Hello community,

here is the log from the commit of package yast2-apparmor for openSUSE:Factory 
checked in at 2018-12-19 13:25:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-apparmor.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-apparmor"

Wed Dec 19 13:25:00 2018 rev:71 rq:657295 version:4.1.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-apparmor/yast2-apparmor.changes    
2018-11-27 10:39:00.220404065 +0100
+++ /work/SRC/openSUSE:Factory/.yast2-apparmor.new.28833/yast2-apparmor.changes 
2018-12-19 13:25:01.541264240 +0100
@@ -1,0 +2,13 @@
+Tue Dec 11 16:44:21 UTC 2018 - jlo...@suse.com
+
+- More about hardening commands execution (part of bsc#1118291).
+- Replace backticks by Yast::Execute.
+- 4.1.3
+
+-------------------------------------------------------------------
+Mon Dec 10 13:49:30 UTC 2018 - jlo...@suse.com
+
+- Hardening execution of system commands (part of bsc#1118291).
+- 4.1.2
+
+-------------------------------------------------------------------
@@ -4,0 +18 @@
+- 4.1.1

Old:
----
  yast2-apparmor-4.1.1.tar.bz2

New:
----
  yast2-apparmor-4.1.3.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-apparmor.spec ++++++
--- /var/tmp/diff_new_pack.ab5Epg/_old  2018-12-19 13:25:02.001263680 +0100
+++ /var/tmp/diff_new_pack.ab5Epg/_new  2018-12-19 13:25:02.005263675 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-apparmor
-Version:        4.1.1
+Version:        4.1.3
 Release:        0
 Summary:        YaST2 - Plugins for AppArmor Profile Management
 License:        GPL-2.0-only
@@ -27,7 +27,8 @@
 BuildRequires:  update-desktop-files
 BuildRequires:  yast2
 BuildRequires:  yast2-devtools >= 3.1.10
-Requires:       yast2
+# Yast::Execute.locally!
+Requires:       yast2 > 3.3.2
 Requires:       yast2-ruby-bindings >= 1.0.0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
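Review bot: The new `Requires: yast2 > 3.3.2` uses a strict `>` where the neighbouring constraints use `>=`, and the comment `# Yast::Execute.locally!` does not say which yast2 release first provides that method. Consider naming that release in the comment and writing the constraint as `>=` against it. `BuildRequires: yast2` stays unversioned, so if the test suite runs at build time it is not guaranteed a yast2 that has the method.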

++++++ yast2-apparmor-4.1.1.tar.bz2 -> yast2-apparmor-4.1.3.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-apparmor-4.1.1/package/yast2-apparmor.changes 
new/yast2-apparmor-4.1.3/package/yast2-apparmor.changes
--- old/yast2-apparmor-4.1.1/package/yast2-apparmor.changes     2018-11-23 
15:29:48.000000000 +0100
+++ new/yast2-apparmor-4.1.3/package/yast2-apparmor.changes     2018-12-11 
18:31:00.000000000 +0100
@@ -1,7 +1,21 @@
 -------------------------------------------------------------------
+Tue Dec 11 16:44:21 UTC 2018 - jlo...@suse.com
+
+- More about hardening commands execution (part of bsc#1118291).
+- Replace backticks by Yast::Execute.
+- 4.1.3
+
+-------------------------------------------------------------------
+Mon Dec 10 13:49:30 UTC 2018 - jlo...@suse.com
+
+- Hardening execution of system commands (part of bsc#1118291).
+- 4.1.2
+
+-------------------------------------------------------------------
 Fri Nov 23 14:14:25 UTC 2018 - Stasiek Michalski <hel...@mailbox.org>
 
 - Provide icon with module (boo#1109310)
+- 4.1.1
 
 -------------------------------------------------------------------
 Tue Oct 16 16:54:23 CEST 2018 - sch...@suse.de
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-apparmor-4.1.1/package/yast2-apparmor.spec 
new/yast2-apparmor-4.1.3/package/yast2-apparmor.spec
--- old/yast2-apparmor-4.1.1/package/yast2-apparmor.spec        2018-11-23 
15:29:48.000000000 +0100
+++ new/yast2-apparmor-4.1.3/package/yast2-apparmor.spec        2018-12-11 
18:31:00.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-apparmor
-Version:        4.1.1
+Version:        4.1.3
 Release:        0
 Summary:        YaST2 - Plugins for AppArmor Profile Management
 Url:            https://github.com/yast/yast-apparmor
@@ -27,7 +27,8 @@
 BuildRequires:  update-desktop-files
 BuildRequires:  yast2
 BuildRequires:  yast2-devtools >= 3.1.10
-Requires:       yast2
+# Yast::Execute.locally!
+Requires:       yast2 > 3.3.2
 Requires:       yast2-ruby-bindings >= 1.0.0
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-apparmor-4.1.1/src/lib/apparmor/profiles.rb 
new/yast2-apparmor-4.1.3/src/lib/apparmor/profiles.rb
--- old/yast2-apparmor-4.1.1/src/lib/apparmor/profiles.rb       2018-11-23 
15:29:48.000000000 +0100
+++ new/yast2-apparmor-4.1.3/src/lib/apparmor/profiles.rb       2018-12-11 
18:31:00.000000000 +0100
@@ -6,6 +6,8 @@
 require 'json'
 require 'open3'
 require 'yast'
+require "yast2/execute"
+
 Yast.import 'UI'
 Yast.import 'Label'
 Yast.import 'Popup'
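Review bot: `require 'open3'` is kept next to the new `require "yast2/execute"`; if the remaining code in profiles.rb no longer calls Open3 once command execution goes through Yast::Execute, drop it so the file has a single execution path to audit. Minor style point: the added require uses double quotes while the surrounding requires use single quotes.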
@@ -23,13 +25,13 @@
 
     # Set to complain mode
     def complain
-      system("/usr/sbin/aa-complain #{@name}")
+      execute("/usr/sbin/aa-complain", @name)
       @status = 'complain'
     end
 
     # Set to enforce mode
     def enforce
-      system("/usr/sbin/aa-enforce #{@name}")
+      execute("/usr/sbin/aa-enforce", @name)
       @status = 'enforce'
     end
 
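Review bot: In `complain` and `enforce` the boolean returned by `execute` is discarded, so `@status` is set to 'complain' or 'enforce' even when the aa-complain or aa-enforce call failed, and the dialog would then show a mode the profile is not in. Suggest assigning only on success, for example `@status = 'complain' if execute("/usr/sbin/aa-complain", @name)`, and returning the result to the caller. Passing `@name` as its own argument instead of interpolating it into the `system` string is what removes the shell interpretation of the profile name.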
@@ -57,13 +59,28 @@
       a.push(pstr)
       a
     end
+
+  private
+
+    # Executes a given command
+    #
+    # For possible parameters, see Yast::Execute.locally!.
+    #
+    # @return [Boolean] true if the command finishes correctly; false otherwise
+    def execute(*args)
+      Yast::Execute.locally!(*args)
+      true
+    rescue Cheetah::ExecutionFailed
+      false
+    end
   end
 
   # Class representing a list of profiles
   class Profiles
     attr_reader :prof
     def initialize
-      status_output = `/usr/sbin/aa-status --json`
+      status_output = command_output("/usr/sbin/aa-status", "--json")
+
       jtext = JSON.parse(status_output)
       h = jtext['profiles']
       @prof = {}
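Review bot: In `Profiles#initialize` the result of `command_output` goes straight into `JSON.parse(status_output)` with no check for failure. `command_output` is documented to return an empty string when the command fails, and `JSON.parse("")` raises JSON::ParserError, so a failing aa-status still aborts the constructor, only with a less informative exception than Cheetah::ExecutionFailed. Suggest handling the empty result explicitly (for example, leave `@prof` empty and report the error) or letting the original exception propagate.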
@@ -90,6 +107,20 @@
     def toggle(name)
       @prof[name].toggle
     end
+
+  private
+
+    # Returns the output of the given command
+    #
+    # @param args [Array<String>, Array<Array<String>>] the command to execute 
and
+    #   its arguments. For a detailed description, see
+    #   
https://www.rubydoc.info/github/openSUSE/cheetah/Cheetah#run-class_method
+    # @return [String] commmand output or an empty string if the command fails.
+    def command_output(*args)
+      Yast::Execute.locally!(*args, stdout: :capture)
+    rescue Cheetah::ExecutionFailed
+      ""
+    end
   end
 
   class ProfilesDialog < ::UI::Dialog
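Review bot: `command_output` rescues Cheetah::ExecutionFailed and returns `""`, which makes a failed command indistinguishable from one that legitimately printed nothing; returning `nil` or re-raising would let callers tell the two apart. The doc comment also has a typo, "commmand output", and the `@param` type `Array<String>, Array<Array<String>>` would be easier to read with a one-line example of the call used here, `command_output("/usr/sbin/aa-status", "--json")`.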

