Hello community,
here is the log from the commit of package apparmor for openSUSE:Factory
checked in at Mon Jan 17 17:43:05 CET 2011.
--------
New Changes file:
--- /dev/null 2010-08-26 16:28:41.000000000 +0200
+++ apparmor/apparmor.changes 2011-01-10 19:28:48.000000000 +0100
@@ -0,0 +1,95 @@
+-------------------------------------------------------------------
+Mon Jan 10 19:27:01 CET 2011 - jeffm@suse.de
+
+- apparmor-utils: Support newer auditd formatted messages.
+- Fix two x transition conflict bugs. (bnc#662928)
+
+-------------------------------------------------------------------
+Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
+
+- Split LDAP-related things from nameservice into a separate
+ profile and added some missing paths (bnc#662761)
+
+-------------------------------------------------------------------
+Wed Dec 22 03:41:43 CET 2010 - jeffm@suse.de
+
+- Fixed pod2man macros with older versions of GNU make
+
+-------------------------------------------------------------------
+Tue Dec 21 00:36:39 CET 2010 - jeffm@suse.de
+
+- Fixed building of perl and ruby SWIG modules. The former
+ is required for apparmor-utils to work properly.
+
+-------------------------------------------------------------------
+Tue Dec 7 18:22:55 CET 2010 - jeffm@suse.de
+
+- Fixed use-after-free issue in apparmor_parser.
+
+-------------------------------------------------------------------
+Tue Dec 7 17:52:59 CET 2010 - jeffm@suse.de
+
+- Added fixes for logprof issuing uninitialized variable errors
+ while encountering audit messages for unconfined processes.
+
+-------------------------------------------------------------------
+Wed Dec 1 19:52:58 CET 2010 - jeffm@suse.de
+
+- Updated cupsd profile (bnc#539401)
+
+-------------------------------------------------------------------
+Wed Dec 1 19:00:56 CET 2010 - jeffm@suse.de
+
+- Fix {proc} vs {PROC} macro usage in firefox profile (bnc#436262)
+
+-------------------------------------------------------------------
+Wed Dec 1 18:41:31 CET 2010 - jeffm@suse.de
+
+- Added support for eDirectory nameservice (bnc#621394)
+
+-------------------------------------------------------------------
+Wed Dec 1 18:05:44 CET 2010 - jeffm@suse.de
+
+- Fixed incorrect /proc/*/sys usage in usr.sbin.ntpd profile (bnc#634801)
+
+-------------------------------------------------------------------
+Wed Dec 1 17:39:08 CET 2010 - jeffm@suse.de
+
+- Added fix for another case of whitespace affecting profile
+ removal (bnc#510740)
+
+-------------------------------------------------------------------
+Tue Nov 30 12:00:00 CET 2010 - jeffm@suse.de
+
+- Added support for unified build, which massively simplified
+ the packaging.
+
+-------------------------------------------------------------------
+Fri Nov 15 21:22:46 CET 2010 - czanik@balabit.hu
+
+- Fix for syslog-ng profile to allow upgrade to v3.2
+- add mysql support to syslog-ng profile
+
+-------------------------------------------------------------------
+Thu Oct 21 15:16:38 CEST 2010 - jeffm@suse.de
+
+- Added support for enabling/disabling the module automatically
+ during installation/removal (bnc#623246)
+
+-------------------------------------------------------------------
+Tue Oct 5 17:58:31 CEST 2010 - jeffm@suse.de
+
+- Converted archive to tar.bz2.
+
+-------------------------------------------------------------------
+Tue Oct 5 17:49:16 CEST 2010 - jeffm@suse.de
+
+- Updated to 2.5.1-final.
+ - Lots of testcase updates.
+
+-------------------------------------------------------------------
+Fri Aug 27 21:21:38 CEST 2010 - jeffm@suse.de
+
+- Initial packaging of AppArmor 2.5
+ - Now contained in a single archive so built from a single spec file
+
calling whatdependson for head-i586
New:
----
apparmor-2.5.1-edirectory-profile
apparmor-2.5.1-firefox-proc-fix
apparmor-2.5.1-fix-parser-use-after-free
apparmor-2.5.1-ldapclient-profile
apparmor-2.5.1-ntpd-proc-fixes
apparmor-2.5.1-rpmlint-asprintf
apparmor-2.5.1-unconfined-fixes
apparmor-2.5.1-unified-build
apparmor-2.5.1.tar.bz2
apparmor-docs-techdoc-grammar-fixes
apparmor-no-caching-test
apparmor-parser-string-fixes
apparmor-perl
apparmor-profile-editor.desktop
apparmor-profile-editor.png
apparmor-profiles-cupsd-fix
apparmor-profiles-sshd-fix
apparmor-profiles-syslog-ng-fix
apparmor-scripts
apparmor-startproc.patch
apparmor-swig-build-fix
apparmor-translation-fixes
apparmor-utils-SubDomain
apparmor-utils-add-log-types
apparmor-utils-cleanup-on-abort
apparmor-utils-filenames-in-slash
apparmor-utils-null-path-fix
apparmor-utils-string-split
apparmor-utils-support-newer-auditd-formatted-messages
apparmor-utils-translation-unification
apparmor.changes
apparmor.spec
apparmorapplet-gnome-build-fix
baselibs.conf
fix-two-x-transition-conflict-bugs
mod_apparmor-includes
pam-apparmor-include
rpmlintrc
testsuite-build-fix
tomcat-build-fixes
update-trans.sh
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor.spec ++++++
++++ 840 lines (skipped)
++++++ apparmor-2.5.1-edirectory-profile ++++++
From: Jeff Mahoney
Subject: apparmor-profiles: Add support for eDirectory calls from nscd
References: bnc#621394
eDirectory hooks into nscd and provides its own libraries. In order for
this to operate properly with AppArmor, it needs to be told about these
libraries.
This patch adds a new abstract profile and includes it in the nameservice
profile.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/abstractions/nameservice | 3 +++
profiles/apparmor.d/abstractions/novell-edirectory | 13 +++++++++++++
2 files changed, 16 insertions(+)
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -71,6 +71,9 @@
# kerberos
#include
+ # Novell eDirectory
+ #include
+
# TCP/UDP network access
network inet stream,
network inet6 stream,
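Review bot: the `#include` added under the "# Novell eDirectory" comment has no target in this rendering, so the hunk as shown would not parse; it needs the path of the abstraction this patch creates (abstractions/novell-edirectory) in angle brackets. The kerberos include in the context line above has lost its target the same way, which suggests the brackets were stripped when the log was rendered rather than missing from the patch, but it is worth confirming before merge.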
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/novell-edirectory
@@ -0,0 +1,13 @@
+# $Id$
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /opt/novell/eDirectory/lib/lib*so* r,
+ /opt/novell/eDirectory/lib64/lib*so* r,
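Review bot: `r` alone on `/opt/novell/eDirectory/lib*/lib*so*` is not enough for a shared library: a confined nscd that dlopen()s these objects also needs `m` (executable mmap), so both rules should read `mr`; as written the load is denied in enforce mode even though the file is readable. The glob is also looser than intended, `lib*so*` matches any name containing `lib` followed somewhere by `so`; `lib*.so*` is what is meant.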
++++++ apparmor-2.5.1-firefox-proc-fix ++++++
From: Jeff Mahoney
Subject: apparmor-profiles: Fix proc usage in firefox profile
References: bnc#436262
This patch corrects the use of the {proc} macro. It should be {PROC}.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
@@ -32,9 +32,9 @@
/opt/kde3/share/applications/ r,
/opt/kde3/share/applications/mimeinfo.cache r,
- owner @{proc}/*/mounts r,
- @{proc}/meminfo r,
- @{proc}/sys/kernel/ngroups_max r,
+ owner @{PROC}/*/mounts r,
+ @{PROC}/meminfo r,
+ @{PROC}/sys/kernel/ngroups_max r,
/usr/lib/**.so mr,
++++++ apparmor-2.5.1-fix-parser-use-after-free ++++++
From: Jeff Mahoney
Subject: apparmor: Fix use after free in regexp parser
There are two cases of use-after-free in the simplify_tree_base code. It
worked in the past because there aren't any allocations between the
free and the use, so it was still around.
With glibc's memory perturbing feature (set MALLOC_PERTURB_ to anything),
the freed memory is poisoned. This causes crashes in e.g. apparmor_parser
while parsing certain profiles.
This patch addresses it by saving a pointer to the node to free after
the node is advanced.
Signed-off-by: Jeff Mahoney
---
parser/libapparmor_re/regexp.yy | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/parser/libapparmor_re/regexp.yy
+++ b/parser/libapparmor_re/regexp.yy
@@ -720,17 +720,19 @@ Node *simplify_tree_base(Node *t, int di
Node *i = t->child[!dir];
for (;dynamic_cast(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
++++++ apparmor-2.5.1-ldapclient-profile ++++++
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
===================================================================
--- /dev/null
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+ /etc/ldap.conf r,
+ /etc/ldap.secret r,
+ /etc/openldap/* r,
+ /etc/openldap/cacerts/* r,
+
+ # SASL plugins and config
+ /etc/sasl2/* r,
+ /usr/lib{,32,64}/sasl2/* r,
+
+ #include
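Review bot: `/usr/lib{,32,64}/sasl2/* r,` grants read only, but SASL plugins are shared objects that libsasl dlopen()s, so they need `m` as well (`mr`); as written, any profile that pulls this in through nameservice gets a mmap denial the first time a SASL bind is attempted. The `#include` on the last line has no target in this rendering; check the abstraction it chains to. Note also that this file inherits the reach of nameservice: `/etc/ldap.secret` (the bind password) stays readable by every confined program that does name lookups, which was already the case before the split but is worth keeping in mind when adding rules here.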
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
===================================================================
--- apparmor-2.5.1.orig/profiles/apparmor.d/abstractions/nameservice
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
@@ -17,8 +17,6 @@
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
- /etc/ldap.conf r,
- /etc/ldap.secret r,
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/passwd r,
@@ -33,9 +31,6 @@
/etc/samba/lmhosts r,
/etc/services r,
- # all openldap config
- /etc/openldap/* r,
- /etc/ldap/** r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
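Review bot: the removed `/etc/ldap/** r,` has no counterpart in the new ldapclient abstraction, which only lists `/etc/ldap.conf`, `/etc/ldap.secret`, `/etc/openldap/*` and `/etc/openldap/cacerts/*`; if the `/etc/ldap/` tree was there for a reason (other distributions' layout, or sites that symlink it), carry it over, otherwise state in the changelog that it was dropped deliberately.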
@@ -59,6 +54,9 @@
# nis
#include
+ # ldap
+ #include
+
# winbind
#include
++++++ apparmor-2.5.1-ntpd-proc-fixes ++++++
From: Jeff Mahoney
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/usr.sbin.ntpd | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -59,11 +59,11 @@
/var/run/ntpd.pid w,
/var/tmp/ntp* rwl,
@{PROC}/*/net/if_inet6 r,
- @{PROC}/*/sys/kernel/ngroups_max r,
+ @{PROC}/sys/kernel/ngroups_max r,
# allow access for when chrooted
/var/lib/ntp/@{PROC}/*/net/if_inet6 r,
- /var/lib/ntp/@{PROC}/*/sys/kernel/ngroups_max r,
+ /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
@{NTPD_DEVICE} rw,
}
++++++ apparmor-2.5.1-rpmlint-asprintf ++++++
From: Jeff Mahoney
Subject: apparmor: Use _GNU_SOURCE when asprintf is used
There are a few places in the parser that use asprintf but don't actually
get the prototype from stdio.h. _GNU_SOURCE is needed for that.
It works as-is but rpmlint in the openSUSE Build Service complains about it.
Signed-off-by: Jeff Mahoney
---
parser/Makefile.am | 1 +
parser/parser_include.c | 2 ++
parser/parser_interface.c | 1 +
parser/parser_lex.l | 4 ++++
parser/parser_main.c | 1 +
parser/parser_variable.c | 1 +
6 files changed, 10 insertions(+)
--- a/parser/Makefile.am
+++ b/parser/Makefile.am
@@ -14,6 +14,7 @@ dist_man_MANS = apparmor.d.5 apparmor.7
BUILT_SOURCES = parser_lex.c parser_yacc.c af_names.h cap_names.h
AM_YFLAGS = -d
AM_CFLAGS = -DLOCALEDIR=\"$(localedir)\"
+AM_LFLAGS = -D_GNU_SOURCE
apparmor_parser_SOURCES = parser_yacc.y parser_lex.l parser_include.c \
parser_interface.c parser_main.c parser_misc.c \
parser_merge.c parser_symtab.c parser_regex.c \
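Review bot: `AM_LFLAGS` is passed to flex, not to the C compiler, so `-D_GNU_SOURCE` here only affects the scanner generation step; the five per-file `#define _GNU_SOURCE` hunks below are what actually fixes the prototypes. Putting `-D_GNU_SOURCE` in `AM_CPPFLAGS` instead would apply to every compilation unit in the parser, including the generated `parser_lex.c`, and would make the per-file defines (and the `%{ %}` block added to parser_lex.l) unnecessary.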
--- a/parser/parser_include.c
+++ b/parser/parser_include.c
@@ -35,6 +35,8 @@
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
+
#include
#include
#include
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include
#include
#include
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -20,6 +20,10 @@
/* Definitions section */
/* %option main */
+%{
+#define _GNU_SOURCE /* for asprintf in stdio.h */
+%}
+
/* eliminates need to link with libfl */
%option noyywrap
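Review bot: this `%{ #define _GNU_SOURCE %}` block duplicates the `AM_LFLAGS = -D_GNU_SOURCE` added to Makefile.am in the same patch; keep one of the two, since if the two definitions end up with different bodies in the generated scanner the compiler warns about a macro redefinition, which is the kind of noise rpmlint is already complaining about.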
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include
#include
#include
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include
#include
#include
++++++ apparmor-2.5.1-unconfined-fixes ++++++
From: Jeff Mahoney
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
return if ($e->{operation} =~ /profile_set/);
my ($profile, $hat);
+
+ # The version of AppArmor that was accepted into the mainline kernel
+ # issues audit events for things like change_hat while unconfined.
+ # Previous versions just returned -EPERM without the audit so the
+ # events wouldn't have been picked up here.
+ return if (!$e->{profile});
+
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.
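Review bot: `return if (!$e->{profile});` drops every event with an empty profile field, not just the unconfined change_hat case the comment describes; a line the log parser failed to extract a profile from (for example one in the newer auditd format this package also patches for) is now discarded silently instead of surfacing as an error. Narrow the guard to the case actually handled, e.g. also require `$e->{info} eq "unconfined"` as in the quoted event, or at least emit a debug message when skipping.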
@@ -6625,10 +6632,15 @@ sub parse_event($) {
LibAppArmor::free_record($event);
#map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),
++++++ apparmor-2.5.1-unified-build ++++++
++++ 27492 lines (skipped)
++++++ apparmor-docs-techdoc-grammar-fixes ++++++
From: Jeff Mahoney
Subject: apparmor-docs: Fix grammar error in techdoc.pdf
References: bnc#588235
This patch fixes a grammar error in techdoc.pdf.
Signed-off-by: Jeff Mahoney
---
parser/techdoc.tex | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/techdoc.tex
+++ b/parser/techdoc.tex
@@ -213,7 +213,7 @@ files by controlling file descriptor pas
\subsection{Mount}
-Mounting can change a process's namespace in in almost arbitrary ways.
+Mounting can change a process's namespace in almost arbitrary ways.
This is a problem because AppArmor's file access control is pathname
based, and granting a process the right to arbitrarily change its
namespace would subvert this protection mechanism. AppArmor therefore
++++++ apparmor-no-caching-test ++++++
---
parser/tst/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -12,7 +12,7 @@ endif
all: tests
.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+tests: error_output parser_sanity
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
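Review bot: removing `caching` from the default `tests` target hides whatever is failing in the caching test instead of fixing it or marking it expected-to-fail, and the patch carries no description saying why; add a header explaining the failure (and whether it is specific to the build environment), otherwise the test silently stays off when the package moves to a newer upstream.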
++++++ apparmor-parser-string-fixes ++++++
From: Jeff Mahoney
Subject: apparmor-parser: Fix up translations
References: bnc#586070
---
parser/parser_interface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -77,7 +77,7 @@ static void print_error(int error)
PERROR(_("Out of memory\n"));
break;
case -EFAULT:
- PERROR(_("Couldn't copy profile Bad memory address\n"));
+ PERROR(_("Couldn't copy profile: Bad memory address\n"));
break;
case -EPROTO:
PERROR(_("Profile doesn't conform to protocol\n"));
++++++ apparmor-perl ++++++
---
utils/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -41,7 +41,8 @@ all: ${MANPAGES} ${HTMLMANPAGES}
DESTDIR=/
BINDIR=${DESTDIR}/usr/sbin
CONFDIR=${DESTDIR}/etc/apparmor
-PERLDIR=${DESTDIR}/usr/lib/perl5/vendor_perl/Immunix
+VENDOR_PERL ?= /usr/lib/perl5/vendor_perl
+PERLDIR := ${DESTDIR}${VENDOR_PERL}/Immunix
po/${NAME}.pot: ${TOOLS}
make -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} SubDomain.pm Repository.pm Config.pm Reports.pm"
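Review bot: with the default `DESTDIR=/` and `VENDOR_PERL=/usr/lib/perl5/vendor_perl`, `PERLDIR` expands to `//usr/lib/perl5/vendor_perl/Immunix`; harmless on Linux, and the old line had the same doubled slash, but it is cheap to avoid. Deriving the default from perl itself, `VENDOR_PERL ?= $(shell perl -MConfig -e 'print $$Config{vendorlib}')`, would also make the path right on lib64 and per-version layouts without the spec having to override it.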
++++++ apparmor-profile-editor.desktop ++++++
[Desktop Entry]
Encoding=UTF-8
Name=AppArmor Profile Editor
Comment=Edit AppArmor profiles
Exec=profileeditor %f
Terminal=false
Type=Application
Icon=apparmor-profile-editor
Categories=Utility;TextEditor;
X-KDE-SubstituteUID=true
++++++ apparmor-profiles-cupsd-fix ++++++
---
profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -16,20 +16,31 @@
capability setuid,
/bin/bash ixr,
+ /bin/cat ix,
+
+ /usr/bin/foomatic-rip ixr,
+ /etc/foomatic/** r,
+
+ /usr/bin/gs ix,
+ /usr/lib/ghostscript/** m,
+ /usr/lib64/ghostscript/** m,
+ /usr/share/ghostscript/** r,
+ /etc/ghostscript/** r,
+
/dev/lp0 rw,
/dev/tty rw,
/dev/ttyS? w,
/etc/cups rw,
/etc/cups/ r,
- /etc/cups/* r,
+ /etc/cups/** r,
/etc/cups/certs w,
/etc/cups/certs/* w,
- /etc/cups/classes.conf rw,
- /etc/cups/cupsd.conf rw,
+ /etc/cups/*.conf* rw,
/etc/cups/ppd rw,
+ /etc/printcap rw,
/etc/cups/printcap rw,
- /etc/cups/printers.conf rw,
/etc/cups/ssl rw,
+ /etc/cups/yes/* rw,
/etc/hosts.allow r,
/etc/hosts.deny r,
/proc/meminfo r,
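Review bot: this profile patch has no header, and several of the new rules need one: `/etc/cups/yes/* rw,` is not a path cupsd is known to use, `/etc/cups/*.conf* rw,` widens the old per-file conf rules to anything matching `.conf*` (presumably for the backup copies cupsd writes, but say so), and `/usr/bin/gs ix` runs ghostscript inside the cupsd profile with inherit, so every path ghostscript touches now has to be listed here too. A short description carrying the bnc number from the changelog (bnc#539401) would let the next maintainer tell deliberate widening from cargo-culting.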
@@ -39,11 +50,15 @@
/usr/bin/smbspool ixr,
/usr/lib/cups/backend/* ixr,
/usr/lib/cups/filter/* ixr,
- /usr/sbin/cupsd mr,
+ /usr/sbin/cupsd mixr,
/usr/share/cups/** r,
/var/log/cups/access_log rw,
/var/log/cups/error_log rw,
/var/spool/cups rw,
+ /var/spool/cups/** rw,
/var/spool/cups/tmp w,
/var/spool/cups/tmp/ r,
+ /var/run/cups/** rw,
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rw,
}
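Review bot: `/var/spool/cups/** rw,` subsumes the existing `/var/spool/cups/tmp w,` and `/var/spool/cups/tmp/ r,` lines below it, so those can go; and `/usr/sbin/cupsd mixr` lets cupsd re-exec itself under this same profile, which is unusual enough for a daemon's own binary that the header should say which cupsd code path needs it.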
++++++ apparmor-profiles-sshd-fix ++++++
From: Jeff Mahoney
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux accesses /proc/filesystems to determine if it's enabled
bash won't execute
audit_control is probably from libselinux too
---
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -30,6 +30,8 @@
capability kill,
capability setgid,
capability setuid,
+ capability audit_control,
+ capability sys_ptrace,
/dev/ptmx rw,
/dev/urandom r,
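Review bot: `capability sys_ptrace` is a large grant (it lets the confined sshd read any process's /proc state and attach to it), and the description only justifies `audit_control` ("probably from libselinux"); quote the denial that called for sys_ptrace, or leave it out until one shows up, since the `@{PROC}/[0-9]*/` rules already in the profile may be all that is actually needed.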
@@ -44,11 +46,12 @@
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
+ @{PROC}/filesystems r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
/bin/ash Ux,
- /bin/bash Ux,
+ /bin/bash rUx,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,
++++++ apparmor-profiles-syslog-ng-fix ++++++
--- a/profiles/apparmor.d/sbin.syslog-ng.old 2008-11-05 15:53:00.000000000 +0100
+++ b/profiles/apparmor.d/sbin.syslog-ng 2010-11-05 09:11:23.186489224 +0100
@@ -19,12 +19,14 @@
#include
#include
#include
+ #include
capability chown,
capability dac_override,
capability fsetid,
capability fowner,
capability sys_tty_config,
+ capability sys_resource,
/dev/log w,
/dev/syslog w,
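Review bot: the `#include` added after the existing three has lost its target in this rendering, and the changelog entry for this fix says mysql support was added to the profile while nothing else in the diff mentions mysql, so confirm the include names the intended abstraction before this is merged. `capability sys_resource` is also added without a word on which syslog-ng operation needs it (typically raising its own file-descriptor limit); say so in the header.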
@@ -35,11 +37,14 @@
/etc/hosts.deny r,
/etc/hosts.allow r,
/sbin/syslog-ng mr,
+ /usr/share/syslog-ng/** r,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
+ /var/run/syslog-ng/additional-log-sockets.conf r,
}
++++++ apparmor-scripts ++++++
---
parser/rc.aaeventd.suse | 2 +-
parser/rc.apparmor.functions | 16 ++++++++--------
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
3 files changed, 31 insertions(+), 10 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -30,7 +30,7 @@
### BEGIN INIT INFO
# Provides: aaeventd
# Required-Start: apparmor
-# Required-Stop:
+# Required-Stop: $null
# Default-Start: 2 3 5
# Default-Stop:
# Short-Description: AppArmor Notification and Reporting
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -111,9 +111,7 @@ is_apparmor_present() {
# check for subdomainfs version of module
grep -qE "^($modules)[[:space:]]" /proc/modules
- if [ $? -ne 0 ] ; then
- ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
- fi
+ [ $? -ne 0 -a -d /sys/module/apparmor ]
return $?
}
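Review bot: the new test inverts the result when AppArmor is loaded as a module: `[ $? -ne 0 -a -d /sys/module/apparmor ]` succeeds only when the `/proc/modules` grep failed and the sysfs directory exists, so a kernel that lists the module in `/proc/modules` now gets `is_apparmor_present` returning 1 (absent), whereas the old code returned 0 whenever the grep matched. Keep the original semantics with `grep -qE "^($modules)[[:space:]]" /proc/modules || [ -d /sys/module/apparmor ]` and return that; it also covers the built-in case that `-d /sys/module/apparmor` was meant to catch.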
@@ -380,10 +378,11 @@ apparmor_start() {
configure_owlsm
# if there is anything in the profiles file don't load
- cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
+ if ! read line < "$SFS_MOUNTPOINT/profiles"; then
parse_profiles load
else
- aa_log_skipped_msg "AppArmor already loaded with profiles."
+ aa_log_skipped_msg ": already loaded with profiles."
+ return 0
fi
aa_log_end_msg 0
return 0
@@ -415,7 +414,8 @@ remove_profiles() {
#them so stor to tmp first
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- cat "$MODULE_PLIST" | while read profile ; do
+ # Skip subprofiles, they'll be removed with the owning profile
+ grep -v // "$MODULE_PLIST" | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
rc=$?
if [ ${rc} -ne 0 ] ; then
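Review bot: `while IFS= read profile` still lets the shell interpret backslashes in profile names; since the name is written back to the `.remove` interface verbatim, use `read -r` as well. `grep -v //` exits 1 when every entry is a subprofile (empty loop), which is harmless here but will bite if `set -e` or pipefail is ever added to this script.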
@@ -430,7 +430,7 @@ apparmor_stop() {
aa_log_daemon_msg "Unloading AppArmor profiles "
remove_profiles
rc=$?
- log_end_msg $rc
+ aa_log_end_msg $rc
return $rc
}
@@ -468,7 +468,7 @@ __apparmor_restart() {
profiles_names_list ${PNAMES_LIST}
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do
+ sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
done
rm "$MODULE_PLIST"
--- a/parser/rc.apparmor.suse
+++ b/parser/rc.apparmor.suse
@@ -34,6 +34,7 @@
# Required-Start: boot.cleanup
# Required-Stop: $null
# Should-Start: $local_fs
+# Should-Stop: $null
# Default-Start: B
# Default-Stop:
# Short-Description: AppArmor initialization
@@ -76,7 +77,19 @@ aa_log_warning_msg() {
}
aa_log_failure_msg() {
- log_failure_msg $*
+ log_failure_msg '\n'$*
+}
+
+aa_log_action_begin() {
+ echo -n
+}
+
+aa_log_action_end() {
+ echo -n
+}
+
+aa_log_daemon_msg() {
+ echo -en "$@ "
}
aa_log_skipped_msg() {
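Review bot: `log_failure_msg '\n'$*` leaves `$*` unquoted, so a message containing globbing characters (profile names with `*` are common in this script) gets expanded against the current directory; use `"$*"`, as `aa_log_daemon_msg` below does with `"$@"`.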
@@ -84,6 +97,14 @@ aa_log_skipped_msg() {
echo -e "$rc_skipped"
}
+aa_log_end_msg() {
+ v="-v"
+ if [ "$1" != '0' ]; then
+ rc="-v$1"
+ fi
+ rc_status $v
+}
+
usage() {
echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
}
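Review bot: `aa_log_end_msg` never propagates the status it is given: `rc="-v$1"` is assigned but not used, and `rc_status $v` reads `$?` from the preceding `if`, which is 0 on both paths, so a non-zero `$1` is reported as success. In SUSE's rc.status the way to feed a failure in is `rc_failed`, e.g. `[ "$1" = 0 ] || rc_failed "$1"` followed by `rc_status -v`, which also lets `$v` and `$rc` go away.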
++++++ apparmor-startproc.patch ++++++
---
parser/rc.aaeventd.suse | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -81,9 +81,9 @@ usage() {
start_aa_event() {
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
fi
}
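Review bot: dropping `-f` changes startproc from "start regardless" to "refuse if the pidfile names a live process", which is the right default but deserves a line in the patch header (there is none), since a stale pidfile that happens to point at a live pid will now make start a silent no-op.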
++++++ apparmor-swig-build-fix ++++++
---
libraries/libapparmor/swig/perl/Makefile.am | 1 +
1 file changed, 1 insertion(+)
--- a/libraries/libapparmor/swig/perl/Makefile.am
+++ b/libraries/libapparmor/swig/perl/Makefile.am
@@ -9,6 +9,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibA
Makefile.perl: Makefile.PL
$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
+ sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
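Review bot: `sed -ie '...' Makefile.perl` is not `-i -e`: GNU sed reads `-ie` as in-place editing with backup suffix `e`, takes the next argument as the script, and leaves a stray `Makefile.perle` behind on every build. Write `sed -i -e 's/^LD_RUN_PATH.*//' Makefile.perl`; the `g` flag is redundant on an anchored pattern.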
++++++ apparmor-translation-fixes ++++++
---
utils/SubDomain.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2304,7 +2304,7 @@ sub handlechildren {
unless (-e getprofilefilename($exec_target)) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$helpers{$exec_target} = "enforce";
@@ -2331,7 +2331,7 @@ sub handlechildren {
unless ($sd{$profile}{$exec_target}) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$hat = $exec_target;
++++++ apparmor-utils-SubDomain ++++++
---
utils/Reports.pm | 2 +-
utils/SubDomain.pm | 2 +-
utils/genprof | 4 ++--
utils/rc.sd-event-dispatch.suse | 10 +++++-----
utils/unconfined | 2 +-
5 files changed, 10 insertions(+), 10 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -14,7 +14,7 @@ package Immunix::Reports;
################################################################################
# /usr/lib/perl5/site_perl/Reports.pm
#
-# - Parses /var/log/messages for SubDomain messages
+# - Parses /var/log/messages for AppArmor messages
# - Writes results to .html or comma-delimited (.csv) files (Optional)
#
# Requires:
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1590,7 +1590,7 @@ my %CMDS = (
CMD_GLOBEXT => "Glob w/(E)xt",
CMD_ADDHAT => "(A)dd Requested Hat",
CMD_USEDEFAULT => "(U)se Default Hat",
- CMD_SCAN => "(S)can system log for SubDomain events",
+ CMD_SCAN => "(S)can system log for AppArmor events",
CMD_HELP => "(H)elp",
CMD_VIEW_PROFILE => "(V)iew Profile",
CMD_USE_PROFILE => "(U)se Profile",
--- a/utils/genprof
+++ b/utils/genprof
@@ -52,7 +52,7 @@ GetOptions(
my $sd_mountpoint = check_for_subdomain();
unless ($sd_mountpoint) {
- fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
+ fatal_error(gettext("AppArmor does not appear to be started. Please enable AppArmor and try again."));
}
# let's convert it to full path...
@@ -166,7 +166,7 @@ for my $p (sort keys %helpers) {
}
}
-UI_Info(gettext("Reloaded SubDomain profiles in enforce mode."));
+UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0;
--- a/utils/rc.sd-event-dispatch.suse
+++ b/utils/rc.sd-event-dispatch.suse
@@ -7,14 +7,14 @@
# /usr/sbin/rcsd-event-dispatch
#
# chkconfig: 2345 01 99
-# description: SubDomain event dispatcher
+# description: AppArmor event dispatcher
#
### BEGIN INIT INFO
# Provides: sd-event-dispatch
# Required-Start: subdomain
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
-# Description: Start the SubDomain event dispacher
+# Description: Start the AppArmor event dispacher
### END INIT INFO
SD_EV_BIN=/usr/sbin/sd-event-dispatch.pl
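Review bot: while these lines are being touched, fix the typo `dispacher` in the Description line (`dispatcher`), and note that `Required-Start: subdomain` still names the old init script while rc.aaeventd.suse in the apparmor-scripts patch depends on `apparmor`; if no `subdomain` service exists on the system any more, insserv will complain about the unresolvable dependency.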
@@ -38,7 +38,7 @@ rc_reset
case "$1" in
start)
- echo -n "Starting SubDomain Event daemon"
+ echo -n "Starting AppArmor Event daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
@@ -48,7 +48,7 @@ case "$1" in
rc_status -v
;;
stop)
- echo -n "Shutting down SubDomain Event daemon"
+ echo -n "Shutting down AppArmor Event daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
@@ -75,7 +75,7 @@ case "$1" in
rc_status
;;
status)
- echo -n "Checking for SubDomain Event daemon"
+ echo -n "Checking for AppArmor Event daemon"
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;
++++++ apparmor-utils-add-log-types ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2789,7 +2789,9 @@ sub add_event_to_tree ($) {
""
);
}
- } elsif ($e->{operation} =~ m/file_/) {
+ } elsif ($e->{operation} =~ m/file_/ or
+ # These are the path operations introduced in 2.6.29
+ $e->{operation} =~ m/^(open|unlink|mkdir|rmdir|mknod|truncate|symlink_create|link|rename_src|rename_dest)$/) {
add_to_tree( $e->{pid},
$e->{parent},
"path",
++++++ apparmor-utils-cleanup-on-abort ++++++
From: Jeff Mahoney
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 3 +++
1 file changed, 3 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1750,6 +1750,9 @@ sub confirm_and_abort {
if ($ans eq "y") {
UI_Info(gettext("Abandoning all changes."));
shutdown_yast();
+ foreach my $prof (@created) {
+ delete_profile($prof);
+ }
exit 0;
}
}
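Review bot: `@created` does not appear anywhere in this hunk; if it is not declared at file scope and appended to wherever the base profile is written out, this fails under `use strict`, and if it is, the hunk should show that so a reviewer can see that only profiles created in this run (not pre-existing ones the user edited) end up in `delete_profile`.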
++++++ apparmor-utils-filenames-in-slash ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Fix handling of files in /
References: bnc#397883
The separate handling of files and directories with realpath is broken.
For files e.g. /foo, $dir ends up being empty since the / is eaten by
the regex. realpath resolves an empty argument as the current directory,
resulting in an incorrect path.
There's no explanation of why the separate handling was used in the
first place.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -511,14 +511,7 @@ sub get_full_path ($) {
}
}
- if (-f $path) {
- my ($dir, $file) = $path =~ m/^(.*)\/(.+)$/;
- $path = realpath($dir) . "/$file";
- } else {
- $path = realpath($path);
- }
-
- return $path;
+ return realpath($path);
}
sub findexecutable ($) {
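Review bot: the removed branch was broken, but it also had a purpose the new `return realpath($path)` loses: resolving the directory while keeping the file component meant a symlinked executable stayed under its link name in the generated profile, whereas `realpath` on the whole path now follows the link, so the profile name and exec rules will refer to the target binary. If the old behaviour is wanted, keep the split and fix the regex to retain the leading `/` for files in the root, e.g. `m{^(.*/)([^/]+)$}` with `realpath($1) . $2`; if not, say in the header that profiles now follow symlinks.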
++++++ apparmor-utils-null-path-fix ++++++
From: Jeff Mahoney
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
---
utils/SubDomain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1905,7 +1905,7 @@ sub handlechildren {
$hat = $h;
}
- next unless $profile && $hat;
+ next unless $profile && $hat && $detail;
my $domainchange = ($type eq "exec") ? "change" : "nochange";
# escape special characters that show up in literal paths
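Review bot: `next unless $profile && $hat && $detail` silently drops the entry; since the audit record in the description carries no name at all ("Failed name resolution"), skipping is right, but a debug-level message naming the skipped operation would make the behaviour visible when a profile unexpectedly comes out incomplete. A plain truth test also skips a path that is literally `0`; `defined($detail) && length($detail)` is stricter if that matters.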
++++++ apparmor-utils-string-split ++++++
From: Jeff Mahoney
Subject: SubDomain.pm: Split long string
The string split here ends up not displaying well in yast.
---
utils/SubDomain.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -6241,7 +6241,12 @@ sub check_qualifiers {
if ($cfg->{qualifiers}{$program}) {
unless($cfg->{qualifiers}{$program} =~ /p/) {
- fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
+ fatal_error(sprintf(gettext(
+"\%s is currently marked as a program that should not have its own\n".
+"profile. Usually, programs are marked this way if creating a profile for \n".
+"them is likely to break the rest of the system. If you know what you're\n".
+"doing and are certain you want to create a profile for this program, edit\n".
+"the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
}
}
}
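Review bot: the replacement msgid differs from the old one in more than line breaks: `it's` becomes `its` (a correct fix) and the second line ends in `for \n` with a trailing space before the newline. Either change alters the gettext key, so existing translations of this message go fuzzy until the .po files are updated; drop the trailing space, and consider letting the UI wrap the text rather than embedding `\n` in a translatable string.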
++++++ apparmor-utils-support-newer-auditd-formatted-messages ++++++
From: Steve Beattie
Subject: apparmor-utils: Support newer auditd formatted messages.
Patch from mancha on irc.
This is lp:apparmor/2.5 commit r1444.
Acked-By: Steve Beattie
Acked-by: Jeff Mahoney
---
utils/SubDomain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2420,7 +2420,7 @@
my $RE_LOG_v2_1_audit =
qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
my $RE_LOG_v2_6_audit =
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
sub prefetch_next_log_entry {
# if we already have an existing cache entry, something's broken
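Review bot: `(msg=)?` is a capturing group; if any caller reads numbered captures from `$RE_LOG_v2_6_audit`, the optional group shifts them, so the non-capturing form `(?:msg=)?` is safer and slightly cheaper. The pattern otherwise matches both the older `type=AVC audit(...)` and the newer `type=AVC msg=audit(...)` forms, which is what the subject describes.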
++++++ apparmor-utils-translation-unification ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Translation unification
References: bnc#586072
This patch removes small inconsistencies between identical strings to
allow for easier translation.
Reported-by: Isis Binder
Signed-off-by: Jeff Mahoney
---
utils/Reports.pm | 6 +++---
utils/unconfined | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -967,7 +967,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
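Review bot: the same `ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr))` line now appears three times in `getEssStats`; factoring it into a small helper would keep the copies from drifting apart again, which is exactly what this patch has to correct. Note too that adding the trailing period changes the msgid, so existing translations of the old string become fuzzy.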
@@ -980,7 +980,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
@@ -988,7 +988,7 @@ sub getEssStats {
eval { $ret = $dbh->selectall_arrayref("$query"); };
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;
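Review bot: the removed and added `die gettext(...)` lines read identically here, so the change is presumably whitespace-only (a doubled space or a tab inside the string); a reviewer cannot verify that from the rendered diff, so the commit message should say which characters changed and why the other copy of the string is the canonical one.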
++++++ apparmorapplet-gnome-build-fix ++++++
---
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c | 1 +
1 file changed, 1 insertion(+)
--- a/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
+++ b/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
@@ -11,6 +11,7 @@
#include
#include
#include
+#include
#include "preferences_dialog.h"
#include "reject_list.h"
#include "apparmor-applet.h"
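Review bot: the patch carries no description, and the added include's header name is not shown in this rendering (angle-bracket includes appear as a bare `#include`), so it is impossible to tell from the hunk which declaration was missing; a one-line message naming the header and the build error it fixes would help.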
++++++ baselibs.conf ++++++
pam_apparmor
supplements "packageand(pam_apparmor:pam-<targettype>)"
libapparmor1
obsoletes "libapparmor-<targettype> <= <version>"
provides "libapparmor-<targettype> = <version>"
++++++ fix-two-x-transition-conflict-bugs ++++++
From: John Johansen
Subject: Fix two x transition conflict bugs.
References: bnc#662928 lpn#693082
This is lp:apparmor/2.5 commit r1443.
The is_merged_x_consistent macro was incorrect in that it tested for
USER_EXEC_TYPE to determine if there was an x transition. This fails
for unconfined execs so an unconfined exec would not correctly conflict
with another exec type.
The dfa match flag table for xtransitions was not large enough and not
indexed properly for pux, and cux transitions. The index calculation did
not take into account the pux flag so that pux and px aliased to the same
location and cux and cx aliased to the same location.
This would result in the first rule being processed defining what the
transition type was for all following rules of the type following. So
if a px transition was processed first, all pux transitions in the profile
would be treated pux.
Signed-off-by: John Johansen
Acked-By: Steve Beattie
Add auto generation of xtransition conflict tests
All the combinations of xtransition conflicts were not well represented in
the regression test suite. Instead of relying on multiple static test
files, automatically generate all possible conflicts.
Signed-off-by: John Johansen
Acked-By: Steve Beattie
Acked-by: Jeff Mahoney
diff:
=== modified file 'parser/immunix.h'
parser/immunix.h | 4
parser/libapparmor_re/regexp.yy | 10 -
parser/tst/Makefile | 10 +
parser/tst/gen-xtrans.pl | 152 +++++++++++++++++++++++++++++
parser/tst/simple_tests/generated_x/readme | 2
5 files changed, 169 insertions(+), 9 deletions(-)
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
+++ b/parser/immunix.h 2011-01-07 20:46:15 +0000
@@ -148,12 +148,12 @@
#include
static inline int is_merged_x_consistent(int a, int b)
{
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
return 0;
}
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
return 0;
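Review bot: the condition now fires whenever both permissions carry the exec bit and their type bits differ, which covers the unconfined case the message describes; keep in mind, though, that the `fprintf(stderr, ...)` inside a `static inline` in a header means every translation unit including immunix.h emits the diagnostic itself, without the rule or line number the caller knows. Returning the conflicting bits and letting the caller report them would give a more useful error.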
=== modified file 'parser/libapparmor_re/regexp.yy'
--- a/parser/libapparmor_re/regexp.yy 2010-07-24 14:16:14 +0000
+++ b/parser/libapparmor_re/regexp.yy 2011-01-07 20:46:15 +0000
@@ -2581,9 +2581,9 @@
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
extern "C" void aare_reset_matchflags(void)
{
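Review bot: the old `((AA_EXEC_COUNT << 2) * 2)` and the new `(AA_EXEC_COUNT *2 * 2 * 2)` both evaluate to `AA_EXEC_COUNT * 8`, so this hunk does not actually enlarge the arrays despite what the commit message says; the real fix is the `EXTRACT_X_INDEX` change below. Since that index is masked to 7 bits, the size should be tied to the mask directly (e.g. `(0x7f + 1)`) with a compile-time check, so the two cannot drift apart again.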
@@ -2644,8 +2644,8 @@
flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
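Review bot: the mask widens from `0x3f` to `0x7f` and the shift drops from 8 to 7, so the pux bit sits just below the old field and becomes the low bit of the index; this stays correct only while `EXEC_MATCH_FLAGS_SIZE` is at least `0x7f + 1`, which deserves a static assertion next to the macro. Separately, the commented-out check on the following line, `(!perms & AA_EXEC_BITS)`, has a precedence bug (`!perms` is evaluated first) and should read `!(perms & AA_EXEC_BITS)` if it is ever revived.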
=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile 2011-01-07 20:46:15 +0000
@@ -11,8 +11,11 @@
all: tests
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
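Review bot: `tests: error_output gen_xtrans parser_sanity` only orders the generator before `parser_sanity` in a serial build; under `make -j` the prerequisites can run concurrently, so `parser_sanity` may scan `simple_tests/` before `gen-xtrans.pl` has written its files. Make `parser_sanity` depend on `gen_xtrans` explicitly. The generator also runs unconditionally on every invocation; a stamp file would avoid rewriting the generated files each time.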
@@ -34,3 +37,6 @@
$(PARSER):
make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*
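Review bot: `rm -f simple_tests/generated_x/*` also deletes the `readme` this patch adds to that directory, which is its only tracked file; restrict the glob to `simple_tests/generated_x/*.sd`, and add `clean` to the `.PHONY` list since no file of that name is produced.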
=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl 2011-01-07 20:46:15 +0000
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
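Review bot: `use Locale::gettext;` and `setlocale(LC_MESSAGES, "")` are never used (no `gettext()` call follows) and make the test suite depend on a non-core module; drop them. `gen_file` opens `>$name` with a two-argument `open`, there is no `use warnings`, and nothing checks that `$prefix` exists, so a checkout without the `generated_x` directory fails with "couldn't open" on the first test; create the prefix once at the top. Minor: the comments read "conflict tests don't tests" and "coorispondance", and each generated file ends without a newline after the closing `}`.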
=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-07 20:46:15 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+
++++++ mod_apparmor-includes ++++++
---
changehat/mod_apparmor/Makefile | 6 +-----
changehat/mod_apparmor/mod_apparmor.c | 6 +-----
2 files changed, 2 insertions(+), 10 deletions(-)
--- a/changehat/mod_apparmor/Makefile
+++ b/changehat/mod_apparmor/Makefile
@@ -42,11 +42,7 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2"
fi )
APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
DESTDIR=
-LIBAPPARMOR_FLAGS=$(shell if [ -f /usr/lib/libapparmor.so -o -f /usr/lib64/libapparmor.so ] ; then \
- echo -lapparmor ; \
- else \
- echo -DUSE_COMPAT_IMMUNIX_H -limmunix ;\
- fi)
+LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
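Review bot: the quotes in `LIBAPPARMOR_FLAGS="-I... -L... -lapparmor"` become part of the make variable's value, so when a recipe expands it the shell passes the whole string as a single argument; this only works if the consumer (apxs here) re-splits it. Drop the quotes. The hunk also removes the probe for an installed `libapparmor.so`, so the module can now be built only from a full source tree; keep the in-tree path as a default that an installed location can override.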
--- a/changehat/mod_apparmor/mod_apparmor.c
+++ b/changehat/mod_apparmor/mod_apparmor.c
@@ -24,11 +24,7 @@
#include "apr_strings.h"
#include "apr_lib.h"
-#ifndef USE_COMPAT_IMMUNIX_H
-#include
-#else
-#include
-#endif
+#include "apparmor.h"
#include
/* #define DEBUG */
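Review bot: `#include "apparmor.h"` relies on the `-I../../libraries/libapparmor/src` added in the Makefile hunk above; against an installed libapparmor the header lives under `sys/` (see the `"sys/apparmor.h"` removed in the JNIChangeHat.c hunk of this series), so an out-of-tree build now fails where the removed `#ifndef USE_COMPAT_IMMUNIX_H` block at least had a working branch. If the in-tree build is the only supported one, say so in the commit message; otherwise keep the installed header name and add the in-tree directory to the include path so both resolve.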
++++++ pam-apparmor-include ++++++
From: Jeff Mahoney
Subject: apparmor: Fix pam includes/linking
---
changehat/pam_apparmor/Makefile | 6 +++---
changehat/pam_apparmor/pam_apparmor.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/changehat/pam_apparmor/Makefile
+++ b/changehat/pam_apparmor/Makefile
@@ -27,8 +27,8 @@ common/Make.rules: $(COMMONDIR)/Make.rul
ln -sf $(COMMONDIR) .
endif
-EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall
-LINK_FLAGS=-Xlinker -x
+EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall -I../../libraries/libapparmor/src/
+LINK_FLAGS=-Xlinker -x -L../../libraries/libapparmor/src/.libs
LIBS=-lpam -lapparmor
OBJECTS=${NAME}.o get_options.o
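Review bot: `-L../../libraries/libapparmor/src/.libs` in `LINK_FLAGS` links against the in-tree library with no rpath, so the resulting `pam_apparmor.so` resolves `libapparmor` from the system at runtime; that is fine for packaging but means the module cannot be exercised in-tree without `LD_LIBRARY_PATH`. As with the other hunks in this series, the paths are unconditional; an overridable variable (`LIBAPPARMOR_DIR ?= ...`) would keep out-of-tree builds working.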
@@ -42,7 +42,7 @@ $(NAME).so: ${OBJECTS}
# need some better way of determining this
DESTDIR=/
-SECDIR=${DESTDIR}/lib/security
+SECDIR ?= ${DESTDIR}/lib/security
.PHONY: install
install: $(NAME).so
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -27,7 +27,7 @@
#include
#include
#include
-#include
+#include "apparmor.h"
#include
#include
++++++ rpmlintrc ++++++
addFilter("devel-file-in-non-devel-package.*/usr/lib64/libJNIChangeHat.so")
addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so")
addFilter("shlib-policy-name-error.*libJNIChangeHat0")
++++++ testsuite-build-fix ++++++
From: Jeff Mahoney
Subject: testsuite: Fix linking with shared in-tree libapparmor
This patch stops the static linking with libapparmor and uses the
shared library instead. Before it's installed, it'll have the in-tree
rpath and the testsuite will work as expected.
Signed-off-by: Jeff Mahoney
---
libraries/libapparmor/testsuite/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/libraries/libapparmor/testsuite/Makefile.am
+++ b/libraries/libapparmor/testsuite/Makefile.am
@@ -12,7 +12,7 @@ noinst_PROGRAMS = test_multi.multi
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
clean-local:
rm -f tmp.err.* tmp.out.* site.exp site.bak
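Review bot: with automake and libtool the conventional form is `test_multi_multi_LDADD = ../src/libapparmor.la`; libtool then links the shared library and generates the wrapper script that sets the in-tree library path, which is exactly the behaviour the commit message wants, without hard-coding `.libs`. `-L../src/.libs -lapparmor` works only while the in-tree rpath is present, as the message itself notes.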
++++++ tomcat-build-fixes ++++++
---
changehat/tomcat_apparmor/tomcat_5_5/build.xml | 15 +++++-----
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c | 2 -
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile | 4 +-
3 files changed, 11 insertions(+), 10 deletions(-)
--- a/changehat/tomcat_apparmor/tomcat_5_5/build.xml
+++ b/changehat/tomcat_apparmor/tomcat_5_5/build.xml
@@ -4,8 +4,8 @@
<property name="jni_src" location="src/jni_src"/>
<property name="build" location="build"/>
<property name="install_root" location="/"/>
- <property name="catalina_home" location="/usr/share/tomcat5"/>
- <property name="lib" location="lib"/>
+ <property name="catalina_home" location="/usr/share/tomcat6"/>
+ <property name="lib" location="/usr/share/tomcat6/bin"/>
<property name="install_lib" value="/lib"/>
<property name="dist" location="dist"/>
<property name="jarfile" location="${dist}/${ant.project.name}.jar"/>
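Review bot: the property named `lib` is now set to `/usr/share/tomcat6/bin`, an absolute path that duplicates `catalina_home`; if the bootstrap jars in `bin` are what is wanted, `${catalina_home}/bin` keeps the two consistent when `catalina_home` is overridden, and a name such as `bootstrap_lib` would say what it holds.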
@@ -18,10 +18,11 @@
<include name="**/*.jar"/>
</fileset>
- <fileset id="tomcat.jars" dir="${catalina_home}/server/lib">
+ <fileset id="tomcat.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
- <fileset id="servlet.jars" dir="${catalina_home}/common/lib">
+
+ <fileset id="servlet.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
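Review bot: `tomcat.jars` and `servlet.jars` now point at the same directory `${catalina_home}/lib`, so every jar there is added to the classpath twice; merge the two filesets or drop one. The stray empty line added before the second fileset can go too. The file still lives under `tomcat_5_5` while the paths target tomcat6, which the directory name and a commit message (this patch has none) should reflect.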
@@ -80,9 +81,9 @@
</target>
<target name="install_jar" depends="jni_so" description="Install jar file">
- <mkdir dir="${install_root}/${catalina_home}/server/lib/"/>
- <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
- <chmod perm="644" file="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
+ <mkdir dir="${install_root}/${catalina_home}/lib/"/>
+ <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
+ <chmod perm="644" file="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
</target>
<target name="clean" description="Remove build and dist directories">
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
@@ -13,7 +13,7 @@
#include "jni.h"
#include
-#include "sys/apparmor.h"
+#include "apparmor.h"
#include "com_novell_apparmor_JNIChangeHat.h"
/* c intermediate lib call for Java -> JNI -> c library execution of the change_hat call */
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
@@ -4,7 +4,7 @@ LIB = lib/
LIBDIR = /usr/${LIB}
INCLUDE = ${LIBDIR}/jvm/java/include
CFLAGS = -g -O2 -Wall -Wstrict-prototypes -Wl,-soname,$@.${SO_VERS} -pipe -fpic -D_REENTRANT
-INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux
+INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux -I$(TOP)/../../../libraries/libapparmor/src/
CLASSFILE = ${CLASSPATH}/com/novell/apparmor/${JAVA_CLASSNAME}.class
DESTDIR = ${TOP}/dist
SO_VERS = 1
@@ -20,7 +20,7 @@ ${JAVA_CLASSNAME}.java com_novell_apparm
javah -jni -classpath ${CLASSPATH} com.novell.apparmor.${JAVA_CLASSNAME}
${TARGET}.so: ${JAVA_CLASSNAME}.c ${JAVA_CLASSNAME}.java com_novell_apparmor_${JAVA_CLASSNAME}.h
- gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -lapparmor
+ gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -L$(TOP)/../../../libraries/libapparmor/src/.libs -lapparmor
install: ${TARGET}.so
install -d $(DESTDIR)/${LIB} $(DESTDIR)${LIBDIR}
++++++ update-trans.sh ++++++
CFILES="
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
deprecated/management/applets/apparmorapplet-gnome/src/preferences_dialog.c
deprecated/management/applets/apparmorapplet-gnome/src/reject_list.c
parser/parser_alias.c
parser/parser_include.c
parser/parser_interface.c
parser/parser_lex.l
parser/parser_main.c
parser/parser_merge.c
parser/parser_misc.c
parser/parser_policy.c
parser/parser_regex.c
parser/parser_symtab.c
parser/parser_variable.c
parser/parser_yacc.y
"
CPPFILES="
deprecated/management/profile-editor/src/AboutDialog.cpp
deprecated/management/profile-editor/src/AboutDialog.h
deprecated/management/profile-editor/src/Configuration.cpp
deprecated/management/profile-editor/src/Preferences.cpp
deprecated/management/profile-editor/src/Preferences.h
deprecated/management/profile-editor/src/profileeditor.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.h
parser/libapparmor_re/regexp.yy
"
PERLFILES="
utils/aa-repo.pl
utils/audit
utils/autodep
utils/complain
utils/enforce
utils/genprof
utils/logprof
utils/Reports.pm
utils/SubDomain.pm
utils/unconfined
"
ARGS="--keyword=_ --keyword=N_ -n --force-po"
xgettext $ARGS --output=apparmor-C.pot -L C $CFILES
xgettext $ARGS --output=apparmor-CPP.pot -L C++ $CPPFILES
xgettext $ARGS --output=apparmor-PERL.pot -L Perl $PERLFILES
msgcat apparmor-*.pot > apparmor.pot
sed \
-e 's/Project-Id-Version: PACKAGE VERSION/Project-Id-Version: apparmor/g' \
-e 's/PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE/PO-Revision-Date: 2009-02-05 13:38/' \
-e 's/Report-Msgid-Bugs-To: /Report-Msgid-Bugs-To: apparmor-general@forge.novell.com/' \
-e 's/Last-Translator: FULL NAME /Last-Translator: Novell Language /' \
-e 's/Language-Team: LANGUAGE /Language-Team: Novell Language /' \
-e 's/Content-Type: text\/plain; charset=CHARSET/Content-Type: text\/plain; charset=UTF-8/' \
< apparmor.pot > apparmor.pot.new
mv apparmor.pot.new apparmor.pot
# Refresh every translation found in the tree against the new template and
# merge it into po/. msgmerge -U takes the .po to update first and the
# reference .pot second.
for file in $(find . -name '*.po'); do
f=$(basename $file)
msgmerge -U $file apparmor.pot
if [ -e "po/$f" ]; then
msgcat $file po/$f > $f
mv $f po/$f
else
cp $file po/$f
fi
done