Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2017-02-11 01:33:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2017-02-03 17:31:34.092783177 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2017-02-11 01:33:47.991524735 +0100 
@@ -1,0 +2,54 @@ +Mon Jan 30 21:37:48 UTC 2017 - [email protected] + +- add upstream-changes-r3616..3628.diff: + - update abstractions/base, abstractions/apache2-common and dovecot profiles + - merge ask_the_questions() of aa-logprof and aa-mergeprof + - pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor +- adjust deleting the cache in profiles %post to the new cache location +- silence errors when deleting the cache (boo#976914) + +------------------------------------------------------------------- +Sat Jan 28 21:40:11 UTC 2017 - [email protected] + +- split libapparmor into separate spec to get rid of build loop + involving mariadb, systemd, apparmor, libapr and mariadb again + (see the discussion in SR 448871 for details) + +------------------------------------------------------------------- +Fri Jan 27 20:08:03 UTC 2017 - [email protected] + +- update to AppArmor 2.11.0 + - apparmor_parser now supports parallel compiles and loads + - add full support for dbus, ptrace and signal rules and events to the + utils + - full rewrite of the file rule handling in the utils + - lots of improvements and fixes + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the + detailed changelog +- patches: + - add sshd-profile-drop-local-include-r3615.diff to fix 'make check' + - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed + - refresh apparmor-abstractions-no-multiline.diff + - refresh apparmor-samba-include-permissions-for-shares.diff +- spec changes: + - aa-unconfined switched to using ss (from iproute2), adjust Recommends: + - move libapparmor to /usr/lib*/ + - drop %if %suse_version checks for 12.x + - change several Obsoletes from %version to < 2.9. 
Those package names + weren't used since years, and 2.9 is still a careful choice + - include apparmor.service independent of %suse_version + - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires + - drop latex2html, texlive-* and w3m BuildRequires + - techdoc.txt and techdoc.html not included, drop them from the package + - run most of utils/ make check (some tests expect /etc/apparmor.d/ and + /sbin/apparmor_parser to exist, skip them) + - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests) + - drop sed'ing python3 into aa-* shebang (upstreamed) + - build binutils + - aa-exec is now written in C and lives in /usr/bin/, move it to the + apparmor_parser package and create a compability symlink in /usr/sbin/ + - aa-exec manpage moved to section 1 + - aa-enabled is a small new tool to find out if AppArmor is enabled + - package new aa_stack_profile(2) manpage + +------------------------------------------------------------------- New Changes file: --- /dev/null 2017-01-26 09:49:33.150892021 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new/libapparmor.changes 2017-02-11 01:33:48.099509496 +0100 
@@ -0,0 +1,11 @@ +------------------------------------------------------------------- +Sat Jan 28 21:40:11 UTC 2017 - [email protected] + +- split libapparmor into separate spec to get rid of build loop + involving mariadb, systemd, apparmor, libapr and mariadb again + (see the discussion in SR 448871 for details) +- libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but + with minimum BuildRequires + + + Old: ---- aa-unconfined-fix-netstat-call-2.10r3380.diff apparmor-2.10.2.tar.gz apparmor-2.10.2.tar.gz.asc New: ---- apparmor-2.11.0.tar.gz apparmor-2.11.0.tar.gz.asc libapparmor.changes libapparmor.spec sshd-profile-drop-local-include-r3615.diff upstream-changes-r3616..3628.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.MgBvpk/_old 2017-02-11 01:33:50.739136973 +0100 +++ /var/tmp/diff_new_pack.MgBvpk/_new 2017-02-11 01:33:50.739136973 +0100 @@ -24,23 +24,9 @@ %bcond_without pam %bcond_without apache %bcond_without perl -%if 0%{?suse_version} > 0 && 0%{?suse_version} <= 1210 - # disable python and ruby bindings on openSUSE <= 12.1 to avoid problems with rb_sitearch and python_sitearch - %bcond_with python - %bcond_with python3 - %bcond_with ruby -%else -%if 0%{?suse_version} == 1220 - # swig for python3 is broken on 12.2 - probably http://sourceforge.net/p/swig/bugs/1257/ - build python2 bindings instead - %bcond_without python - %bcond_with python3 - %bcond_without ruby -%else - %bcond_with python - %bcond_without python3 - %bcond_without ruby -%endif -%endif +%bcond_with python +%bcond_without python3 +%bcond_without ruby %define CATALINA_HOME /usr/share/tomcat6 #define APPARMOR_DOC_DIR /usr/share/doc/packages/apparmor-docs/ 
@@ -60,11 +46,12 @@ %if ! %{?distro:1}0 %define distro suse %endif -Version: 2.10.2 +Version: 2.11.0 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security +Url: https://launchpad.net/apparmor Source0: apparmor-%{version}.tar.gz Source1: apparmor-%{version}.tar.gz.asc Source2: %{name}.keyring @@ -82,9 +69,6 @@ # split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. Patch3: apparmor-utils-string-split -# fix regression in aa-unconfined netstat call (taken from upstream 2.10 branch r3380) -Patch4: aa-unconfined-fix-netstat-call-2.10r3380.diff - # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, [email protected] Patch5: ruby-2_0-mkmf-destdir.patch @@ -95,7 +79,12 @@ # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -Url: https://launchpad.net/apparmor +# drop local/ include from sshd profile to prevent failure in "make check" (taken from upstream bzr trunk r3615) +Patch8: sshd-profile-drop-local-include-r3615.diff + +# upstream changes (trunk r3616..3628) +Patch9: upstream-changes-r3616..3628.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{distro} == "suse" @@ -104,19 +93,14 @@ %endif %define apparmor_bin_prefix /lib/apparmor BuildRequires: bison +BuildRequires: dejagnu BuildRequires: flex BuildRequires: gcc-c++ -BuildRequires: latex2html BuildRequires: pcre-devel BuildRequires: pkg-config BuildRequires: python +BuildRequires: python3-pyflakes BuildRequires: perl(Locale::gettext) -%if 0%{?suse_version} > 1220 -BuildRequires: texlive-amsfonts -BuildRequires: texlive-cm-super -%endif -BuildRequires: texlive-latex -BuildRequires: w3m BuildRequires: swig 
@@ -149,12 +133,12 @@ Summary: AppArmor userlevel parser utility License: GPL-2.0+ Group: Productivity/Networking/Security -Obsoletes: libimnxcert < %{version} -Obsoletes: subdomain-leaf-cert < %{version} -Obsoletes: subdomain-parser < %{version} -Obsoletes: subdomain-parser-common < %{version} -Obsoletes: subdomain-parser-demo < %{version} -Obsoletes: subdomain_parser < %{version} +Obsoletes: libimnxcert < 2.9 +Obsoletes: subdomain-leaf-cert < 2.9 +Obsoletes: subdomain-parser < 2.9 +Obsoletes: subdomain-parser-common < 2.9 +Obsoletes: subdomain-parser-demo < 2.9 +Obsoletes: subdomain_parser < 2.9 Provides: libimnxcert = %{version} Provides: subdomain-leaf-cert = %{version} Provides: subdomain-parser = %{version} @@ -166,10 +150,8 @@ # initscript needs /lib/lsb/init-functions from insserv/insserv-compat Requires: insserv -%if 0%{?suse_version} > 1320 BuildRequires: systemd-rpm-macros %{?systemd_requires} -%endif %description parser The AppArmor Parser is a userlevel program that is used to load in 
@@ -209,35 +191,6 @@ %endif -%package -n libapparmor1 -Summary: Utility library for AppArmor -License: LGPL-2.1+ -Group: Development/Libraries/C and C++ -%ifarch ppc64 -Obsoletes: libapparmor-64bit < %{version} -Provides: libapparmor-64bit = %{version} -%endif -Provides: libapparmor = %{version} -#Provides: libimmunix = %{version} -Obsoletes: libapparmor < %{version} -#Obsoletes: libimmunix < %{version} - -%description -n libapparmor1 -This package provides the libapparmor library, which contains the -change_hat(2) symbol, used for sub-process confinement by AppArmor, as -well as functions to parse AppArmor log messages. - -%package -n libapparmor-devel -Summary: Development headers and libraries for libapparmor -License: LGPL-2.1+ -Group: Development/Libraries/C and C++ -Requires: libapparmor1 = %{version} -Provides: libapparmor:/usr/include/sys/apparmor.h - -%description -n libapparmor-devel -These libraries are needed for developing software that makes use of the -AppArmor API. - %if %{with perl} %package -n perl-apparmor @@ -338,7 +291,7 @@ Group: Productivity/Security Requires: apparmor-abstractions >= %{version} Requires: apparmor-parser(CAP_SYSLOG) -Obsoletes: subdomain-profiles < %{version} +Obsoletes: subdomain-profiles < 2.9 Provides: subdomain-profiles = %{version} BuildArch: noarch @@ -356,7 +309,7 @@ License: GPL-2.0 and LGPL-2.1+ Group: Productivity/Security Requires: libapparmor1 = %{version} -# some of the tools are still perl-based (aa-decode, aa-exec and aa-notify) +# some of the tools are still perl-based (aa-decode and aa-notify) Requires: perl = %{perl_version} Requires: perl-apparmor = %{version} %if %{with python3} 
@@ -366,12 +319,8 @@ Requires: python-apparmor = %{version} Requires: python-base %endif -# aa-unconfined needs netstat -%if 0%{?suse_version} > 1320 -Recommends: net-tools-deprecated -%else -Recommends: net-tools -%endif +# aa-unconfined needs ss +Recommends: iproute2 # aa-notify -p needs notify-send Recommends: libnotify-tools BuildArch: noarch @@ -435,27 +384,20 @@ %patch1 -p1 %patch2 %patch3 -p1 -%patch4 # Ruby 2.0 mkmf prefixes every path with $(DESTDIR) -%if 0%{?suse_version} > 1230 %patch5 -p1 -%endif %patch6 %patch7 -p1 +%patch8 +%patch9 # search for left-over multiline rules test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" %build -echo _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 - export SUSE_ASNEEDED=0 -# re-define _libdir to /lib or /lib64 -%define _libdir /%{_lib} - -echo new _libdir: %{_libdir} ruby: %{rb_sitearch} python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1 %if %{with python3} export PYTHON=/usr/bin/python3 @@ -485,6 +427,9 @@ # Utilities: make -C utils +# binutils +make -C binutils + # deprecated/utils (perl modules still needed by YaST) %if %{with perl} make -C deprecated/utils @@ -492,8 +437,6 @@ # parser: make -C parser V=1 -# techdoc.txt depends on techdoc.pdf and techdoc/index.html, so make techdoc.txt should be enough -make -C parser V=1 techdoc.txt # Apache mod_apparmor: %if %{with apache} @@ -508,8 +451,6 @@ # Profiles: make -C profiles -##configure --disable-static --with-pic \ -#--with-perl \ %if %{with tomcat} make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} %endif 
@@ -522,11 +463,24 @@ make check -C libraries/libapparmor make check -C parser +make check -C binutils + # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks # also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory) (cd profiles && make check-parser) -# utils make check fails if profiles don't exist in /etc/apparmor.d/ -# make check -C utils + +# these tests fail if /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser don't exist +# (aa.py doesn't allow to inject in-tree paths early enough) +rm -v utils/test/test-aa.py +rm -v utils/test/test-aa-easyprof.py +rm -v utils/test/test-libapparmor-test_multi.py +rm -v utils/test/test-mount_parse.py +rm -v utils/test/test-parser-simple-tests.py +rm -v utils/test/test-pivot_root_parse.py +rm -v utils/test/test-regex_matches.py +rm -v utils/test/test-unix_parse.py + +make check -C utils %install 
@@ -534,22 +488,17 @@ export PYTHON=/usr/bin/python3 %endif -# libapparmor -# override pkgconfigdir for now - TODO: don't redefine libdir when packaging AppArmor 3.0 -%makeinstall -C libraries/libapparmor pkgconfigdir=/usr/%{_lib}/pkgconfig/ -# create symlink for old change_hat(2) manpage -( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) +# libapparmor: swig bindings only, libapparmor is packaged via libapparmor.spec +%makeinstall -C libraries/libapparmor/swig # utilities %makeinstall -C utils test ! -x %{buildroot}/%{_bindir}/aa-easyprof && chmod +x %{buildroot}/%{_bindir}/aa-easyprof # https://bugs.launchpad.net/apparmor/+bug/1366568 mkdir -p %{buildroot}%{_localstatedir}/log/apparmor -%if %{with python3} - # enforce usage of python3 - for file in %{buildroot}/%{_sbindir}/aa-* ; do - sed -i '1s,^#! /usr/bin/env python$,#! /usr/bin/env python3,' "$file" - done -%endif + +# binutils +%makeinstall -C binutils +( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec ) # deprecated/utils (perl modules still needed by YaST) %if %{with perl} @@ -569,7 +518,7 @@ %endif %if %{with pam} - %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}%{_libdir}/security + %makeinstall -C changehat/pam_apparmor SECDIR=%{buildroot}/%{_lib}/security %endif %if %{with tomcat} @@ -577,8 +526,8 @@ %makeinstall -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{buildroot}/%{CATALINA_HOME} %endif -find %{buildroot} -name .packlist -exec rm -f {} \; -find %{buildroot} -name perllocal.pod -exec rm -f {} \; +find %{buildroot} -name .packlist -exec rm -vf {} \; +find %{buildroot} -name perllocal.pod -exec rm -vf {} \; # Re-create the links to the old names, but only for tools and manpages that had it for historic reasons[tm]. # Tools and manpages added in >= 2.9 won't get symlinks without aa- prefix 
@@ -587,7 +536,7 @@ f=$(basename $file) case "${f#aa-}" in audit | autodep | complain | decode | disable | enforce | exec | genprof | logprof | notify | status | unconfined | \ - audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.8* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) + audit.8* | autodep.8* | complain.8* | disable.8* | easyprof.8* | enforce.8* | exec.1* | genprof.8* | logprof.8* | notify.8 | status.8 | unconfined.8* ) if [ "${f#aa-}" != "$f" ]; then ln -s $f $d/${f#aa-} fi @@ -599,16 +548,14 @@ mv -f %{buildroot}%{_mandir}/man8/{notify.8,apparmor_notify.8} rm -f %{buildroot}%{_mandir}/man8/decode.8 -for pkg in apparmor-utils apparmor-parser; do +for pkg in apparmor-utils apparmor-parser aa-binutils; do %find_lang $pkg done # remove *.la files rm -fv %{buildroot}%{_libdir}/libapparmor.la -%if 0%{?suse_version} > 1320 install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service -%endif echo ------------------------------------------------------------------- #find -ls @@ -621,7 +568,7 @@ %doc parser/*.[1-9].html %doc utils/vim/apparmor.vim.5.html %doc common/apparmor.css -%doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt +%doc parser/techdoc.pdf # apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file %dir %{_datadir}/apparmor %{_datadir}/apparmor/apparmor.vim @@ -630,6 +577,8 @@ %defattr(-,root,root) %doc parser/README parser/COPYING.GPL /sbin/apparmor_parser +%{_bindir}/aa-enabled +%{_bindir}/aa-exec %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache 
@@ -640,14 +589,15 @@ %else %{_sysconfdir}/init.d/apparmor %endif -%if 0%{?suse_version} > 1320 %{_unitdir}/apparmor.service -%endif %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf %{_localstatedir}/lib/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions +%doc %{_mandir}/man1/aa-enabled.1.gz +%doc %{_mandir}/man1/aa-exec.1.gz +%doc %{_mandir}/man1/exec.1.gz %doc %{_mandir}/man5/apparmor.d.5.gz %doc %{_mandir}/man5/apparmor.vim.5.gz %doc %{_mandir}/man5/subdomain.conf.5.gz @@ -658,34 +608,10 @@ if [ -f %{_sysconfdir}/init.d/subdomain ] ; then chkconfig --del subdomain fi -%if 0%{?suse_version} > 1320 %service_add_pre apparmor.service -%endif - -%files parser-lang -f apparmor-parser.lang -%files -n libapparmor1 +%files parser-lang -f apparmor-parser.lang -f aa-binutils.lang %defattr(-,root,root) -%{_libdir}/libapparmor.so.* - -%files -n libapparmor-devel -%defattr(-,root,root) -%{_libdir}/libapparmor.a -%{_libdir}/libapparmor.so -/usr/%{_lib}/pkgconfig/libapparmor.pc -%doc %{_mandir}/man2/aa_change_hat.2.gz -%doc %{_mandir}/man2/change_hat.2.gz -%doc %{_mandir}/man2/aa_find_mountpoint.2.gz -%doc %{_mandir}/man2/aa_getcon.2.gz -%doc %{_mandir}/man2/aa_query_label.2.gz -%doc %{_mandir}/man3/aa_features.3.gz -%doc %{_mandir}/man3/aa_kernel_interface.3.gz -%doc %{_mandir}/man3/aa_policy_cache.3.gz -%doc %{_mandir}/man3/aa_splitcon.3.gz -%dir %{_includedir}/aalogparse -%{_includedir}/sys/apparmor.h -%{_includedir}/sys/apparmor_private.h -%{_includedir}/aalogparse/* %files abstractions %defattr(644,root,root,755) @@ -732,7 +658,6 @@ %dir %{_datadir}/apparmor %{_datadir}/apparmor/easyprof/ %dir %{_localstatedir}/log/apparmor -%doc %{_mandir}/man2/aa_change_profile.2.gz %doc %{_mandir}/man5/logprof.conf.5.gz %doc %{_mandir}/man8/apparmor_notify.8.gz %doc %{_mandir}/man8/aa-*.gz 
@@ -743,7 +668,6 @@ %doc %{_mandir}/man8/disable.8.gz %doc %{_mandir}/man8/easyprof.8.gz %doc %{_mandir}/man8/enforce.8.gz -%doc %{_mandir}/man8/exec.8.gz %doc %{_mandir}/man8/genprof.8.gz %doc %{_mandir}/man8/logprof.8.gz %doc %{_mandir}/man8/unconfined.8.gz @@ -800,7 +724,7 @@ %files -n pam_apparmor %defattr(444,root,root,755) -%attr(555,root,root) %{_libdir}/security/pam_apparmor.so +%attr(555,root,root) /%{_lib}/security/pam_apparmor.so %endif %if %{with tomcat} @@ -853,9 +777,7 @@ fi %endif -%if 0%{?suse_version} > 1320 %service_add_post apparmor.service -%endif %preun parser if [ "$1" = 0 ] ; then @@ -867,9 +789,7 @@ %endif fi -%if 0%{?suse_version} > 1320 %service_del_preun apparmor.service -%endif %postun parser %if %{distro} == "suse" @@ -885,11 +805,9 @@ %{insserv_cleanup} || true %endif -%if 0%{?suse_version} > 1320 # don't call try-restart, see bnc#853019 export DISABLE_RESTART_ON_UPDATE="yes" %service_del_postun apparmor.service -%endif %post abstractions %if %{distro} == "suse" @@ -907,7 +825,7 @@ %post profiles %if %{distro} == "suse" # workaround for bnc#904620#c8 / lp#1392042 - rm -f /var/cache/apparmor/* + rm -f /var/lib/apparmor/cache/* 2>/dev/null #restart_on_update boot.apparmor - but non-broken (bnc#853019) # (copy&paste from parser postun script) test -n "$FIRST_ARG" || FIRST_ARG=$1 
@@ -919,10 +837,6 @@ fi %endif -%post -n libapparmor1 -p /sbin/ldconfig - -%postun -n libapparmor1 -p /sbin/ldconfig - %if %{with tomcat} %post -n tomcat_apparmor -p /sbin/ldconfig ++++++ libapparmor.spec ++++++ # # spec file for package libapparmor # # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2011-2017 Christian Boltz # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libapparmor Version: 2.11.0 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1+ Group: Development/Libraries/C and C++ Url: https://launchpad.net/apparmor Source0: apparmor-%{version}.tar.gz Source1: apparmor-%{version}.tar.gz.asc BuildRequires: bison BuildRequires: dejagnu BuildRequires: flex BuildRequires: pkg-config BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This package provides the libapparmor library, which contains the change_hat(2) symbol, used for sub-process confinement by AppArmor, as well as functions to parse AppArmor log messages. 
%package -n libapparmor1 Summary: Utility library for AppArmor Group: Development/Libraries/C and C++ %ifarch ppc64 Obsoletes: libapparmor-64bit < 2.9 Provides: libapparmor-64bit = %{version} %endif Provides: libapparmor = %{version} Obsoletes: libapparmor < 2.9 %description -n libapparmor1 This package provides the libapparmor library, which contains the change_hat(2) symbol, used for sub-process confinement by AppArmor, as well as functions to parse AppArmor log messages. %package -n libapparmor-devel Summary: Development headers and libraries for libapparmor Group: Development/Libraries/C and C++ Requires: libapparmor1 = %{version} Provides: libapparmor:/usr/include/sys/apparmor.h %description -n libapparmor-devel These libraries are needed for developing software that makes use of the AppArmor API. %prep %setup -q -n apparmor-%{version} %build ( cd ./libraries/libapparmor %configure \ --without-perl \ --without-python \ --without-ruby \ make ) %check make check -C libraries/libapparmor %install %makeinstall -C libraries/libapparmor # create symlink for old change_hat(2) manpage ( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) # remove *.la files rm -fv %{buildroot}%{_libdir}/libapparmor.la %post -n libapparmor1 -p /sbin/ldconfig %postun -n libapparmor1 -p /sbin/ldconfig %files -n libapparmor1 %defattr(-,root,root) %{_libdir}/libapparmor.so.* %files -n libapparmor-devel %defattr(-,root,root) %{_libdir}/libapparmor.a %{_libdir}/libapparmor.so %{_libdir}/pkgconfig/libapparmor.pc %doc %{_mandir}/man2/aa_change_hat.2.gz %doc %{_mandir}/man2/aa_change_profile.2.gz %doc %{_mandir}/man2/aa_stack_profile.2.gz %doc %{_mandir}/man2/change_hat.2.gz %doc %{_mandir}/man2/aa_find_mountpoint.2.gz %doc %{_mandir}/man2/aa_getcon.2.gz %doc %{_mandir}/man2/aa_query_label.2.gz %doc %{_mandir}/man3/aa_features.3.gz %doc %{_mandir}/man3/aa_kernel_interface.3.gz %doc %{_mandir}/man3/aa_policy_cache.3.gz %doc %{_mandir}/man3/aa_splitcon.3.gz %dir 
%{_includedir}/aalogparse %{_includedir}/sys/apparmor.h %{_includedir}/sys/apparmor_private.h %{_includedir}/aalogparse/* %changelog ++++++ apparmor-2.10.2.tar.gz -> apparmor-2.11.0.tar.gz ++++++ ++++ 90432 lines of diff (skipped) ++++++ apparmor-abstractions-no-multiline.diff ++++++ --- /var/tmp/diff_new_pack.MgBvpk/_old 2017-02-11 01:33:51.691002638 +0100 +++ /var/tmp/diff_new_pack.MgBvpk/_new 2017-02-11 01:33:51.691002638 +0100 @@ -35,11 +35,11 @@ + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), Index: profiles/apparmor.d/abstractions/dbus-session-strict =================================================================== ---- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2014-10-18 13:11:18.498652324 +0200 -+++ profiles/apparmor.d/abstractions/dbus-session-strict 2014-10-18 13:11:31.098494805 +0200 -@@ -13,16 +13,9 @@ - /etc/machine-id r, +--- profiles/apparmor.d/abstractions/dbus-session-strict.orig 2017-01-11 21:20:01.381935015 +0100 ++++ profiles/apparmor.d/abstractions/dbus-session-strict 2017-01-11 21:20:07.641905170 +0100 +@@ -14,16 +14,9 @@ /var/lib/dbus/machine-id r, + owner /run/user/*/bus rw, - unix (connect, receive, send) - type=stream 
@@ -71,92 +71,42 @@ - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), -Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base +Index: profiles/apparmor.d/abstractions/fcitx-strict =================================================================== ---- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2014-10-18 13:11:18.497652337 +0200 -+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2014-10-18 13:11:31.098494805 +0200 -@@ -16,41 +16,16 @@ - #include <abstractions/gnome> +--- profiles/apparmor.d/abstractions/fcitx-strict.orig 2017-01-11 21:44:55.726947350 +0100 ++++ profiles/apparmor.d/abstractions/fcitx-strict 2017-01-11 21:45:02.830914856 +0100 +@@ -11,11 +11,6 @@ - # Allow connecting to session bus and where to connect to services -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=Hello -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=session -- path=/org/freedesktop/{db,DB}us -- interface=org.freedesktop.DBus -- member={Add,Remove}Match -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), - # NameHasOwner and GetNameOwner could leak running processes and apps - # depending on how services are implemented -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=GetNameOwner -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- 
member=NameHasOwner -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), - - # Allow starting services on the session bus (actual communications with - # the service are mediated elsewhere) -- dbus (send) -- bus=session -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=StartServiceByName -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus), + #include <abstractions/dbus-session-strict> - # Allow connecting to system bus and where to connect to services. Put these - # here so we don't need to repeat these rules in multiple places (actual -@@ -58,108 +36,47 @@ - # allow apps to brute-force enumerate system services, but our system - # services aren't a secret. 
- /{,var/}run/dbus/system_bus_socket rw, -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=Hello -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=system -- path=/org/freedesktop/{db,DB}us -- interface=org.freedesktop.DBus -- member={Add,Remove}Match -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus), - # NameHasOwner and GetNameOwner could leak running processes and apps - # depending on how services are implemented -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=GetNameOwner -- peer=(name=org.freedesktop.DBus), -- dbus (send) -- bus=system -- path=/org/freedesktop/DBus -- interface=org.freedesktop.DBus -- member=NameHasOwner -- peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus), -+ dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus), +- dbus send +- bus=fcitx +- path=/org/freedesktop/DBus +- interface=org.freedesktop.DBus +- member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} +- peer=(name=org.freedesktop.DBus), ++ dbus send bus=fcitx path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), + + owner @{HOME}/.config/fcitx/dbus/* r, +Index: profiles/apparmor.d/abstractions/libpam-systemd +=================================================================== +--- profiles/apparmor.d/abstractions/libpam-systemd.orig 2017-01-11 21:47:13.814315855 +0100 
++++ profiles/apparmor.d/abstractions/libpam-systemd 2017-01-11 21:47:19.490289904 +0100 +@@ -12,8 +12,4 @@ + #include <abstractions/dbus-strict> + # libpam-systemd notifies systemd-logind about session logins/logouts +- dbus send +- bus=system +- path=/org/freedesktop/login1 +- interface=org.freedesktop.login1.Manager +- member={CreateSession,ReleaseSession}, ++ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession}, +Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base +=================================================================== +--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig 2017-01-11 21:20:07.641905170 +0100 ++++ profiles/apparmor.d/abstractions/ubuntu-unity7-base 2017-01-11 21:20:52.197692834 +0100 +@@ -21,78 +21,37 @@ # # Access required for connecting to/communication with Unity HUD # @@ -282,7 +232,7 @@ =================================================================== --- profiles/apparmor.d/abstractions/gnome.orig 2014-10-06 21:06:23.000000000 +0200 +++ profiles/apparmor.d/abstractions/gnome 2014-10-18 13:17:22.661505791 +0200 -@@ -91,6 +91,4 @@ +@@ -93,6 +93,4 @@ # Allow connecting to the GNOME vfs socket (still need corresponding DBus # rules) ++++++ apparmor-samba-include-permissions-for-shares.diff ++++++ --- /var/tmp/diff_new_pack.MgBvpk/_old 2017-02-11 01:33:51.722998123 +0100 +++ /var/tmp/diff_new_pack.MgBvpk/_new 2017-02-11 01:33:51.722998123 +0100 
@@ -20,7 +20,7 @@ === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -47,6 +47,10 @@ +@@ -53,6 +53,10 @@ @{HOMEDIRS}/** lrwk, ++++++ sshd-profile-drop-local-include-r3615.diff ++++++ ------------------------------------------------------------ revno: 3615 committer: Christian Boltz <[email protected]> branch nick: apparmor timestamp: Thu 2017-01-12 22:01:11 +0100 message: sshd profile: drop local/ include The local/ include in the sshd profile in extras causes some trouble: - it breaks "make check" because the parser can't find the local/ file - it results in a broken profile if someone uses this profile as starting point, but doesn't notice it needs the local include Acked-by: Steve Beattie <[email protected]> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd' --- profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-12-07 19:00:06 +0000 +++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2017-01-12 21:01:11 +0000 @@ -140,5 +140,5 @@ /usr/lib/openssh/sftp-server PUx, # Site-specific additions and overrides. See local/README for details. - #include <local/usr.sbin.sshd> + ## include <local/usr.sbin.sshd> } vim:ft=diff ++++++ upstream-changes-r3616..3628.diff ++++++ ++++ 1101 lines (skipped)
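
Review bot: the eight rm -v utils/test/test-*.py lines in the %check hunk of apparmor.spec delete whole test files before make check -C utils, among them test-parser-simple-tests.py and test-regex_matches.py, so a regression in those areas no longer fails the build. The comment gives the cause (the tests need /etc/apparmor.d/abstractions/* or /sbin/apparmor_parser, and aa.py cannot take in-tree paths early enough) but nothing says when the removals can be dropped again. Add a pointer to an upstream report for the aa.py limitation next to the list, so the skipped tests are re-enabled once in-tree paths can be injected.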
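
Review bot: in the %install hunk of apparmor.spec, ( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec ) creates only the unprefixed name exec under %{_sbindir}; no visible line creates %{_sbindir}/aa-exec, although the changelog describes a compatibility symlink in /usr/sbin/ for the tool that moved to /usr/bin/. Anything that calls aa-exec by its former full path to start a program under a profile will fail after the update. Either add a second link named aa-exec, or state in the changelog that only the legacy exec name is kept. The %files parser hunk adds %{_bindir}/aa-exec but no entry under %{_sbindir}, so also confirm which subpackage ends up owning the new link.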
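
Review bot: in %post profiles, rm -f /var/lib/apparmor/cache/* 2>/dev/null sends all of rm's error output to /dev/null, so when a cache file cannot be deleted the workaround for bnc#904620#c8 / lp#1392042 silently has no effect and nothing in the update log shows it. Name the expected error from boo#976914 in a comment and suppress only that case (for example by testing for the condition before calling rm) instead of discarding stderr wholesale. The hunk also stops cleaning the old location /var/cache/apparmor/*, so say whether files left there on upgraded systems are meant to stay.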
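
Review bot: the new libapparmor.spec lists the detached signature as Source1: apparmor-%{version}.tar.gz.asc but declares no keyring source, while apparmor.spec carries Source2: %{name}.keyring next to the same tarball and signature. Without a keyring in this spec, nothing here ties the tarball to the upstream signing key. Add the keyring as a source with its file name written out, since %{name} expands to libapparmor in this spec.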
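
Review bot: sshd-profile-drop-local-include-r3615.diff turns the include into a comment (## include <local/usr.sbin.sshd>) but leaves the line above it as "Site-specific additions and overrides. See local/README for details.", so the profile still tells its reader that local overrides are in effect while rules placed in local/usr.sbin.sshd are no longer loaded. Reword that comment to say the include is disabled in this extras profile and has to be re-enabled by whoever copies the profile into use, which also addresses the second problem named in the commit message.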
