commit apparmor for openSUSE:Factory
Hello community,
here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2018-04-22 14:38:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
and /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor"
Sun Apr 22 14:38:58 2018 rev:114 rq:598829 version:2.13
Changes:
--------
--- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2018-04-17 11:08:44.215105205 +0200
+++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2018-04-22 14:39:02.182277456 +0200
@@ -1,0 +2,50 @@
+Thu Apr 19 22:13:40 UTC 2018 - suse-beta@cboltz.de
+
+- create and package precompiled cache (/usr/share/apparmor/cache,
+ read-only) (boo#1069906, boo#1074429)
+- change (writeable) cache directory to /var/cache/apparmor/ - with the
+ new btrfs layout, the only reason for using /var/lib/apparmor/cache/
+ (which was "it's part of the / subvolume") is gone, and /var/cache
+ makes more sense for the cache
+- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
+ cache locations
+- clear cache also in %post of abstractions package
+
+--------------------------------------------------------------------
+Thu Apr 19 19:14:54 UTC 2018 - suse-beta@cboltz.de
+
+- update to AppArmor 2.13
+ - add support for multiple cache directories and cache overlays
+ (boo#1069906, boo#1074429)
+ - add support for conditional includes in policy
+ - remove group restrictions from aa-notify (boo#1058787)
+ - aa-complain etc.: set flags for profiles represented by a glob
+ - aa-status: split profile from exec name
+ - several profile and abstraction updates
+ - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
+ for the detailed upstream changelog
+- drop upstreamed patches and files:
+ - aa-teardown
+ - apparmor.service
+ - apparmor.systemd
+ - 32-bit-no-uid.diff
+ - disable-cache-on-ro-fs.diff
+ - dovecot-stats.diff
+ - parser-write-cache-warn-only.diff
+ - set-flags-for-profiles-represented-by-glob.patch
+ - fix-regression-in-set-flags.patch
+- drop spec code that handled installing aa-teardown, apparmor.service
+ and apparmor.systemd (now part of upstream Makefile)
+- simplify "make -C profiles parser-check" call (upstream Makefile bug
+ that required to call "cd" was fixed)
+- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
+- move 'exec' symlink to parser package (belongs to aa-exec)
+
+--------------------------------------------------------------------
+Thu Apr 19 11:23:37 UTC 2018 - rgoldwyn@suse.com
+
+- Set flags for profiles represented by glob (bsc#1086154)
+ set-flags-for-profiles-represented-by-glob.patch
+ fix-regression-in-set-flags.patch
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/apparmor/libapparmor.changes 2018-01-01 22:05:43.934928299 +0100
+++ /work/SRC/openSUSE:Factory/.apparmor.new/libapparmor.changes 2018-04-22 14:39:02.222276009 +0200
@@ -1,0 +2,9 @@
+Sun Apr 15 19:02:35 UTC 2018 - suse-beta@cboltz.de
+
+- update to AppArmor 2.13
+ - add support for multiple cache directories and cache overlays
+ (boo#1069906, boo#1074429)
+ - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
+ for the detailed upstream changelog
+
+-------------------------------------------------------------------
Old:
----
32-bit-no-uid.diff
aa-teardown
apparmor-2.12.tar.gz
apparmor-2.12.tar.gz.asc
apparmor.service
apparmor.systemd
disable-cache-on-ro-fs.diff
dovecot-stats.diff
parser-write-cache-warn-only.diff
New:
----
aa-teardown-path.diff
apparmor-2.13.tar.gz
apparmor-2.13.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.SZjlB2/_old 2018-04-22 14:39:02.954249522 +0200
+++ /var/tmp/diff_new_pack.SZjlB2/_new 2018-04-22 14:39:02.958249378 +0200
@@ -35,7 +35,7 @@
%define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR)
Name: apparmor
-Version: 2.12
+Version: 2.13
Release: 0
Summary: AppArmor userlevel parser utility
License: GPL-2.0-or-later
@@ -48,11 +48,9 @@
Source5: update-trans.sh
Source6: baselibs.conf
Source7: apparmor-rpmlintrc
-Source8: apparmor.service
-Source9: apparmor.systemd
-Source10: aa-teardown
# enable caching of profiles (= massive performance speedup when loading profiles)
+# and set cache-loc in parser.conf and apparmor.service accordingly
Patch1: apparmor-enable-profile-cache.diff
# include autogenerated profile sniplet for samba shares (bnc#688040)
@@ -64,17 +62,8 @@
# bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
Patch7: apparmor-lessopen-profile.patch
-# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (fixed upstream 2018-03-07)
-Patch8: 32-bit-no-uid.diff
-
-# make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04)
-Patch9: parser-write-cache-warn-only.diff
-
-# Disable write cache if filesystem is read-only, don't abort (merged upstream 2018-01-16 to 2.10..trunk)
-Patch10: disable-cache-on-ro-fs.diff
-
-# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90)
-Patch11: dovecot-stats.diff
+# install aa-teardown to /usr/sbin, not /sbin (merged upstream 2018-04-15 https://gitlab.com/apparmor/apparmor/merge_requests/97)
+Patch8: aa-teardown-path.diff
PreReq: sed
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -359,14 +348,11 @@
%prep
%setup -q
-%patch1 -p1
+%patch1
%patch2
%patch5 -p1
%patch7
-%patch8 -p1
-%patch9 -p1
-%patch10 -p0
-%patch11 -p1
+%patch8
%build
export SUSE_ASNEEDED=0
@@ -422,6 +408,10 @@
make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME}
%endif
+# pre-build profile cache
+# note that -L only works with an absolute path, therefore prefix it with $(pwd)
+parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/
+
%check
%if %{with python3}
export PYTHON=/usr/bin/python3
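Review bot: the `apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache ...` call added to %build has nothing on its command line that fixes which kernel feature set the packaged cache is compiled for. The `.features` file checked later in %check shows the cache is keyed by a feature set, so a cache built against a set that differs from the running kernel's would be shipped but never used. Consider passing an explicit features file to the parser, and extend the comment to say which kernels the precompiled cache is expected to match.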
@@ -433,9 +423,11 @@
make check -C binutils
# profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks
-# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to switch to make -C
-# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory)
-(cd profiles && make check-parser)
+make -C profiles check-parser
+
+# test for a few files that should exist in the cache
+test -f profiles/cache/*/bin.ping
+test -f profiles/cache/*/.features
make check -C utils
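Review bot: `test -f profiles/cache/*/bin.ping` and `test -f profiles/cache/*/.features` only behave as intended when the glob expands to exactly one directory. If the parser ever writes two feature-set subdirectories, `test -f` receives two operands and fails with a syntax error rather than a clear message, and the build breaks for the wrong reason. A small loop over `profiles/cache/*/` that checks both files in each directory, and fails if there is no directory at all, would make the check robust and the failure readable.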
@@ -459,11 +451,20 @@
%makeinstall -C profiles
+install -d -m 755 %{buildroot}/usr/share/apparmor/cache
+cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache
+test -f %{buildroot}/usr/share/apparmor/cache/*/.features
+test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping
+
%makeinstall -C parser
-# default cache dir is /etc/apparmor.d/cache - not the best location.
+# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location.
# Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it
mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache
( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache )
+# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location
+# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it
+mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor
+( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d )
%if %{with apache}
%makeinstall -C changehat/mod_apparmor
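Review bot: `cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache` carries over whatever ownership and mode the files had in the build tree, and these files are compiled policy that the parser will load into the kernel. Installing them with an explicit mode (for example via `install -m 644`, or `%attr`/`%defattr` in the matching %files entry) makes the packaged permissions independent of the build user's umask. The two `test -f %{buildroot}/usr/share/apparmor/cache/*/...` lines also share the single-match glob assumption of the checks in %check. Separately, the comment block still creates `/var/lib/apparmor/cache` and the `cache` symlink although it now says that location is only the default up to 2.12; a one-line comment stating why it is kept would help the next maintainer.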
@@ -507,18 +508,6 @@
# remove *.la files
rm -fv %{buildroot}%{_libdir}/libapparmor.la
-# Adjust for systemd
-test ! -f %{buildroot}%{_unitdir}/apparmor.service
-install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service
-test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd
-install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix}
-test ! -f %{buildroot}%{_sbindir}/aa-teardown
-install -m0755 %{S:10} %{buildroot}%{_sbindir}
-# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the next 3 lines
-rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor
-rm %{buildroot}/sbin/rcsubdomain
-ln -sf service %{buildroot}/sbin/rcapparmor
-
echo -------------------------------------------------------------------
#find -ls
echo -------------------------------------------------------------------
@@ -542,14 +531,17 @@
%{_bindir}/aa-enabled
%{_bindir}/aa-exec
%{_sbindir}/aa-teardown
+%{_sbindir}/exec
%dir %attr(-, root, root) %{_sysconfdir}/apparmor
%dir %{_sysconfdir}/apparmor.d
%{_sysconfdir}/apparmor.d/cache
+%{_sysconfdir}/apparmor.d/cache.d
/sbin/rcapparmor
%{_unitdir}/apparmor.service
%config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf
%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
%{_localstatedir}/lib/apparmor
+%{_localstatedir}/cache/apparmor
%dir %attr(-, root, root) %{apparmor_bin_prefix}
%{apparmor_bin_prefix}/rc.apparmor.functions
%{apparmor_bin_prefix}/apparmor.systemd
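Review bot: the new `%{_localstatedir}/cache/apparmor` entry is listed without `%dir` and without explicit attributes. This is the writeable cache that parser.conf now points at, so anyone who can write there controls the compiled policy that gets loaded; the directory should be packaged as root-owned and not group- or world-writable, for example `%dir %attr(0755, root, root) %{_localstatedir}/cache/apparmor`, matching how `%{_sysconfdir}/apparmor` is declared a few lines above.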
@@ -560,6 +552,7 @@
%doc %{_mandir}/man5/apparmor.vim.5.gz
%doc %{_mandir}/man5/subdomain.conf.5.gz
%doc %{_mandir}/man7/apparmor.7.gz
+%doc %{_mandir}/man8/aa-teardown.8.gz
%doc %{_mandir}/man8/apparmor_parser.8.gz
%pre parser
@@ -589,6 +582,8 @@
%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
+%dir /usr/share/apparmor/
+/usr/share/apparmor/cache/
/usr/share/apparmor/extra-profiles/
%files utils
@@ -619,7 +614,6 @@
%{_sbindir}/decode
%{_sbindir}/disable
%{_sbindir}/enforce
-%{_sbindir}/exec
%{_sbindir}/genprof
%{_sbindir}/logprof
%{_sbindir}/notify
@@ -741,12 +735,17 @@
%service_del_postun apparmor.service
%post abstractions
+# workaround for bnc#904620#c8 / lp#1392042
+rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
%post profiles
# workaround for bnc#904620#c8 / lp#1392042
+# old cache location up to 2.12
rm -f /var/lib/apparmor/cache/* 2>/dev/null
+# cache location starting with 2.13
+rm -f /var/cache/apparmor/* 2>/dev/null
#restart_on_update apparmor - but non-broken (bnc#853019)
systemctl is-active -q apparmor && systemctl reload apparmor ||:
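Review bot: the added `rm -f /var/cache/apparmor/* 2>/dev/null` lines in both %post scriptlets will not clear a cache that is stored in subdirectories, and the %check tests in this same commit (`profiles/cache/*/bin.ping`) show that the 2.13 parser writes the cache one level down. `rm -f` without `-r` refuses to remove directories and the error is hidden by `2>/dev/null`, so the workaround for bnc#904620#c8 silently stops working for the new location. Use `rm -rf /var/cache/apparmor/*` or `find /var/cache/apparmor -mindepth 1 -delete` for the new path, and keep the old `rm -f` only for `/var/lib/apparmor/cache/`.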
++++++ libapparmor.spec ++++++
--- /var/tmp/diff_new_pack.SZjlB2/_old 2018-04-22 14:39:02.986248364 +0200
+++ /var/tmp/diff_new_pack.SZjlB2/_new 2018-04-22 14:39:02.990248219 +0200
@@ -18,7 +18,7 @@
Name: libapparmor
-Version: 2.12
+Version: 2.13
Release: 0
Summary: Utility library for AppArmor
License: LGPL-2.1-or-later
++++++ aa-teardown-path.diff ++++++
Index: parser/Makefile
===================================================================
--- parser/Makefile.orig 2018-04-15 15:48:53.000000000 +0200
+++ parser/Makefile 2018-04-15 23:21:13.677508654 +0200
@@ -384,8 +384,8 @@ install-systemd:
install -m 755 -d $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR)
install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX)
- install -m 755 -d $(DESTDIR)/sbin
- install -m 755 aa-teardown $(DESTDIR)/sbin
+ install -m 755 -d $(DESTDIR)/usr/sbin
+ install -m 755 aa-teardown $(DESTDIR)/usr/sbin
ifndef VERBOSE
.SILENT: clean
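Review bot: the two replaced lines in `install-systemd` hard-code `$(DESTDIR)/usr/sbin`, while the neighbouring lines use variables (`$(SYSTEMD_UNIT_DIR)`, `$(APPARMOR_BIN_PREFIX)`). A Makefile variable for the sbin directory, defaulting to `/usr/sbin`, would let distributions override the location without carrying a patch like this one.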
++++++ apparmor-2.12.tar.gz -> apparmor-2.13.tar.gz ++++++
/work/SRC/openSUSE:Factory/apparmor/apparmor-2.12.tar.gz /work/SRC/openSUSE:Factory/.apparmor.new/apparmor-2.13.tar.gz differ: char 5, line 1
++++++ apparmor-enable-profile-cache.diff ++++++
--- /var/tmp/diff_new_pack.SZjlB2/_old 2018-04-22 14:39:03.054245904 +0200
+++ /var/tmp/diff_new_pack.SZjlB2/_new 2018-04-22 14:39:03.054245904 +0200
@@ -2,22 +2,45 @@
This speeds up loading the (unchanged) profiles about 20 times.
-Upstream doesn't enable caching because the cache directory is not
+Upstream doesn't enable caching because the cache directory is not
writeable at the time profiles are loaded in Ubuntu.
See also bnc#689458
+Also set the cache location to /var/cache/apparmor/ (writeable) and
+/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust
+the mount requirements in apparmor.service accordingly.
+
+See boo#1069906 and boo#1074429
+
+
Signed-off by: Christian Boltz
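Review bot: the added description makes this one patch responsible for three things (enabling the cache, setting both cache locations, and changing the mount requirements in apparmor.service), while the file is still named apparmor-enable-profile-cache.diff. Splitting the apparmor.service change into its own patch, or at least renaming the file, would make it easier to see which part to drop when upstream changes. The trailer in the context line reads `Signed-off by:`; the conventional spelling is `Signed-off-by:`, which is what tooling looks for.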