commit apparmor for openSUSE:Factory
Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at Tue Jan 25 13:16:44 CET 2011. -------- --- apparmor/apparmor.changes 2011-01-18 11:55:47.000000000 +0100 +++ /mounts/work_src_done/STABLE/apparmor/apparmor.changes 2011-01-24 20:16:37.000000000 +0100 
@@ -1,0 +2,30 @@ +Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de + +- Inherit flags in sub-profiles when generating profiles (bnc#496204). + +------------------------------------------------------------------- +Mon Jan 24 01:02:53 CET 2011 - jeffm@suse.de + +- Stop treating profiles shipped with the package as config files. + - /etc/apparmor.d will still be treated specially. +- Add support for parsing network operation events (bnc#665483) + +------------------------------------------------------------------- +Mon Jan 24 00:23:35 CET 2011 - jeffm@suse.de + +- Fix for sbin.klogd profile using kernel versions >= 2.6.38-rc1. + +------------------------------------------------------------------- +Mon Jan 24 00:11:28 CET 2011 - jeffm@suse.de + +- Update to apparmor-2.5 r1445. + - Includes 3 of the fixes below. + - Several testsuite fixes. + - Update for Thunderbird profile. + +------------------------------------------------------------------- +Fri Jan 21 19:07:15 CET 2011 - jeffm@suse.de + +- Add support for libvirt in usr.sbin.dnsmasq (bnc#666090) + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- apparmor-2.5.1-fix-parser-use-after-free apparmor-utils-support-newer-auditd-formatted-messages fix-two-x-transition-conflict-bugs testsuite-build-fix New: ---- apparmor-2.5-r1445 apparmor-2.5.1-dnsmasq-libvirt-profile-fix apparmor-2.5.1-network-fixes apparmor-utils-inherit-flags-during-profile-generation klog-needs-CAP_SYSLOG ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100 +++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100 
@@ -32,6 +32,9 @@ %define JAR_FILE changeHatValve.jar %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) +%define srcversion 2.5.1 +%define bzr_commit r1445 + Name: apparmor %if ! %{?distro:1}0 %if %{?suse_version:1}0 @@ -45,14 +48,14 @@ %define distro suse %endif Summary: AppArmor userlevel parser utility -Version: 2.5.1 -Release: 2 +Version: %{srcversion}.%{bzr_commit} +Release: 1 Group: Productivity/Networking/Security -Source0: apparmor-%{version}.tar.bz2 +Source0: apparmor-%{srcversion}.tar.bz2 Source1: %{name}-profile-editor.png Source2: %{name}-profile-editor.desktop Source3: update-trans.sh -Patch: testsuite-build-fix +Patch: apparmor-2.5-%{bzr_commit} Patch1: pam-apparmor-include Patch2: mod_apparmor-includes Patch3: tomcat-build-fixes @@ -81,12 +84,15 @@ Patch26: apparmor-2.5.1-edirectory-profile Patch27: apparmor-2.5.1-firefox-proc-fix Patch28: apparmor-2.5.1-unconfined-fixes -Patch29: apparmor-2.5.1-fix-parser-use-after-free +Patch29: apparmor-utils-inherit-flags-during-profile-generation Patch30: apparmor-2.5.1-ldapclient-profile -Patch31: apparmor-utils-support-newer-auditd-formatted-messages -Patch32: fix-two-x-transition-conflict-bugs +#Patch31: +#Patch32: Patch33: apparmor-2.5.1-ntpd-sys_nice Patch34: apparmor-2.5.1-ssl-fix +Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix +Patch36: klog-needs-CAP_SYSLOG +Patch37: apparmor-2.5.1-network-fixes License: GPLv2+ BuildRoot: %{_tmppath}/%{name}-%{version}-build Url: https://launchpad.net/apparmor @@ -157,6 +163,7 @@ Provides: subdomain-parser-common = %{version} Provides: subdomain-leaf-cert = %{version} Provides: libimnxcert = %{version} +Provides: apparmor-parser(CAP_SYSLOG) %description parser The AppArmor Parser is a userlevel program that is used to load in 
@@ -311,6 +318,7 @@ Group: Productivity/Security Obsoletes: subdomain-profiles < %{version} Provides: subdomain-profiles = %{version} +Requires: apparmor-parser(CAP_SYSLOG) %description profiles Base profiles. AppArmor is a file and network mandatory access control @@ -453,7 +461,7 @@ %endif %prep -%setup -q +%setup -q -n %{name}-%{srcversion} %patch -p1 %patch1 -p1 %patch2 -p1 @@ -485,10 +493,11 @@ %patch28 -p1 %patch29 -p1 %patch30 -p1 -%patch31 -p1 -%patch32 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 %build export SUSE_ASNEEDED=0 @@ -658,7 +667,7 @@ %files profiles %defattr(-,root,root) %attr(644, root, root) %config(noreplace) %{profiles_dir}/* -%attr(644, root, root) %config(noreplace) %{extras_dir}/* +%attr(644, root, root) %{extras_dir}/* %dir %{_sysconfdir}/apparmor.d/ %dir %{_sysconfdir}/apparmor/ %dir %{_sysconfdir}/apparmor/profiles ++++++ apparmor-2.5-r1445 ++++++ ++++ 705 lines (skipped) ++++++ apparmor-2.5.1-dnsmasq-libvirt-profile-fix ++++++ From: Jeff Mahoney <jeffm@suse.com> Subject: profiles: Add libvirt pid support to dnsmasq profile References: bnc#666090 libvirt starts up dnsmasq with its pid file in Signed-off-by: Jeff Mahoney <jeffm@suse.com> --- profiles/apparmor.d/usr.sbin.dnsmasq | 6 ++++++ 1 file changed, 6 insertions(+) --- a/profiles/apparmor.d/usr.sbin.dnsmasq +++ b/profiles/apparmor.d/usr.sbin.dnsmasq @@ -8,6 +8,9 @@ capability setgid, capability setuid, capability dac_override, + capability net_admin, # for DHCP server + capability net_raw, # for DHCP server ping checks + network inet raw, /etc/dnsmasq.conf r, /etc/dnsmasq.d/ r, @@ -19,5 +22,8 @@ /var/run/dnsmasq/ r, /var/run/dnsmasq/* rw, + /var/run/libvirt/network/ r, # Required when called by libvirt + /var/run/libvirt/network/*.pid rw, # Required when called by libvirt + /var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage } ++++++ apparmor-2.5.1-network-fixes ++++++ 
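Review bot: `capability net_admin,` and `network inet raw,` are granted to every confined dnsmasq instance, although the inline comments scope them to the DHCP-server role; an AppArmor profile has no per-invocation conditional, so a DNS-only dnsmasq now also carries net_admin and raw inet sockets. A short comment above the new block, e.g. `# DHCP server role: granted to all instances, the profile cannot distinguish modes`, would make the widening deliberate rather than accidental. The `/var/run/libvirt/network/*.pid rw` glob likewise covers every libvirt network's pid file rather than only the one handed to this process; that is presumably unavoidable because libvirt chooses the name, but the comment should say so. The profile block continues outside both hunks.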
From: Jeff Mahoney <jeffm@suse.com> Subject: apparmor: Fix network event parsing References: bnc#665483 The upstream version of AppArmor had network mediation but it was removed. There's a compatibility patch floating around that both openSUSE and Ubuntu have applied to their kernels. Unfortunately, one part was overlooked. The socket operation event names were changed from the socket_ prefixed names they had when AppArmor was out-of-tree and utils/SubDomain.pm was never updated to understand them. This patch adds an operation-type table so that the code can just do an optype($operation) call to discover what type of operation a particular name refers to. It then uses this in place of the socket_ checks to decide whether an event is a network operation. This allows genprof and logprof to work with networking rules again. Signed-off-by: Jeff Mahoney <jeffm@suse.com> --- utils/SubDomain.pm | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 2 deletions(-) --- a/utils/SubDomain.pm +++ b/utils/SubDomain.pm
@@ -233,6 +233,50 @@ my %MODE_HASH = ( N => $AA_EXEC_NT, ); + +# Currently only used by netdomain but there's no reason it couldn't +# be extended to support other types. +my %operation_types = ( + + # Old socket names + "socket_create", => "net", + "socket_post_create" => "net", + "socket_bind" => "net", + "socket_connect" => "net", + "socket_listen" => "net", + "socket_accept" => "net", + "socket_sendmsg" => "net", + "socket_recvmsg" => "net", + "socket_getsockname" => "net", + "socket_getpeername" => "net", + "socket_getsockopt" => "net", + "socket_setsockopt" => "net", + "socket_shutdown" => "net", + + # New socket names + "create" => "net", + "post_create" => "net", + "bind" => "net", + "connect" => "net", + "listen" => "net", + "accept" => "net", + "sendmsg" => "net", + "recvmsg" => "net", + "getsockname" => "net", + "getpeername" => "net", + "getsockopt" => "net", + "setsockopt" => "net", + "sock_shutdown" => "net", +); + +sub optype($) { + my $op = shift; + my $type = $operation_types{$op}; + + return "unknown" if !defined($type); + return $type; +} + sub debug ($) { my $message = shift; chomp($message); @@ -2911,7 +2955,7 @@ sub add_event_to_tree ($) { } $pid{$child} = $arrayref; push @{$arrayref}, [ "fork", $child, $profile, $hat ]; - } elsif ($e->{operation} =~ m/socket_/) { + } elsif (optype($e->{operation}) eq "net") { add_to_tree( $e->{pid}, $e->{parent}, "netdomain", @@ -6620,7 +6664,7 @@ sub parse_event($) { LibAppArmor::aa_log_record::swig_magic_token_get($event); # NetDomain - if ( $ev{'operation'} && $ev{'operation'} =~ /socket/ ) { + if ( $ev{'operation'} && optype($ev{'operation'}) eq "net" ) { $ev{'family'} = LibAppArmor::aa_log_record::swig_net_family_get($event); $ev{'protocol'} = ++++++ apparmor-2.5.1-unconfined-fixes ++++++ --- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100 +++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100 
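Review bot: `"socket_create", => "net",` in the %operation_types initializer carries a stray comma before the fat comma; Perl tolerates the resulting empty list element, but it should read `"socket_create" => "net",` so the table stays uniform and a later reformat cannot mis-pair keys and values. optype() also indexes the hash with whatever it receives, and the call in add_event_to_tree appears to lack the `$ev{'operation'} &&` guard that parse_event uses, so an undefined operation would emit an uninitialized-value warning; `return "unknown" unless defined $op;` as the first line of optype would cover both callers. The bare names `"create"`, `"bind"`, `"connect"`, `"listen"` and `"accept"` now classify any event carrying that operation string as a network event, which is presumably only correct while no other mediation type emits those names — a comment on the table recording that assumption would help the next maintainer. The enclosing add_event_to_tree and parse_event bodies continue outside their hunks.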
@@ -35,23 +35,3 @@ # just convert new null profile style names to old before we begin processing # profile and name can contain multiple layers of null- but all we care about # currently is single level. -@@ -6625,10 +6632,15 @@ sub parse_event($) { - LibAppArmor::free_record($event); - - #map new c and d to w as logprof doesn't support them yet -- $rmask =~ s/c/w/g; -- $rmask =~ s/d/w/g; -- $dmask =~ s/c/w/g; -- $dmask =~ s/d/w/g; -+ if ($rmask) { -+ $rmask =~ s/c/w/g; -+ $rmask =~ s/d/w/g; -+ } -+ -+ if ($dmask) { -+ $dmask =~ s/c/w/g; -+ $dmask =~ s/d/w/g; -+ } - - if ($rmask && !validate_log_mode(hide_log_mode($rmask))) { - fatal_error(sprintf(gettext('Log contains unknown mode %s.'), ++++++ apparmor-2.5.1-unified-build ++++++ --- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100 +++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100 
@@ -43,6 +43,94 @@ libraries/libapparmor/config.guess | 1502 - libraries/libapparmor/config.sub | 1714 - libraries/libapparmor/configure |13962 ---------- + AUTHORS | 1 + ChangeLog | 1 + INSTALL | 365 + Makefile.am | 2 + NEWS | 1 + README | 1 + changehat/Makefile.am | 1 + changehat/mod_apparmor/Makefile.am | 19 + changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216 + changehat/pam_apparmor/COPYING | 39 + changehat/pam_apparmor/Makefile.am | 9 + changehat/pam_apparmor/pam_apparmor.changes | 49 + changehat/pam_apparmor/pam_apparmor.spec.in | 83 + changehat/tomcat_apparmor/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2 + changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13 + changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11 + changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17 + config.rpath | 666 + configure.in | 220 + deprecated/Makefile.am | 2 + deprecated/management/Makefile.am | 1 + deprecated/management/apparmor-dbus/Makefile.am | 2 + deprecated/management/apparmor-dbus/src/Makefile.am | 3 + deprecated/management/applets/Makefile.am | 1 + deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258 + deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8 + deprecated/management/profile-editor/Makefile.am | 2 + deprecated/management/profile-editor/src/Makefile.am | 6 + deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4 + libraries/Makefile.am | 1 + libraries/libapparmor/AUTHORS | 2 + libraries/libapparmor/ChangeLog | 1 + libraries/libapparmor/INSTALL | 236 + libraries/libapparmor/NEWS | 1 + libraries/libapparmor/README | 1 + libraries/libapparmor/autogen.sh | 42 + libraries/libapparmor/compile | 143 + libraries/libapparmor/config.guess | 1502 - + 
libraries/libapparmor/config.sub | 1714 - + libraries/libapparmor/configure |13962 ---------- + AUTHORS | 1 + ChangeLog | 1 + INSTALL | 365 + Makefile.am | 2 + NEWS | 1 + README | 1 + changehat/Makefile.am | 1 + changehat/mod_apparmor/Makefile.am | 19 + changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216 + changehat/pam_apparmor/COPYING | 39 + changehat/pam_apparmor/Makefile.am | 9 + changehat/pam_apparmor/pam_apparmor.changes | 49 + changehat/pam_apparmor/pam_apparmor.spec.in | 83 + changehat/tomcat_apparmor/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2 + changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13 + changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11 + changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1 + changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17 + config.rpath | 666 + configure.in | 220 + deprecated/Makefile.am | 2 + deprecated/management/Makefile.am | 1 + deprecated/management/apparmor-dbus/Makefile.am | 2 + deprecated/management/apparmor-dbus/src/Makefile.am | 3 + deprecated/management/applets/Makefile.am | 1 + deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30 + deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258 + deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8 + deprecated/management/profile-editor/Makefile.am | 2 + deprecated/management/profile-editor/src/Makefile.am | 6 + deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4 + libraries/Makefile.am | 1 + libraries/libapparmor/AUTHORS | 2 + libraries/libapparmor/ChangeLog | 1 + libraries/libapparmor/INSTALL | 236 + libraries/libapparmor/NEWS | 1 + libraries/libapparmor/README | 1 + libraries/libapparmor/autogen.sh | 42 + libraries/libapparmor/compile | 143 + libraries/libapparmor/config.guess | 1502 - + libraries/libapparmor/config.sub | 1714 - + libraries/libapparmor/configure |13962 
---------- libraries/libapparmor/doc/Makefile.am | 14 libraries/libapparmor/install-sh | 520 libraries/libapparmor/libapparmor1.spec | 178 @@ -64,8 +152,8 @@ m4/wxwidgets.m4 | 37 parser/Makefile.am | 81 parser/libapparmor_re/Makefile.am | 4 - parser/libapparmor_re/regexp.y | 2800 -- - parser/libapparmor_re/regexp.yy | 2800 ++ + parser/libapparmor_re/regexp.y | 2802 -- + parser/libapparmor_re/regexp.yy | 2802 ++ parser/parser_alias.c | 1 parser/parser_main.c | 3 parser/parser_policy.c | 1 @@ -80,7 +168,7 @@ utils/Makefile.PL | 15 utils/Makefile.am | 39 utils/po/Makefile | 8 - 81 files changed, 4902 insertions(+), 22094 deletions(-) + 81 files changed, 4904 insertions(+), 22096 deletions(-) --- /dev/null +++ b/AUTHORS @@ -21585,7 +21673,7 @@ +libapparmor_re_la_SOURCES = regexp.yy --- a/parser/libapparmor_re/regexp.y +++ /dev/null -@@ -1,2800 +0,0 @@ +@@ -1,2802 +0,0 @@ -/* - * regexp.y -- Regular Expression Matcher Generator - * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de> @@ -22308,17 +22396,19 @@ - Node *i = t->child[!dir]; - for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) { - if (t->child[dir]->eq(i->child[dir])) { +- Node *old = t; - t->child[!dir]->dup(); -- t->release(); - t = t->child[!dir]; +- old->release(); - continue; - } - } - // last altnode of chain check other dir as well - if (t->child[dir]->eq(p->child[!dir])) { +- Node *old = t; - t->child[!dir]->dup(); -- t->release(); - t = t->child[!dir]; +- old->release(); - continue; - } - 
@@ -24169,9 +24259,9 @@ -#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1) -MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; -DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; --#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2) --MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/ --ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/ +-#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */ +-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/ +-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/ - -extern "C" void aare_reset_matchflags(void) -{ @@ -24232,8 +24322,8 @@ - flip_tree(tree); - - --/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */ --#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f) +-/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */ +-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f) - -//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS)) -// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]); @@ -24388,7 +24478,7 @@ -} --- /dev/null +++ b/parser/libapparmor_re/regexp.yy -@@ -0,0 +1,2800 @@ +@@ -0,0 +1,2802 @@ +/* + * regexp.y -- Regular Expression Matcher Generator + * (C) 2006, 2007 Andreas Gruenbacher <agruen@suse.de> 
@@ -25111,17 +25201,19 @@ + Node *i = t->child[!dir]; + for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) { + if (t->child[dir]->eq(i->child[dir])) { ++ Node *old = t; + t->child[!dir]->dup(); -+ t->release(); + t = t->child[!dir]; ++ old->release(); + continue; + } + } + // last altnode of chain check other dir as well + if (t->child[dir]->eq(p->child[!dir])) { ++ Node *old = t; + t->child[!dir]->dup(); -+ t->release(); + t = t->child[!dir]; ++ old->release(); + continue; + } + @@ -26972,9 +27064,9 @@ +#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1) +MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; +DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE]; -+#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2) -+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/ -+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/ ++#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */ ++MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/ ++ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/ + +extern "C" void aare_reset_matchflags(void) +{ @@ -27035,8 +27127,8 @@ + flip_tree(tree); + + -+/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */ -+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f) ++/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */ ++#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f) + +//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS)) +// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]); ++++++ apparmor-no-caching-test ++++++ --- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100 +++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100 
@@ -7,9 +7,9 @@ @@ -12,7 +12,7 @@ endif all: tests - .PHONY: tests error_output parser_sanity caching --tests: error_output parser_sanity caching -+tests: error_output parser_sanity + .PHONY: tests error_output gen_xtrans parser_sanity caching +-tests: error_output gen_xtrans parser_sanity caching ++tests: error_output gen_xtrans parser_sanity - error_output: $(PARSER) - $(PARSER) -S -I errors >/dev/null errors/okay.sd + gen_xtrans: + perl ./gen-xtrans.pl ++++++ apparmor-utils-inherit-flags-during-profile-generation ++++++ From: Jeff Mahoney <jeffm@suse.com> Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles References: bnc#496204 When creating profiles with cx subprofiles, genprof will set the sub-profile in enforce mode. When genprof cycles multiple times, it prohibits the sub-profile from working correctly. e.g. # Last Modified: Mon Jan 24 13:52:26 2011 #include <tunables/global> /home/jeffm/mycat flags=(complain) { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/consoles> /bin/bash ix, /bin/cat cx, /home/jeffm/mycat r, profile /bin/cat { #include <abstractions/base> /bin/cat r, /home/jeffm/mycat r, } } This patch allows sub-profiles to inherit the flags from the parent profile, which allows it to be created in complain mode (if appropriate). The temporary complain flags are cleaned up at genprof completion as expected. This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204 Signed-off-by: Jeff Mahoney <jeffm@suse.com> --- utils/SubDomain.pm | 6 ++++++ 1 file changed, 6 insertions(+) --- a/utils/SubDomain.pm +++ b/utils/SubDomain.pm 
@@ -2337,6 +2337,12 @@ sub handlechildren { # we have seen more than a declaration so clear it $sd{$profile}{$hat}{'declared'} = 0; $sd{$profile}{$hat}{profile} = 1; + + # Otherwise sub-profiles end up getting + # put in enforce mode with genprof + $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat; + + $sd{$profile}{$hat}{flags} = 'complain'; $sd{$profile}{$hat}{allow}{path} = { }; $sd{$profile}{$hat}{allow}{netdomain} = { }; my $file = $sd{$profile}{$profile}(unknown); ++++++ klog-needs-CAP_SYSLOG ++++++ --- parser/parser_misc.c | 4 ++++ profiles/apparmor.d/sbin.klogd | 1 + 2 files changed, 5 insertions(+) --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -122,6 +122,9 @@ static int get_table_token(const char *n static struct keyword_table capability_table[] = { /* capabilities */ #include "cap_names.h" +#ifndef CAP_SYSLOG + {"syslog", 34}, +#endif /* terminate */ {NULL, 0} }; @@ -820,6 +823,7 @@ static const char *capnames[] = { "audit_control", "setfcap", "mac_override" + "syslog", }; const char *capability_to_name(unsigned int cap) --- a/profiles/apparmor.d/sbin.klogd +++ b/profiles/apparmor.d/sbin.klogd @@ -15,6 +15,7 @@ #include <abstractions/base> capability sys_admin, + capability syslog, network inet stream, ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
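Review bot: The unconditional `$sd{$profile}{$hat}{flags} = 'complain';` added two lines below the inheritance assignment overwrites it, so as far as the hunk shows `$sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;` has no lasting effect and a sub-profile always ends up in complain mode whatever the parent's flags are. If the intent is inheritance, as the commit message states, the 'complain' line should go; if genprof always wants complain mode during profiling and strips it on completion, the inheritance line is dead and the comment should say `# genprof runs hats in complain mode; the flag is stripped when profiling completes`. Carrying both assignments leaves the reader unsure which behaviour is meant. The enclosing handlechildren body continues outside the hunk on both sides.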
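Review bot: `{"syslog", 34},` hard-codes the capability number without saying why a fallback entry exists at all; a comment such as `/* CAP_SYSLOG is missing from headers older than 2.6.38; value must match cap_names.h */` would record that. When CAP_SYSLOG is defined the entry presumably comes from the generated cap_names.h instead, so the `#ifndef` guard prevents a duplicate row but not a drift between the two sources if the header's value ever differs; keeping the literal next to the guard and documenting it is the only visible defence. capability_table is shown in full in this hunk, from its head to the `{NULL, 0}` terminator.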
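Review bot: `"syslog",` is appended directly after `"mac_override"`, which has no trailing comma, so the compiler concatenates the two adjacent string literals into a single element `"mac_overridesyslog"` and the capnames array gains no entry for the new capability. capability_to_name() would then return the wrong name for mac_override and, depending on how it bounds its index (its body is outside the hunk), read past the end of the array for syslog. Change the two lines to `"mac_override",` and `"syslog",`; giving every element a trailing comma avoids the same trap for the next capability added. The same table-style issue does not affect the `capability syslog,` line in sbin.klogd, which is correct as written.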