Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory 
checked in at 2018-04-17 11:08:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apparmor"

Tue Apr 17 11:08:40 2018 rev:113 rq:595790 version:2.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes        2018-03-05 
13:36:28.146958182 +0100
+++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes   2018-04-17 
11:08:44.215105205 +0200
@@ -1,0 +2,8 @@
+Wed Apr 11 20:28:13 UTC 2018 - [email protected]
+
+- add dovecot-stats.diff:
+  - add dovecot/stats profile and allow dovecot to run it (boo#1088161)
+  - allow dovecot/auth to write /run/dovecot/old-stats-user (part of 
boo#1087753)
+- update 32-bit-no-uid.diff with upstream fix
+
+-------------------------------------------------------------------

New:
----
  dovecot-stats.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.SLyZA8/_old  2018-04-17 11:08:45.175060450 +0200
+++ /var/tmp/diff_new_pack.SLyZA8/_new  2018-04-17 11:08:45.179060263 +0200
@@ -64,15 +64,18 @@
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
 Patch7:         apparmor-lessopen-profile.patch
 
-# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a 
log event on 32 bit systems (submitted upstream 2017-12-26)
+# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a 
log event on 32 bit systems (fixed upstream 2018-03-07)
 Patch8:         32-bit-no-uid.diff
 
 # make cache write failures a warning instead of an error - (patch from 
https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
 Patch9:         parser-write-cache-warn-only.diff
 
-# Disable write cache if filesystem is read-only, don't abort
+# Disable write cache if filesystem is read-only, don't abort (merged upstream 
2018-01-16 to 2.10..trunk)
 Patch10:        disable-cache-on-ro-fs.diff
 
+# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 
2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
+Patch11:        dovecot-stats.diff
+
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix /lib/apparmor
@@ -363,6 +366,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p0
+%patch11 -p1
 
 %build
 export SUSE_ASNEEDED=0
@@ -429,6 +433,7 @@
 make check -C binutils
 
 # profiles make check fails for the utils (libapparmor PYTHONPATH issues), 
therefore only do parser-based checks
+# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to 
switch to make -C
 # also, check-parser breaks if using 'make -C' (but works if cd'ing into the 
directory)
 (cd profiles && make check-parser)
 
@@ -509,6 +514,7 @@
 install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
 test ! -f %{buildroot}%{_sbindir}/aa-teardown
 install -m0755 %{S:10} %{buildroot}%{_sbindir}
+# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the 
next 3 lines
 rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
 rm %{buildroot}/sbin/rcsubdomain
 ln -sf service %{buildroot}/sbin/rcapparmor

++++++ 32-bit-no-uid.diff ++++++
--- /var/tmp/diff_new_pack.SLyZA8/_old  2018-04-17 11:08:45.223058212 +0200
+++ /var/tmp/diff_new_pack.SLyZA8/_new  2018-04-17 11:08:45.223058212 +0200
@@ -2,12 +2,20 @@
 index 0e74c3f5..5738bb10 100644
 --- a/utils/apparmor/logparser.py
 +++ b/utils/apparmor/logparser.py
+@@ -12,6 +12,7 @@
+ #    GNU General Public License for more details.
+ #
+ # ----------------------------------------------------------------------
++import ctypes
+ import os
+ import re
+ import sys
 @@ -118,7 +118,7 @@ class ReadLog:
          ev['protocol'] = event.net_protocol
          ev['sock_type'] = event.net_sock_type
  
 -        if event.ouid != 18446744073709551615:  # 2^64 - 1
-+        if event.ouid != 18446744073709551615 and event.ouid != 4294967295:  
# 2^64 - 1 and 2^32 - 1
++        if event.ouid != ctypes.c_ulong(-1).value:  # ULONG_MAX
              ev['fsuid'] = event.fsuid
              ev['ouid'] = event.ouid
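Review bot: The new comparison against `ctypes.c_ulong(-1).value` ties the "no ouid" sentinel to the width of C `unsigned long` in the interpreter running logparser.py, and the `# ULONG_MAX` comment does not say why that is the right value. It is correct only if `event.ouid` is filled in by the local libapparmor binding with an `unsigned long` default, which seems to be the intent but is not visible in this hunk. I would spell that out, e.g. `# ULONG_MAX: what the parser reports when the log event has no ouid (width follows the local C unsigned long)`, and keep the value in a module-level constant rather than rebuilding the ctypes object for every event. If the sentinel ever fails to match, it is stored in `ev['ouid']` and `ev['fsuid']` as if it were a real uid, so a test covering both widths would be worth having. The enclosing ReadLog method starts and ends outside the hunk.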
  



++++++ dovecot-stats.diff ++++++
commit d7cb151eb0da3ce6ac152b37ca84435266d34c88
Author: Christian Boltz <[email protected]>
Date:   Wed Apr 11 22:17:29 2018 +0200

    allow dovecot/auth to write /run/dovecot/old-stats-user
    
    References: https://bugzilla.opensuse.org/show_bug.cgi?id=1087753#c4
                (3rd bullet point)

commit 3521edc41c3f01ebdd7681b107b5c5daa40fe896
Author: Christian Boltz <[email protected]>
Date:   Wed Apr 11 21:34:51 2018 +0200

    add dovecot/stats profile, and allow dovecot to run it
    
    References: https://bugzilla.opensuse.org/show_bug.cgi?id=1088161
diff --git a/profiles/apparmor.d/usr.lib.dovecot.auth 
b/profiles/apparmor.d/usr.lib.dovecot.auth
index fcb54364..b44441e2 100644
--- a/profiles/apparmor.d/usr.lib.dovecot.auth
+++ b/profiles/apparmor.d/usr.lib.dovecot.auth
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------
 #
-#    Copyright (C) 2013 Christian Boltz
+#    Copyright (C) 2013-2018 Christian Boltz
 #    Copyright (C) 2014 Christian Wittmer
 #
 #    This program is free software; you can redistribute it and/or
@@ -43,6 +43,7 @@
   /run/dovecot/auth-worker rw,
   /run/dovecot/login/login rw,
   /{var/,}run/dovecot/auth-token-secret.dat{,.tmp} rw,
+  /{var/,}run/dovecot/old-stats-user w,
   /{var/,}run/dovecot/stats-user rw,
   /{var/,}run/dovecot/anvil-auth-penalty rw,
 
diff --git a/profiles/apparmor.d/usr.lib.dovecot.stats 
b/profiles/apparmor.d/usr.lib.dovecot.stats
new file mode 100644
index 00000000..151e4ed6
--- /dev/null
+++ b/profiles/apparmor.d/usr.lib.dovecot.stats
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2018 Christian Boltz
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+#include <tunables/global>
+
+/usr/lib/dovecot/stats {
+  #include <abstractions/base>
+  #include <abstractions/dovecot-common>
+
+  capability setuid,
+  capability sys_chroot,
+
+  /usr/lib/dovecot/stats mr,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.lib.dovecot.stats>
+}
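Review bot: `capability setuid,` and `capability sys_chroot,` are granted to the new stats profile without a comment saying why they are needed, and both are privileges a later reviewer will want justified. If they are there for a privilege drop and chroot at startup, say so above the two rules, e.g. `# needed to drop privileges and chroot after startup`. Apart from `/usr/lib/dovecot/stats mr,` the profile has no file rules of its own, so every socket or state path the process touches has to come from `abstractions/dovecot-common`, which is not visible here. It is worth checking the audit log for denials from this profile before relying on it in enforce mode.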
diff --git a/profiles/apparmor.d/usr.sbin.dovecot 
b/profiles/apparmor.d/usr.sbin.dovecot
index c0b180b4..e3a85fa0 100644
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -54,6 +54,7 @@
   /usr/lib/dovecot/pop3-login Pxmr,
   /usr/lib/dovecot/ssl-build-param rix,
   /usr/lib/dovecot/ssl-params mrPx,
+  /usr/lib/dovecot/stats Px,
   /usr/sbin/dovecot mrix,
   /usr/share/dovecot/protocols.d/   r,
   /usr/share/dovecot/protocols.d/** r,
