Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2026-05-29 18:05:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apparmor"

Fri May 29 18:05:10 2026 rev:236 rq:1355648 version:5.0.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes	2026-05-17 18:56:43.448056533 +0200
+++ /work/SRC/openSUSE:Factory/.apparmor.new.1937/apparmor.changes	2026-05-29 18:06:35.349075086 +0200
@@ -1,0 +2,35 @@ +Thu May 28 14:05:15 UTC 2026 - Christian Boltz <[email protected]> + +- add revert-plasmashell.diff - the profile changes caused strange + problems (see SR 1355200). Revert for now to get the other fixes out. + +------------------------------------------------------------------- +Tue May 26 12:20:09 UTC 2026 - Christian Boltz <[email protected]> + +- add changes-since-v5.0.0.diff with all changes since the 5.0.0 + release: + - small fixes in parser and utils + - lots of profile updates: + - abstractions/nameservice (part of boo#1265394) + - alsamixer (boo#1265452) + - avahi-daemon (boo#1266041) + - dig (boo#1265459) + - fusermount3 (boo#1265951) + - lsof + - php-fpm (boo#1265864) + - plasmashell + - proftpd (boo#1265862) + - Samba profiles (boo#1265865) + - transmission-daemon (boo#1265863) + - various dovecot profiles +- add wg-quick.diff to fix wg-quick (boo#1265394) +- add curl.diff to fix curl for usage with rpmdevtools (boo#1266273) +- add who.diff to fix who (boo#1265860) +- remove upstreamed patches (included in changes-since-v5.0.0.diff): + - allow-read-slash.diff + - lsusb.diff + - postfix-profiles-slash.diff + - syslog-ng-slashes.diff + - wpa_supplicant.diff + +-------------------------------------------------------------------

Old:
----
  allow-read-slash.diff
  lsusb.diff
  postfix-profiles-slash.diff
  syslog-ng-slashes.diff
  wpa_supplicant.diff

New:
----
  changes-since-v5.0.0.diff
  curl.diff
  revert-plasmashell.diff
  wg-quick.diff
  who.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.TyquHb/_old	2026-05-29 18:06:38.713214403 +0200
+++ /var/tmp/diff_new_pack.TyquHb/_new	2026-05-29 18:06:38.713214403 +0200
@@ -86,20 +86,20 @@ # /usr/etc/krb5.conf - boo#1246689 - not submitted upstream yet since https://github.com/krb5/krb5/pull/1437/ is still open Patch11: kerberosclient-usrmerge.diff -# allow "/ r," which is needed since systemd 260 (boo#1263051) -# taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/2079 (merged into 4.0..master) -Patch12: allow-read-slash.diff -# taken from upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/2087 (merged into 5.0 and master) -Patch13: postfix-profiles-slash.diff +# upstream changes in the 5.0 branch since 5.0.0 release +Patch12: changes-since-v5.0.0.diff -# avoid double slashes (and therefore a path mismatch) in syslog-ng profile (merged upstream 2026-05-05 https://gitlab.com/apparmor/apparmor/-/merge_requests/2090 for 5.0 and master, will be in 5.0.1) -Patch14: syslog-ng-slashes.diff +# fix wg-quick profile - boo#1265394 - submitted upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/2123 +Patch13: wg-quick.diff -# wpa_supplicant profile additions (boo#1265377) (submitted upstream 2026-05-16 https://gitlab.com/apparmor/apparmor/-/merge_requests/2103 for 5.0 and master) -Patch15: wpa_supplicant.diff +# fix curl profile for usage with rpmdevtools - boo#1266273 - submitted upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/2125 +Patch14: curl.diff -# lsusb profile additions (submitted upstream 2026-05-16 https://gitlab.com/apparmor/apparmor/-/merge_requests/2102 for 5.0 and master) -Patch16: lsusb.diff +# fix who profile - boo#1265860 - https://gitlab.com/apparmor/apparmor/-/merge_requests/2109 merged into master, not picked into 5.0 branch yet +Patch15: who.diff + +# revert plasmashell changes - causes strange errors in openQA (to be debugged) +Patch16: revert-plasmashell.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ changes-since-v5.0.0.diff ++++++ ++++ 887 lines (skipped) ++++++ curl.diff ++++++ commit 56d471dd5198a5060cd6b1c46b495c38ff9fc525 
Author: Christian Boltz <[email protected]> Date: Tue May 26 13:00:54 2026 +0200 curl: allow reading rpmdevtools curlrc Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1266273 diff --git a/profiles/apparmor.d/curl b/profiles/apparmor.d/curl index a05bd9452..9cce43cc9 100644 --- a/profiles/apparmor.d/curl +++ b/profiles/apparmor.d/curl @@ -43,6 +43,9 @@ profile curl /usr/bin/curl { # or profile refactoring file rw @{run}/snapd.socket, + # rpmdev-spectool runs curl with its own curlrc + /etc/rpmdevtools/curlrc r, + # Site-specific additions and overrides. See local/README for details. include if exists <local/curl> } ++++++ revert-plasmashell.diff ++++++ diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell index dd0049497..4df823ac6 100644 --- a/profiles/apparmor.d/plasmashell +++ b/profiles/apparmor.d/plasmashell @@ -2,7 +2,7 @@ abi <abi/5.0>, include <tunables/global> -profile plasmashell /usr/bin/plasmashell flags=(attach_disconnected.path=/att/plasmashell/) { +profile plasmashell /usr/bin/plasmashell { include <abstractions/dbus-session> capability, @@ -26,9 +26,6 @@ profile plasmashell /usr/bin/plasmashell { /{,**} mrwlk, @{exec_path} mr, - # even if it's covered by the very generous rules above... (to document the disconnected path) - /att/plasmashell/systemd/journal/socket w, - profile QtWebEngineProcess { capability, userns, ++++++ wg-quick.diff ++++++ https://gitlab.com/apparmor/apparmor/-/merge_requests/2123 commit d778b15fa21e14a418c1df4cb099728078e1d1f8 Author: Christian Boltz <[email protected]> Date: Mon May 25 13:24:57 2026 +0200 Fix wg-quick to work on openSUSE and with DNS= option Yes, it really (ab)uses mount etc. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1265394 diff --git a/profiles/apparmor.d/wg-quick b/profiles/apparmor.d/wg-quick index cf04a0a11..83122b092 100644 --- a/profiles/apparmor.d/wg-quick +++ b/profiles/apparmor.d/wg-quick 
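Review bot: in the apparmor.spec hunk `@@ -86,20 +86,20 @@`, the comment on the new Patch12 (`# upstream changes in the 5.0 branch since 5.0.0 release`) does not record which upstream revision the 887-line changes-since-v5.0.0.diff was generated from, while the Patch13/14/15 comments each link their merge request; add the upstream commit id or the `git diff` range used, so the patch can be regenerated when 5.0.1 is released and the remaining patches rebased on top of it. The Patch16 comment (`causes strange errors in openQA (to be debugged)`) would also benefit from citing SR 1355200, which the changelog names, so the revert stays traceable to the failing submission.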
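Review bot: the curl.diff hunk `@@ -43,6 +43,9 @@` cites boo#1266273 in its `Fixes:` trailer but not the upstream merge request 2125 that the spec comment for Patch14 points to; put the merge request URL into the patch header, as wg-quick.diff does, so it is obvious when the patch can be dropped. The rule itself, `/etc/rpmdevtools/curlrc r,`, is a plain read of a packaged configuration file and is appropriately narrow.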
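Review bot: revert-plasmashell.diff has no header at all, unlike curl.diff and wg-quick.diff, so nothing in the patch says what is being reverted or why; add a short description naming SR 1355200, the openQA symptom and the upstream change being reverted, so the revert is not carried forward indefinitely once the underlying problem is understood. Dropping the `/att/plasmashell/systemd/journal/socket w,` rule together with the `attach_disconnected.path=/att/plasmashell/` flag in hunk `@@ -2,7 +2,7 @@` is consistent, since that rule only documented the disconnected path the flag introduced.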
@@ -1,6 +1,7 @@ # vim: ft=apparmor #------------------------------------------------------------------ # Copyright (C) 2024 Canonical Ltd. +# Copyright (C) 2026 Christian Boltz # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public @@ -21,7 +22,7 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) { network netlink raw, network unix stream, - # use wg aa profile + # use wg aa profile file mrpx /usr/bin/wg -> wg, # binaries called from within wg-quick @@ -57,7 +58,7 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) { # Sub-profile for nft tool restrictions file mrCx /usr/sbin/nft, profile nft /usr/sbin/nft { - include <abstractions/base> + include <abstractions/base> capability net_admin, @@ -72,15 +73,18 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) { } # Sub-profile for IP tool restrictions - file mrCx /usr/bin/ip, - profile ip /usr/bin/ip { + file mrCx /usr/{s,}bin/ip -> ip, + profile ip { include <abstractions/base> capability net_admin, capability sys_module, + /usr/lib*/glibc-hwcaps/x86-64-v3/libz.so.* mr, + /usr/lib*/glibc-hwcaps/x86-64-v3/libzstd.so.* mr, + # Allow executable mapping and read for the binary - file mr /usr/bin/ip, + file mr /usr/{s,}bin/ip, # Network access rules network netlink raw, @@ -89,15 +93,15 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) { file r /usr/share/iproute2/rt_tables, file r @{run}/netns/{,**}, } - + # Sub-profile for sysctl tool restrictions file mrCx /usr/sbin/sysctl, profile sysctl /usr/sbin/sysctl { - include <abstractions/base> - + include <abstractions/base> + # Allow executable mapping and read for the binary file mr /usr/sbin/sysctl, - + file w @{PROC}/sys/net/ipv4/conf/all/src_valid_mark, } 
@@ -110,6 +114,103 @@ profile wg-quick /usr/bin/wg-quick flags=(attach_disconnected) { # Process-specific access file r @{PROC}/@{pid}/net/ip_tables_names, + + # alts (actually /usr/sbin/iptables-save) + /usr/bin/alts Cx -> wg-quick//alts, + profile alts { + include <abstractions/base> + + /usr/bin/alts r, + + /usr/share/libalternatives/ r, + /usr/share/libalternatives/ip6tables-save/ r, + /usr/share/libalternatives/ip6tables-save/*.conf r, + /usr/share/libalternatives/iptables-save/ r, + /usr/share/libalternatives/iptables-save/*.conf r, + + /usr/sbin/xtables-nft-multi Px -> wg-quick//xtables-nft-multi, + } + + profile xtables-nft-multi { + include <abstractions/base> + + capability net_admin, + + @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/net/ip6_tables_names r, + + /usr/sbin/xtables-nft-multi r, + } + + + # DNS= option if using https://git.zx2c4.com/wireguard-tools/tree/contrib/dns-hatchet/hatchet.bash uses unshare, mount etc. to bind-mount /etc/resolv.conf + @{PROC}/@{pid}/cgroup r, + /usr/bin/unshare Cx -> unshare, + + profile unshare { + include <abstractions/base> + + capability sys_admin, + + /{usr/,}bin/bash Px -> wg-quick//unshare-bash, + /usr/bin/unshare r, + } + + profile unshare-bash { + include <abstractions/base> + + /{usr/,}bin/bash r, + /{usr/,}bin/cat rix, + /{usr/,}bin/mount Px -> wg-quick//unshare-mount, + /{usr/,}bin/stat rix, + + /{usr/,}lib/bash/ r, + + /etc/ r, + /etc/resolv.conf r, + + /dev/shm/resolv.conf w, # r needed? 
+ /dev/tty rw, + + @{PROC}/filesystems r, + } + + profile unshare-mount { + include <abstractions/base> + + capability sys_admin, + + /{usr/,}bin/mount r, + + / r, + /etc/fstab r, + + @{run}/mount/utab r, + + @{PROC}/@{pid}/mountinfo r, + @{PROC}/filesystems r, + + /dev/shm/ r, + } + + + # umount private /dev/shm/ on VPN shutdown + /{usr/,}bin/umount Cx -> umount, + profile umount { + capability sys_admin, + + /{usr/,}bin/umount r, + + @{run}/mount/utab r, + @{run}/mount/utab.act wk, + @{run}/mount/utab.lock rwk, + @{run}/netconfig/resolv.conf r, + + @{PROC}/@{pid}/mountinfo r, + @{PROC}/filesystems r, + } + + # Site-specific additions and overrides. See local/README for details. include if exists <local/wg-quick> } ++++++ who.diff ++++++ --- a/profiles/apparmor.d/who 2026-02-27 00:21:24.123695275 +0100 +++ b/profiles/apparmor.d/who 2026-05-25 21:38:06.473530856 +0200 @@ -23,14 +23,22 @@ # man page # Overall result: the above calls are not mediated by LSMs + # Nevertheless, /dev/pts/ is needed + /dev/pts/ r, + /usr/bin/who mr, + # uutils ships Fluent localization files used for translated output + /usr/share/coreutils/locales/** r, + + /run/systemd/sessions/@{int} r, + # who sends the "exists" signal via kill(pid, 0) capability kill, # Deny the writes allowed by abstractions/wutmp audit deny /var/** w, audit deny @{run}/utmp w, - + include if exists <local/who> }
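Review bot: in the wg-quick.diff hunk `@@ -72,15 +73,18 @@`, the two new rules hard-code the `x86-64-v3` glibc-hwcaps directory (`/usr/lib*/glibc-hwcaps/x86-64-v3/libz.so.* mr,` and the matching `libzstd.so.*` rule), so the `ip` sub-profile will still deny the same libraries on aarch64 or on x86-64 hosts that resolve to a different hwcaps level; a glob over the level, e.g. `/usr/lib*/glibc-hwcaps/*/lib{z,zstd}.so.* mr,`, covers them, and it is worth checking whether the `include <abstractions/base>` already grants these mappings, in which case the rules are redundant.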
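Review bot: in the wg-quick.diff hunk `@@ -110,6 +114,103 @@`, the new `profile umount {` sub-profile is the only one of the six added sub-profiles without `include <abstractions/base>`; without it the dynamic loader's mappings of libc, libmount and friends are not granted, so `umount` is denied before it ever reaches the `@{run}/mount/utab*` rules (the `/{usr/,}bin/umount r,` rule covers only the binary itself). Add the include as in `profile unshare-mount`. The same hunk also ships an unresolved question as a rule comment (`/dev/shm/resolv.conf w, # r needed?`); settle it from a test run of the DNS= path before submitting upstream. For the record, `unshare`, `unshare-mount` and `umount` each grant `capability sys_admin`, which mount namespaces and bind mounts require but which is far broader than those operations; the tight file rules around it are what keeps these sub-profiles meaningful, so keep them tight when the profile is extended.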
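Review bot: in the who.diff hunk `@@ -23,14 +23,22 @@`, the new rule `/run/systemd/sessions/@{int} r,` uses a literal `/run` while the existing rule in the same hunk (`audit deny @{run}/utmp w,`) uses the `@{run}` tunable; write it as `@{run}/systemd/sessions/@{int} r,` so it also matches the `/var/run/` alias. The patch file carries no header either; the spec comment for Patch15 records that merge request 2109 is merged into master but not yet into the 5.0 branch, so putting that URL into the patch (as wg-quick.diff does) makes it obvious when it can be dropped.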
