Hello community,
here is the log from the commit of package apparmor-utils
checked in at Fri Sep 12 22:52:51 CEST 2008.
--------
--- apparmor-utils/apparmor-utils.changes 2008-06-04 13:59:12.000000000 +0200
+++ apparmor-utils/apparmor-utils.changes 2008-09-12 13:49:41.800328000 +0200
@@ -1,0 +2,5 @@
+Fri Sep 12 13:49:30 CEST 2008 - jjohansen@suse.de
+
+- sync to upstream 2.3.1 bugfix release
+
+-------------------------------------------------------------------
Old:
----
apparmor-utils-2.3-1276.tar.gz
New:
----
apparmor-utils-2.3.1-1296.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor-utils.spec ++++++
--- /var/tmp/diff_new_pack.qP5032/_old 2008-09-12 22:50:52.000000000 +0200
+++ /var/tmp/diff_new_pack.qP5032/_new 2008-09-12 22:50:52.000000000 +0200
@@ -1,10 +1,17 @@
#
-# spec file for package apparmor-utils (Version 2.3)
+# spec file for package apparmor-utils (Version 2.3.1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# This file and all modifications and additions to the pristine
-# package are under the same license as the package itself.
#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
@@ -16,10 +23,10 @@
%define distro suse
%endif
Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles
-Version: 2.3
-Release: 13
+Version: 2.3.1
+Release: 1
Group: Productivity/Security
-Source0: %{name}-%{version}-1276.tar.gz
+Source0: %{name}-%{version}-1296.tar.gz
License: GPL v2 or later; LGPL v2.1 or later
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
@@ -92,6 +99,8 @@
fi
%changelog
+* Fri Sep 12 2008 jjohansen@suse.de
+- sync to upstream 2.3.1 bugfix release
* Wed Jun 04 2008 jjohansen@suse.de
- fix bug where a configuration variable is improperly created/assigned
this causes logprof/genprof and the YaST UI from profiling to fail
++++++ apparmor-utils-2.3-1276.tar.gz -> apparmor-utils-2.3.1-1296.tar.gz ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/apparmor-utils.spec new/apparmor-utils-2.3.1/apparmor-utils.spec
--- old/apparmor-utils-2.3/apparmor-utils.spec 2008-06-04 14:42:28.000000000 +0200
+++ new/apparmor-utils-2.3.1/apparmor-utils.spec 2008-09-12 13:43:29.000000000 +0200
@@ -24,10 +24,10 @@
Summary: AppArmor userlevel utilities that are useful in creating AppArmor profiles.
Name: apparmor-utils
-Version: 2.3
-Release: 1276
+Version: 2.3.1
+Release: 1296
Group: Productivity/Security
-Source0: %{name}-%{version}-1276.tar.gz
+Source0: %{name}-%{version}-1296.tar.gz
License: GPL
BuildRoot: %{?_tmppath:}%{!?_tmppath:/var/tmp}/%{name}-%{version}-build
BuildArch: noarch
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/apparmor.vim new/apparmor-utils-2.3.1/apparmor.vim
--- old/apparmor-utils-2.3/apparmor.vim 2006-04-12 22:31:08.000000000 +0200
+++ new/apparmor-utils-2.3.1/apparmor.vim 2008-06-10 02:30:35.000000000 +0200
@@ -1,4 +1,4 @@
-" $Id: apparmor.vim 10 2006-04-12 20:31:08Z steve-beattie $
+" $Id: apparmor.vim 1289 2008-06-10 00:30:35Z jrjohansen $
"
" ----------------------------------------------------------------------
" Copyright (c) 2005 Novell, Inc. All Rights Reserved.
@@ -38,6 +38,7 @@
"hi sdCap ctermfg=lightblue
"hi sdCapKey cterm=underline ctermfg=lightblue
hi link sdCapKey Label
+hi link sdLimKey Label
hi def link sdEntryR Normal
hi sdError cterm=bold ctermbg=red
hi link sdFlagKey Label
@@ -48,9 +49,11 @@
" that many rules and profiles shouldn't be _extremely_ large...
syn sync fromstart
-syn keyword sdCapKey chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
+syn keyword sdCapKey chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin
syn keyword sdCapDanger sys_admin
+syn keyword sdLimKey cpu fsize data stack core rss nofile ofile as nproc memlock locks sigpending msgqueue nice rtprio
+
syn keyword sdFlagKey complain audit debug
" highlight some invalid syntax
@@ -60,7 +63,7 @@
syn match sdGlob /\v\?|\*|\{.*,.*\}|[[^\]]\+\]/
-syn cluster sdEntry contains=sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryUX,sdCap
+syn cluster sdEntry contains=sdEntryR,sdEntryW,sdEntryIX,sdEntryPX,sdEntryUX,sdCap,sdLim
" unconstrained entry, flag the line red
syn match sdEntryUX /\v^\s*\/\S*\s+(l|r|w|ux)+\s*,(\s*$|(\s*#.*$)\@=)/ contained contains=sdGlob nextgroup=@sdEntry,sdComment,sdError
@@ -74,6 +77,8 @@
syn match sdEntryW /\v^\s*\/\S*\s+(l|r|w)+\s*,(\s*$|(\s*#.*$)\@=)/ contained contains=sdGlob nextgroup=@sdEntry,sdComment,sdError
" Capability line
syn match sdCap /\v^\s*capability\s+\S+\s*,(\s*$|(\s*#.*$)\@=)/ contained contains=sdCapKey,sdCapDanger nextgroup=@sdEntry,sdComment,sdError
+" Rlimits
+syn match sdLim /\v^\s*set\s+rlimit\s+\S+\s*\<\=\s*(|-)[0-9]+(|K|M|G)+\s*,(\s*$|(\s*#.*$)\@=)/ contained contains=sdLimKey nextgroup=@sdEntry,sdComment,sdError
" read entry, no highlighting
syn match sdEntryR /\v^\s*\/\S*\s+[rl]+\s*,(\s*$|(\s*#.*$)\@=)/ contained contains=sdGlob nextgroup=@sdEntry,sdComment,sdError
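Review bot: In the new `sdLim` pattern the `+` applied to `(|K|M|G)` accepts repeated unit suffixes such as `10KM`, and `(|-)` spells an optional sign through an empty alternative; in very-magic mode the optional quantifier `=` says both directly, `-=[0-9]+(K|M|G)=`. Since this only drives highlighting, a value the profile parser rejects is still shown as a valid rlimit line, so if the looser match is intentional a comment on the line would save the next reader from tightening it.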
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/audit.pod new/apparmor-utils-2.3.1/audit.pod
--- old/apparmor-utils-2.3/audit.pod 2007-08-16 00:43:40.000000000 +0200
+++ new/apparmor-utils-2.3.1/audit.pod 2008-06-11 23:19:36.000000000 +0200
@@ -2,15 +2,15 @@
=head1 NAME
-audit - set a AppArmor security profile to I<audit> mode.
+aa-audit - set a AppArmor security profile to I<audit> mode.
=head1 SYNOPSIS
-B [I ...]>
+B [I ...]>
=head1 DESCRIPTION
-B<audit> is used to set the audit mode for one or more profiles to audit.
+B<aa-audit> is used to set the audit mode for one or more profiles to audit.
In this mode security policy is enforced and all access (successes and failures) are logged to the system log.
=head1 BUGS
@@ -20,7 +20,7 @@
=head1 SEE ALSO
-apparmor(7), apparmor.d(5), enforce(1), complain(1), change_hat(2), and
+apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), change_hat(2), and
Lhttp://forge.novell.com/modules/xfmod/project/?apparmor.
=cut
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/autodep.pod new/apparmor-utils-2.3.1/autodep.pod
--- old/apparmor-utils-2.3/autodep.pod 2007-04-03 22:13:35.000000000 +0200
+++ new/apparmor-utils-2.3.1/autodep.pod 2008-06-11 23:19:36.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: autodep.pod 535 2007-04-03 20:13:35Z steve-beattie $
+# $Id: autodep.pod 1290 2008-06-11 21:19:36Z jrjohansen $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
@@ -24,17 +24,17 @@
=head1 NAME
-autodep - guess basic AppArmor profile requirements
+aa-autodep - guess basic AppArmor profile requirements
=head1 SYNOPSIS
-B [I ...]>
+B [I ...]>
=head1 DESCRIPTION
-B<autodep> is used to generate a minimal AppArmor profile for a set of
+B<aa-autodep> is used to generate a minimal AppArmor profile for a set of
executables. This program will generate a profile for binary executable
-as well as interpreted script programs. At a minimum autodep will provide
+as well as interpreted script programs. At a minimum aa-autodep will provide
a base profile containing a base include directive which includes basic
profile entries needed by most programs. The profile is generated by
recursively calling ldd(1) on the executables listed on the command line.
@@ -47,7 +47,7 @@
=head1 SEE ALSO
-apparmor(7), apparmor.d(5), complain(1), enforce(1), change_hat(2), and
+apparmor(7), apparmor.d(5), aa-complain(1), aa-enforce(1), change_hat(2), and
Lhttp://forge.novell.com/modules/xfmod/project/?apparmor.
=cut
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/common/Make.rules new/apparmor-utils-2.3.1/common/Make.rules
--- old/apparmor-utils-2.3/common/Make.rules 2008-04-07 21:37:57.000000000 +0200
+++ new/apparmor-utils-2.3.1/common/Make.rules 2008-09-12 13:40:04.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: Make.rules 1182 2008-04-07 19:37:57Z jrjohansen $
+# $Id: Make.rules 1300 2008-09-12 11:40:04Z jrjohansen $
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
@@ -25,7 +25,7 @@
# directories
DISTRIBUTION=AppArmor
-VERSION=2.3
+VERSION=2.3.1
# OVERRIDABLE variables
# Set these variables before including Make.rules to change its behavior
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/complain.pod new/apparmor-utils-2.3.1/complain.pod
--- old/apparmor-utils-2.3/complain.pod 2007-04-03 22:13:35.000000000 +0200
+++ new/apparmor-utils-2.3.1/complain.pod 2008-06-11 23:19:36.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: complain.pod 535 2007-04-03 20:13:35Z steve-beattie $
+# $Id: complain.pod 1290 2008-06-11 21:19:36Z jrjohansen $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
@@ -24,15 +24,15 @@
=head1 NAME
-complain - set a AppArmor security profile to I<complain> mode.
+aa-complain - set a AppArmor security profile to I<complain> mode.
=head1 SYNOPSIS
-B [I ...]>
+B [I ...]>
=head1 DESCRIPTION
-B<complain> is used to set the enforcement mode for one or more profiles to complain.
+B<aa-complain> is used to set the enforcement mode for one or more profiles to complain.
In this mode security policy is not enforced but rather access violations are logged
to the system log.
@@ -43,7 +43,7 @@
=head1 SEE ALSO
-apparmor(7), apparmor.d(5), enforce(1), change_hat(2), and
+apparmor(7), apparmor.d(5), aa-enforce(1), change_hat(2), and
Lhttp://forge.novell.com/modules/xfmod/project/?apparmor.
=cut
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/enforce.pod new/apparmor-utils-2.3.1/enforce.pod
--- old/apparmor-utils-2.3/enforce.pod 2007-04-03 22:13:35.000000000 +0200
+++ new/apparmor-utils-2.3.1/enforce.pod 2008-06-11 23:19:36.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: enforce.pod 535 2007-04-03 20:13:35Z steve-beattie $
+# $Id: enforce.pod 1290 2008-06-11 21:19:36Z jrjohansen $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
@@ -24,19 +24,19 @@
=head1 NAME
-enforce - set an AppArmor security profile to I<enforce> mode from
+aa-enforce - set an AppArmor security profile to I<enforce> mode from
I<complain> mode.
=head1 SYNOPSIS
-B [I ...]>
+B [I ...]>
=head1 DESCRIPTION
-B<enforce> is used to set the enforcement mode for one or more profiles
+B<aa-enforce> is used to set the enforcement mode for one or more profiles
to I<enforce>. This command is only relevant is conjuction with the
utility I<complain> which sets a profile to complain mode. The default
-mode for a security policy is enforce and the I<complain> utility must
+mode for a security policy is enforce and the I<aa-complain> utility must
be run to change this behavior.
=head1 BUGS
@@ -46,7 +46,7 @@
=head1 SEE ALSO
-apparmor(7), apparmor.d(5), complain(1), change_hat(2), and
+apparmor(7), apparmor.d(5), aa-complain(1), change_hat(2), and
Lhttp://forge.novell.com/modules/xfmod/project/?apparmor.
=cut
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/genprof.pod new/apparmor-utils-2.3.1/genprof.pod
--- old/apparmor-utils-2.3/genprof.pod 2007-04-03 22:13:35.000000000 +0200
+++ new/apparmor-utils-2.3.1/genprof.pod 2008-06-11 23:19:36.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: genprof.pod 535 2007-04-03 20:13:35Z steve-beattie $
+# $Id: genprof.pod 1290 2008-06-11 21:19:36Z jrjohansen $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
@@ -24,11 +24,11 @@
=head1 NAME
-genprof - profile generation utility for AppArmor
+aa-genprof - profile generation utility for AppArmor
=head1 SYNOPSIS
-B [I<-d /path/to/profiles>]>
+B [I<-d /path/to/profiles>]>
=head1 OPTIONS
@@ -40,12 +40,12 @@
=head1 DESCRIPTION
-When running genprof, you must specify a program to profile. If the
-specified program is not a fully-qualified path, genprof will search $PATH
+When running aa-genprof, you must specify a program to profile. If the
+specified program is not a fully-qualified path, aa-genprof will search $PATH
in order to find the program.
-If a profile does not exist for the program, genprof will create one using
-autodep(1).
+If a profile does not exist for the program, aa-genprof will create one using
+aa-autodep(1).
Genprof will then:
@@ -59,17 +59,17 @@
It then presents the user with two options, (S)can system log for entries
to add to profile and (F)inish.
-If the user selects (S)can or hits return, genprof will parse
+If the user selects (S)can or hits return, aa-genprof will parse
the complain mode logs and iterate through generated violations
using logprof(1).
After the user finishes selecting profile entries based on violations
-that were detected during the program execution, genprof will reload
+that were detected during the program execution, aa-genprof will reload
the updated profiles in complain mode and again prompt the user for (S)can and
(D)one. This cycle can then be repeated as neccesary until all application
functionality has been exercised without generating access violations.
-When the user eventually hits (F)inish, genprof will set the main profile,
+When the user eventually hits (F)inish, aa-genprof will set the main profile,
and any other profiles that were generated, into enforce mode and exit.
=head1 BUGS
@@ -79,8 +79,8 @@
=head1 SEE ALSO
-apparmor(7), apparmor.d(5), enforce(1), complain(1), change_hat(2),
-logprof(1), logprof.conf(5), and
+apparmor(7), apparmor.d(5), aa-enforce(1), aa-complain(1), change_hat(2),
+aa-logprof(1), logprof.conf(5), and
Lhttp://forge.novell.com/modules/xfmod/project/?apparmor.
=cut
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/logprof.pod new/apparmor-utils-2.3.1/logprof.pod
--- old/apparmor-utils-2.3/logprof.pod 2007-04-03 22:13:35.000000000 +0200
+++ new/apparmor-utils-2.3.1/logprof.pod 2008-06-11 23:19:36.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: logprof.pod 535 2007-04-03 20:13:35Z steve-beattie $
+# $Id: logprof.pod 1290 2008-06-11 21:19:36Z jrjohansen $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
@@ -24,11 +24,11 @@
=head1 NAME
-logprof - utility program for managing AppArmor security profiles
+aa-logprof - utility program for managing AppArmor security profiles
=head1 SYNOPSIS
-B] [I<-f /path/to/logfile>] [I<-m E<lt>mark in logfileE<gt>>]>
+B] [I<-f /path/to/logfile>] [I<-m E<lt>mark in logfileE<gt>>]>
=head1 OPTIONS
@@ -43,28 +43,28 @@
B< -m --logmark "mark">
- logprof will ignore all events in the system log before the
+ aa-logprof will ignore all events in the system log before the
specified mark is seen. If the mark contains spaces, it must
be surrounded with quotes to work correctly.
=head1 DESCRIPTION
-B<logprof> is an interactive tool used to review AppArmor's
+B<aa-logprof> is an interactive tool used to review AppArmor's
complain mode output and generate new entries for AppArmor security
profiles.
-Running logprof will scan the log file and if there are new AppArmor
+Running aa-logprof will scan the log file and if there are new AppArmor
events that are not covered by the existing profile set, the user will
be prompted with suggested modifications to augment the profile.
-When logprof exits profile changes are saved to disk. If AppArmor is
+When aa-logprof exits profile changes are saved to disk. If AppArmor is
running, the updated profiles are reloaded and if any processes that
generated AppArmor events are still running in the null-complain-profile,
those processes are set to run under their proper profiles.
=head2 Responding to AppArmor Events
-B<logprof> will generate a list of suggested profile changes that
+B<aa-logprof> will generate a list of suggested profile changes that
the user can choose from, or they can create their own, to modifiy the
permission set of the profile so that the generated access violation
will not re-occur.
@@ -92,9 +92,9 @@
path for this event, they'll be informed and have the option to fix it.
If the user selects (G)lob last piece then, taking the currently selected
-option, logprof will remove the last path element and replace it with /*.
+option, aa-logprof will remove the last path element and replace it with /*.
-If the last path element already was /*, logprof will go up a directory
+If the last path element already was /*, aa-logprof will go up a directory
level and replace it with /**.
This new globbed entry is then added to the suggestion list and marked
@@ -103,14 +103,14 @@
So /usr/share/themes/foo/bar/baz.gif can be turned into
/usr/share/themes/** by hitting "g" three times.
-If the user selects (A)llow, logprof will take the current selection
+If the user selects (A)llow, aa-logprof will take the current selection
and add it to the profile, deleting other entries in the profile that
are matched by the new entry.
Adding r access to /usr/share/themes/** would delete an entry for r
access to /usr/share/themes/foo/*.gif if it exists in the profile.
-If (Q)uit is selected at this point, logprof will ignore all new pending
+If (Q)uit is selected at this point, aa-logprof will ignore all new pending
capability and path accesses.
After all of the path accesses have been handled, logrof will write all
@@ -119,14 +119,14 @@
=head2 New Process (Execution) Events
If there are unhandled x accesses generated by the execve(2) of a
-new process, logprof will display the parent profile and the target
+new process, aa-logprof will display the parent profile and the target
program that's being executed and prompt the user to select and execute
modifier. These modifiers will allow a choice for the target to: have it's
own profile (px), inherit the parent's profile (ix), run unconstrained
(ux), or deny access for the target. See apparmor.d(5) for details.
If there is a corresponding entry for the target in the qualifiers
-section of /etc/logprof.conf, the presented list will contain only the
+section of /etc/apparmor/logprof.conf, the presented list will contain only the
allowed modes.
The default option for this question is selected using this logic--
@@ -138,7 +138,7 @@
# else
# deny is default
-logprof will never suggest "ux" as the default.
+aa-logprof will never suggest "ux" as the default.
=head2 ChangeHat Events
@@ -162,7 +162,7 @@
=head1 SEE ALSO
klogd(8), auditd(8), apparmor(7), apparmor.d(5), change_hat(2),
-logprof.conf(5), genprof(1), complain(1), enforce(1), and
+logprof.conf(5), aa-genprof(1), aa-complain(1), aa-enforce(1), and
Lhttp://forge.novell.com/modules/xfmod/project/?apparmor.
=cut
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/SubDomain.pm new/apparmor-utils-2.3.1/SubDomain.pm
--- old/apparmor-utils-2.3/SubDomain.pm 2008-06-04 00:54:55.000000000 +0200
+++ new/apparmor-utils-2.3.1/SubDomain.pm 2008-09-10 11:38:44.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: SubDomain.pm 1273 2008-06-03 22:54:55Z jrjohansen $
+# $Id: SubDomain.pm 1296 2008-09-10 09:38:44Z jrjohansen $
#
# ----------------------------------------------------------------------
# Copyright (c) 2006 Novell, Inc. All Rights Reserved.
@@ -688,8 +688,8 @@
chomp $library;
next unless $library;
- $profile->{allow}{path}->{$library}{mode} = str_to_mode("mr");
- $profile->{allow}{path}->{$library}{audit} = 0;
+ $profile->{allow}{path}->{$library}{mode} |= str_to_mode("mr");
+ $profile->{allow}{path}->{$library}{audit} |= 0;
}
}
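Review bot: `{audit} |= 0` reads as a no-op, and its purpose, creating the key with 0 while leaving an already-stored audit value untouched (the `|=` form does not raise the uninitialized-value warning that a plain `&`/`|` on an undefined value would), is not stated anywhere; the same idiom is introduced at -728, -2248, -2264, -5015 and -5121. A comment on the first occurrence, `# |= 0 creates the audit entry without clobbering one set by an earlier rule`, would keep someone from "simplifying" it back to `= 0`. Switching `{mode}` from `=` to `|=` also changes a second identical rule from replacing to merging bits, which the changelog's "bugfix release" does not describe. The enclosing function starts and ends outside the hunk.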
@@ -728,8 +728,8 @@
my $hashbang = head($fqdbin);
if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
my $interpreter = get_full_path($1);
- $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} = str_to_mode("ix");
- $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} = 0;
+ $profile->{$fqdbin}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");
+ $profile->{$fqdbin}{allow}{path}->{$interpreter}{audit} |= 0;
if ($interpreter =~ /perl/) {
$profile->{$fqdbin}{include}->{"abstractions/perl"} = 1;
} elsif ($interpreter =~ m/\/bin\/(bash|sh)/) {
@@ -2248,7 +2248,7 @@
}
$prelog{PERMITTING}{$profile}{$hat}{path}{$exec_target} |= $exec_mode;
$log{PERMITTING}{$profile} = {};
- $sd{$profile}{$hat}{allow}{path}{$exec_target}{mode} = $exec_mode;
+ $sd{$profile}{$hat}{allow}{path}{$exec_target}{mode} |= $exec_mode;
$sd{$profile}{$hat}{allow}{path}{$exec_target}{audit} |= 0;
$sd{$profile}{$hat}{allow}{path}{$exec_target}{to} = $to_name if ($to_name);
@@ -2264,7 +2264,7 @@
my $hashbang = head($exec_target);
if ($hashbang =~ /^#!\s*(\S+)/) {
my $interpreter = get_full_path($1);
- $sd{$profile}{$hat}{path}->{$interpreter}{mode} = str_to_mode("ix");
+ $sd{$profile}{$hat}{path}->{$interpreter}{mode} |= str_to_mode("ix");
$sd{$profile}{$hat}{path}->{$interpreter}{audit} |= 0;
if ($interpreter =~ /perl/) {
$sd{$profile}{$hat}{include}{"abstractions/perl"} = 1;
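Review bot: The interpreter rule in this hunk is stored under `$sd{$profile}{$hat}{path}`, whereas the exec target in the preceding hunk at -2248 and the equivalent hashbang handling at -728 write to `{allow}{path}`, so the `|=` change here lands on a key the surrounding code does not appear to read. If the profile writer reads only `{allow}{path}`, the interpreter's `ix` entry never reaches the saved profile; the lines would then read `$sd{$profile}{$hat}{allow}{path}->{$interpreter}{mode} |= str_to_mode("ix");` and `$sd{$profile}{$hat}{allow}{path}->{$interpreter}{audit} |= 0;`. The enclosing function starts and ends outside the hunk, so I cannot rule out that `{path}` is a deliberate separate store; a comment saying so would settle it either way.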
@@ -2715,6 +2715,7 @@
}
}
return if ( $sdmode =~ /UNKNOWN|AUDIT|STATUS|ERROR/ );
+ return if ($e->{operation} =~ /profile_set/);
my ($profile, $hat);
($profile, $hat) = split /\/\//, $e->{profile};
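Review bot: The new `profile_set` guard carries no comment and is an unanchored substring match, so a reader cannot tell whether it names one operation or a family of them, nor why such events are discarded before the profile/hat split; a one-line comment such as `# profile_set events report a confinement change, not an access, so there is nothing to add to a profile` (adjusted to the real meaning) would settle it. If `$e->{operation}` can be undefined for some parsed events, the match also emits an uninitialized-value warning under `use warnings`; `return if defined $e->{operation} && $e->{operation} =~ /profile_set/;` avoids that. The enclosing function starts and ends outside the hunk.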
@@ -3628,7 +3629,7 @@
UI_Info(sprintf(gettext('Deleted %s previous matching profile entries.'), $deleted)) if $deleted;
} else {
if ($sd{$profile}{$hat}{allow}{path}{$path}{mode}) {
- $mode = $mode | $sd{$profile}{$hat}{allow}{path}{$path}{mode};
+ $mode |= $sd{$profile}{$hat}{allow}{path}{$path}{mode};
}
my $deleted = 0;
@@ -3658,7 +3659,7 @@
} elsif ($owner_toggle == 3) {
$mode = owner_flatten_mode($mode);
}
- $sd{$profile}{$hat}{allow}{path}{$path}{mode} = $mode;
+ $sd{$profile}{$hat}{allow}{path}{$path}{mode} |= $mode;
my $tmpmode = ($audit_toggle == 1) ? $mode & ~$allow_mode : 0;
$tmpmode = ($audit_toggle == 2) ? $mode : $tmpmode;
$sd{$profile}{$hat}{allow}{path}{$path}{audit} |= $tmpmode;
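Review bot: Switching the store at the changed line to `|=` re-merges whatever the entry already held after `owner_flatten_mode` has transformed `$mode`, so any bits the owner toggle was meant to remove from an existing rule come back from the stored value; the earlier hunk at -3628, apparently in the same function, already folds the stored mode into `$mode` before the toggle runs, which is what made plain `=` authoritative here. If `owner_flatten_mode` only ever adds bits this is harmless, but that is not visible in the diff. The same one-way behaviour applies to `{audit} |= $tmpmode`: with `$audit_toggle` at 0 the audit bits of an existing entry can no longer be cleared. The enclosing function starts and ends outside the hunk.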
@@ -4567,8 +4568,7 @@
my $mode = shift;
my ($user, $other) = split_mode($mode);
-
- my $str = sub_str_to_mode($user) . "::" . sub_str_to_mode($other);
+ my $str = sub_mode_to_str($user) . "::" . sub_mode_to_str($other);
return $str;
}
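Review bot: The fix replaces `sub_str_to_mode` with `sub_mode_to_str`, i.e. the helper was converting in the wrong direction, and nothing in the diff pins the corrected behaviour; a round-trip test through `str_to_mode` and this function, asserting that a mode built from a known string stringifies back to the expected `user::other` form, would keep the two directions from being swapped again. The `$str` temporary can also go: `return sub_mode_to_str($user) . "::" . sub_mode_to_str($other);`. The enclosing function starts outside the hunk.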
@@ -5015,14 +5015,14 @@
my $link = strip_quotes($7);
my $value = strip_quotes($8);
$profile_data->{$profile}{$hat}{$allow}{link}{$link}{to} = $value;
- $profile_data->{$profile}{$hat}{$allow}{link}{$link}{mode} = $AA_MAY_LINK;
+ $profile_data->{$profile}{$hat}{$allow}{link}{$link}{mode} |= $AA_MAY_LINK;
if ($subset) {
- $profile_data->{$profile}{$hat}{$allow}{link}{$link}{mode} = $AA_LINK_SUBSET;
+ $profile_data->{$profile}{$hat}{$allow}{link}{$link}{mode} |= $AA_LINK_SUBSET;
}
if ($audit) {
- $profile_data->{$profile}{$hat}{$allow}{link}{$link}{audit} = $AA_LINK_SUBSET;
+ $profile_data->{$profile}{$hat}{$allow}{link}{$link}{audit} |= $AA_LINK_SUBSET;
} else {
- $profile_data->{$profile}{$hat}{$allow}{link}{$link}{audit} = 0;
+ $profile_data->{$profile}{$hat}{$allow}{link}{$link}{audit} |= 0;
}
} elsif (m/^\s*change_profile\s+->\s*("??.+?"??),(#.*)?$/) { # for now just keep change_profile
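Review bot: With `|=` the audit field of a link rule can only gain bits: the `else` branch's `{audit} |= 0` is a no-op, so a later non-audit `link` rule for the same `$link`, or a re-parse after the user has removed `audit`, no longer clears a previously set audit mode; the path rules in the hunk at -5121 have the same property. Separately, the audit branch stores `$AA_LINK_SUBSET` whether or not `$subset` is set, while the path rule at -5121 stores the rule's own mode in `{audit}`; if audit bits are meant to mirror the rule's mode, the line should be `$profile_data->{$profile}{$hat}{$allow}{link}{$link}{audit} |= $subset ? $AA_LINK_SUBSET : $AA_MAY_LINK;`. Whether merging across duplicate rules is intended is not stated in the diff; a comment on the first `|=` saying so would help. The enclosing function starts and ends outside the hunk.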
@@ -5121,12 +5121,13 @@
} else {
$tmpmode = str_to_mode($mode);
}
- $profile_data->{$profile}{$hat}{$allow}{path}{$path}{mode} = $tmpmode;
+
+ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{mode} |= $tmpmode;
$profile_data->{$profile}{$hat}{$allow}{path}{$path}{to} = $nt_name if $nt_name;
if ($audit) {
- $profile_data->{$profile}{$hat}{$allow}{path}{$path}{audit} = $tmpmode;
+ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{audit} |= $tmpmode;
} else {
- $profile_data->{$profile}{$hat}{$allow}{path}{$path}{audit} = 0;
+ $profile_data->{$profile}{$hat}{$allow}{path}{$path}{audit} |= 0;
}
} elsif (m/^\s*#include <(.+)>\s*$/) { # include stuff
my $include = $1;
@@ -5159,15 +5160,15 @@
$profile_data->{$profile}{$hat}{$allow}{netdomain}{rule} = { };
}
- if ( $network =~ /\s+(\S+)\s*,\s*(#.*)?$/ ) {
- my $fam = $1;
- $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{$fam} = 1;
- $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
- } elsif ($network =~ /\s+(\S+)\s+(\S+)\s*,\s*(#.*)?$/ ) {
+ if ($network =~ /\s+(\S+)\s+(\S+)\s*,\s*(#.*)?$/ ) {
my $fam = $1;
my $type = $2;
$profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{$fam}{$type} = 1;
$profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam}{$type} = $audit;
+ } elsif ( $network =~ /\s+(\S+)\s*,\s*(#.*)?$/ ) {
+ my $fam = $1;
+ $profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{$fam} = 1;
+ $profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{$fam} = $audit;
} else {
$profile_data->{$profile}{$hat}{$allow}{netdomain}{rule}{all} = 1;
$profile_data->{$profile}{$hat}{$allow}{netdomain}{audit}{all} = 1;
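Review bot: Reordering the two regexes fixes the mis-parse of `family type` rules, but the two branches still store incompatible shapes under the same key: the family-only branch sets `rule{$fam} = 1` while the family+type branch autovivifies `rule{$fam}{$type}`. A profile listing `network inet,` before `network inet stream,` then dies with `Can't use string ("1") as a HASH ref` under strict refs, and in the opposite order the scalar assignment silently discards the type hash; `netrules_access_check` in the hunk at -5979 relies on `== 1` meaning "whole family". One fix is to skip the `{$type}` write when `rule{$fam}` is already `1` (the family rule covers every type) and to have the family-only branch overwrite a type hash deliberately, with a comment stating the scalar-versus-hash convention. Both regexes are also unanchored at the start, which is fine only if `$network` never carries anything before the family token. The enclosing function starts and ends outside the hunk.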
@@ -5189,7 +5190,7 @@
$profile_data->{$profile}{$hat}{'declared'} = 1
unless exists($profile_data->{$profile}{$hat}{declared});
- } elsif (m/^\s*\^(\"??.+?\"??)\s+(flags=\(.+\)\s+)*\{\s*(#.*)?$/) {
+ } elsif (m/^\s*\^(\"??.+?\"??)\s+((flags=)?\((.+)\)\s+)*\{\s*(#.*)?$/) {
if ($do_include) {
die "include <$file> contains syntax errors.";
}
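Review bot: The new hat regex renumbers the captures, and the `$flags = $3` to `$4` change it forces lives two hunks later at -5207; a named capture, `((flags=)?\((?<flags>.+)\)\s+)*` read as `$+{flags}`, makes both hunks independent of group counting. Because the flag group carries `*`, only the last repetition's text survives in the capture, and when it matches zero times the -5207 line stores undef in `{flags}`; if hats without flags are meant to get an empty flag set, `$+{flags} // ''` would make that explicit. The enclosing function starts and ends outside the hunk.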
@@ -5207,14 +5208,13 @@
# we hit the start of a hat inside the current profile
$hat = $1;
- my $flags = $3;
+ my $flags = $4;
# strip quotes.
$hat = $1 if $hat =~ /^"(.+)"$/;
# keep track of profile flags
$profile_data->{$profile}{$hat}{flags} = $flags;
-
# we have seen more than a declaration so clear it
$profile_data->{$profile}{$hat}{'declared'} = 0;
$profile_data->{$profile}{$hat}{allow}{path} = { };
@@ -5609,85 +5609,63 @@
my $tail = "";
$tail = " -> " . $profile_data->{$allow}{path}{$path}{to} if ($profile_data->{$allow}{path}{$path}{to});
my ($user, $other) = split_mode($mode);
- if ($user & ~$other) {
- $user = $user & ~$other;
- $mode = $other;
-
- if ($user & $audit) {
- my $amode = $user & $audit;
- my $modestr = mode_to_str_user($amode);
- my $str = $allowstr;
- $str .= "owner " if $modestr =~ s/owner //;
- if ($path =~ /\s/) {
- push @data, "${pre}audit ${str}\"$path\" ${modestr}${tail},";
- } else {
- push @data, "${pre}audit ${str}$path ${modestr}${tail},";
- }
- # mask off the bits we have already written
- $user &= ~$audit;
- }
- if ($user) {
- my $modestr = mode_to_str_user($user & ~$audit);
- my $str = $allowstr;
- $str .= "owner " if $modestr =~ s/owner //;
+ my ($user_audit, $other_audit) = split_mode($audit);
+ # determine whether the rule contains any owner only components
- # deal with whitespace in path names
- if ($path =~ /\s/) {
- push @data, "${pre}${str}\"$path\" ${modestr}${tail},";
- } else {
- push @data, "${pre}${str}$path ${modestr}${tail},";
- }
- }
- if ($mode & $audit) {
- my $amode = $mode & $audit;
- my $modestr = mode_to_str_user($amode);
- my $str = $allowstr;
- $str .= "owner " if $modestr =~ s/owner //;
- if ($path =~ /\s/) {
- push @data, "${pre}audit ${str}\"$path\" ${modestr}${tail},";
- } else {
- push @data, "${pre}audit ${str}$path ${modestr}${tail},";
- }
- # mask off the bits we have already written
- $mode &= ~$audit;
- }
- if ($mode) {
- my $modestr = mode_to_str_user($mode & ~$audit);
- my $str = $allowstr;
- $str .= "owner " if $modestr =~ s/owner //;
- # deal with whitespace in path names
- if ($path =~ /\s/) {
- push @data, "${pre}${str}\"$path\" ${modestr}${tail},";
+ while ($user || $other) {
+ my $ownerstr = "";
+ my ($tmpmode, $tmpaudit) = 0;
+ if ($user & ~$other) {
+ # user contains bits not set in other
+ $ownerstr = "owner ";
+ $tmpmode = $user & ~$other;
+ $tmpaudit = $user_audit;
+ $user &= ~$tmpmode;
+ } elsif ($other & ~$user) {
+ $ownerstr = "other ";
+ $tmpmode = $other & ~$user;
+ $tmpaudit = $other_audit;
+ $other &= ~$tmpmode;
+ } else {
+ if ($user_audit & ~$other_audit & $user) {
+ $ownerstr = "owner ";
+ $tmpaudit = $user_audit & ~$other_audit & $user;
+ $tmpmode = $user & $tmpaudit;
+ $user &= ~$tmpmode;
+ } elsif ($other_audit & ~$user_audit & $other) {
+ $ownerstr = "other ";
+ $tmpaudit = $other_audit & ~$user_audit & $other;
+ $tmpmode = $other & $tmpaudit;
+ $other &= ~$tmpmode;
} else {
- push @data, "${pre}${str}$path ${modestr}${tail},";
+ # user == other && user_audit == other_audit
+ $ownerstr = "";
+ $tmpmode = $user;
+ $tmpaudit = $user_audit;
+ $user &= ~$tmpmode;
+ $other &= ~$tmpmode;
}
}
- } else {
- if ($mode & $audit) {
- my $amode = $mode & $audit;
- my $modestr = mode_to_str_user($amode);
- my $str = $allowstr;
- $str .= "owner " if $modestr =~ s/owner //;
+
+ if ($tmpmode & $tmpaudit) {
+ my $modestr = mode_to_str($tmpmode & $tmpaudit);
if ($path =~ /\s/) {
- push @data, "${pre}audit ${str}\"$path\" ${modestr}${tail},";
+ push @data, "${pre}audit ${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";
} else {
- push @data, "${pre}audit ${str}$path ${modestr}${tail},";
+ push @data, "${pre}audit ${allowstr}${ownerstr}$path ${modestr}${tail},";
}
- # mask off the bits we have already written
- $mode &= ~$audit;
+ $tmpmode &= ~$tmpaudit;
}
- if ($mode) {
- my $modestr = mode_to_str_user($mode & ~$audit);
- my $str = $allowstr;
- $str .= "owner " if $modestr =~ s/owner //;
- # deal with whitespace in path names
+ if ($tmpmode) {
+ my $modestr = mode_to_str($tmpmode);
if ($path =~ /\s/) {
- push @data, "${pre}${str}\"$path\" ${modestr}${tail},";
+ push @data, "${pre}${allowstr}${ownerstr}\"$path\" ${modestr}${tail},";
} else {
- push @data, "${pre}${str}$path ${modestr}${tail},";
+ push @data, "${pre}${allowstr}${ownerstr}$path ${modestr}${tail},";
}
}
}
+
}
push @data, "";
}
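Review bot: `my ($tmpmode, $tmpaudit) = 0;` initialises only `$tmpmode`; `$tmpaudit` starts undefined, and although every branch of the `if` chain assigns both before the `&` uses them, the list assignment reads as if both were zeroed, so `my ($tmpmode, $tmpaudit) = (0, 0);` says what was meant. The loop replaces four copy-pasted emit blocks by peeling one slice off `$user`/`$other` per iteration (owner-only bits, other-only bits, bits whose audit flag differs between owner and other, then the shared remainder) and emitting at most an `audit` line and a plain line per slice, yet the only comment left, `# determine whether the rule contains any owner only components`, now sits above a blank line and describes just the first branch. A short block comment above the `while` stating that order, and that it terminates because every branch clears at least one bit from `$user` or `$other`, would make the invariant checkable. The enclosing function starts and ends outside the hunk.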
@@ -5979,7 +5957,7 @@
sub netrules_access_check ($$$) {
my ($netrules, $family, $sock_type) = @_;
return 0 if ( not defined $netrules );
- my %netrules = %$netrules;;
+ my %netrules = %$netrules;
my $all_net = defined $netrules{rule}{all};
my $all_net_family = defined $netrules{rule}{$family} && $netrules{rule}{$family} == 1;
my $net_family_sock = defined $netrules{rule}{$family} &&
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/apparmor-utils-2.3/unconfined.pod new/apparmor-utils-2.3.1/unconfined.pod
--- old/apparmor-utils-2.3/unconfined.pod 2007-04-03 22:13:35.000000000 +0200
+++ new/apparmor-utils-2.3.1/unconfined.pod 2008-06-11 23:19:36.000000000 +0200
@@ -1,4 +1,4 @@
-# $Id: unconfined.pod 535 2007-04-03 20:13:35Z steve-beattie $
+# $Id: unconfined.pod 1290 2008-06-11 21:19:36Z jrjohansen $
# This publication is intellectual property of Novell Inc. Its contents
# can be duplicated, either in part or in whole, provided that a copyright
# label is visibly located on each copy.
@@ -24,21 +24,21 @@
=head1 NAME
-unconfined - output a list of processes with tcp or udp ports that do
+aa-unconfined - output a list of processes with tcp or udp ports that do
not have AppArmor profiles loaded
=head1 SYNOPSIS
-B<unconfined>
+B<aa-unconfined>
=head1 DESCRIPTION
-B<unconfined> will use netstat(8) to determine which processes have open
+B<aa-unconfined> will use netstat(8) to determine which processes have open
network sockets and do not have AppArmor profiles loaded into the kernel.
=head1 BUGS
-B<unconfined> must be run as root to retrieve the process executable
+B<aa-unconfined> must be run as root to retrieve the process executable
link from the F</proc> filesystem. This program is susceptible to race
conditions of several flavours: an unlinked executable will be mishandled;
an executable started before a AppArmor profile is loaded will not
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++