commit apparmor-utils for openSUSE:11.3

Hello community, here is the log from the commit of package apparmor-utils for openSUSE:11.3 checked in at Tue Apr 12 14:30:28 CEST 2011. -------- --- old-versions/11.3/UPDATES/all/apparmor-utils/apparmor-utils.changes 2010-08-03 13:39:08.000000000 +0200 +++ 11.3/apparmor-utils/apparmor-utils.changes 2011-04-07 16:39:51.000000000 +0200 @@ -1,0 +2,6 @@ +Thu Apr 7 16:37:36 CEST 2011 - jeffm@suse.de + +- Fix parsing of learning (null-XX) profiles with genprof and logprof + (bnc#546618 bnc#668311 bnc#685833). + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- handle-null-profile-logs-correctly ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor-utils.spec ++++++ --- /var/tmp/diff_new_pack.EPznWP/_old 2011-04-12 14:28:16.000000000 +0200 +++ /var/tmp/diff_new_pack.EPznWP/_new 2011-04-12 14:28:16.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package apparmor-utils (Version 2.3.1) +# spec file for package apparmor-utils # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,7 +24,7 @@ %endif Summary: AppArmor User-Level Utilities Useful for Creating AppArmor Profiles Version: 2.3.1 -Release: 19.<RELEASE1> +Release: 19.<RELEASE3> Group: Productivity/Security Source0: %{name}-%{version}-1377.tar.gz Patch1: apparmor-utils-string-split @@ -35,6 +35,7 @@ Patch6: apparmor-utils-filenames-in-slash Patch7: apparmor-utils-translation-unification Patch8: apparmor-utils-translations +Patch9: handle-null-profile-logs-correctly License: GPLv2+ ; LGPLv2.1+ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -86,6 +87,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build ++++++ handle-null-profile-logs-correctly ++++++ From: Kees Cook Subject: handle null profile logs correctly References: bnc#546618 bnc#668311 bnc#685833 handle new null profile logs, handle new include directories. from ubuntu branch Acked-by: Jeff Mahoney --- SubDomain.pm | 92 ++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 72 insertions(+), 20 deletions(-) --- a/SubDomain.pm +++ b/SubDomain.pm @@ -105,6 +105,7 @@ our @EXPORT = qw( check_qualifiers isSkippableFile + isSkippableDir ); our $confdir = "/etc/apparmor"; @@ -2726,8 +2727,17 @@ sub add_event_to_tree ($) { return if ($e->{operation} =~ /profile_set/); my ($profile, $hat); + # just convert new null profile style names to old before we begin processing + # profile and name can contain multiple layers of null- but all we care about + # currently is single level. + if ($e->{profile} =~ m/\/\/null-/) { + $e->{profile} = "null-complain-profile"; + } ($profile, $hat) = split /\/\//, $e->{profile}; if ( $e->{operation} eq "change_hat" ) { + #screen out change_hat events that aren't part of learning, as before + #AppArmor 2.4 these events only happend as hints during learning + return if ($sdmode ne "HINT" && $sdmode ne "PERMITTING"); ($profile, $hat) = split /\/\//, $e->{name}; } $hat = $profile if ( !$hat ); @@ -2751,6 +2761,18 @@ sub add_event_to_tree ($) { $e->{name}, $e->{name2} ); + } elsif ( defined $e->{name2} && $e->{name2} =~ m/\/\/null-/) { + add_to_tree( $e->{pid}, + $e->{parent}, + "exec", + $profile, + $hat, + $prog, + $sdmode, + $e->{denied_mask}, + $e->{name}, + "" + ); } } elsif ($e->{operation} =~ m/file_/ or # These are the path operations introduced in 2.6.29 @@ -2766,6 +2788,18 @@ sub add_event_to_tree ($) { $e->{name}, "", ); + } elsif ($e->{operation} eq "open") { + add_to_tree( $e->{pid}, + $e->{parent}, + "path", + $profile, + $hat, + $prog, + $sdmode, + $e->{denied_mask}, + $e->{name}, + "", + ); } elsif ($e->{operation} eq "capable") { add_to_tree( $e->{pid}, $e->{parent}, @@ -4507,9 +4541,9 @@ sub