Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2018-01-01 22:05:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Mon Jan 1 22:05:36 2018 rev:109 rq:560031 version:2.12 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2017-12-06 08:52:58.429318465 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2018-01-01 22:05:43.902938989 +0100 
@@ -1,0 +2,44 @@ +Mon Dec 25 15:27:03 UTC 2017 - suse-b...@cboltz.de + +- update to AppArmor 2.12 + - add support for 'owner' rules in aa-logprof and aa-genprof + - add support for includes with absolute path in aa-logprof etc. (lp#1733700) + - update aa-decode to also decode PROCTITLE (lp#1736841) + - several profile and abstraction updates, including boo#1069470 + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 + for the detailed upstream changelog +- drop upstreamed patches: + - read_inactive_profile-exactly-once.patch + - utils-fix-sorted-save_profiles-regression.diff +- lessopen profile: change all 'rix' rules to 'mrix' +- add 32-bit-no-uid.diff to fix handling of log events without ouid on + 32 bit systems + +------------------------------------------------------------------- +Tue Nov 30 10:30:33 UTC 2017 - suse-b...@cboltz.de + +- update to AppArmor 2.11.95 aka 2.12 beta1 + - add JSON interface to aa-logprof and aa-genprof (used by YaST) + - drop old YaST interface code + - update audio, base and nameservice abstractions + - allow @{pid} to match 7-digit pids + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 + for the detailed upstream changelog +- drop upstreamed patches + - apparmor-yast-cleanup.patch + - apparmor-json-support.patch + - nameservice-libtirpc.diff +- drop obsolete perl modules (YaST no longer needs them) +- drop patches that were only needed by the obsolete perl modules: + - apparmor-utils-string-split + - apparmor-abstractions-no-multiline.diff +- drop profiles-sockets-temporary-fix.patch - obsoleted by a fix in + apparmor_parser +- refresh utils-fix-sorted-save_profiles-regression.diff +- add aa-teardown (new script to unload all profiles) +- make ExecStop in apparmor.service a no-op (workaround for a systemd + restriction, see boo#996520 and boo#853019 for details) +- lessopen profile: allow capability dac_read_search and dac_override, + allow groff to execute several helpers (boo#1065388) + 
+------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/apparmor/libapparmor.changes 2017-10-27 13:47:54.953893850 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new/libapparmor.changes 2018-01-01 22:05:43.934928299 +0100 @@ -1,0 +2,17 @@ +Mon Dec 25 15:32:35 UTC 2017 - suse-b...@cboltz.de + +- update to AppArmor 2.12 + - preserve errno across aa_*_unref() functions + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.12 + for the detailed upstream changelog +- no longer package static libapparmor.a + +------------------------------------------------------------------- +Tue Oct 31 10:41:55 UTC 2017 - suse-b...@cboltz.de + +- update to AppArmor 2.11.95 aka 2.12 beta1 + - no changes in libapparmor + - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_95 + for the detailed upstream changelog + +------------------------------------------------------------------- Old: ---- apparmor-2.11.1.tar.gz apparmor-2.11.1.tar.gz.asc apparmor-abstractions-no-multiline.diff apparmor-json-support.patch apparmor-utils-string-split apparmor-yast-cleanup.patch nameservice-libtirpc.diff profiles-sockets-temporary-fix.patch read_inactive_profile-exactly-once.patch utils-fix-sorted-save_profiles-regression.diff New: ---- 32-bit-no-uid.diff aa-teardown apparmor-2.12.tar.gz apparmor-2.12.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.BdJeh3/_old 2018-01-01 22:05:44.922598245 +0100 +++ /var/tmp/diff_new_pack.BdJeh3/_new 2018-01-01 22:05:44.922598245 +0100 @@ -35,7 +35,7 @@ %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) Name: apparmor -Version: 2.11.1 +Version: 2.12 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0+ 
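Review bot: the second apparmor.changes entry is dated "Tue Nov 30 10:30:33 UTC 2017", but 30 November 2017 was a Thursday; the libapparmor.changes entry for the same 2.11.95 update is dated "Tue Oct 31 10:41:55 UTC 2017" and the refreshed lessopen patch carries a 2017-10-28 timestamp, so "Tue Oct 31" is almost certainly what was meant. Fix the date before the entry is converted into %changelog, where rpmbuild complains about a weekday that does not match the date.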
@@ -50,6 +50,7 @@ Source7: apparmor-rpmlintrc Source8: apparmor.service Source9: apparmor.systemd +Source10: aa-teardown # enable caching of profiles (= massive performance speedup when loading profiles) Patch1: apparmor-enable-profile-cache.diff 
@@ -57,35 +58,14 @@ # include autogenerated profile sniplet for samba shares (bnc#688040) Patch2: apparmor-samba-include-permissions-for-shares.diff -# split a long string in AppArmor.pm. Not accepted upstream because they want a solution without hardcoded width. -Patch3: apparmor-utils-string-split - # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkae...@suse.de Patch5: ruby-2_0-mkmf-destdir.patch -# change multiline rules in abstractions to one line - needed because YaST still uses the perl module, which doesn't support multiline rules -# (bnc#900013, not for upstream) -Patch6: apparmor-abstractions-no-multiline.diff - # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -# add JSON support to aa-logprof and aa-genprof (will be in upstream 2.12) -Patch12: apparmor-yast-cleanup.patch -Patch13: apparmor-json-support.patch - -# temporary solution for unix dgram and unix stream - boo#1061195 (sent for upstream review, but will probably stay openSUSE only) -# TODO: replace with proper unix rules when Kernel 4.15 arrives -Patch15: profiles-sockets-temporary-fix.patch - -# fix NIS/YP logins - libtirpc needs to read /etc/netconfig - commited upstream 2017-10-20 (trunk r3716, 2.11 r3682, 2.10 r3408, 2.9 r3069) -Patch16: nameservice-libtirpc.diff - -# Fix sorted() regression in save_profiles() - submitted upstream 2017-10-22 -Patch17: utils-fix-sorted-save_profiles-regression.diff - -# bsc#1069346 -Patch18: read_inactive_profile-exactly-once.patch +# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (submitted upstream 2017-12-26) +Patch8: 32-bit-no-uid.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build 
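Review bot: the comment above Patch7 still reads "submitted upstream 2014-12-21", yet this submission rewrites apparmor-lessopen-profile.patch (two new capabilities, rix to mrix, additional groff helpers for boo#1065388); update the comment to say what the current version adds and whether the reworked profile was re-sent upstream, so the patch header stays the same kind of audit trail the other Patch comments provide.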
@@ -193,18 +173,12 @@ Group: Development/Libraries/Perl Requires: libapparmor1 = %{version} Requires: perl = %{perl_version} -Requires: perl(DBD::SQLite) -Requires: perl(Locale::gettext) -Requires: perl(RPC::XML) -Requires: perl(RPC::XML) -Requires: perl(Term::ReadKey) -Requires: perl(Term::ReadKey) Provides: perl-libapparmor = %{version} Obsoletes: perl-libapparmor < 2.5 %description -n perl-apparmor This package provides the perl interface to AppArmor. It is used for perl -applications interfacing with AppArmor, including the AppArmor utilities. +applications interfacing with AppArmor. %endif @@ -378,19 +352,9 @@ %setup -q %patch1 -p1 %patch2 -%patch3 -p1 %patch5 -p1 -%patch6 -%patch7 -p1 -%patch12 -p1 -%patch13 -p1 -%patch15 -p1 -%patch16 -%patch17 -%patch18 -p1 - -# search for left-over multiline rules -test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)" +%patch7 +%patch8 -p1 %build export SUSE_ASNEEDED=0 @@ -426,11 +390,6 @@ # binutils make -C binutils -# deprecated/utils (perl modules still needed by YaST) -%if %{with perl} -make -C deprecated/utils -%endif - # parser: make -C parser V=1 @@ -485,11 +444,6 @@ %makeinstall -C binutils ( cd %{buildroot}/%{_sbindir} && ln -s %{_bindir}/aa-exec exec ) -# deprecated/utils (perl modules still needed by YaST) -%if %{with perl} -%makeinstall -C deprecated/utils -%endif - %makeinstall -C profiles %makeinstall -C parser @@ -541,8 +495,12 @@ rm -fv %{buildroot}%{_libdir}/libapparmor.la # Adjust for systemd +test ! -f %{buildroot}%{_unitdir}/apparmor.service install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service +test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix} +test ! -f %{buildroot}%{_sbindir}/aa-teardown +install -m0755 %{S:10} %{buildroot}%{_sbindir} rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor rm %{buildroot}/sbin/rcsubdomain ln -sf service %{buildroot}/sbin/rcapparmor 
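Review bot: the three new `test ! -f ...` guards in front of the `install` lines are the right way to make the build fail loudly if a future upstream tarball starts shipping apparmor.service, apparmor.systemd or aa-teardown itself, but nothing in the diff says that is their purpose; a one-line comment ("abort if upstream starts installing these files") would stop the next maintainer from removing them as noise, the same way the old `test -z "$(grep ...)"` line carried its own comment. The `-p1` dropped from `%patch7` matches the rewritten `Index:`/`+++` paths in apparmor-lessopen-profile.patch, so that part is consistent.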
@@ -569,6 +527,7 @@ /sbin/apparmor_parser %{_bindir}/aa-enabled %{_bindir}/aa-exec +%{_sbindir}/aa-teardown %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache @@ -625,7 +584,20 @@ %config(noreplace) %{_sysconfdir}/apparmor/logprof.conf %config(noreplace) %{_sysconfdir}/apparmor/notify.conf %config(noreplace) %{_sysconfdir}/apparmor/severity.db -%{_sbindir}/aa-* +%{_sbindir}/aa-audit +%{_sbindir}/aa-autodep +%{_sbindir}/aa-cleanprof +%{_sbindir}/aa-complain +%{_sbindir}/aa-decode +%{_sbindir}/aa-disable +%{_sbindir}/aa-enforce +%{_sbindir}/aa-genprof +%{_sbindir}/aa-logprof +%{_sbindir}/aa-mergeprof +%{_sbindir}/aa-notify +%{_sbindir}/aa-remove-unknown +%{_sbindir}/aa-status +%{_sbindir}/aa-unconfined %{_sbindir}/apparmor_status %{_sbindir}/audit %{_sbindir}/autodep @@ -645,7 +617,22 @@ %dir %{_localstatedir}/log/apparmor %doc %{_mandir}/man5/logprof.conf.5.gz %doc %{_mandir}/man8/apparmor_notify.8.gz -%doc %{_mandir}/man8/aa-*.gz +%doc %{_mandir}/man8/aa-audit.8.gz +%doc %{_mandir}/man8/aa-autodep.8.gz +%doc %{_mandir}/man8/aa-cleanprof.8.gz +%doc %{_mandir}/man8/aa-complain.8.gz +%doc %{_mandir}/man8/aa-decode.8.gz +%doc %{_mandir}/man8/aa-disable.8.gz +%doc %{_mandir}/man8/aa-easyprof.8.gz +%doc %{_mandir}/man8/aa-enforce.8.gz +%doc %{_mandir}/man8/aa-genprof.8.gz +%doc %{_mandir}/man8/aa-logprof.8.gz +%doc %{_mandir}/man8/aa-mergeprof.8.gz +%doc %{_mandir}/man8/aa-notify.8.gz +%doc %{_mandir}/man8/aa-remove-unknown.8.gz +%doc %{_mandir}/man8/aa-status.8.gz +%doc %{_mandir}/man8/aa-unconfined.8.gz + %doc %{_mandir}/man8/apparmor_status.8.gz %doc %{_mandir}/man8/audit.8.gz %doc %{_mandir}/man8/autodep.8.gz 
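Review bot: replacing the `%{_sbindir}/aa-*` and `man8/aa-*.gz` globs with explicit lists is a good change (a tool that unexpectedly appears in a new release now fails the build instead of silently landing in the package), but the two lists do not match: `aa-easyprof.8.gz` is listed under man8 while no `%{_sbindir}/aa-easyprof` appears in the binary list. Confirm that the aa-easyprof script is owned by another %files section not shown in this diff, otherwise the man page ships without its tool.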
@@ -664,7 +651,6 @@ %if %{with perl} %files -n perl-apparmor %defattr(-,root,root) -%{perl_vendorlib}/Immunix %{perl_vendorarch}/auto/LibAppArmor/ %{perl_vendorarch}/LibAppArmor.pm %endif ++++++ libapparmor.spec ++++++ --- /var/tmp/diff_new_pack.BdJeh3/_old 2018-01-01 22:05:44.950588890 +0100 +++ /var/tmp/diff_new_pack.BdJeh3/_new 2018-01-01 22:05:44.954587554 +0100 @@ -18,7 +18,7 @@ Name: libapparmor -Version: 2.11.1 +Version: 2.12 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1+ @@ -87,8 +87,9 @@ # create symlink for old change_hat(2) manpage ( cd %{buildroot}/%{_mandir}/man2/ && ln -s aa_change_hat.2 change_hat.2 ) -# remove *.la files +# remove *.la and *.a files rm -fv %{buildroot}%{_libdir}/libapparmor.la +rm -fv %{buildroot}%{_libdir}/libapparmor.a %post -n libapparmor1 -p /sbin/ldconfig @@ -100,7 +101,6 @@ %files -n libapparmor-devel %defattr(-,root,root) -%{_libdir}/libapparmor.a %{_libdir}/libapparmor.so %{_libdir}/pkgconfig/libapparmor.pc %doc %{_mandir}/man2/aa_change_hat.2.gz ++++++ 32-bit-no-uid.diff ++++++ diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py index 0e74c3f5..5738bb10 100644 --- a/utils/apparmor/logparser.py +++ b/utils/apparmor/logparser.py 
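Review bot: `rm -fv %{buildroot}%{_libdir}/libapparmor.a` deletes the static archive after it has already been built and installed; since libapparmor uses a libtool-based configure, passing `--disable-static` at configure time would skip building it altogether and the %install step would not need to know about the file. The matching removal from the libapparmor-devel %files list is consistent with either approach.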
@@ -118,7 +118,7 @@ class ReadLog: ev['protocol'] = event.net_protocol ev['sock_type'] = event.net_sock_type - if event.ouid != 18446744073709551615: # 2^64 - 1 + if event.ouid != 18446744073709551615 and event.ouid != 4294967295: # 2^64 - 1 and 2^32 - 1 ev['fsuid'] = event.fsuid ev['ouid'] = event.ouid ++++++ aa-teardown ++++++ #!/bin/bash test $# = 0 || { echo "Usage: $0" echo echo "Unloads all AppArmor profiles" exit 1 } /lib/apparmor/apparmor.systemd stop ++++++ apparmor-2.11.1.tar.gz -> apparmor-2.12.tar.gz ++++++ /work/SRC/openSUSE:Factory/apparmor/apparmor-2.11.1.tar.gz /work/SRC/openSUSE:Factory/.apparmor.new/apparmor-2.12.tar.gz differ: char 5, line 1 ++++++ apparmor-lessopen-profile.patch ++++++ --- /var/tmp/diff_new_pack.BdJeh3/_old 2018-01-01 22:05:45.022564838 +0100 +++ /var/tmp/diff_new_pack.BdJeh3/_new 2018-01-01 22:05:45.022564838 +0100 @@ -1,9 +1,9 @@ -Index: apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen +Index: profiles/apparmor.d/usr.bin.lessopen.sh =================================================================== ---- /dev/null -+++ apparmor-2.9.0/profiles/apparmor.d/usr.bin.lessopen.sh -@@ -0,0 +1,40 @@ -+# Last Modified: Fri Nov 28 08:01:09 2014 +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ profiles/apparmor.d/usr.bin.lessopen.sh 2017-10-28 14:15:12.624358664 +0200 +@@ -0,0 +1,49 @@ ++# vim: ft=apparmor +#include <tunables/global> + +/usr/bin/lessopen.sh { 
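Review bot: in logparser.py the two "no ouid" sentinels are spelled as bare literals inside the condition; naming them once (a module-level tuple holding 2**64 - 1 and 2**32 - 1 with a comment that both mean "no ouid in this event") and testing `event.ouid not in` that tuple keeps the 64-bit and 32-bit cases in one place and makes a further sentinel a one-line addition. For aa-teardown: it unloads every profile through `/lib/apparmor/apparmor.systemd stop`, but because apparmor.service keeps `RemainAfterExit=yes` with `ExecStop=/bin/true`, `systemctl status apparmor` still reports the unit as active afterwards; the usage text (or a line printed after the stop call) should say that `systemctl reload apparmor` re-loads the profiles and that, as the service comment itself notes, processes that were running stay unconfined until they are restarted.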
@@ -12,34 +12,43 @@ + #include <abstractions/consoles> + #include <abstractions/perl> + ++ capability dac_override, ++ capability dac_read_search, ++ + /** rk, -+ /bin/bash ix, -+ /bin/rpm rix, -+ /bin/tar rix, ++ /bin/bash mrix, ++ /bin/rpm mrix, ++ /bin/tar mrix, + /tmp/less.* rw, -+ /usr/bin/bzip2 rix, -+ /usr/bin/cabextract rix, -+ /usr/bin/cat rix, -+ /usr/bin/colordiff rix, -+ /usr/bin/dvi2tty rix, -+ /usr/bin/file rix, -+ /usr/bin/grep rix, -+ /usr/bin/groff rix, -+ /usr/bin/gzip rix, -+ /usr/bin/head rix, -+ /usr/bin/lynx rix, -+ /usr/bin/mktemp rix, -+ /usr/bin/nm rix, -+ /usr/bin/pdftotext rix, -+ /usr/bin/ps2ascii rix, -+ /usr/bin/rm rix, -+ /usr/bin/seq rix, -+ /usr/bin/tar rix, -+ /usr/bin/unzip rix, -+ /usr/bin/unzip-plain rix, -+ /usr/bin/w3m rix, -+ /usr/bin/which rix, -+ /usr/bin/xz rix, ++ /usr/bin/bzip2 mrix, ++ /usr/bin/cabextract mrix, ++ /usr/bin/cat mrix, ++ /usr/bin/colordiff mrix, ++ /usr/bin/dvi2tty mrix, ++ /usr/bin/eqn mrix, ++ /usr/bin/file mrix, ++ /usr/bin/grep mrix, ++ /usr/bin/groff mrix, ++ /usr/bin/grotty mrix, ++ /usr/bin/gzip mrix, ++ /usr/bin/head mrix, ++ /usr/bin/lynx mrix, ++ /usr/bin/mktemp mrix, ++ /usr/bin/nm mrix, ++ /usr/bin/pic mrix, ++ /usr/bin/pdftotext mrix, ++ /usr/bin/ps2ascii mrix, ++ /usr/bin/rm mrix, ++ /usr/bin/seq mrix, ++ /usr/bin/soelim mrix, ++ /usr/bin/tar mrix, ++ /usr/bin/tbl mrix, ++ /usr/bin/troff mrix, ++ /usr/bin/unzip mrix, ++ /usr/bin/unzip-plain mrix, ++ /usr/bin/w3m mrix, ++ /usr/bin/which mrix, ++ /usr/bin/xz mrix, + + #include <local/usr.bin.lessopen.sh> +} ++++++ apparmor.service ++++++ --- /var/tmp/diff_new_pack.BdJeh3/_old 2018-01-01 22:05:45.062551475 +0100 +++ /var/tmp/diff_new_pack.BdJeh3/_new 2018-01-01 22:05:45.062551475 +0100 
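Review bot: adding both `capability dac_override,` and `capability dac_read_search,` next to the existing `/** rk,` lets lessopen.sh, and through `ix` every helper it executes (ix runs the child under this same profile), read any file on the system regardless of DAC ownership. dac_read_search alone bypasses file read and directory read/search checks, while dac_override additionally bypasses write and execute checks; if boo#1065388 only needs the groff helpers to read root-owned input, dac_read_search should be sufficient and dac_override can be dropped. Either way, a comment naming the bug next to the two capability lines would preserve the reason for this widening inside the profile, where the next reviewer will look for it.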
@@ -8,9 +8,17 @@ [Service] Type=oneshot -ExecStart=/lib/apparmor/apparmor.systemd start +ExecStart=/lib/apparmor/apparmor.systemd reload ExecReload=/lib/apparmor/apparmor.systemd reload -ExecStop=/lib/apparmor/apparmor.systemd stop + +# systemd maps 'restart' to 'stop; start' which means removing AppArmor confinement +# from running processes (and not being able to re-apply it later). +# Upstream systemd developers refused to implement an option that allows overriding +# this behaviour, therefore we have to make ExecStop a no-op to error out on the +# safe side. +# +# If you really want to unload all AppArmor profiles, run aa-teardown +ExecStop=/bin/true RemainAfterExit=yes [Install]
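Review bot: the comment block explains why ExecStop became /bin/true but says nothing about ExecStart changing from `start` to `reload`; add a line stating the reason (presumably so that `systemctl restart`, which systemd runs as stop followed by start, re-applies the profiles instead of unloading them), and confirm that `apparmor.systemd reload` also does the right thing on a cold boot when no profiles are loaded yet, since that is now the only code path taken at service start.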