2.6.1])
 m4trace:configure.in:8: -1- AC_SUBST_TRACE([VERSION])
 m4trace:configure.in:8: -1- m4_pattern_allow([^VERSION$])
 m4trace:configure.in:8: -1- AC_DEFINE_TRACE_LITERAL([PACKAGE])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/libraries/libapparmor/configure 
new/apparmor-2.6.1/libraries/libapparmor/configure
--- old/apparmor-2.6.0/libraries/libapparmor/configure  2011-02-24 
10:34:55.000000000 +0100
+++ new/apparmor-2.6.1/libraries/libapparmor/configure  2011-03-24 
00:21:33.000000000 +0100
@@ -2808,7 +2808,7 @@
 
 # Define the identity of the package.
  PACKAGE=libapparmor1
- VERSION=2.6.0
+ VERSION=2.6.1
 
 
 cat >>confdefs.h <<_ACEOF
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/parser/Makefile 
new/apparmor-2.6.1/parser/Makefile
--- old/apparmor-2.6.0/parser/Makefile  2010-12-20 22:44:14.000000000 +0100
+++ new/apparmor-2.6.1/parser/Makefile  2011-03-17 19:18:43.000000000 +0100
@@ -196,7 +196,7 @@
 # These are the families that it doesn't make sense for apparmor to mediate.
 # We use PF_ here since that is what is required in bits/socket.h, but we will
 # rewrite these as AF_.
-FILTER_FAMILIES=PF_RXRPC PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK PF_LLC 
PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET
+FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
 
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 
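Review bot: Removing `PF_RXRPC PF_LLC PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET` from `FILTER_FAMILIES` changes which address families the parser treats as unmediated, as far as the comment above the list explains the variable, yet that comment still reads as if the dropped families were deliberately excluded; a reader cannot tell whether they were removed because the kernel now mediates them or for another reason. Record the rationale next to the assignment, e.g. `# Only pseudo/local families are filtered now; the rest are mediated by the kernel.` (adjusted to the real reason), so the next person does not restore the old list.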
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/parser/parser.h 
new/apparmor-2.6.1/parser/parser.h
--- old/apparmor-2.6.0/parser/parser.h  2010-12-20 21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/parser/parser.h  2011-03-04 00:45:10.000000000 +0100
@@ -179,6 +179,7 @@
 #define FLAG_CHANGEHAT_1_4  2
 #define FLAG_CHANGEHAT_1_5  3
 extern int kernel_supports_network;
+extern int net_af_max_override;
 extern int flag_changehat_version;
 extern int read_implies_exec;
 extern dfaflags_t dfaflags;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/parser/parser_main.c 
new/apparmor-2.6.1/parser/parser_main.c
--- old/apparmor-2.6.0/parser/parser_main.c     2011-02-22 23:58:49.000000000 
+0100
+++ new/apparmor-2.6.1/parser/parser_main.c     2011-03-08 23:49:03.000000000 
+0100
@@ -90,6 +90,7 @@
 int regex_type = AARE_DFA;
 int perms_create = 0;          /* perms contain create flag */
 int kernel_supports_network = 1;       /* kernel supports network rules */
+int net_af_max_override = -1;          /* use kernel to determine af_max */
 char *profile_namespace = NULL;
 int flag_changehat_version = FLAG_CHANGEHAT_1_5;
 FILE *ofile = NULL;
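Review bot: The comment on `net_af_max_override` documents only the -1 case, while `kernel_af_max()` in parser_misc.c gives the variable three meanings (0 disables detection, a positive value is used as AF_MAX directly, a negative value derives AF_MAX from the running kernel); spell that out here, e.g. `/* <0: derive AF_MAX from running kernel; 0: off; >0: explicit AF_MAX */`. The same three-valued contract belongs on the `extern` declaration added in parser.h.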
@@ -804,6 +805,7 @@
        char * cachename = NULL;
        char * cachetemp = NULL;
        char *basename = NULL;
+       FILE *cmd;
 
        /* per-profile states */
        force_complain = opt_force_complain;
@@ -851,6 +853,12 @@
                update_mru_tstamp(yyin);
        }
 
+       cmd = fopen("/proc/self/exe", "r");
+       if (cmd) {
+               update_mru_tstamp(cmd);
+               fclose(cmd);
+       }
+
        retval = yyparse();
        if (retval != 0)
                goto out;
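Review bot: The `fopen("/proc/self/exe", "r")` failure path is silent, so on a system where `/proc` is not mounted the parser binary's mtime never enters the cache timestamp and a newer parser can keep reusing an older cache — exactly the case the new caching.sh tests exist for; at least a debug message on failure, or a comment stating that this degradation is accepted, would help. `cmd` is an odd name for a handle on the running executable; `exe` or `self` says what it is. The enclosing function begins before this hunk, as does the `FILE *cmd;` declaration in the previous one.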
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/parser/parser_misc.c 
new/apparmor-2.6.1/parser/parser_misc.c
--- old/apparmor-2.6.0/parser/parser_misc.c     2010-12-20 21:29:10.000000000 
+0100
+++ new/apparmor-2.6.1/parser/parser_misc.c     2011-03-04 00:53:23.000000000 
+0100
@@ -29,6 +29,10 @@
 #include <linux/limits.h>
 #include <arpa/inet.h>
 #include <linux/capability.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
 
 #include "parser.h"
 #include "parser_yacc.h"
@@ -203,6 +207,69 @@
        {NULL, 0, NULL, 0, NULL, 0}
 };
 
+/* The apparmor kernel patches up until 2.6.38 didn't handle networking
+ * tables with sizes > AF_MAX correctly.  This could happen when the
+ * parser was built against newer kernel headers and then used to load
+ * policy on an older kernel.  This could happen during upgrades or
+ * in multi-kernel boot systems.
+ *
+ * Try to detect the running kernel version and use that to determine
+ * AF_MAX
+ */
+#define PROC_VERSION "/proc/sys/kernel/osrelease"
+static size_t kernel_af_max(void) {
+       char buffer[32];
+       int major;
+       int fd, res;
+
+       if (!net_af_max_override) {
+               return 0;
+       }
+       /* the override parameter is specifying the max value */
+       if (net_af_max_override > 0)
+               return net_af_max_override;
+
+       fd = open(PROC_VERSION, O_RDONLY);
+       if (!fd)
+               /* fall back to default provided during build */
+               return 0;
+       res = read(fd, &buffer, sizeof(buffer));
+       close(fd);
+       if (!res)
+               return 0;
+       buffer[sizeof(buffer)-1] = '\0';
+       res = sscanf(buffer, "2.6.%d", &major);
+       if (res != 1)
+               return 0;
+
+       switch(major) {
+       case 24:
+       case 25:
+       case 26:
+               return 34;
+       case 27:
+               return 35;
+       case 28:
+       case 29:
+       case 30:
+               return 36;
+       case 31:
+       case 32:
+       case 33:
+       case 34:
+       case 35:
+               return 37;
+       case 36:
+       case 37:
+               return 38;
+       /* kernels .38 and later should handle this correctly so no
+        * static mapping needed
+        */
+       default:
+               return 0;
+       }
+}
+
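Review bot: `if (!fd)` after `open()` tests the wrong value: `open()` returns -1 on failure, so the error path is never taken, `read(-1, …)` then fails with -1, `if (!res)` does not catch that either, and `sscanf()` parses an uninitialised `buffer` of which only the last byte was set. Use `fd < 0` and `res <= 0`, and read at most `sizeof(buffer) - 1` bytes so the terminator goes at `buffer[res]` instead of over the tail of a short read. `major` actually holds the 2.6.x minor number; `minor` would read better. Rewritten I/O part:
```c
	fd = open(PROC_VERSION, O_RDONLY);
	if (fd < 0)
		/* fall back to default provided during build */
		return 0;
	/* leave room for the terminator; read() does not NUL-terminate */
	res = read(fd, buffer, sizeof(buffer) - 1);
	close(fd);
	if (res <= 0)
		return 0;
	buffer[res] = '\0';
	/* … unchanged: sscanf and the per-version switch … */
```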
 /* Yuck. We grab AF_* values to define above from linux/socket.h because
  * they are more accurate than sys/socket.h for what the kernel actually
  * supports. However, we can't just include linux/socket.h directly,
@@ -213,13 +280,29 @@
  * hence the wrapping function.
  */
 size_t get_af_max() {
+       size_t af_max;
        /* HACK: declare that version without "create" had a static AF_MAX */
-       if (!perms_create) return 36;
+       if (!perms_create && !net_af_max_override)
+               net_af_max_override = -1;
+
 #if AA_AF_MAX > AF_MAX
-       return AA_AF_MAX;
+       af_max = AA_AF_MAX;
 #else
-       return AF_MAX;
+       af_max = AF_MAX;
 #endif
+
+       /* HACK: some kernels didn't handle network tables from parsers
+        * compiled against newer kernel headers as they are larger than
+        * the running kernel expected.  If net_override is defined check
+        * to see if there is a static max specified for that kernel
+        */
+       if (net_af_max_override) {
+               size_t max = kernel_af_max();
+               if (max && max < af_max)
+                       return max;
+       }
+
+       return af_max;
 }
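Review bot: The old `if (!perms_create) return 36;` fallback is gone: when `kernel_af_max()` returns 0 (osrelease not of the `2.6.%d` form, `/proc` unreadable, or a version outside the table) a kernel without "create" perms now gets the build-time `AA_AF_MAX`/`AF_MAX`, which is the oversized-table case the comment says older kernels mishandle. If that is intended, say so in the HACK comment; otherwise keep a `if (!perms_create && !max) return 36;` after the detection. A getter that rewrites the global `net_af_max_override` as a side effect — overriding an explicit 0 as well — deserves a comment, and the inner `if (net_af_max_override)` duplicates the check at the top of `kernel_af_max()`, so one can go. The comment's `net_override` does not match the variable name.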
 struct aa_network_entry *new_network_ent(unsigned int family,
                                         unsigned int type,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/parser/parser_regex.c 
new/apparmor-2.6.1/parser/parser_regex.c
--- old/apparmor-2.6.0/parser/parser_regex.c    2010-12-20 21:29:10.000000000 
+0100
+++ new/apparmor-2.6.1/parser/parser_regex.c    2011-03-08 19:12:09.000000000 
+0100
@@ -392,6 +392,8 @@
                name = local_name(cod->name);
        ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
                                        &cod->xmatch_len);
+       if (ptype == ePatternBasic)
+               cod->xmatch_len = strlen(name);
 
        if (ptype == ePatternInvalid) {
                PERROR(_("%s: Invalid profile name '%s' - bad regular 
expression\n"), progname, name);
@@ -414,8 +416,14 @@
                        struct alt_name *alt;
                        list_for_each(cod->altnames, alt) {
                                int len;
-                               convert_aaregex_to_pcre(alt->name, 0, tbuf,
-                                                       PATH_MAX + 3, &len);
+                               ptype = convert_aaregex_to_pcre(alt->name, 0,
+                                                               tbuf,
+                                                               PATH_MAX + 3,
+                                                               &len);
+                               if (ptype == ePatternBasic)
+                                       len = strlen(alt->name);
+                               if (len < cod->xmatch_len)
+                                       cod->xmatch_len = len;
                                if (!aare_add_rule(rule, tbuf, 0, AA_MAY_EXEC, 
0, dfaflags)) {
                                        aare_delete_ruleset(rule);
                                        return FALSE;
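Review bot: The alt-name loop now keeps `ptype` but only consults it for `ePatternBasic`; if `convert_aaregex_to_pcre()` returns `ePatternInvalid` for an alternate name, `len` may be left unset and the loop still proceeds to `aare_add_rule()`, whereas the primary name is rejected with a PERROR in the preceding hunk. Mirror that check before the `ePatternBasic` test, e.g. `if (ptype == ePatternInvalid) { aare_delete_ruleset(rule); return FALSE; }`, reusing the primary-name error text. `len = strlen(alt->name)` also narrows `size_t` into `int`, harmless under `PATH_MAX` but worth a cast. The enclosing function starts before and ends after this hunk.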
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/parser/rc.apparmor.functions 
new/apparmor-2.6.1/parser/rc.apparmor.functions
--- old/apparmor-2.6.0/parser/rc.apparmor.functions     2011-02-22 
23:24:29.000000000 +0100
+++ new/apparmor-2.6.1/parser/rc.apparmor.functions     2011-03-17 
18:24:25.000000000 +0100
@@ -170,7 +170,7 @@
                        exit 1
                        ;;
        esac
-       aa_log_action_begin "$PARSER_MSG"
+       aa_log_action_start "$PARSER_MSG"
        # run the parser on all of the apparmor profiles
        if [ ! -f "$PARSER" ]; then
                aa_log_failure_msg "AppArmor parser not found"
@@ -409,9 +409,9 @@
 
        retval=0
        #the list of profiles isn't stable once we start adding or removing
-       #them so stor to tmp first
+       #them so store to tmp first (in reverse order so hat profiles are 
removed first)
        MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-       sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | 
sort >"$MODULE_PLIST"
+       sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | 
sort -r > "$MODULE_PLIST"
        cat "$MODULE_PLIST" | while read profile ; do
                echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
                rc=$?
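Review bot: The new comment says the reverse sort makes hat profiles come out first but not why that works; presumably a hat is listed as `parent//hat`, which always sorts after its parent, so `sort -r` lists it first — the correctness of the unload depends on that naming convention and the comment should state it, e.g. `# "profile//hat" sorts after "profile", so sort -r yields each hat before its parent`. The `while read profile` on the following line would also be safer as `while read -r profile`. The enclosing function starts before this hunk.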
@@ -427,7 +427,7 @@
        aa_log_daemon_msg "Unloading AppArmor profiles "
        remove_profiles
        rc=$?
-       log_end_msg $rc
+       aa_log_end_msg $rc
        return $rc
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/parser/tst/caching.sh 
new/apparmor-2.6.1/parser/tst/caching.sh
--- old/apparmor-2.6.0/parser/tst/caching.sh    2011-02-15 19:41:29.000000000 
+0100
+++ new/apparmor-2.6.1/parser/tst/caching.sh    2011-03-08 23:52:32.000000000 
+0100
@@ -94,3 +94,13 @@
 touch $basedir/cache/$profile
 ../apparmor_parser $ARGS -v -r $basedir/$profile | grep -q 'Cached reload 
succeeded' || { echo "FAIL"; exit 1; }
 echo "ok"
+
+echo -n "Cache reading is skipped when parser is newer: "
+mkdir $basedir/parser
+cp ../apparmor_parser $basedir/parser/
+$basedir/parser/apparmor_parser $ARGS -v -r $basedir/$profile | grep -q 
'Replacement succeeded for' || { echo "FAIL"; exit 1; }
+echo "ok"
+
+echo -n "Cache reading is skipped when parser in \$PATH is newer: "
+(PATH=$basedir/parser/ /bin/sh -c "apparmor_parser $ARGS -v -r 
$basedir/$profile") | grep -q 'Replacement succeeded for' || { echo "FAIL"; 
exit 1; }
+echo "ok"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/profiles/Makefile 
new/apparmor-2.6.1/profiles/Makefile
--- old/apparmor-2.6.0/profiles/Makefile        2010-08-10 23:42:00.000000000 
+0200
+++ new/apparmor-2.6.1/profiles/Makefile        2011-03-24 00:07:55.000000000 
+0100
@@ -20,7 +20,7 @@
 # Makefile for LSM-based AppArmor profiles
 
 NAME=apparmor-profiles
-ALL:
+ALL: local
 COMMONDIR=../common/
 
 include common/Make.rules
@@ -38,7 +38,7 @@
 EXTRAS_SOURCE=./apparmor/profiles/extras/
 SUBDIRS_MUST_BE_SKIPPED=${PROFILES_SOURCE}/abstractions 
${PROFILES_SOURCE}/apache2.d ${PROFILES_SOURCE}/program-chunks 
${PROFILES_SOURCE}/tunables ${PROFILES_SOURCE}/local
 PROFILES_TO_COPY=$(filter-out ${SUBDIRS_MUST_BE_SKIPPED}, $(wildcard 
${PROFILES_SOURCE}/*))
-TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d, $(wildcard 
${PROFILES_SOURCE}/tunables/*))
+TUNABLES_TO_COPY=$(filter-out ${PROFILES_SOURCE}/tunables/home.d 
${PROFILES_SOURCE}/tunables/multiarch.d, $(wildcard 
${PROFILES_SOURCE}/tunables/*))
 ABSTRACTIONS_TO_COPY=$(filter-out 
${PROFILES_SOURCE}/abstractions/ubuntu-browsers.d, $(wildcard 
${PROFILES_SOURCE}/abstractions/*))
 
 local:
@@ -64,6 +64,7 @@
        install -m 644 ${PROFILES_SOURCE}/program-chunks/* 
${PROFILES_DEST}/program-chunks
        install -m 644 ${TUNABLES_TO_COPY} ${PROFILES_DEST}/tunables
        install -m 644 ${PROFILES_SOURCE}/tunables/home.d/* 
${PROFILES_DEST}/tunables/home.d
+       install -m 644 ${PROFILES_SOURCE}/tunables/multiarch.d/* 
${PROFILES_DEST}/tunables/multiarch.d
        install -m 755 -d ${EXTRAS_DEST}
        install -m 644 ${EXTRAS_SOURCE}/* ${EXTRAS_DEST}
        install -m 644 ${PROFILES_SOURCE}/local/* ${PROFILES_DEST}/local
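Review bot: The new `install -m 644 … ${PROFILES_DEST}/tunables/multiarch.d` line copies into a directory this hunk never creates; the `home.d` line above it relies on an `install -d` that lives outside the hunk, so unless that directory list was extended as well (not visible here) `make install` fails on a fresh destination. Add `install -m 755 -d ${PROFILES_DEST}/tunables/multiarch.d` to the existing directory-creation step, or immediately before this line. The target this line belongs to starts before the hunk.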
@@ -81,23 +82,22 @@
 
 ifndef PARSER
 # use system parser
-PARSER=/sbin/apparmor_parser
+PARSER=../parser/apparmor_parser
 endif
 
 ifndef LOGPROF
-# use system logprof
-LOGPROF=/usr/sbin/aa-logprof
+# use ../utils logprof
+LOGPROF=perl -I../utils/ ../utils/aa-logprof
 endif
 
-EXTRAS_PATH=${EXTRAS_SOURCE}/profiles/extras
-IGNORE_FILES=${EXTRAS_PATH}/README
-CHECK_PROFILES=$(filter-out ${IGNORE_FILES}, $(wildcard ${PROFILES_SOURCE}/*) 
$(wildcard ${EXTRAS_PATH}/*))
+IGNORE_FILES=${EXTRAS_SOURCE}/README
+CHECK_PROFILES=$(filter-out ${IGNORE_FILES} ${SUBDIRS_MUST_BE_SKIPPED}, 
$(wildcard ${PROFILES_SOURCE}/*) $(wildcard ${EXTRAS_SOURCE}/*))
 
 .PHONY: check
 check:
-       @echo "*** Checking profiles from ${PROFILES_SOURCE} and ${EXTRAS_PATH} 
against apparmor_parser"
+       @echo "*** Checking profiles from ${PROFILES_SOURCE} and 
${EXTRAS_SOURCE} against apparmor_parser"
        $(Q)for profile in ${CHECK_PROFILES} ; do \
-               ${PARSER} -S -I ${PWD}/apparmor.d $${profile} > /dev/null ; \
+               ${PARSER} -S -b ${PWD}/apparmor.d $${profile} > /dev/null || 
exit 1; \
        done
        @echo "*** Checking profiles from ${PROFILES_SOURCE} against logprof"
-       $(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null
+       $(Q)${LOGPROF} -d ${PROFILES_SOURCE} -f /dev/null || exit 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox 
new/apparmor-2.6.1/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
--- 
old/apparmor-2.6.0/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox    
    2011-01-12 18:51:22.000000000 +0100
+++ 
new/apparmor-2.6.1/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox    
    2011-03-19 07:07:19.000000000 +0100
@@ -122,5 +122,7 @@
   deny /usr/share/mozilla/ w,
 
   # Site-specific additions and overrides. See local/README for details.
-  #include <local/usr.bin.firefox>
+  # Local path is disabled, we only enable them for profiles we promote
+  # out of extras.
+  ## include <local/usr.bin.firefox>
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/profiles/apparmor.d/abstractions/authentication 
new/apparmor-2.6.1/profiles/apparmor.d/abstractions/authentication
--- old/apparmor-2.6.0/profiles/apparmor.d/abstractions/authentication  
2010-12-20 21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/abstractions/authentication  
2011-03-23 20:27:16.000000000 +0100
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd
+#    Copyright (C) 2009-2011 Canonical Ltd
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -25,6 +25,9 @@
   /lib{,32,64}/security/pam_filter/*  mr,
   /lib{,32,64}/security/pam_*.so      mr,
   /lib{,32,64}/security/              r,
+  /lib/@{multiarch}/security/pam_filter/*  mr,
+  /lib/@{multiarch}/security/pam_*.so      mr,
+  /lib/@{multiarch}/security/              r,
 
   # kerberos
   #include <abstractions/kerberosclient>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/profiles/apparmor.d/abstractions/base 
new/apparmor-2.6.1/profiles/apparmor.d/abstractions/base
--- old/apparmor-2.6.0/profiles/apparmor.d/abstractions/base    2010-06-05 
02:43:11.000000000 +0200
+++ new/apparmor-2.6.1/profiles/apparmor.d/abstractions/base    2011-03-23 
20:27:16.000000000 +0100
@@ -2,7 +2,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -36,6 +36,8 @@
   /usr/lib{,32,64}/locale/**             mr,
   /usr/lib{,32,64}/gconv/*.so            mr,
   /usr/lib{,32,64}/gconv/gconv-modules*  mr,
+  /usr/lib/@{multiarch}/gconv/*.so          mr,
+  /usr/lib/@{multiarch}/gconv/gconv-modules mr,
 
   # used by glibc when binding to ephemeral ports
   /etc/bindresvport.blacklist    r,
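Review bot: The new `/usr/lib/@{multiarch}/gconv/gconv-modules mr,` line drops the trailing wildcard that the existing `/usr/lib{,32,64}/gconv/gconv-modules*  mr,` line carries, so a `gconv-modules.cache` (which iconvconfig typically writes next to gconv-modules) would be denied on multiarch layouts while being allowed on the legacy ones. Suggest `/usr/lib/@{multiarch}/gconv/gconv-modules* mr,` so the two rule sets stay equivalent.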
@@ -45,17 +47,26 @@
   /etc/ld.so.cache               mr,
   /lib{,32,64}/ld{,32,64}-*.so   mrix,
   /lib{,32,64}/**/ld{,32,64}-*.so     mrix,
+  /lib/@{multiarch}/ld{,32,64}-*.so    mrix,
   /lib/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
+  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so     mrix,
   /opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
 
   # we might as well allow everything to use common libraries
   /lib{,32,64}/**                r,
   /lib{,32,64}/lib*.so*          mr,
   /lib{,32,64}/**/lib*.so*       mr,
+  /lib/@{multiarch}/**            r,
+  /lib/@{multiarch}/lib*.so*      mr,
+  /lib/@{multiarch}/**/lib*.so*   mr,
   /usr/lib{,32,64}/**            r,
   /usr/lib{,32,64}/*.so*         mr,
   /usr/lib{,32,64}/**/lib*.so*   mr,
+  /usr/lib/@{multiarch}/**          r,
+  /usr/lib/@{multiarch}/lib*.so*    mr,
+  /usr/lib/@{multiarch}/**/lib*.so* mr,
   /lib/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
+  /lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so*    mr,
 
   # /dev/null is pretty harmless and frequently used
   /dev/null                      rw,
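Review bot: The two new `/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/...` lines hard-code one triplet while every other line added in this hunk goes through `@{multiarch}`; that is presumably deliberate because the tls/i686 hwcap subdirectory is i386-specific, but a comment such as `# i386-only hwcap subdirs, intentionally not expressed via @{multiarch}` would keep the next reader from "fixing" it. Note also that the new `/lib/@{multiarch}/** r,` and `/usr/lib/@{multiarch}/** r,` lines are as broad as the existing `/lib{,32,64}/** r,`, so any pattern later appended to @{multiarch} widens these rules for every profile that includes base.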
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/profiles/apparmor.d/abstractions/gnome 
new/apparmor-2.6.1/profiles/apparmor.d/abstractions/gnome
--- old/apparmor-2.6.0/profiles/apparmor.d/abstractions/gnome   2010-12-20 
21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/abstractions/gnome   2011-03-23 
20:27:16.000000000 +0100
@@ -2,7 +2,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -19,6 +19,7 @@
   /etc/gnome/gtkrc*               r,
   /etc/gtk/*                      r,
   /usr/lib{,32,64}/gtk/**         mr,
+  /usr/lib/@{multiarch}/gtk/**    mr,
   /usr/share/themes/**            r,
 
   # for gnome 1 applications
@@ -31,6 +32,9 @@
   /usr/lib{,32,64}/pango/**       mr,
   /usr/lib{,32,64}/gtk-*/**       mr,
   /usr/lib{,32,64}/gdk-pixbuf-*/** mr,
+  /usr/lib/@{multiarch}/pango/**        mr,
+  /usr/lib/@{multiarch}/gtk-*/**        mr,
+  /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,
 
   # per-user gtk configuration
   @{HOME}/.gnome/Gnome            r,
@@ -60,6 +64,7 @@
   /etc/gnome-vfs-2.0/modules/ r,
   /etc/gnome-vfs-2.0/modules/* r,
   /usr/lib/gnome-vfs-2.0/modules/*.so mr,
+  /usr/lib/@{multiarch}/gnome-vfs-2.0/modules/*.so mr,
 
   # gvfs
   /usr/share/gvfs/remote-volume-monitors/  r,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/profiles/apparmor.d/abstractions/kde 
new/apparmor-2.6.1/profiles/apparmor.d/abstractions/kde
--- old/apparmor-2.6.0/profiles/apparmor.d/abstractions/kde     2010-12-20 
21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/abstractions/kde     2011-03-23 
20:27:16.000000000 +0100
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2006 Novell/SUSE
-#    Copyright (C) 2009-2010 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -38,10 +38,17 @@
 /usr/lib*/kde3/plugins/styles/ r,
 /usr/lib*/kde3/plugins/styles/* mr,
 /usr/lib*/kde3/lib*so* mr,
+/usr/lib/@{multiarch}/kde3/plugins/styles/ r,
+/usr/lib/@{multiarch}/kde3/plugins/styles/* mr,
+/usr/lib/@{multiarch}/kde3/lib*so* mr,
 /usr/lib*/qt3/lib*/lib*so* mr,
 /usr/lib*/qt3/plugins/**  mr,
+/usr/lib/@{multiarch}/qt3/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt3/plugins/**  mr,
 /usr/lib*/libqt-mt*so* mr,
 /usr/lib*/libqui*so* mr,
+/usr/lib/@{multiarch}/libqt-mt*so* mr,
+/usr/lib/@{multiarch}/libqui*so* mr,
 /usr/share/qt3/lib*/libqt-mt*so* mr,
 /usr/share/qt3/lib*/libqui*so* mr,
 
@@ -49,6 +56,11 @@
 /usr/lib*/kde4/plugins/*/*.so mr,
 /usr/lib*/kde4/plugins/*/ r,
 /usr/lib*/kde4/lib*so* mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/*.so mr,
+/usr/lib/@{multiarch}/kde4/plugins/*/ r,
+/usr/lib/@{multiarch}/kde4/lib*so* mr,
 /usr/lib*/qt4/lib*/lib*so* mr,
 /usr/lib*/qt4/plugins/**  mr,
+/usr/lib/@{multiarch}/qt4/lib*/lib*so* mr,
+/usr/lib/@{multiarch}/qt4/plugins/**  mr,
 /usr/share/qt4/** r,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/profiles/apparmor.d/abstractions/kerberosclient 
new/apparmor-2.6.1/profiles/apparmor.d/abstractions/kerberosclient
--- old/apparmor-2.6.0/profiles/apparmor.d/abstractions/kerberosclient  
2010-12-20 21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/abstractions/kerberosclient  
2011-03-23 20:27:16.000000000 +0100
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -12,9 +12,13 @@
   # files required by kerberos client programs
   /usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
   /usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
+  /usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
+  /usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
 
   /usr/lib{,32,64}/krb5/plugins/preauth/ r,
   /usr/lib{,32,64}/krb5/plugins/preauth/* mr,
+  /usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
+  /usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
 
   /etc/krb5.keytab            r,
   /etc/krb5.conf              r,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/profiles/apparmor.d/abstractions/nameservice 
new/apparmor-2.6.1/profiles/apparmor.d/abstractions/nameservice
--- old/apparmor-2.6.0/profiles/apparmor.d/abstractions/nameservice     
2010-12-20 21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/abstractions/nameservice     
2011-03-23 20:27:16.000000000 +0100
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2009 Novell/SUSE
-#    Copyright (C) 2009 Canonical Ltd.
+#    Copyright (C) 2009-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -50,6 +50,8 @@
   # they are available
   /lib{,32,64}/libnss_*.so*      mr,
   /usr/lib{,32,64}/libnss_*.so*  mr,
+  /lib/@{multiarch}/libnss_*.so*      mr,
+  /usr/lib/@{multiarch}/libnss_*.so*  mr,
   /etc/default/nss               r,
 
   # avahi-daemon is used for mdns4 resolution
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/profiles/apparmor.d/tunables/global 
new/apparmor-2.6.1/profiles/apparmor.d/tunables/global
--- old/apparmor-2.6.0/profiles/apparmor.d/tunables/global      2010-12-20 
21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/tunables/global      2011-03-23 
20:27:16.000000000 +0100
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2006-2009 Novell/SUSE
-#    Copyright (C) 2010 Canonical Ltd.
+#    Copyright (C) 2010-2011 Canonical Ltd.
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -13,5 +13,6 @@
 # should be included here
 
 #include <tunables/home>
+#include <tunables/multiarch>
 #include <tunables/proc>
 #include <tunables/alias>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/profiles/apparmor.d/tunables/multiarch 
new/apparmor-2.6.1/profiles/apparmor.d/tunables/multiarch
--- old/apparmor-2.6.0/profiles/apparmor.d/tunables/multiarch   1970-01-01 
01:00:00.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/tunables/multiarch   2011-03-23 
21:45:41.000000000 +0100
@@ -0,0 +1,17 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2010 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# @{multiarch} is the set of patterns matching multi-arch library
+# install prefixes.
+@{multiarch}=*-linux-gnu*
+
+# Also, include files in tunables/multiarch.d for site and packaging
+# specific adjustments to @{multiarch}.
+#include <tunables/multiarch.d>
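Review bot: The comment above `@{multiarch}=*-linux-gnu*` says what the variable is but not its reach: the abstractions in this update substitute it into broad rules such as `/lib/@{multiarch}/** r,`, so every prefix added through `#include <tunables/multiarch.d>` widens all of those rules at once. Suggest extending the comment with `# Each pattern is substituted into /lib/@{multiarch}/** and /usr/lib/@{multiarch}/**` / `# rules across the abstractions; keep entries to a single path component (no '/' or '**').` The copyright line reads 2010 although the file is new in this release, which may simply have been carried over.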
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/apparmor-2.6.0/profiles/apparmor.d/tunables/multiarch.d/site.local 
new/apparmor-2.6.1/profiles/apparmor.d/tunables/multiarch.d/site.local
--- old/apparmor-2.6.0/profiles/apparmor.d/tunables/multiarch.d/site.local      
1970-01-01 01:00:00.000000000 +0100
+++ new/apparmor-2.6.1/profiles/apparmor.d/tunables/multiarch.d/site.local      
2011-03-23 20:27:16.000000000 +0100
@@ -0,0 +1,14 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2011 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+# The following is a space-separated list of where additional multipath
+# prefixes are stored, each should not have a trailing '/'. Directories
+# added here are appended to @{multiarch}. See tunables/mutliarch for details. 
Eg:
+#@{multiarch}+=*-freebsd* s390-hurd-zomg
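Review bot: Two typos in the new comment block: `multipath prefixes` should read `multiarch prefixes`, and `See tunables/mutliarch for details` should read `See tunables/multiarch for details`, since a reader looking for the referenced file by that name would not find it.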
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/tests/regression/apparmor/Makefile 
new/apparmor-2.6.1/tests/regression/apparmor/Makefile
--- old/apparmor-2.6.0/tests/regression/apparmor/Makefile       2011-01-07 
19:35:47.000000000 +0100
+++ new/apparmor-2.6.1/tests/regression/apparmor/Makefile       2011-03-02 
14:02:45.000000000 +0100
@@ -143,6 +143,7 @@
       setattr \
       symlink \
       syscall \
+      tcp \
       unix_fd_server \
       unlink\
       xattrs\
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/apparmor-2.6.0/tests/regression/apparmor/tcp.sh 
new/apparmor-2.6.1/tests/regression/apparmor/tcp.sh
--- old/apparmor-2.6.0/tests/regression/apparmor/tcp.sh 2010-12-20 
21:29:10.000000000 +0100
+++ new/apparmor-2.6.1/tests/regression/apparmor/tcp.sh 2011-03-02 
14:02:45.000000000 +0100
@@ -21,18 +21,37 @@
 #badperm1=r
 #badperm2=w
 
-# PASS TEST - no netdomain rules
+# PASS TEST - no apparmor rules
+runchecktest "TCP (no apparmor)" pass $port
+
+# FAIL TEST - no network rules
 genprofile 
-runchecktest "TCP" pass $port
+runchecktest "TCP (accept, connect) no network rules" fail $port
 
-# PASS TEST - simple 
-genprofile tcp_accept: tcp_connect:
-runchecktest "TCP (accept, connect)" pass $port
+# PASS TEST - allow tcp
+genprofile network:tcp
+runchecktest "TCP (accept, connect) allow tcp" pass $port
+
+# PASS TEST - allow inet
+genprofile network:inet
+runchecktest "TCP (accept, connect) allow inet" pass $port
+
+# PASS TEST - allow inet stream
+genprofile "network:inet stream"
+runchecktest "TCP (accept, connect) allow inet stream" pass $port
 
 # PASS TEST - simple / low-numbered port
 # you damn well better not be running telnet
-genprofile tcp_accept: tcp_connect: cap:net_bind_service
-runchecktest "TCP (accept, connect)" pass 23
+genprofile network:inet cap:net_bind_service
+runchecktest "TCP (accept, connect) low numbered port/bind cap" pass 23
+
+# FAIL TEST - simple / low-numbered port
+# will always fail unless process has net_bind_service capability.
+# you damn well better not be running telnetd.
+genprofile network:inet 
+runchecktest "TCP (accept, connect) low numbered port/no bind cap" fail 23
+
+exit 0
 
 # PASS TEST - accept via interface
 genprofile tcp_accept:via:lo tcp_connect:
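Review bot: The `exit 0` added before the `# PASS TEST - accept via interface` block turns every remaining test in the script, all still written with the old `tcp_accept:`/`tcp_connect:` syntax, into dead code without saying why, and the second hunk of this file then deletes only one of them. A comment on the exit would make the intent explicit, e.g. `# TODO: the tests below use the old tcp_accept:/tcp_connect: syntax and are skipped until ported to network rules` (the actual reason is not visible here). The new `genprofile ` lines under `# FAIL TEST - no network rules` and `low numbered port/no bind cap` also carry trailing whitespace.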
@@ -62,12 +81,6 @@
 genprofile tcp_accept:to:127.0.0.0/255.255.192.0::${port} tcp_connect:
 runchecktest "TCP (accept, connect)" pass $port
 
-# FAIL TEST - simple / low-numbered port
-# will always fail unless process has net_bind_service capability.
-# you damn well better not be running telnetd.
-genprofile tcp_accept: tcp_connect:
-runchecktest "TCP (accept, connect, port 23)" fail 23
-
 # PASS TEST - simple / low-numbered port
 # will always fail unless process has net_bind_service capability.
 # you damn well better not be running telnetd.

++++++ apparmor-compat-routines ++++++
From: Jeff Mahoney <[email protected]>
Subject: apparmor-utils: Add check_for_apparmor helper.

 This should be an alias but those get complicated quickly in perl.

Signed-off-by: Jeff Mahoney <[email protected]>
---
 utils/Immunix/AppArmor.pm |    4 ++++
 1 file changed, 4 insertions(+)

--- a/utils/Immunix/AppArmor.pm
+++ b/utils/Immunix/AppArmor.pm
@@ -463,6 +463,10 @@ sub check_for_subdomain () {
     return $sd_mountpoint;
 }
 
+sub check_for_apparmor () {
+       return check_for_subdomain();
+}
+
 sub which ($) {
     my $file = shift;
 
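Review bot: `check_for_apparmor` is added as an undocumented one-line wrapper; a comment such as `# Compatibility alias for check_for_subdomain(); new code should use this name.` would explain why two identically-behaving subs exist. Its body is indented with seven spaces while the surrounding subs use four, and it is not visible here whether the module's export list (outside the hunk) was updated, in which case callers importing the module's default symbols would not see the new name. `check_for_subdomain`'s body begins outside the hunk.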

++++++ apparmor-scripts ++++++
--- /var/tmp/diff_new_pack.yei52D/_old  2011-09-09 11:06:14.000000000 +0200
+++ /var/tmp/diff_new_pack.yei52D/_new  2011-09-09 11:06:14.000000000 +0200
@@ -1,9 +1,9 @@
 ---
 
  parser/rc.aaeventd.suse      |    2 +-
- parser/rc.apparmor.functions |   14 +++++++-------
+ parser/rc.apparmor.functions |    9 ++++-----
  parser/rc.apparmor.suse      |   23 ++++++++++++++++++++++-
- 3 files changed, 30 insertions(+), 9 deletions(-)
+ 3 files changed, 27 insertions(+), 7 deletions(-)
 
 --- a/parser/rc.aaeventd.suse
 +++ b/parser/rc.aaeventd.suse
@@ -43,25 +43,6 @@
        fi
        aa_log_end_msg 0
        return 0
-@@ -412,7 +411,8 @@ remove_profiles() {
-       #them so stor to tmp first
-       MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
-       sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | 
sort >"$MODULE_PLIST"
--      cat "$MODULE_PLIST" | while read profile ; do
-+      # Skip subprofiles, they'll be removed with the owning profile
-+      grep -v // "$MODULE_PLIST" | while IFS= read profile ; do
-               echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
-               rc=$?
-               if [ ${rc} -ne 0 ] ; then 
-@@ -427,7 +427,7 @@ apparmor_stop() {
-       aa_log_daemon_msg "Unloading AppArmor profiles "
-       remove_profiles
-       rc=$?
--      log_end_msg $rc
-+      aa_log_end_msg $rc
-       return $rc
- }
- 
 --- a/parser/rc.apparmor.suse
 +++ b/parser/rc.apparmor.suse
 @@ -31,6 +31,7 @@

++++++ apparmor-securityfs-systemd.patch ++++++
--- /var/tmp/diff_new_pack.yei52D/_old  2011-09-09 11:06:14.000000000 +0200
+++ /var/tmp/diff_new_pack.yei52D/_new  2011-09-09 11:06:14.000000000 +0200
@@ -1,7 +1,16 @@
-Index: apparmor-2.6.0/parser/rc.apparmor.functions
-===================================================================
---- apparmor-2.6.0.orig/parser/rc.apparmor.functions
-+++ apparmor-2.6.0/parser/rc.apparmor.functions
+From: Federic Crozat <[email protected]>
+Subkect: apparmor: Let systemd automount securityfs
+References: bnc#704460
+
+ Do not mount securityfs when running under systemd, just access
+ the directory, systemd will automount it
+
+---
+ parser/rc.apparmor.functions |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/parser/rc.apparmor.functions
++++ b/parser/rc.apparmor.functions
 @@ -295,7 +295,7 @@ is_apparmor_loaded() {
  }
  
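Review bot: The new patch header has `Subkect:` where `Subject:` is meant; tools that parse patch headers key on the exact field name, so the description would be dropped on import. The author line `Federic Crozat` also looks mistyped and is worth checking against the original submission. The `is_apparmor_loaded()` hunk the header introduces continues outside this excerpt.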

++++++ klog-needs-CAP_SYSLOG ++++++
--- /var/tmp/diff_new_pack.yei52D/_old  2011-09-09 11:06:14.000000000 +0200
+++ /var/tmp/diff_new_pack.yei52D/_new  2011-09-09 11:06:14.000000000 +0200
@@ -5,7 +5,7 @@
 
 --- a/parser/parser_misc.c
 +++ b/parser/parser_misc.c
-@@ -125,6 +125,9 @@ static int get_table_token(const char *n
+@@ -129,6 +129,9 @@ static int get_table_token(const char *n
  static struct keyword_table capability_table[] = {
        /* capabilities */
        #include "cap_names.h"
@@ -15,7 +15,7 @@
        /* terminate */
        {NULL, 0}
  };
-@@ -783,6 +786,7 @@ static const char *capnames[] = {
+@@ -866,6 +869,7 @@ static const char *capnames[] = {
        "audit_control",
        "setfcap",
        "mac_override"


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...