uniq (@) { } our $MODE_MAP_RE = "r|w|l|m|k|a|x|i|u|p|c|n|I|U|P|C|N"; -our $LOG_MODE_RE = "r|w|l|m|k|a|x|ix|ux|px|cx|nx|pix|cix|Ix|Ux|Px|Cx|Nx|Pix|Cix"; -our $PROFILE_MODE_RE = "r|w|l|m|k|a|ix|ux|px|cx|pix|cix|Ux|Px|Cx|Pix|Cix"; -our $PROFILE_MODE_NT_RE = "r|w|l|m|k|a|x|ix|ux|px|cx|pix|cix|Ux|Px|Cx|Pix|Cix"; +our $LOG_MODE_RE = "r|w|l|m|k|a|x|ix|ux|px|cx|nx|pix|cix|Ix|Ux|Px|PUx|Cx|Nx|Pix|Cix"; +our $PROFILE_MODE_RE = "r|w|l|m|k|a|ix|ux|px|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix"; +our $PROFILE_MODE_NT_RE = "r|w|l|m|k|a|x|ix|ux|px|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix"; our $PROFILE_MODE_DENY_RE = "r|w|l|m|k|a|x"; sub split_log_mode($) { @@ -4792,6 +4826,16 @@ sub isSkippableFile($) { || $path =~ /\~$/); } +# isSkippableDir - return true if directory matches something that +# should be skipped (cache directory, symlink directories, etc.) +sub isSkippableDir($) { + my $path = shift; + + return ($path eq "disable" + || $path eq "cache" + || $path eq "force-complain"); +} + sub checkIncludeSyntax($) { my $errors = shift; @@ -4799,6 +4843,7 @@ sub checkIncludeSyntax($) { my @incdirs = grep { (!/^\./) && (-d "$profiledir/$_") } readdir(SDDIR); close(SDDIR); while (my $id = shift @incdirs) { + next if isSkippableDir($id); if (opendir(SDDIR, "$profiledir/$id")) { for my $path (grep { !/^\./ } readdir(SDDIR)) { chomp($path); @@ -4925,10 +4970,6 @@ sub parse_profile_data { # start of a profile... if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+((flags=)?\((.+)\)\s+)*\{\s*(#.*)?$/) { - if ($do_include) { - die "include <$file> contains syntax errors.\n"; - } - # if we run into the start of a profile while we're already in a # profile, something's wrong... if ($profile) { @@ -4988,9 +5029,6 @@ sub parse_profile_data { # if we hit the end of a profile when we're not in one, something's # wrong... - if ($do_include) { - die "include <$file> contains syntax errors."; - } if (not $profile) { die sprintf(gettext('%s contains syntax errors.'), $file) . "\n"; } @@ -5162,13 +5200,29 @@ sub parse_profile_data { $filelist{$file}{include}{$include} = 1; } - # try to load the include... - my $ret = eval { loadinclude($include); }; - # propagate errors up the chain - if ($@) { die $@; } - - return $ret if ( $ret != 0 ); - + # include is a dir + if (-d "$profiledir/$include") { + if (opendir(SDINCDIR, "$profiledir/$include")) { + for my $path (readdir(SDINCDIR)) { + chomp($path); + next if isSkippableFile($path); + if (-f "$profiledir/$include/$path") { + my $file = "$include/$path"; + $file =~ s/$profiledir\///; + my $ret = eval { loadinclude($file); }; + if ($@) { die $@; } + return $ret if ( $ret != 0 ); + } + } + } + closedir(SDINCDIR); + } else { + # try to load the include... + my $ret = eval { loadinclude($include); }; + # propagate errors up the chain + if ($@) { die $@; } + return $ret if ( $ret != 0 ); + } } elsif (/^\s*(audit\s+)?(deny\s+)?network(.*)/) { if (not $profile) { die sprintf(gettext('%s contains syntax errors.'), $file) . "\n"; @@ -5212,9 +5266,6 @@ sub parse_profile_data { unless exists($profile_data->{$profile}{$hat}{declared}); } elsif (m/^\s*\^(\"??.+?\"??)\s+((flags=)?\((.+)\)\s+)*\{\s*(#.*)?$/) { - if ($do_include) { - die "include <$file> contains syntax errors."; - } # start of embedded hat syntax hat definition # read in and mark as changed so that will be written out in the new # format @@ -6193,6 +6244,7 @@ sub loadincludes { close(SDDIR); while (my $id = shift @incdirs) { + next if isSkippableDir($id); if (opendir(SDDIR, "$profiledir/$id")) { for my $path (readdir(SDDIR)) { chomp($path); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org