Hello community,
here is the log from the commit of package apparmor for openSUSE:Factory
checked in at Tue Jan 25 13:16:44 CET 2011.
--------
--- apparmor/apparmor.changes 2011-01-18 11:55:47.000000000 +0100
+++ /mounts/work_src_done/STABLE/apparmor/apparmor.changes 2011-01-24 20:16:37.000000000 +0100
@@ -1,0 +2,30 @@
+Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de
+
+- Inherit flags in sub-profiles when generating profiles (bnc#496204).
+
+-------------------------------------------------------------------
+Mon Jan 24 01:02:53 CET 2011 - jeffm@suse.de
+
+- Stop treating profiles shipped with the package as config files.
+ - /etc/apparmor.d will still be treated specially.
+- Add support for parsing network operation events (bnc#665483)
+
+-------------------------------------------------------------------
+Mon Jan 24 00:23:35 CET 2011 - jeffm@suse.de
+
+- Fix for sbin.klogd profile using kernel versions >= 2.6.38-rc1.
+
+-------------------------------------------------------------------
+Mon Jan 24 00:11:28 CET 2011 - jeffm@suse.de
+
+- Update to apparmor-2.5 r1445.
+ - Includes 3 of the fixes below.
+ - Several testsuite fixes.
+ - Update for Thunderbird profile.
+
+-------------------------------------------------------------------
+Fri Jan 21 19:07:15 CET 2011 - jeffm@suse.de
+
+- Add support for libvirt in usr.sbin.dnsmasq (bnc#666090)
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
apparmor-2.5.1-fix-parser-use-after-free
apparmor-utils-support-newer-auditd-formatted-messages
fix-two-x-transition-conflict-bugs
testsuite-build-fix
New:
----
apparmor-2.5-r1445
apparmor-2.5.1-dnsmasq-libvirt-profile-fix
apparmor-2.5.1-network-fixes
apparmor-utils-inherit-flags-during-profile-generation
klog-needs-CAP_SYSLOG
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100
+++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100
@@ -32,6 +32,9 @@
%define JAR_FILE changeHatValve.jar
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
+%define srcversion 2.5.1
+%define bzr_commit r1445
+
Name: apparmor
%if ! %{?distro:1}0
%if %{?suse_version:1}0
@@ -45,14 +48,14 @@
%define distro suse
%endif
Summary: AppArmor userlevel parser utility
-Version: 2.5.1
-Release: 2
+Version: %{srcversion}.%{bzr_commit}
+Release: 1
Group: Productivity/Networking/Security
-Source0: apparmor-%{version}.tar.bz2
+Source0: apparmor-%{srcversion}.tar.bz2
Source1: %{name}-profile-editor.png
Source2: %{name}-profile-editor.desktop
Source3: update-trans.sh
-Patch: testsuite-build-fix
+Patch: apparmor-2.5-%{bzr_commit}
Patch1: pam-apparmor-include
Patch2: mod_apparmor-includes
Patch3: tomcat-build-fixes
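Review bot: the snapshot patch is named `apparmor-2.5-%{bzr_commit}` while the tarball it applies to is `apparmor-%{srcversion}.tar.bz2` with `srcversion` 2.5.1, so the "2.5" and "2.5.1" in the two names disagree; either rename the patch to match `%{srcversion}` or add a comment saying it is a bzr snapshot of the 2.5 branch. Embedding the revision in `Version: %{srcversion}.%{bzr_commit}` is fine for rpm ordering (2.5.1.r1445 sorts after 2.5.1 and before a future 2.5.2).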
@@ -81,12 +84,15 @@
Patch26: apparmor-2.5.1-edirectory-profile
Patch27: apparmor-2.5.1-firefox-proc-fix
Patch28: apparmor-2.5.1-unconfined-fixes
-Patch29: apparmor-2.5.1-fix-parser-use-after-free
+Patch29: apparmor-utils-inherit-flags-during-profile-generation
Patch30: apparmor-2.5.1-ldapclient-profile
-Patch31: apparmor-utils-support-newer-auditd-formatted-messages
-Patch32: fix-two-x-transition-conflict-bugs
+#Patch31:
+#Patch32:
Patch33: apparmor-2.5.1-ntpd-sys_nice
Patch34: apparmor-2.5.1-ssl-fix
+Patch35: apparmor-2.5.1-dnsmasq-libvirt-profile-fix
+Patch36: klog-needs-CAP_SYSLOG
+Patch37: apparmor-2.5.1-network-fixes
License: GPLv2+
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: https://launchpad.net/apparmor
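Review bot: `#Patch31:` and `#Patch32:` are left behind as empty commented-out tags with no value; since the matching `%patch31`/`%patch32` lines are removed from %prep, either delete the placeholders or add a comment saying why the numbers are reserved (the changelog's "Includes 3 of the fixes below" is the only hint that the dropped patches landed upstream in r1445).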
@@ -157,6 +163,7 @@
Provides: subdomain-parser-common = %{version}
Provides: subdomain-leaf-cert = %{version}
Provides: libimnxcert = %{version}
+Provides: apparmor-parser(CAP_SYSLOG)
%description parser
The AppArmor Parser is a userlevel program that is used to load in
@@ -311,6 +318,7 @@
Group: Productivity/Security
Obsoletes: subdomain-profiles < %{version}
Provides: subdomain-profiles = %{version}
+Requires: apparmor-parser(CAP_SYSLOG)
%description profiles
Base profiles. AppArmor is a file and network mandatory access control
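Review bot: the `Requires: apparmor-parser(CAP_SYSLOG)` in the profiles subpackage is matched by the `Provides: apparmor-parser(CAP_SYSLOG)` added to the parser subpackage above, which is the right way to express that the shipped profiles now contain a `capability syslog` rule an older parser would reject; a comment next to the Requires naming that rule would make the dependency self-explaining for the next maintainer.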
@@ -453,7 +461,7 @@
%endif
%prep
-%setup -q
+%setup -q -n %{name}-%{srcversion}
%patch -p1
%patch1 -p1
%patch2 -p1
@@ -485,10 +493,11 @@
%patch28 -p1
%patch29 -p1
%patch30 -p1
-%patch31 -p1
-%patch32 -p1
%patch33 -p1
%patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1
%build
export SUSE_ASNEEDED=0
@@ -658,7 +667,7 @@
%files profiles
%defattr(-,root,root)
%attr(644, root, root) %config(noreplace) %{profiles_dir}/*
-%attr(644, root, root) %config(noreplace) %{extras_dir}/*
+%attr(644, root, root) %{extras_dir}/*
%dir %{_sysconfdir}/apparmor.d/
%dir %{_sysconfdir}/apparmor/
%dir %{_sysconfdir}/apparmor/profiles
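Review bot: dropping `%config(noreplace)` from `%{extras_dir}/*` means rpm will overwrite locally edited extra profiles on upgrade instead of keeping them and writing a `.rpmnew`; that matches the changelog entry "Stop treating profiles shipped with the package as config files", but if `%{extras_dir}` lives below /etc the package will also trip rpmlint's non-conffile-in-etc check, so confirm where the directory is before shipping.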
++++++ apparmor-2.5-r1445 ++++++
++++ 705 lines (skipped)
++++++ apparmor-2.5.1-dnsmasq-libvirt-profile-fix ++++++
From: Jeff Mahoney
Subject: profiles: Add libvirt pid support to dnsmasq profile
References: bnc#666090
libvirt starts up dnsmasq with its pid file in
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/usr.sbin.dnsmasq | 6 ++++++
1 file changed, 6 insertions(+)
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -8,6 +8,9 @@
capability setgid,
capability setuid,
capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
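Review bot: the three new rules `capability net_admin,`, `capability net_raw,` and `network inet raw,` widen the profile beyond what the subject ("Add libvirt pid support to dnsmasq profile") and the truncated description announce; net_admin in particular is a broad capability, so the commit message should state which DHCP code path needs each of them, and the subject should mention the capability changes.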
@@ -19,5 +22,8 @@
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
+ /var/run/libvirt/network/ r, # Required when called by libvirt
+ /var/run/libvirt/network/*.pid rw, # Required when called by libvirt
+
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
}
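Review bot: `/var/run/libvirt/network/*.pid rw,` lets any dnsmasq instance write every network's pid file under that directory, not only its own; if the parser in use supports the `owner` qualifier, `owner /var/run/libvirt/network/*.pid rw,` would restrict the write to files dnsmasq itself created, which is all libvirt needs.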
++++++ apparmor-2.5.1-network-fixes ++++++
From: Jeff Mahoney
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compatibility patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names were changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do an optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 46 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -233,6 +233,50 @@ my %MODE_HASH = (
N => $AA_EXEC_NT,
);
+
+# Currently only used by netdomain but there's no reason it couldn't
+# be extended to support other types.
+my %operation_types = (
+
+ # Old socket names
+ "socket_create", => "net",
+ "socket_post_create" => "net",
+ "socket_bind" => "net",
+ "socket_connect" => "net",
+ "socket_listen" => "net",
+ "socket_accept" => "net",
+ "socket_sendmsg" => "net",
+ "socket_recvmsg" => "net",
+ "socket_getsockname" => "net",
+ "socket_getpeername" => "net",
+ "socket_getsockopt" => "net",
+ "socket_setsockopt" => "net",
+ "socket_shutdown" => "net",
+
+ # New socket names
+ "create" => "net",
+ "post_create" => "net",
+ "bind" => "net",
+ "connect" => "net",
+ "listen" => "net",
+ "accept" => "net",
+ "sendmsg" => "net",
+ "recvmsg" => "net",
+ "getsockname" => "net",
+ "getpeername" => "net",
+ "getsockopt" => "net",
+ "setsockopt" => "net",
+ "sock_shutdown" => "net",
+);
+
+sub optype($) {
+ my $op = shift;
+ my $type = $operation_types{$op};
+
+ return "unknown" if !defined($type);
+ return $type;
+}
+
sub debug ($) {
my $message = shift;
chomp($message);
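Review bot: `"socket_create", => "net",` has a stray comma before the fat comma; Perl tolerates consecutive commas in a list, so it parses, but it should read `"socket_create" => "net",` like its neighbours. Two further points on the table: the unprefixed new names (`create`, `bind`, `accept`, ...) are generic words, so they should be checked against the kernel patch's operation string table (note `sock_shutdown` keeps a prefix while the others do not), and `optype` returns "unknown" silently, so an event whose operation name is missing from the table now drops out of the network path without any trace; a `debug()` call in the unknown case would make the next rename easy to spot.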
@@ -2911,7 +2955,7 @@ sub add_event_to_tree ($) {
}
$pid{$child} = $arrayref;
push @{$arrayref}, [ "fork", $child, $profile, $hat ];
- } elsif ($e->{operation} =~ m/socket_/) {
+ } elsif (optype($e->{operation}) eq "net") {
add_to_tree( $e->{pid},
$e->{parent},
"netdomain",
@@ -6620,7 +6664,7 @@ sub parse_event($) {
LibAppArmor::aa_log_record::swig_magic_token_get($event);
# NetDomain
- if ( $ev{'operation'} && $ev{'operation'} =~ /socket/ ) {
+ if ( $ev{'operation'} && optype($ev{'operation'}) eq "net" ) {
$ev{'family'} =
LibAppArmor::aa_log_record::swig_net_family_get($event);
$ev{'protocol'} =
++++++ apparmor-2.5.1-unconfined-fixes ++++++
--- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100
+++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100
@@ -35,23 +35,3 @@
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.
-@@ -6625,10 +6632,15 @@ sub parse_event($) {
- LibAppArmor::free_record($event);
-
- #map new c and d to w as logprof doesn't support them yet
-- $rmask =~ s/c/w/g;
-- $rmask =~ s/d/w/g;
-- $dmask =~ s/c/w/g;
-- $dmask =~ s/d/w/g;
-+ if ($rmask) {
-+ $rmask =~ s/c/w/g;
-+ $rmask =~ s/d/w/g;
-+ }
-+
-+ if ($dmask) {
-+ $dmask =~ s/c/w/g;
-+ $dmask =~ s/d/w/g;
-+ }
-
- if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
- fatal_error(sprintf(gettext('Log contains unknown mode %s.'),
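Review bot: the hunk removed from this patch file is the one that wrapped the `$rmask =~ s/c/w/g` / `$dmask =~ s/d/w/g` substitutions in `if ($rmask)` / `if ($dmask)` guards; nothing on this page says r1445 carries those guards, so confirm they are present in the new base before dropping them here, otherwise `parse_event` goes back to substituting on an undefined mask and emitting uninitialized-value warnings.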
++++++ apparmor-2.5.1-unified-build ++++++
--- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100
+++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100
@@ -43,6 +43,94 @@
libraries/libapparmor/config.guess | 1502 -
libraries/libapparmor/config.sub | 1714 -
libraries/libapparmor/configure |13962 ----------
+ AUTHORS | 1
+ ChangeLog | 1
+ INSTALL | 365
+ Makefile.am | 2
+ NEWS | 1
+ README | 1
+ changehat/Makefile.am | 1
+ changehat/mod_apparmor/Makefile.am | 19
+ changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216
+ changehat/pam_apparmor/COPYING | 39
+ changehat/pam_apparmor/Makefile.am | 9
+ changehat/pam_apparmor/pam_apparmor.changes | 49
+ changehat/pam_apparmor/pam_apparmor.spec.in | 83
+ changehat/tomcat_apparmor/Makefile.am | 1
+ changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2
+ changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13
+ changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11
+ changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1
+ changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17
+ config.rpath | 666
+ configure.in | 220
+ deprecated/Makefile.am | 2
+ deprecated/management/Makefile.am | 1
+ deprecated/management/apparmor-dbus/Makefile.am | 2
+ deprecated/management/apparmor-dbus/src/Makefile.am | 3
+ deprecated/management/applets/Makefile.am | 1
+ deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4
+ deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30
+ deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258
+ deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8
+ deprecated/management/profile-editor/Makefile.am | 2
+ deprecated/management/profile-editor/src/Makefile.am | 6
+ deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4
+ libraries/Makefile.am | 1
+ libraries/libapparmor/AUTHORS | 2
+ libraries/libapparmor/ChangeLog | 1
+ libraries/libapparmor/INSTALL | 236
+ libraries/libapparmor/NEWS | 1
+ libraries/libapparmor/README | 1
+ libraries/libapparmor/autogen.sh | 42
+ libraries/libapparmor/compile | 143
+ libraries/libapparmor/config.guess | 1502 -
+ libraries/libapparmor/config.sub | 1714 -
+ libraries/libapparmor/configure |13962 ----------
+ AUTHORS | 1
+ ChangeLog | 1
+ INSTALL | 365
+ Makefile.am | 2
+ NEWS | 1
+ README | 1
+ changehat/Makefile.am | 1
+ changehat/mod_apparmor/Makefile.am | 19
+ changehat/mod_apparmor/apache2-mod_apparmor.spec.in | 216
+ changehat/pam_apparmor/COPYING | 39
+ changehat/pam_apparmor/Makefile.am | 9
+ changehat/pam_apparmor/pam_apparmor.changes | 49
+ changehat/pam_apparmor/pam_apparmor.spec.in | 83
+ changehat/tomcat_apparmor/Makefile.am | 1
+ changehat/tomcat_apparmor/tomcat_5_0/Makefile.am | 2
+ changehat/tomcat_apparmor/tomcat_5_5/Makefile.am | 13
+ changehat/tomcat_apparmor/tomcat_5_5/build.xml | 11
+ changehat/tomcat_apparmor/tomcat_5_5/src/Makefile.am | 1
+ changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile.am | 17
+ config.rpath | 666
+ configure.in | 220
+ deprecated/Makefile.am | 2
+ deprecated/management/Makefile.am | 1
+ deprecated/management/apparmor-dbus/Makefile.am | 2
+ deprecated/management/apparmor-dbus/src/Makefile.am | 3
+ deprecated/management/applets/Makefile.am | 1
+ deprecated/management/applets/apparmorapplet-gnome/Makefile.am | 4
+ deprecated/management/applets/apparmorapplet-gnome/po/Makefile | 30
+ deprecated/management/applets/apparmorapplet-gnome/po/Makefile.in.in | 258
+ deprecated/management/applets/apparmorapplet-gnome/src/Makefile.am | 8
+ deprecated/management/profile-editor/Makefile.am | 2
+ deprecated/management/profile-editor/src/Makefile.am | 6
+ deprecated/management/profile-editor/src/wxStyledTextCtrl/Makefile.am | 4
+ libraries/Makefile.am | 1
+ libraries/libapparmor/AUTHORS | 2
+ libraries/libapparmor/ChangeLog | 1
+ libraries/libapparmor/INSTALL | 236
+ libraries/libapparmor/NEWS | 1
+ libraries/libapparmor/README | 1
+ libraries/libapparmor/autogen.sh | 42
+ libraries/libapparmor/compile | 143
+ libraries/libapparmor/config.guess | 1502 -
+ libraries/libapparmor/config.sub | 1714 -
+ libraries/libapparmor/configure |13962 ----------
libraries/libapparmor/doc/Makefile.am | 14
libraries/libapparmor/install-sh | 520
libraries/libapparmor/libapparmor1.spec | 178
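Review bot: the same 44-line diffstat block, from `AUTHORS | 1` through `libraries/libapparmor/configure |13962 ----------`, is inserted twice in this hunk, one copy directly after the other, so the patch header now lists every file a second and third time alongside the retained context; `patch` ignores the stat block, but this is noise from regenerating the patch and one copy should be removed.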
@@ -64,8 +152,8 @@
m4/wxwidgets.m4 | 37
parser/Makefile.am | 81
parser/libapparmor_re/Makefile.am | 4
- parser/libapparmor_re/regexp.y | 2800 --
- parser/libapparmor_re/regexp.yy | 2800 ++
+ parser/libapparmor_re/regexp.y | 2802 --
+ parser/libapparmor_re/regexp.yy | 2802 ++
parser/parser_alias.c | 1
parser/parser_main.c | 3
parser/parser_policy.c | 1
@@ -80,7 +168,7 @@
utils/Makefile.PL | 15
utils/Makefile.am | 39
utils/po/Makefile | 8
- 81 files changed, 4902 insertions(+), 22094 deletions(-)
+ 81 files changed, 4904 insertions(+), 22096 deletions(-)
--- /dev/null
+++ b/AUTHORS
@@ -21585,7 +21673,7 @@
+libapparmor_re_la_SOURCES = regexp.yy
--- a/parser/libapparmor_re/regexp.y
+++ /dev/null
-@@ -1,2800 +0,0 @@
+@@ -1,2802 +0,0 @@
-/*
- * regexp.y -- Regular Expression Matcher Generator
- * (C) 2006, 2007 Andreas Gruenbacher
@@ -22308,17 +22396,19 @@
- Node *i = t->child[!dir];
- for (;dynamic_cast(i); p = i, i = i->child[!dir]) {
- if (t->child[dir]->eq(i->child[dir])) {
+- Node *old = t;
- t->child[!dir]->dup();
-- t->release();
- t = t->child[!dir];
+- old->release();
- continue;
- }
- }
- // last altnode of chain check other dir as well
- if (t->child[dir]->eq(p->child[!dir])) {
+- Node *old = t;
- t->child[!dir]->dup();
-- t->release();
- t = t->child[!dir];
+- old->release();
- continue;
- }
-
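Review bot: the rename of regexp.y to regexp.yy is carried as a 2802-line delete plus a 2802-line add, so every upstream change to regexp.y (here, `t->release();` moving after the `t = t->child[!dir];` reassignment via `Node *old = t;` / `old->release();`) forces the whole patch to be regenerated and re-reviewed; a `mv` in %prep before the `%patch` calls, or a patch that only touches the `libapparmor_re_la_SOURCES = regexp.yy` Makefile line, would keep this packaging change independent of upstream churn.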
@@ -24169,9 +24259,9 @@
-#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
-MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
--#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
--MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
--ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+-#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
-
-extern "C" void aare_reset_matchflags(void)
-{
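Review bot: the new `#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2)` evaluates to exactly the same value as the old `((AA_EXEC_COUNT << 2) * 2)` (both are AA_EXEC_COUNT * 8), so despite the comment "double for each of ix pux, unsafe x bits" the arrays did not grow, while `EXTRACT_X_INDEX` in the next hunk now masks with 0x7f and can yield indices up to 127; check that AA_EXEC_COUNT * 8 is at least 128, or derive the size from the index width (`0x7f + 1`) so the two cannot drift apart. Also `*2 * 2 * 2` should be spaced `* 2 * 2 * 2`.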
@@ -24232,8 +24322,8 @@
- flip_tree(tree);
-
-
--/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
--#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+-/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
-
-//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
-// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
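Review bot: `EXTRACT_X_INDEX` changes both the shift (`shift + 8` to `shift + 7`) and the mask (`0x3f` to `0x7f`), i.e. the pux bit is read from the position directly below the previous six bits, so every other place that encodes or decodes the x-permission layout must agree on that position and the comment should say which bit pux occupies rather than just listing the count. The commented-out check two lines below, `(!perms & AA_EXEC_BITS)`, has a precedence bug (`!perms` is evaluated before the `&`) and would misbehave if ever re-enabled; fix it to `!(perms & AA_EXEC_BITS)` or delete the dead line.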
@@ -24388,7 +24478,7 @@
-}
--- /dev/null
+++ b/parser/libapparmor_re/regexp.yy
-@@ -0,0 +1,2800 @@
+@@ -0,0 +1,2802 @@
+/*
+ * regexp.y -- Regular Expression Matcher Generator
+ * (C) 2006, 2007 Andreas Gruenbacher
@@ -25111,17 +25201,19 @@
+ Node *i = t->child[!dir];
+ for (;dynamic_cast(i); p = i, i = i->child[!dir]) {
+ if (t->child[dir]->eq(i->child[dir])) {
++ Node *old = t;
+ t->child[!dir]->dup();
-+ t->release();
+ t = t->child[!dir];
++ old->release();
+ continue;
+ }
+ }
+ // last altnode of chain check other dir as well
+ if (t->child[dir]->eq(p->child[!dir])) {
++ Node *old = t;
+ t->child[!dir]->dup();
-+ t->release();
+ t = t->child[!dir];
++ old->release();
+ continue;
+ }
+
@@ -26972,9 +27064,9 @@
+#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
+MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
+DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-+#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
++#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
++MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
++ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
+
+extern "C" void aare_reset_matchflags(void)
+{
@@ -27035,8 +27127,8 @@
+ flip_tree(tree);
+
+
-+/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
++/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
++#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
+
+//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
+// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
++++++ apparmor-no-caching-test ++++++
--- /var/tmp/diff_new_pack.MYf8zX/_old 2011-01-25 13:16:30.000000000 +0100
+++ /var/tmp/diff_new_pack.MYf8zX/_new 2011-01-25 13:16:30.000000000 +0100
@@ -7,9 +7,9 @@
@@ -12,7 +12,7 @@ endif
all: tests
- .PHONY: tests error_output parser_sanity caching
--tests: error_output parser_sanity caching
-+tests: error_output parser_sanity
+ .PHONY: tests error_output gen_xtrans parser_sanity caching
+-tests: error_output gen_xtrans parser_sanity caching
++tests: error_output gen_xtrans parser_sanity
- error_output: $(PARSER)
- $(PARSER) -S -I errors >/dev/null errors/okay.sd
+ gen_xtrans:
+ perl ./gen-xtrans.pl
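Review bot: this patch removes `caching` from the default `tests` target, which silently drops a test from the build-time test run; the patch file carries no header explaining why the caching test cannot run in the build environment, so add one so the next person updating the package knows whether it can be re-enabled. Keeping `caching` in `.PHONY` is correct, since the target can still be invoked explicitly.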
++++++ apparmor-utils-inherit-flags-during-profile-generation ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include
/home/jeffm/mycat flags=(complain) {
  #include
  #include
  #include
  /bin/bash ix,
  /bin/cat cx,
  /home/jeffm/mycat r,
  profile /bin/cat {
    #include
    /bin/cat r,
    /home/jeffm/mycat r,
  }
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 6 ++++++
1 file changed, 6 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2337,6 +2337,12 @@ sub handlechildren {
# we have seen more than a declaration so clear it
$sd{$profile}{$hat}{'declared'} = 0;
$sd{$profile}{$hat}{profile} = 1;
+
+ # Otherwise sub-profiles end up getting
+ # put in enforce mode with genprof
+ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
+
+ $sd{$profile}{$hat}{flags} = 'complain';
$sd{$profile}{$hat}{allow}{path} = { };
$sd{$profile}{$hat}{allow}{netdomain} = { };
my $file = $sd{$profile}{$profile}(unknown);
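Review bot: the added conditional `$sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;` is dead code, because the line added two lines later, `$sd{$profile}{$hat}{flags} = 'complain';`, overwrites the flags unconditionally for every profile and hat; nothing is actually inherited, and an enforce-mode parent gets complain-mode children. Either drop the unconditional assignment or guard it so it only applies where the inherit line did not (for example `... = 'complain' if $profile eq $hat;`), so the behaviour matches the description "inherit the flags from the parent profile".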
++++++ klog-needs-CAP_SYSLOG ++++++
---
parser/parser_misc.c | 4 ++++
profiles/apparmor.d/sbin.klogd | 1 +
2 files changed, 5 insertions(+)
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -122,6 +122,9 @@ static int get_table_token(const char *n
static struct keyword_table capability_table[] = {
/* capabilities */
#include "cap_names.h"
+#ifndef CAP_SYSLOG
+ {"syslog", 34},
+#endif
/* terminate */
{NULL, 0}
};
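Review bot: this patch has no From:/Subject:/References: header explaining why klogd needs `capability syslog` (the changelog entry "Fix for sbin.klogd profile using kernel versions >= 2.6.38-rc1" is the only explanation), unlike the other patches in this update; add one. In the hunk itself, the `#ifndef CAP_SYSLOG` fallback `{"syslog", 34}` hard-codes the capability number so the parser accepts the rule even when built against pre-2.6.38 headers; 34 is the value CAP_SYSLOG has in linux/capability.h, but a comment saying so would save the next reader a lookup.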
@@ -820,6 +823,7 @@ static const char *capnames[] = {
"audit_control",
"setfcap",
"mac_override"
+ "syslog",
};
const char *capability_to_name(unsigned int cap)
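Review bot: the new entry is added after the existing `"mac_override"` without a comma between them, so the C compiler concatenates the two adjacent string literals into a single element `"mac_overridesyslog"`; `capnames[]` ends up one entry short and `capability_to_name()` returns the wrong name for CAP_MAC_OVERRIDE and reads past the table for CAP_SYSLOG. The patch needs a `-`/`+` pair turning `"mac_override"` into `"mac_override",` so that `"syslog",` becomes its own element.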
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@@ -15,6 +15,7 @@
#include
capability sys_admin,
+ capability syslog,
network inet stream,
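Review bot: `capability syslog,` only parses with a parser that knows the name, which is what the `Provides: apparmor-parser(CAP_SYSLOG)` / `Requires: apparmor-parser(CAP_SYSLOG)` pair in the spec enforces at install time; a one-line comment next to the rule saying it is needed for kernels >= 2.6.38-rc1 (per the changelog) would keep that reasoning with the profile rather than only in the package metadata.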
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++