Hello community,
here is the log from the commit of package yast2-security for
openSUSE:Leap:15.2 checked in at 2020-02-27 06:41:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/yast2-security (Old)
and /work/SRC/openSUSE:Leap:15.2/.yast2-security.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security"
Thu Feb 27 06:41:25 2020 rev:30 rq:779097 version:4.2.11
Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/yast2-security/yast2-security.changes
2020-02-04 17:54:37.844756922 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.yast2-security.new.26092/yast2-security.changes
2020-02-27 06:41:26.257601393 +0100
@@ -1,0 +2,7 @@
+Mon Feb 3 16:02:35 CET 2020 - [email protected]
+
+- Using SysctlConfig class: Handle sysctl entries in different
+ directories (bsc#1151649).
+- 4.2.11
+
+-------------------------------------------------------------------
Old:
----
yast2-security-4.2.10.tar.bz2
New:
----
yast2-security-4.2.11.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ yast2-security.spec ++++++
--- /var/tmp/diff_new_pack.QwIvhw/_old 2020-02-27 06:41:26.541601986 +0100
+++ /var/tmp/diff_new_pack.QwIvhw/_new 2020-02-27 06:41:26.541601986 +0100
@@ -17,7 +17,7 @@
Name: yast2-security
-Version: 4.2.10
+Version: 4.2.11
Release: 0
Summary: YaST2 - Security Configuration
License: GPL-2.0-only
@@ -34,8 +34,8 @@
BuildRequires: yast2-pam
BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec)
BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5
-# CFA::LoginDefsConfig
-BuildRequires: yast2 >= 4.2.39
+# CFA::SysctlConfig
+BuildRequires: yast2 >= 4.2.66
# Unfortunately we cannot move this to macros.yast,
# bcond within macros are ignored by osc/OBS.
%bcond_with yast_run_ci_tests
@@ -45,8 +45,8 @@
# new Pam.ycp API
Requires: yast2-pam >= 2.14.0
-# CFA::LoginDefsConfig
-Requires: yast2 >= 4.2.39
+# CFA::SysctlConfig
+Requires: yast2 >= 4.2.66
Requires: yast2-ruby-bindings >= 1.0.0
Provides: y2c_sec
++++++ yast2-security-4.2.10.tar.bz2 -> yast2-security-4.2.11.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-security-4.2.10/package/yast2-security.changes
new/yast2-security-4.2.11/package/yast2-security.changes
--- old/yast2-security-4.2.10/package/yast2-security.changes 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/package/yast2-security.changes 2020-02-21
10:22:33.000000000 +0100
@@ -1,4 +1,11 @@
-------------------------------------------------------------------
+Mon Feb 3 16:02:35 CET 2020 - [email protected]
+
+- Using SysctlConfig class: Handle sysctl entries in different
+ directories (bsc#1151649).
+- 4.2.11
+
+-------------------------------------------------------------------
Thu Jan 23 13:04:04 UTC 2020 - Steffen Winterfeldt <[email protected]>
- don't use /bin/systemctl compat symlink (bsc#1160890)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-security-4.2.10/package/yast2-security.spec
new/yast2-security-4.2.11/package/yast2-security.spec
--- old/yast2-security-4.2.10/package/yast2-security.spec 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/package/yast2-security.spec 2020-02-21
10:22:33.000000000 +0100
@@ -17,7 +17,7 @@
Name: yast2-security
-Version: 4.2.10
+Version: 4.2.11
Release: 0
Group: System/YaST
License: GPL-2.0-only
@@ -34,8 +34,8 @@
BuildRequires: yast2-devtools >= 4.2.2
BuildRequires: rubygem(%{rb_default_ruby_abi}:yast-rake) >= 0.2.5
BuildRequires: rubygem(%{rb_default_ruby_abi}:rspec)
-# CFA::LoginDefsConfig
-BuildRequires: yast2 >= 4.2.39
+# CFA::SysctlConfig
+BuildRequires: yast2 >= 4.2.66
# Unfortunately we cannot move this to macros.yast,
# bcond within macros are ignored by osc/OBS.
%bcond_with yast_run_ci_tests
@@ -45,8 +45,8 @@
# new Pam.ycp API
Requires: yast2-pam >= 2.14.0
-# CFA::LoginDefsConfig
-Requires: yast2 >= 4.2.39
+# CFA::SysctlConfig
+Requires: yast2 >= 4.2.66
Requires: yast2-ruby-bindings >= 1.0.0
Provides: y2c_sec yast2-config-security
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-security-4.2.10/src/data/security/level1.yml
new/yast2-security-4.2.11/src/data/security/level1.yml
--- old/yast2-security-4.2.10/src/data/security/level1.yml 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/src/data/security/level1.yml 2020-02-21
10:22:33.000000000 +0100
@@ -34,6 +34,6 @@
USERDEL_POSTCMD: "/usr/sbin/userdel-post.local"
USERDEL_PRECMD: "/usr/sbin/userdel-pre.local"
kernel.sysrq: '0'
-net.ipv4.ip_forward: '0'
-net.ipv4.tcp_syncookies: '1'
-net.ipv6.conf.all.forwarding: '0'
+net.ipv4.ip_forward: false
+net.ipv4.tcp_syncookies: true
+net.ipv6.conf.all.forwarding: false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-security-4.2.10/src/data/security/level2.yml
new/yast2-security-4.2.11/src/data/security/level2.yml
--- old/yast2-security-4.2.10/src/data/security/level2.yml 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/src/data/security/level2.yml 2020-02-21
10:22:33.000000000 +0100
@@ -34,6 +34,6 @@
USERDEL_POSTCMD: "/usr/sbin/userdel-post.local"
USERDEL_PRECMD: "/usr/sbin/userdel-pre.local"
kernel.sysrq: '0'
-net.ipv4.ip_forward: '0'
-net.ipv4.tcp_syncookies: '1'
-net.ipv6.conf.all.forwarding: '0'
+net.ipv4.ip_forward: false
+net.ipv4.tcp_syncookies: true
+net.ipv6.conf.all.forwarding: false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-security-4.2.10/src/data/security/level3.yml
new/yast2-security-4.2.11/src/data/security/level3.yml
--- old/yast2-security-4.2.10/src/data/security/level3.yml 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/src/data/security/level3.yml 2020-02-21
10:22:33.000000000 +0100
@@ -34,6 +34,6 @@
USERDEL_POSTCMD: "/usr/sbin/userdel-post.local"
USERDEL_PRECMD: "/usr/sbin/userdel-pre.local"
kernel.sysrq: '0'
-net.ipv4.ip_forward: '0'
-net.ipv4.tcp_syncookies: '1'
-net.ipv6.conf.all.forwarding: '0'
+net.ipv4.ip_forward: false
+net.ipv4.tcp_syncookies: true
+net.ipv6.conf.all.forwarding: false
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/yast2-security-4.2.10/src/include/security/dialogs.rb
new/yast2-security-4.2.11/src/include/security/dialogs.rb
--- old/yast2-security-4.2.10/src/include/security/dialogs.rb 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/src/include/security/dialogs.rb 2020-02-21
10:22:33.000000000 +0100
@@ -117,7 +117,9 @@
"yes" => "no",
"no" => "yes",
"1" => "0",
- "0" => "1"
+ "0" => "1",
+ true => false,
+ false => true
}
# mapping for "Configure" links
@@ -150,9 +152,9 @@
# handle the special cases at first
if Builtins.contains(@configurable_options, option)
ret = _("Configure")
- elsif ["1", "yes"].include?(value)
+ elsif ["1", "yes", true].include?(value)
ret = _("Enabled")
- elsif ["0", "no"].include?(value)
+ elsif ["0", "no", false].include?(value)
ret = _("Disabled")
else
return @UNKNOWN_STATUS
@@ -257,23 +259,15 @@
},
{
"id" => "net.ipv4.tcp_syncookies",
- "is_secure" => Ops.get(
- Security.Settings,
- "net.ipv4.tcp_syncookies",
- ""
- ) == "1"
+ "is_secure" => Security.Settings[ "net.ipv4.tcp_syncookies" ]
},
{
"id" => "net.ipv4.ip_forward",
- "is_secure" => Ops.get(Security.Settings, "net.ipv4.ip_forward", "")
== "0"
+ "is_secure" => !Security.Settings["net.ipv4.ip_forward"]
},
{
"id" => "net.ipv6.conf.all.forwarding",
- "is_secure" => Ops.get(
- Security.Settings,
- "net.ipv6.conf.all.forwarding",
- ""
- ) == "0"
+ "is_secure" => !Security.Settings["net.ipv6.conf.all.forwarding"]
},
{
"id" => "MANDATORY_SERVICES",
@@ -481,12 +475,7 @@
Builtins.y2milestone("Clicked %1 link", ret)
current_value = Ops.get(Security.Settings, Convert.to_string(ret),
"")
-
- new_value = Ops.get_string(
- @link_value_mapping,
- current_value,
- current_value
- )
+ new_value = @link_value_mapping[current_value]
# set the new value and refresh the overview
if Builtins.haskey(@link_value_mapping, current_value) &&
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-security-4.2.10/src/modules/Security.rb
new/yast2-security-4.2.11/src/modules/Security.rb
--- old/yast2-security-4.2.10/src/modules/Security.rb 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/src/modules/Security.rb 2020-02-21
10:22:33.000000000 +0100
@@ -27,7 +27,7 @@
# $Id$
require "yast"
require "yast2/systemd/service"
-require "cfa/sysctl"
+require "cfa/sysctl_config"
require "cfa/shadow_config"
require "yaml"
require "security/ctrl_alt_del_config"
@@ -42,8 +42,8 @@
include ::Security::CtrlAltDelConfig
SYSCTL_VALUES = {
- "yes" => "1",
- "no" => "0"
+ "yes" => true,
+ "no" => false
}
SHADOW_ATTRS = [
@@ -118,9 +118,9 @@
"CRACKLIB_DICT_PATH" =>
"/usr/lib/cracklib_dict",
"DISPLAYMANAGER_REMOTE_ACCESS" => "no",
"kernel.sysrq" => "0",
- "net.ipv4.tcp_syncookies" => "1",
- "net.ipv4.ip_forward" => "0",
- "net.ipv6.conf.all.forwarding" => "0",
+ "net.ipv4.tcp_syncookies" => true,
+ "net.ipv4.ip_forward" => false,
+ "net.ipv6.conf.all.forwarding" => false,
"FAIL_DELAY" => "3",
"GID_MAX" => "60000",
"GID_MIN" => "1000",
@@ -189,9 +189,9 @@
# Default values for /etc/sysctl.conf keys
@sysctl = {
"kernel.sysrq" => "0",
- "net.ipv4.tcp_syncookies" => "1",
- "net.ipv4.ip_forward" => "0",
- "net.ipv6.conf.all.forwarding" => "0"
+ "net.ipv4.tcp_syncookies" => true,
+ "net.ipv4.ip_forward" => false,
+ "net.ipv6.conf.all.forwarding" => false
}
# Mapping of /etc/sysctl.conf keys to old (obsoleted) sysconfig ones
@@ -245,7 +245,7 @@
@write_only = false
# Force reading of sysctl configuration
- @sysctl_file = nil
+ @sysctl_config = nil
@activation_mapping = {
"DHCPD_RUN_CHROOTED" => "/usr/bin/systemctl try-restart
dhcpd.service",
@@ -583,14 +583,17 @@
@sysctl.sort.each do |key, default_value|
val = @Settings.fetch(key, default_value)
int_val = Integer(val) rescue nil
- if int_val.nil?
- log.error "value #{val} for #{key} is not integer, not writing"
+ if int_val.nil? && ![TrueClass, FalseClass].include?(val.class)
+ log.error "value #{val} for #{key} has wrong type, not writing"
elsif val != read_sysctl_value(key)
write_sysctl_value(key, val)
written = true
end
end
- sysctl_file.save if written
+
+ if written && !sysctl_config.conflict?
+ sysctl_config.save
+ end
# enable sysrq?
sysrq = Integer(@Settings.fetch("kernel.sysrq", "0")) rescue nil
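Review bot: When `sysctl_config.conflict?` returns true, the changed values are dropped without any message in this method, so a hardening change the user selected may never be persisted while the write still appears to succeed. Unless `conflict?` reports the problem itself (not visible here), add an `else` branch that records it, e.g. `log.error "sysctl conflict detected, kernel settings not saved"`, and consider surfacing the failure to the caller. The validation just above is also key-agnostic: an integer-like String for one of the boolean keys, or a boolean for `kernel.sysrq`, passes the check and reaches the setter. The method starts and continues outside this hunk.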
@@ -726,6 +729,26 @@
# @return [Boolean] True on success
def Import(settings)
settings = deep_copy(settings)
+ if settings.key?("KERNEL.SYSRQ")
+ settings["kernel.sysrq"] = settings.delete("KERNEL.SYSRQ")
+ end
+ if settings.key?("NET.IPV4.TCP_SYNCOOKIES")
+ settings["net.ipv4.tcp_syncookies"] =
settings.delete("NET.IPV4.TCP_SYNCOOKIES")
+ end
+ if settings.key?("NET.IPV4.IP_FORWARD")
+ settings["net.ipv4.ip_forward"] =
settings.delete("NET.IPV4.IP_FORWARD")
+ end
+ if settings.key?("NET.IPV6.CONF.ALL.FORWARDING")
+ settings["net.ipv6.conf.all.forwarding"] =
settings.delete("NET.IPV6.CONF.ALL.FORWARDING")
+ end
+
+ # conversion to true/false
+ ["net.ipv4.tcp_syncookies", "net.ipv4.ip_forward",
"net.ipv6.conf.all.forwarding"].each do |key|
+ if settings.key?(key) && settings[key].is_a?(::String)
+ settings[key] = settings[key] == "1" ? true : false
+ end
+ end
+
return true if settings == {}
@modified = true
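Review bot: The conversion `settings[key] == "1" ? true : false` maps every String other than exactly `"1"` to `false`, so an imported profile carrying `"yes"`, `"true"` or a value with stray whitespace for `net.ipv4.tcp_syncookies` silently turns SYN cookies off. For the two forwarding keys the fallback happens to be the restrictive side, but an unrecognised value is still accepted without a trace. Map only the known spellings and log anything else, as in the loop below; whether removing the key lets the default apply depends on the part of `Import` outside this hunk and should be confirmed. The same three-key list is repeated in `Export`, so a shared frozen constant would keep both in step.

```ruby
# conversion to true/false
["net.ipv4.tcp_syncookies", "net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding"].each do |key|
  next unless settings[key].is_a?(::String)

  case settings[key].strip
  when "1", "yes" then settings[key] = true
  when "0", "no" then settings[key] = false
  else
    log.error "unexpected value #{settings[key].inspect} for #{key}, ignoring it"
    settings.delete(key)
  end
end
# … unchanged: return true if settings == {} …
```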
@@ -736,13 +759,14 @@
else
if @sysctl.key?(k) && settings.key?(@sysctl2sysconfig[k])
val = settings[@sysctl2sysconfig[k]].to_s
- tmpSettings[k] = SYSCTL_VALUES[val] || val
+ tmpSettings[k] = SYSCTL_VALUES.key?(val) ? SYSCTL_VALUES[val] : val
else
tmpSettings[k] = settings[@obsolete_login_defs[k]] || v
end
end
end
@Settings = tmpSettings
+
true
end
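Review bot: The fallback branch of `SYSCTL_VALUES.key?(val) ? SYSCTL_VALUES[val] : val` still stores the raw String when a legacy sysconfig key carries something other than `yes`/`no`, for example `"1"` or `"0"`. The boolean conversion added at the top of `Import` only looks at the new-style key names in `settings`, so such a value appears to reach `@Settings` untyped, and code that now treats these keys as booleans will read it by truthiness. Normalising the value here as well, or rejecting unknown values with a log entry, would keep the three keys boolean on every import path. The loop this line sits in begins outside the hunk.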
@@ -750,7 +774,15 @@
# (For use by autoinstallation.)
# @return [Hash] Dumped settings (later acceptable by Import ())
def Export
- Builtins.eval(@Settings)
+ settings = deep_copy(@Settings)
+ # conversion to 0/1 string
+ ["net.ipv4.tcp_syncookies", "net.ipv4.ip_forward",
"net.ipv6.conf.all.forwarding"].each do |key|
+ if [TrueClass, FalseClass].include?(settings[key].class)
+ settings[key] = settings[key] ? "1" : "0"
+ end
+ end
+
+ settings
end
# Create a textual summary and a list of unconfigured cards
@@ -858,31 +890,31 @@
#
# @note It memoizes the value until {#main} is called.
#
- # @return [Yast2::CFA::Sysctl]
- def sysctl_file
- return @sysctl_file if @sysctl_file
- @sysctl_file = CFA::Sysctl.new
- @sysctl_file.load
- @sysctl_file
+ # @return [Yast2::CFA::SysctlConfig]
+ def sysctl_config
+ return @sysctl_config if @sysctl_config
+ @sysctl_config = CFA::SysctlConfig.new
+ @sysctl_config.load
+ @sysctl_config
end
- # Map sysctl keys to method names from the CFA::Sysctl class.
+ # Map sysctl keys to method names from the CFA::SysctlConfig class.
SYSCTL_KEY_TO_METH = {
"kernel.sysrq" => :kernel_sysrq,
- "net.ipv4.tcp_syncookies" => :raw_tcp_syncookies,
- "net.ipv4.ip_forward" => :raw_forward_ipv4,
- "net.ipv6.conf.all.forwarding" => :raw_forward_ipv6
+ "net.ipv4.tcp_syncookies" => :tcp_syncookies,
+ "net.ipv4.ip_forward" => :forward_ipv4,
+ "net.ipv6.conf.all.forwarding" => :forward_ipv6
}.freeze
# @param key [String] Key to get the value for
def read_sysctl_value(key)
- sysctl_file.public_send(SYSCTL_KEY_TO_METH[key])
+ sysctl_config.public_send(SYSCTL_KEY_TO_METH[key])
end
# @param key [String] Key to set the value for
# @param value [String] Value to assign to the given key
def write_sysctl_value(key, value)
- sysctl_file.public_send(SYSCTL_KEY_TO_METH[key].to_s + "=", value)
+ sysctl_config.public_send(SYSCTL_KEY_TO_METH[key].to_s + "=", value)
end
def shadow_config
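Review bot: The YARD comment on `write_sysctl_value` still says `@param value [String]`, but after this change the three network keys are written as booleans; `# @param value [String, Boolean] Value to assign to the given key` would match the new callers. `read_sysctl_value` has no `@return` tag, and `# @return [String, Boolean, nil] Current value for the key` (types to be confirmed against `CFA::SysctlConfig`) would help readers of the comparison in `write_kernel_settings`. Both helpers assume `key` is present in `SYSCTL_KEY_TO_METH`; a one-line comment stating that callers only pass keys taken from `@sysctl` would document why the lookup result is not checked before `public_send`.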
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/yast2-security-4.2.10/test/security_test.rb
new/yast2-security-4.2.11/test/security_test.rb
--- old/yast2-security-4.2.10/test/security_test.rb 2020-01-23
14:16:01.000000000 +0100
+++ new/yast2-security-4.2.11/test/security_test.rb 2020-02-21
10:22:33.000000000 +0100
@@ -36,12 +36,12 @@
import "Service"
describe Security do
- let(:sysctl_file) { CFA::Sysctl.new }
+ let(:sysctl_config) { CFA::SysctlConfig.new }
let(:shadow_config) { CFA::ShadowConfig.new }
before do
- allow(CFA::Sysctl).to receive(:new).and_return(sysctl_file)
- allow(sysctl_file).to receive(:save)
+ allow(CFA::SysctlConfig).to receive(:new).and_return(sysctl_config)
+ allow(sysctl_config).to receive(:save)
allow(CFA::ShadowConfig).to receive(:load).and_return(shadow_config)
allow(shadow_config).to receive(:save)
Security.main
@@ -193,26 +193,26 @@
context "writing to sysctl.conf" do
before do
allow(SCR).to exec_bash(/echo .* \/kernel\/sysrq/)
+ allow(sysctl_config).to receive(:conflict?).and_return(false)
end
it "does not write invalid values" do
Security.Settings["kernel.sysrq"] = "yes"
Security.Settings["net.ipv4.ip_forward"] = ""
- expect(sysctl_file).to_not receive(:kernel_sysrq).with("yes")
- expect(sysctl_file).to_not receive(:raw_forward_ipv4=).with("")
+ expect(sysctl_config).to_not receive(:kernel_sysrq).with("yes")
+ expect(sysctl_config).to_not receive(:raw_forward_ipv4=).with("")
Security.write_kernel_settings
end
it "does not write unchanged values" do
- Security.Settings["net.ipv4.ip_forward"] = "0"
- expect(sysctl_file).to_not receive(:raw_forward_ipv4=).with("0")
+ Security.Settings["net.ipv4.ip_forward"] = false
+ expect(sysctl_config).to_not receive(:save)
Security.write_kernel_settings
end
it "writes changed values" do
- Security.Settings["net.ipv4.ip_forward"] = "1"
- expect(sysctl_file).to receive(:raw_forward_ipv4=).with("1")
- expect(sysctl_file).to receive(:save)
+ Security.Settings["net.ipv4.ip_forward"] = true
+ expect(sysctl_config).to receive(:save)
Security.write_kernel_settings
end
end
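Review bot: The expectations in "does not write invalid values" still name `:raw_forward_ipv4=` (and `:kernel_sysrq` without the `=`), but the module now dispatches to `forward_ipv4=`, so these `to_not receive` checks can no longer fail and the rejection of invalid values is effectively untested. Point them at the setters that are actually called, e.g. `expect(sysctl_config).to_not receive(:forward_ipv4=)` and `expect(sysctl_config).to_not receive(:kernel_sysrq=)`. "writes changed values" also lost its setter expectation; `expect(sysctl_config).to receive(:forward_ipv4=).with(true)` would pin the value that is written. There is no example for the new branch where `conflict?` returns true and `save` must not be called.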
@@ -575,9 +575,9 @@
it "sets kernel settings based on /etc/sysctl.conf" do
expect(Security.Settings["kernel.sysrq"]).to eql("0")
- expect(Security.Settings["net.ipv4.tcp_syncookies"]).to eql("1")
- expect(Security.Settings["net.ipv4.ip_forward"]).to eql("0")
- expect(Security.Settings["net.ipv6.conf.all.forwarding"]).to eql("0")
+ expect(Security.Settings["net.ipv4.tcp_syncookies"]).to eql(true)
+ expect(Security.Settings["net.ipv4.ip_forward"]).to eql(false)
+ expect(Security.Settings["net.ipv6.conf.all.forwarding"]).to eql(false)
end
end
@@ -684,7 +684,7 @@
Security.Settings["MANDATORY_SERVICES"] = "no"
# SYSCTL
- Security.Settings["net.ipv4.ip_forward"] = "1"
+ Security.Settings["net.ipv4.ip_forward"] = true
# OBSOLETE LOGIN DEFS
Security.Settings["SYS_UID_MIN"] = 200
@@ -710,7 +710,7 @@
it "imports SYSCTL settings modifying key names and adapting values" do
expect(Security.Import("IP_FORWARD" => "no")).to eql(true)
- expect(Security.Settings["net.ipv4.ip_forward"]).to eql("0")
+ expect(Security.Settings["net.ipv4.ip_forward"]).to eql(false)
end
it "imports LOGIN DEFS settings transforming key name" do