Hello community, here is the log from the commit of package yast2-apparmor for openSUSE:Factory checked in at 2018-12-19 13:25:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-apparmor (Old) and /work/SRC/openSUSE:Factory/.yast2-apparmor.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-apparmor" Wed Dec 19 13:25:00 2018 rev:71 rq:657295 version:4.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-apparmor/yast2-apparmor.changes 2018-11-27 10:39:00.220404065 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-apparmor.new.28833/yast2-apparmor.changes 2018-12-19 13:25:01.541264240 +0100 @@ -1,0 +2,13 @@ +Tue Dec 11 16:44:21 UTC 2018 - jlo...@suse.com + +- More about hardening commands execution (part of bsc#1118291). +- Replace backticks by Yast::Execute. +- 4.1.3 + +------------------------------------------------------------------- +Mon Dec 10 13:49:30 UTC 2018 - jlo...@suse.com + +- Hardening execution of system commands (part of bsc#1118291). +- 4.1.2 + +------------------------------------------------------------------- @@ -4,0 +18 @@ +- 4.1.1 Old: ---- yast2-apparmor-4.1.1.tar.bz2 New: ---- yast2-apparmor-4.1.3.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-apparmor.spec ++++++ --- /var/tmp/diff_new_pack.ab5Epg/_old 2018-12-19 13:25:02.001263680 +0100 +++ /var/tmp/diff_new_pack.ab5Epg/_new 2018-12-19 13:25:02.005263675 +0100 @@ -17,7 +17,7 @@ Name: yast2-apparmor -Version: 4.1.1 +Version: 4.1.3 Release: 0 Summary: YaST2 - Plugins for AppArmor Profile Management License: GPL-2.0-only 
@@ -27,7 +27,8 @@ BuildRequires: update-desktop-files BuildRequires: yast2 BuildRequires: yast2-devtools >= 3.1.10 -Requires: yast2 +# Yast::Execute.locally! +Requires: yast2 > 3.3.2 Requires: yast2-ruby-bindings >= 1.0.0 BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ yast2-apparmor-4.1.1.tar.bz2 -> yast2-apparmor-4.1.3.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-apparmor-4.1.1/package/yast2-apparmor.changes new/yast2-apparmor-4.1.3/package/yast2-apparmor.changes --- old/yast2-apparmor-4.1.1/package/yast2-apparmor.changes 2018-11-23 15:29:48.000000000 +0100 +++ new/yast2-apparmor-4.1.3/package/yast2-apparmor.changes 2018-12-11 18:31:00.000000000 +0100 @@ -1,7 +1,21 @@ ------------------------------------------------------------------- +Tue Dec 11 16:44:21 UTC 2018 - jlo...@suse.com + +- More about hardening commands execution (part of bsc#1118291). +- Replace backticks by Yast::Execute. +- 4.1.3 + +------------------------------------------------------------------- +Mon Dec 10 13:49:30 UTC 2018 - jlo...@suse.com + +- Hardening execution of system commands (part of bsc#1118291). +- 4.1.2 + +------------------------------------------------------------------- Fri Nov 23 14:14:25 UTC 2018 - Stasiek Michalski <hel...@mailbox.org> - Provide icon with module (boo#1109310) +- 4.1.1 ------------------------------------------------------------------- Tue Oct 16 16:54:23 CEST 2018 - sch...@suse.de diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-apparmor-4.1.1/package/yast2-apparmor.spec new/yast2-apparmor-4.1.3/package/yast2-apparmor.spec --- old/yast2-apparmor-4.1.1/package/yast2-apparmor.spec 2018-11-23 15:29:48.000000000 +0100 +++ new/yast2-apparmor-4.1.3/package/yast2-apparmor.spec 2018-12-11 18:31:00.000000000 +0100 
@@ -17,7 +17,7 @@ Name: yast2-apparmor -Version: 4.1.1 +Version: 4.1.3 Release: 0 Summary: YaST2 - Plugins for AppArmor Profile Management Url: https://github.com/yast/yast-apparmor @@ -27,7 +27,8 @@ BuildRequires: update-desktop-files BuildRequires: yast2 BuildRequires: yast2-devtools >= 3.1.10 -Requires: yast2 +# Yast::Execute.locally! +Requires: yast2 > 3.3.2 Requires: yast2-ruby-bindings >= 1.0.0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-apparmor-4.1.1/src/lib/apparmor/profiles.rb new/yast2-apparmor-4.1.3/src/lib/apparmor/profiles.rb --- old/yast2-apparmor-4.1.1/src/lib/apparmor/profiles.rb 2018-11-23 15:29:48.000000000 +0100 +++ new/yast2-apparmor-4.1.3/src/lib/apparmor/profiles.rb 2018-12-11 18:31:00.000000000 +0100 @@ -6,6 +6,8 @@ require 'json' require 'open3' require 'yast' +require "yast2/execute" + Yast.import 'UI' Yast.import 'Label' Yast.import 'Popup' @@ -23,13 +25,13 @@ # Set to complain mode def complain - system("/usr/sbin/aa-complain #{@name}") + execute("/usr/sbin/aa-complain", @name) @status = 'complain' end # Set to enforce mode def enforce - system("/usr/sbin/aa-enforce #{@name}") + execute("/usr/sbin/aa-enforce", @name) @status = 'enforce' end @@ -57,13 +59,28 @@ a.push(pstr) a end + + private + + # Executes a given command + # + # For possible parameters, see Yast::Execute.locally!. + # + # @return [Boolean] true if the command finishes correctly; false otherwise + def execute(*args) + Yast::Execute.locally!(*args) + true + rescue Cheetah::ExecutionFailed + false + end end # Class representing a list of profiles class Profiles attr_reader :prof def initialize - status_output = `/usr/sbin/aa-status --json` + status_output = command_output("/usr/sbin/aa-status", "--json") + jtext = JSON.parse(status_output) h = jtext['profiles'] @prof = {} 
@@ -90,6 +107,20 @@ def toggle(name) @prof[name].toggle end + + private + + # Returns the output of the given command + # + # @param args [Array<String>, Array<Array<String>>] the command to execute and + # its arguments. For a detailed description, see + # https://www.rubydoc.info/github/openSUSE/cheetah/Cheetah#run-class_method + # @return [String] commmand output or an empty string if the command fails. + def command_output(*args) + Yast::Execute.locally!(*args, stdout: :capture) + rescue Cheetah::ExecutionFailed + "" + end end class ProfilesDialog < ::UI::Dialog
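Review bot: In yast2-apparmor.spec, hunk @@ -27,7 +27,8 @@, the runtime dependency becomes `Requires: yast2 > 3.3.2` while the `BuildRequires: yast2` line above it stays unversioned. If anything run at build time loads yast2/execute and calls locally!, the build requirement needs the same lower bound. The comment `# Yast::Execute.locally!` also does not name the yast2 release that first ships the method. Naming that version and using `>=` on it would be easier to audit than a strict `>`.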
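Review bot: In src/lib/apparmor/profiles.rb, hunk @@ -23,13 +25,13 @@, complain and enforce discard the Boolean returned by the new execute helper, so @status is set to 'complain' or 'enforce' even when aa-complain or aa-enforce failed and the object then disagrees with the real profile mode. Suggest assigning only on success, for example `@status = 'complain' if execute("/usr/sbin/aa-complain", @name)`, and returning the result so the dialog can report the failure. Passing @name as its own argument instead of interpolating it into the string given to system is the right shape for the hardening.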
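Review bot: In src/lib/apparmor/profiles.rb, hunk @@ -57,13 +59,28 @@, Profiles#initialize passes status_output straight to `JSON.parse(status_output)`, but command_output returns "" when aa-status fails, and JSON.parse on an empty string raises JSON::ParserError. A failed command therefore still aborts the constructor, only with an exception that hides the real cause. Either handle the empty result before parsing (for instance, fall back to an empty profile list) or let Cheetah::ExecutionFailed propagate from command_output.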
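Review bot: In src/lib/apparmor/profiles.rb, hunk @@ -90,6 +107,20 @@, the @return line of the command_output doc comment misspells "command" as "commmand". The contract it documents also makes a failed run indistinguishable from a command that printed nothing. Returning nil on Cheetah::ExecutionFailed, or documenting that callers must treat "" as an error, would make the failure path explicit.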