Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2014-08-05 12:59:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2014-07-16 16:37:28.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2014-08-05 13:00:00.000000000 +0200 @@ -1,0 +2,18 @@ +Thu Jul 31 14:17:30 UTC 2014 - [email protected] + +- Rename rpmlintrc to %{name}-rpmlintrc. + Follow the packaging guidelines. + +------------------------------------------------------------------- +Wed Jul 30 17:35:13 UTC 2014 - [email protected] + +- add perl-apparmor-fix-bare-network-keyword-handling.diff: + perl-apparmor: Fix handling of network (or network all) (bnc#889650) + +- add perl-apparmor-handle-bare-capability-keyword.diff: + perl-apparmor: Fix handling of capability keyword (bnc#889651) + +- add perl-apparmor-properly-handle-bare-file-keyword.diff: + perl-apparmor: Properly handle bare file keyword (bnc#889652) + +------------------------------------------------------------------- Old: ---- rpmlintrc New: ---- apparmor-rpmlintrc perl-apparmor-fix-bare-network-keyword-handling.diff perl-apparmor-handle-bare-capability-keyword.diff perl-apparmor-properly-handle-bare-file-keyword.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.g6l647/_old 2014-08-05 13:00:02.000000000 +0200 +++ /var/tmp/diff_new_pack.g6l647/_new 2014-08-05 13:00:02.000000000 +0200 @@ -75,7 +75,7 @@ Source4: %{name}-profile-editor.desktop Source5: update-trans.sh Source6: baselibs.conf -Source7: rpmlintrc +Source7: apparmor-rpmlintrc # profile for winbindd (bnc#748499, submitted upstream 2012-11-06, trunk r2078) Source10: usr.sbin.winbindd 
@@ -123,6 +123,15 @@ # Permit clustered Samba access to CTDB socket and databases (bnc#885317, commited upstream trunk r2556 - TODO: merge into 2.8 branch) Patch24: apparmor-profiles-clustered-samba.diff +# perl-apparmor: Fix handling of network (or network all) (bnc#889650) (commited upstream trunk r2571, 2.8 r2135) +Patch25: perl-apparmor-fix-bare-network-keyword-handling.diff + +# perl-apparmor: Fix handling of capability keyword (bnc#889651) (commited upstream trunk r2572, 2.8 r2136) +Patch26: perl-apparmor-handle-bare-capability-keyword.diff + +# perl-apparmor: Properly handle bare file keyword (bnc#889652) (commited upstream trunk r2573, 2.8 ) +Patch27: perl-apparmor-properly-handle-bare-file-keyword.diff + Url: https://launchpad.net/apparmor PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -507,6 +516,9 @@ %endif %patch24 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 # profile for winbindd (bnc#748499, commited upstream trunk r2078, updated in trunk r2328) test ! -e profiles/apparmor.d/usr.sbin.winbindd ++++++ apparmor-rpmlintrc ++++++ addFilter("devel-file-in-non-devel-package.*/usr/lib64/libJNIChangeHat.so") addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so") addFilter("shlib-policy-name-error.*libJNIChangeHat0") ++++++ perl-apparmor-fix-bare-network-keyword-handling.diff ++++++ From: Jeff Mahoney <[email protected]> Subject: perl-apparmor: Fix bare 'network' keyword handling References: bnc#889650 The 'network' bare keyword was being printed as "audit network all" due to two different bugs: 1) {audit}{all} was always being set to 1, regardless of whether the audit keyword was used 2) {rule} eq 'all' is the wrong test - it should be {rule}{all} With these fixed, 'network' is properly handled. Signed-off-by: Jeff Mahoney <[email protected]> --- a/utils/Immunix/AppArmor.pm +++ b/utils/Immunix/AppArmor.pm 
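Review bot: The provenance comment for Patch27 in the `@@ -123,6 +123,15 @@` spec hunk ends in `2.8 )` with no branch revision, while the comments for Patch25 and Patch26 name both the trunk and the 2.8 revision. If the 2.8 commit did not exist yet when this was packaged, say so explicitly, for example `(commited upstream trunk r2573, 2.8 branch: pending)`. That lets a later reviewer tell which upstream release makes the patch droppable.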
@@ -5353,7 +5368,7 @@ $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit; } else { $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1; - $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1; + $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = $audit; } } elsif (/^\s*(tcp_connect|tcp_accept|udp_send|udp_receive)/) { # just ignore and drop old style network @@ -5708,7 +5729,7 @@ # dump out the netdomain entries... if (exists $profile_data->{$allow}{netdomain}) { if ( $profile_data->{$allow}{netdomain}{rule} && - $profile_data->{$allow}{netdomain}{rule} eq 'all') { + $profile_data->{$allow}{netdomain}{rule}{all}) { $audit = "audit " if $profile_data->{$allow}{netdomain}{audit}{all}; push @data, "${pre}${audit}network,"; } else { ++++++ perl-apparmor-handle-bare-capability-keyword.diff ++++++ From: Jeff Mahoney <[email protected]> Subject: perl-apparmor: Handle bare 'capability' keyword References: bnc#889651 Specifying 'capability' implies all capabilities, but the perl code didn't recognize it. Signed-off-by: Jeff Mahoney <[email protected]> --- a/utils/Immunix/AppArmor.pm +++ b/utils/Immunix/AppArmor.pm @@ -5151,7 +5151,7 @@ $initial_comment = ""; - } elsif (m/^\s*(audit\s+)?(deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry + } elsif (m/^\s*(audit\s+)?(deny\s+)?capability(\s+(\S+))?\s*,\s*(#.*)?$/) { # capability entry if (not $profile) { die sprintf(gettext('%s contains syntax errors.'), $file) . "\n"; } @@ -5159,7 +5159,7 @@ my $audit = $1 ? 1 : 0; my $allow = $2 ? 'deny' : 'allow'; $allow = 'deny' if ($2); - my $capability = $3; + my $capability = $3 ? $3 : 'all'; $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{set} = 1; $profile_data->{$profile}{$hat}{$allow}{capability}{$capability}{audit} = $audit; } elsif (m/^\s*set capability\s+(\S+)\s*,\s*(#.*)?$/) { # capability entry 
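Review bot: The corrected `{rule}{all}` test in the `@@ -5708,7 +5729,7 @@` hunk makes the bare-`network` branch reachable, but the line it pushes, `"${pre}${audit}network,"`, carries no allow/deny string, so a parsed `deny network,` would be written back as `network,`. The parser hunk above stores the rule under `{$allow}`, and the capability writer in this series emits `${allowstr}`. Assuming `$allowstr` is in scope in this sub (its start is outside the hunk), use `push @data, "${pre}${audit}${allowstr}network,";`. `$audit` is also only assigned when the audit flag is true, so setting it unconditionally with `$audit = $profile_data->{$allow}{netdomain}{audit}{all} ? "audit " : "";` avoids interpolating whatever it held before.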
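Review bot: `my $capability = $3 ? $3 : 'all';` in the `@@ -5159,7 +5159,7 @@` hunk reads the wrong capture. After the regex change in the `@@ -5151,7 +5151,7 @@` hunk, `$3` is the outer optional group `(\s+(\S+))` and includes the leading whitespace, while the capability name itself is `$4`. A rule such as `capability sys_admin,` would then be keyed as `" sys_admin"`, which will not match lookups by capability name and is written back with a doubled space. Use `my $capability = defined $4 ? $4 : 'all';`, or make the outer group non-capturing, `capability(?:\s+(\S+))?`, and keep `$3`. The context line `$allow = 'deny' if ($2);` only repeats the assignment above it and could be dropped.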
@@ -5675,7 +5690,13 @@ my @data; if (exists $profile_data->{$allow}{capability}) { - for my $cap (sort keys %{$profile_data->{$allow}{capability}}) { + my $audit; + if (exists $profile_data->{$allow}{capability}{all}) { + $audit = ($profile_data->{$allow}{capability}{all}{audit}) ? 'audit ' : ''; + push @data, "${pre}${audit}${allowstr}capability,"; + } + for my $cap (sort keys %{$profile_data->{$allow}{capability}}) { + next if ($cap eq "all"); my $audit = ($profile_data->{$allow}{capability}{$cap}{audit}) ? 'audit ' : ''; if ($profile_data->{$allow}{capability}{$cap}{set}) { push @data, "${pre}${audit}${allowstr}capability ${cap},"; ++++++ perl-apparmor-properly-handle-bare-file-keyword.diff ++++++ From: Jeff Mahoney <[email protected]> Subject: perl-apparmor: Properly handle bare 'file' keyword References: bnc#889652 The bare file keyword is a shortcut for /{**,}. There are also implied permissions that go with it. This patch accepts the file keyword as well as allowing for missing mode specifiers. Signed-off-by: Jeff Mahoney <[email protected]> --- utils/Immunix/AppArmor.pm | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) --- a/utils/Immunix/AppArmor.pm +++ b/utils/Immunix/AppArmor.pm @@ -5252,7 +5252,7 @@ } elsif (m/^\s*if\s+(not\s+)?(\$\{?[[:alpha:]][[:alnum:]_]*\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean } elsif (m/^\s*if\s+(not\s+)?defined\s+(@\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- variable defined } elsif (m/^\s*if\s+(not\s+)?defined\s+(\$\{?[[:alpha:]][[:alnum:]_]+\}?)\s*\{\s*(#.*)?$/) { # conditional -- boolean defined - } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?([\"\@\/].*?)\s+(\S+)(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry + } elsif (m/^\s*(audit\s+)?(deny\s+)?(owner\s+)?(file|([\"\@\/].*?)\s+(\S+))(\s+->\s*(.*?))?\s*,\s*(#.*)?$/) { # path entry if (not $profile) { die sprintf(gettext('%s contains syntax errors.'), $file) . "\n"; } 
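Review bot: The new branch in the `@@ -5675,7 +5690,13 @@` hunk writes a bare `capability,` line whenever the `all` key merely exists, whereas the per-capability loop below it only writes an entry when its `{set}` flag is true. Bare `capability` grants every capability, and a stray nested read elsewhere could autovivify the `all` key, so gate the line on the flag the parser sets: `if ($profile_data->{$allow}{capability}{all}{set}) {`. The outer `my $audit;` is also shadowed by the `my $audit` inside the loop. Declaring it inside the `if` block as `my $audit = $profile_data->{$allow}{capability}{all}{audit} ? 'audit ' : '';` keeps the two apart. The loop body continues past the end of the hunk.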
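Review bot: The `file` alternative in the new path-entry regex (`@@ -5252,7 +5252,7 @@`) matches only the bare keyword, so `$5` and `$6` are always undefined when `$4 eq "file"`, and forms like `file rw,` or `file /path rw,` do not match this branch at all. As a result, `if (!$mode)` in the `@@ -5260,7 +5260,19 @@` hunk is always true, and `use_mode` is always 0 for a rule parsed from the keyword, which leaves the `if $use_mode` output in the `@@ -5838,7 +5859,13 @@` hunk without a keyword input that reaches it. Either extend the alternative to capture an optional mode after `file`, or remove the unused paths and document the limit with `# only bare "file," (optionally with "-> name") is parsed here; "file <mode>," is not`. The `elsif` chain starts and ends outside this hunk.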
@@ -5260,7 +5260,19 @@ my $audit = $1 ? 1 : 0; my $allow = $2 ? 'deny' : 'allow'; my $user = $3 ? 1 : 0; - my ($path, $mode, $nt_name) = ($4, $5, $7); + my ($path, $mode, $nt_name) = ($5, $6, $8); + my $file_keyword = 0; + my $use_mode = 1; + + if ($4 eq "file") { + $path = "/{**,}"; + $file_keyword = 1; + if (!$mode) { + # what the parser uses, but we don't care + $mode = "rwixlka"; + $use_mode = 0; + } + } # strip off any trailing spaces. $path =~ s/\s+$//; @@ -5281,6 +5293,9 @@ fatal_error(sprintf(gettext('Profile %s contains invalid mode %s.'), $file, $mode)); } + $profile_data->{$profile}{$hat}{$allow}{path}{$path}{use_mode} = $use_mode; + $profile_data->{$profile}{$hat}{$allow}{path}{$path}{file_keyword} = 1 if $file_keyword; + my $tmpmode; if ($user) { $tmpmode = str_to_mode("${mode}::"); @@ -5838,7 +5859,13 @@ } $tmpmode &= ~$tmpaudit; } - if ($tmpmode) { + my $kw = $profile_data->{$allow}{path}{$path}{file_keyword}; + my $use_mode = $profile_data->{$allow}{path}{$path}{use_mode}; + if ($kw) { + my $modestr = ""; + $modestr = " " . mode_to_str($tmpmode) if $use_mode; + push @data, "${pre}${allowstr}${ownerstr}file${modestr}${tail},"; + } elsif ($tmpmode) { my $modestr = mode_to_str($tmpmode); if ($path =~ /\s/) { push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},"; -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
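Review bot: In the `@@ -5838,7 +5859,13 @@` hunk the `$kw` branch sits ahead of the old `if ($tmpmode)` guard and its output line has no audit prefix, so a `file` line is pushed even when `$tmpmode &= ~$tmpaudit` has left no unaudited bits. As far as this hunk shows, `audit file,` would come back either with an extra plain `file,` or with the audit flag lost, depending on how the audited bits are written above the hunk. That code should be checked against `file_keyword` as well. One option is `if ($kw && $tmpmode) {`, leaving the audited part to the code that handles `$tmpaudit`. The enclosing loop starts and ends outside the hunk.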
