Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2024-06-06 12:31:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Thu Jun 6 12:31:39 2024 rev:211 rq:1178600 version:4.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2024-05-30 15:31:29.518134536 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new.24587/apparmor.changes 2024-06-06 12:31:47.774676023 +0200 @@ -1,0 +2,7 @@ +Tue Jun 4 19:48:47 UTC 2024 - Christian Boltz <suse-b...@cboltz.de> + +- add sddm-xauth.diff - sddm uses a new path for xauth (boo#1223900) +- add plasmashell.diff - fix QtWebEngineProcess path to prevent a + crash in plasmashell (boo#1225961) + +------------------------------------------------------------------- New: ---- plasmashell.diff sddm-xauth.diff BETA DEBUG BEGIN: New:- add sddm-xauth.diff - sddm uses a new path for xauth (boo#1223900) - add plasmashell.diff - fix QtWebEngineProcess path to prevent a crash in plasmashell (boo#1225961) New: - add sddm-xauth.diff - sddm uses a new path for xauth (boo#1223900) - add plasmashell.diff - fix QtWebEngineProcess path to prevent a BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.5R0UE8/_old 2024-06-06 12:31:48.718710426 +0200 +++ /var/tmp/diff_new_pack.5R0UE8/_new 2024-06-06 12:31:48.722710571 +0200 @@ -98,6 +98,12 @@ Patch14: utils-relax-mount-rules.diff Patch15: utils-relax-mount-rules-2.diff +# Fix QtWebEngineProcess path in plasmashell profile (merged upstream 2024-06-04 in 4.0 and master - https://gitlab.com/apparmor/apparmor/-/merge_requests/1248) +Patch16: plasmashell.diff + +# latest sddm uses yet another path for xauth (submitted upstream 2024-06-04 https://gitlab.com/apparmor/apparmor/-/merge_requests/1249) +Patch17: sddm-xauth.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf 
@@ -371,6 +377,8 @@ %patch -P 13 -p1 %patch -P 14 -p1 %patch -P 15 -p1 +%patch -P 16 -p1 +%patch -P 17 -p1 %build export SUSE_ASNEEDED=0 ++++++ plasmashell.diff ++++++ commit 64469afa2c65eb8a90a19d2b658a9559fb3964b0 Author: Christian Boltz <appar...@cboltz.de> Date: Tue Jun 4 21:14:50 2024 +0200 Add openSUSE path to plasmashell profile While on it, - add some comments explaining what the profile does - adjust the rule with the Debian/Ubuntu path to work with Qt6 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961 diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell index d743ff7a3..51c50a689 100644 --- a/profiles/apparmor.d/plasmashell +++ b/profiles/apparmor.d/plasmashell @@ -17,8 +17,13 @@ profile plasmashell /usr/bin/plasmashell { unix, ptrace, - /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, + # allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues) + /usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, + /usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess, + + # allow to execute all other programs under their own profile, or to run unconfined /** pux, + /{,**} mrwlk, profile QtWebEngineProcess { ++++++ sddm-xauth.diff ++++++ commit 0c6e031c02fb18affd3bb7f15e269d9dd5c3317a Author: Christian Boltz <appar...@cboltz.de> Date: Tue Jun 4 21:45:06 2024 +0200 abstractions/X: add another xauth path This time it's /tmp/xauth_?????? r, which gets used by latest sddm. Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1223900 diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X index 6f0272d64..6df891185 100644 --- a/profiles/apparmor.d/abstractions/X +++ b/profiles/apparmor.d/abstractions/X 
@@ -28,6 +28,7 @@ owner @{run}/user/*/gdm/Xauthority r, owner @{run}/user/*/X11/Xauthority r, owner @{run}/user/*/xauth_* r, + owner /tmp/xauth_?????? r, # the unix socket to use to connect to the display /tmp/.X11-unix/* rw,
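Review bot: in the plasmashell.diff hunk, the Debian/Ubuntu rule `/usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,` still hard-codes the x86_64 multiarch triplet, so on any other architecture that binary matches only the generic `/** pux,` rule and never transitions into the stacked QtWebEngineProcess child profile. If the profile includes tunables/global, consider writing the directory as `/usr/lib/@{multiarch}/qt[56]/libexec/`; the new `/usr/libexec/qt[56]/QtWebEngineProcess` rule is architecture-independent and needs no change.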
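Review bot: in the sddm-xauth.diff hunk, the added `owner /tmp/xauth_?????? r,` line carries no comment saying which program creates the file; only the commit message mentions sddm. The neighbouring rule uses `xauth_*`, so a short comment above the new line such as `# used by latest sddm (boo#1223900)` would record the origin and make clear that the six `?` (each matching exactly one non-slash character) are deliberate, which matters for a rule under world-writable /tmp that later edits should not loosen to `*`.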