Hello community,
here is the log from the commit of package apparmor.485 for openSUSE:11.4:Update checked in at 2012-05-08 18:07:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:11.4:Update/apparmor.485 (Old)
and /work/SRC/openSUSE:11.4:Update/.apparmor.485.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor.485", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2012-05-03 01:24:41.895590051 +0200
+++ /work/SRC/openSUSE:11.4:Update/.apparmor.485.new/apparmor.changes 2012-05-08 18:07:36.000000000 +0200
@@ -0,0 +1,226 @@
+-------------------------------------------------------------------
+Thu Apr 26 20:42:35 UTC 2012 - opensuse@cboltz.de
+
+- update samba profiles to have the same permissions as in openSUSE 12.1
+ (with some exceptions, see bnc#757545#c12) (bnc#757545, bnc#758426)
+ This also fixes bnc#725967, bnc#738041, bnc#738041
+- add missing x bit for directories in /etc/apparmor/ and /etc/apparmor.d/
+
+-------------------------------------------------------------------
+Wed Apr 18 21:49:41 UTC 2012 - opensuse@cboltz.de
+
+- update samba nmbd profile to match updated samba 3.6.3 (bnc#757545)
+
+-------------------------------------------------------------------
+Tue Aug 2 21:40:26 CEST 2011 - jeffm@suse.de
+
+- dovecot: Added support for /var/spool/mail (bnc#691072)
+
+-------------------------------------------------------------------
+Wed Jun 29 14:17:34 CEST 2011 - meissner@suse.de
+
+- conflict the architecure changed packages in -parser to force
+ upgrade. (bnc#702427)
+
+-------------------------------------------------------------------
+Fri Jun 24 15:59:17 CEST 2011 - jeffm@suse.de
+
+- Fixed building of pam_apparmor to properly link libpam (bnc#696553).
+
+-------------------------------------------------------------------
+Thu Jun 23 19:13:40 CEST 2011 - jeffm@suse.de
+
+- Fixed building of apache2-mod_apparmor to properly link (bnc#701821).
+
+-------------------------------------------------------------------
+Thu Apr 7 19:59:50 CEST 2011 - jeffm@suse.de
+
+- Added perl-File-Tail dependency for aa-eventd (bnc#666450).
+
+-------------------------------------------------------------------
+Thu Apr 7 19:55:46 CEST 2011 - jeffm@suse.de
+
+- Add raw network access to traceroute profile (bnc#685674).
+
+-------------------------------------------------------------------
+Tue Mar 29 22:59:39 CEST 2011 - jeffm@suse.de
+
+- Updated dovecot profile (bnc#681267).
+
+-------------------------------------------------------------------
+Sun Mar 27 18:04:05 CEST 2011 - jeffm@suse.de
+
+- Changed apparmor-docs and apparmor-profiles back to noarch
+ (bnc#682909 bnc#682912).
+
+-------------------------------------------------------------------
+Mon Mar 14 19:57:01 CET 2011 - jeffm@suse.de
+
+- Add config files to samba profiles (bnc#666450 bnc#679182).
+
+-------------------------------------------------------------------
+Mon Mar 14 19:04:13 CET 2011 - jeffm@suse.de
+
+- Added /etc/ethers and /var/run/dnsmasq-forwarders to
+ usr.sbin.dnsmasq (bnc#678749).
+
+-------------------------------------------------------------------
+Tue Feb 22 12:45:43 UTC 2011 - bwiedemann@novell.com
+
+- Add Requires for used perl packages (bnc#670650).
+
+-------------------------------------------------------------------
+Tue Jan 25 23:25:28 CET 2011 - jeffm@suse.de
+
+- Updated dhclient profile and added dhclient-script profile (bnc#561152).
+
+-------------------------------------------------------------------
+Tue Jan 25 18:11:00 CET 2011 - jeffm@suse.de
+
+- Added ability to completely disable repositories.
+
+-------------------------------------------------------------------
+Mon Jan 24 21:27:45 CET 2011 - jeffm@suse.de
+
+- Properly indent sub-profiles after genprof completion (bnc#480795).
+
+-------------------------------------------------------------------
+Mon Jan 24 20:16:03 CET 2011 - jeffm@suse.de
+
+- Inherit flags in sub-profiles when generating profiles (bnc#496204).
+
+-------------------------------------------------------------------
+Mon Jan 24 01:02:53 CET 2011 - jeffm@suse.de
+
+- Stop treating profiles shipped with the package as config files.
+ - /etc/apparmor.d will still be treated specially.
+- Add support for parsing network operation events (bnc#665483)
+
+-------------------------------------------------------------------
+Mon Jan 24 00:23:35 CET 2011 - jeffm@suse.de
+
+- Fix for sbin.klogd profile using kernel versions >= 2.6.38-rc1.
+
+-------------------------------------------------------------------
+Mon Jan 24 00:11:28 CET 2011 - jeffm@suse.de
+
+- Update to apparmor-2.5 r1445.
+ - Includes 3 of the fixes below.
+ - Several testsuite fixes.
+ - Update for Thunderbird profile.
+
+-------------------------------------------------------------------
+Fri Jan 21 19:07:15 CET 2011 - jeffm@suse.de
+
+- Add support for libvirt in usr.sbin.dnsmasq (bnc#666090)
+
+-------------------------------------------------------------------
+Tue Jan 18 10:51:33 UTC 2011 - coolo@novell.com
+
+- fix rm call for nscd profile to avoid file conflict
+
+-------------------------------------------------------------------
+Tue Jan 11 15:24:16 CET 2011 - jeffm@suse.de
+
+- profiles: Add openssl abstraction (bnc#623886).
+
+-------------------------------------------------------------------
+Tue Jan 11 15:12:45 CET 2011 - jeffm@suse.de
+
+- Added support for sys_nice to ntpd profile (bnc#657054).
+
+-------------------------------------------------------------------
+Mon Jan 10 19:27:01 CET 2011 - jeffm@suse.de
+
+- apparmor-utils: Support newer auditd formatted messages.
+- Fix two x transition conflict bugs. (bnc#662928)
+
+-------------------------------------------------------------------
+Thu Jan 6 16:23:19 UTC 2011 - rhafer@suse.de
+
+- Splitted ldap related things from nameservice into separate
+ profile and added some missing paths (bnc#662761)
+
+-------------------------------------------------------------------
+Wed Dec 22 03:41:43 CET 2010 - jeffm@suse.de
+
+- Fixed pod2man macros with older versions of GNU make
+
+-------------------------------------------------------------------
+Tue Dec 21 00:36:39 CET 2010 - jeffm@suse.de
+
+- Fixed building of perl and ruby SWIG modules. The former
+ is required for apparmor-utils to work properly.
+
+-------------------------------------------------------------------
+Tue Dec 7 18:22:55 CET 2010 - jeffm@suse.de
+
+- Fixed use-after-free issue in apparmor_parser.
+
+-------------------------------------------------------------------
+Tue Dec 7 17:52:59 CET 2010 - jeffm@suse.de
+
+- Added fixes for logprof issuing uninitialized variable errors
+ while encountering audit messages for unconfined processes.
+
+-------------------------------------------------------------------
+Wed Dec 1 19:52:58 CET 2010 - jeffm@suse.de
+
+- Updated cupsd profile (bnc#539401)
+
+-------------------------------------------------------------------
+Wed Dec 1 19:00:56 CET 2010 - jeffm@suse.de
+
+- Fix {proc} vs {PROC} macro usage in firefox profile (bnc#436262)
+
+-------------------------------------------------------------------
+Wed Dec 1 18:41:31 CET 2010 - jeffm@suse.de
+
+- Added support for eDirectory nameservice (bnc#621394)
+
+-------------------------------------------------------------------
+Wed Dec 1 18:05:44 CET 2010 - jeffm@suse.de
+
+- Fixed incorrect /proc/*/sys usage in usr.sbin.ntpd profile (bnc#634801)
+
+-------------------------------------------------------------------
+Wed Dec 1 17:39:08 CET 2010 - jeffm@suse.de
+
+- Added fix for another case of whitespace affecting profile
+ removal (bnc#510740)
+
+-------------------------------------------------------------------
+Tue Nov 30 12:00:00 CET 2010 - jeffm@suse.de
+
+- Added support for unified build, which massively simplified
+ the packaging.
+
++++ 29 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:11.4:Update/.apparmor.485.new/apparmor.changes
New:
----
apparmor-2.5-r1445
apparmor-2.5.1-edirectory-profile
apparmor-2.5.1-firefox-proc-fix
apparmor-2.5.1-ldapclient-profile
apparmor-2.5.1-network-fixes
apparmor-2.5.1-ntpd-proc-fixes
apparmor-2.5.1-ntpd-sys_nice
apparmor-2.5.1-rpmlint-asprintf
apparmor-2.5.1-ssl-fix
apparmor-2.5.1-unconfined-fixes
apparmor-2.5.1-unified-build
apparmor-2.5.1.tar.bz2
apparmor-docs-techdoc-grammar-fixes
apparmor-no-caching-test
apparmor-parser-string-fixes
apparmor-perl
apparmor-profile-editor.desktop
apparmor-profile-editor.png
apparmor-profiles-cupsd-fix
apparmor-profiles-dhclient
apparmor-profiles-dovecot
apparmor-profiles-samba
apparmor-profiles-samba-3.6.3.diff
apparmor-profiles-sshd-fix
apparmor-profiles-syslog-ng-fix
apparmor-profiles-traceroute
apparmor-profiles-usr.sbin.dnsmasq
apparmor-remove-repo
apparmor-scripts
apparmor-startproc.patch
apparmor-swig-build-fix
apparmor-translation-fixes
apparmor-utils-SubDomain
apparmor-utils-add-log-types
apparmor-utils-cleanup-on-abort
apparmor-utils-filenames-in-slash
apparmor-utils-inherit-flags-during-profile-generation
apparmor-utils-null-path-fix
apparmor-utils-string-split
apparmor-utils-translation-unification
apparmor.changes
apparmor.spec
apparmorapplet-gnome-build-fix
baselibs.conf
genprof-whitespace-in-profile-fix
klog-needs-CAP_SYSLOG
mod_apparmor-includes
pam-apparmor-include
rpmlintrc
tomcat-build-fixes
update-trans.sh
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apparmor.spec ++++++
++++ 874 lines (skipped)
++++++ apparmor-2.5-r1445 ++++++
++++ 705 lines (skipped)
++++++ apparmor-2.5.1-edirectory-profile ++++++
From: Jeff Mahoney
Subject: apparmor-profiles: Add support for eDirectory calls from nscd
References: bnc#621394
eDirectory hooks into nscd and provides its own libraries. In order for
this to operate properly with AppArmor, it needs to be told about these
libraries.
This patch adds a new abstract profile and includes it in the nameservice
profile.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/abstractions/nameservice | 3 +++
profiles/apparmor.d/abstractions/novell-edirectory | 13 +++++++++++++
2 files changed, 16 insertions(+)
--- a/profiles/apparmor.d/abstractions/nameservice
+++ b/profiles/apparmor.d/abstractions/nameservice
@@ -71,6 +71,9 @@
# kerberos
#include
+ # Novell eDirectory
+ #include
+
# TCP/UDP network access
network inet stream,
network inet6 stream,
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/novell-edirectory
@@ -0,0 +1,13 @@
+# $Id$
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2010 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ /opt/novell/eDirectory/lib/lib*so* r,
+ /opt/novell/eDirectory/lib64/lib*so* r,
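Review bot: The two library rules grant only `r`, but a shared object that nscd loads (the description says eDirectory "provides its own libraries" that are hooked into nscd) has to be mapped PROT_EXEC, which AppArmor mediates with the `m` permission; with `r` alone the mmap is denied and shows up in the log as a missing `m`. The rules should read `/opt/novell/eDirectory/lib/lib*so* mr,` and `/opt/novell/eDirectory/lib64/lib*so* mr,`. Because the nameservice abstraction includes this file unconditionally (first hunk of this patch), every profile that uses nameservice gains these rules, which is worth stating in a comment at the top of the file.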
++++++ apparmor-2.5.1-firefox-proc-fix ++++++
From: Jeff Mahoney
Subject: apparmor-profiles: Fix proc usage in firefox profile
References: bnc#436262
This patch corrects the use of the {proc} macro. It should be {PROC}.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor/profiles/extras/usr.lib.firefox.firefox | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
+++ b/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
@@ -32,9 +32,9 @@
/opt/kde3/share/applications/ r,
/opt/kde3/share/applications/mimeinfo.cache r,
- owner @{proc}/*/mounts r,
- @{proc}/meminfo r,
- @{proc}/sys/kernel/ngroups_max r,
+ owner @{PROC}/*/mounts r,
+ @{PROC}/meminfo r,
+ @{PROC}/sys/kernel/ngroups_max r,
/usr/lib/**.so mr,
++++++ apparmor-2.5.1-ldapclient-profile ++++++
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
===================================================================
--- /dev/null
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/ldapclient
@@ -0,0 +1,21 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # files required by LDAP clients (e.g. nss_ldap/pam_ldap)
+ /etc/ldap.conf r,
+ /etc/ldap.secret r,
+ /etc/openldap/* r,
+ /etc/openldap/cacerts/* r,
+
+ # SASL plugins and config
+ /etc/sasl2/* r,
+ /usr/lib{,32,64}/sasl2/* r,
+
+ #include
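Review bot: `/etc/ldap.secret r,` hands the rootbinddn bind password (the file nss_ldap/pam_ldap keep root-only for that reason) to every profile that pulls in the nameservice abstraction, so it deserves its own comment rather than sitting under the generic "files required by LDAP clients" heading, e.g. `# ldap.secret holds the rootbinddn bind password used by nss_ldap/pam_ldap when running as root`. The new file also does not carry over `/etc/ldap/** r,`, which the nameservice hunk below removes, so clients configured with an /etc/ldap/ layout lose read access in this move; if that is intended say so in a comment, otherwise add `/etc/ldap/** r,` here. The final `#include` has no visible target in this rendering, so I cannot tell what it pulls in.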
Index: apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
===================================================================
--- apparmor-2.5.1.orig/profiles/apparmor.d/abstractions/nameservice
+++ apparmor-2.5.1/profiles/apparmor.d/abstractions/nameservice
@@ -17,8 +17,6 @@
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
- /etc/ldap.conf r,
- /etc/ldap.secret r,
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/passwd r,
@@ -33,9 +31,6 @@
/etc/samba/lmhosts r,
/etc/services r,
- # all openldap config
- /etc/openldap/* r,
- /etc/ldap/** r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
@@ -59,6 +54,9 @@
# nis
#include
+ # ldap
+ #include
+
# winbind
#include
++++++ apparmor-2.5.1-network-fixes ++++++
From: Jeff Mahoney
Subject: apparmor: Fix network event parsing
References: bnc#665483
The upstream version of AppArmor had network mediation but it was
removed. There's a compatibility patch floating around that both openSUSE
and Ubuntu have applied to their kernels. Unfortunately, one part was
overlooked. The socket operation event names were changed from the
socket_ prefixed names they had when AppArmor was out-of-tree and
utils/SubDomain.pm was never updated to understand them.
This patch adds an operation-type table so that the code can just
do a optype($operation) call to discover what type of operation a
particular name refers to. It then uses this in place of the socket_
checks to decide whether an event is a network operation.
This allows genprof and logprof to work with networking rules again.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 46 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -233,6 +233,50 @@ my %MODE_HASH = (
N => $AA_EXEC_NT,
);
+
+# Currently only used by netdomain but there's no reason it couldn't
+# be extended to support other types.
+my %operation_types = (
+
+ # Old socket names
+ "socket_create", => "net",
+ "socket_post_create" => "net",
+ "socket_bind" => "net",
+ "socket_connect" => "net",
+ "socket_listen" => "net",
+ "socket_accept" => "net",
+ "socket_sendmsg" => "net",
+ "socket_recvmsg" => "net",
+ "socket_getsockname" => "net",
+ "socket_getpeername" => "net",
+ "socket_getsockopt" => "net",
+ "socket_setsockopt" => "net",
+ "socket_shutdown" => "net",
+
+ # New socket names
+ "create" => "net",
+ "post_create" => "net",
+ "bind" => "net",
+ "connect" => "net",
+ "listen" => "net",
+ "accept" => "net",
+ "sendmsg" => "net",
+ "recvmsg" => "net",
+ "getsockname" => "net",
+ "getpeername" => "net",
+ "getsockopt" => "net",
+ "setsockopt" => "net",
+ "sock_shutdown" => "net",
+);
+
+sub optype($) {
+ my $op = shift;
+ my $type = $operation_types{$op};
+
+ return "unknown" if !defined($type);
+ return $type;
+}
+
sub debug ($) {
my $message = shift;
chomp($message);
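Review bot: The first table entry `"socket_create", => "net",` has a stray comma before the fat comma; Perl tolerates consecutive commas in a list so it parses, but it reads as a typo and should be `"socket_create" => "net",`. Replacing the old `m/socket_/` substring match with an exact-key lookup also means any operation name missing from this table silently comes back from `optype()` as "unknown" and is no longer handled as a network event, so a `debug("unknown operation type: $op")` before `return "unknown"` would make the next kernel-side rename easy to spot. `optype()` does not check `$op` for undef, so `$operation_types{$op}` warns under `use warnings` when an event has no operation; the `parse_event` caller guards this but the `add_event_to_tree` caller in the next hunk does not appear to.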
@@ -2911,7 +2955,7 @@ sub add_event_to_tree ($) {
}
$pid{$child} = $arrayref;
push @{$arrayref}, [ "fork", $child, $profile, $hat ];
- } elsif ($e->{operation} =~ m/socket_/) {
+ } elsif (optype($e->{operation}) eq "net") {
add_to_tree( $e->{pid},
$e->{parent},
"netdomain",
@@ -6620,7 +6664,7 @@ sub parse_event($) {
LibAppArmor::aa_log_record::swig_magic_token_get($event);
# NetDomain
- if ( $ev{'operation'} && $ev{'operation'} =~ /socket/ ) {
+ if ( $ev{'operation'} && optype($ev{'operation'}) eq "net" ) {
$ev{'family'} =
LibAppArmor::aa_log_record::swig_net_family_get($event);
$ev{'protocol'} =
++++++ apparmor-2.5.1-ntpd-proc-fixes ++++++
From: Jeff Mahoney
Subject: apparmor: Fix incorrect /proc/*/sys usage in usr.sbin.ntpd
References: bnc#634801
/proc/sys/kernel exists, but /proc/*/sys/kernel doesn't. This patch
fixes the profile.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/usr.sbin.ntpd | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -59,11 +59,11 @@
/var/run/ntpd.pid w,
/var/tmp/ntp* rwl,
@{PROC}/*/net/if_inet6 r,
- @{PROC}/*/sys/kernel/ngroups_max r,
+ @{PROC}/sys/kernel/ngroups_max r,
# allow access for when chrooted
/var/lib/ntp/@{PROC}/*/net/if_inet6 r,
- /var/lib/ntp/@{PROC}/*/sys/kernel/ngroups_max r,
+ /var/lib/ntp/@{PROC}/sys/kernel/ngroups_max r,
@{NTPD_DEVICE} rw,
}
++++++ apparmor-2.5.1-ntpd-sys_nice ++++++
From: Jeff Mahoney
Subject: profile: ntpd -N needs sys_nice
References: bnc#657054
ntpd -N allows the administrator to increase or decrease priority of the
ntp server. Since the profile doesn't allow it, the operation is denied.
This patch adds support for that operation.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/usr.sbin.ntpd | 1 +
1 file changed, 1 insertion(+)
--- a/profiles/apparmor.d/usr.sbin.ntpd
+++ b/profiles/apparmor.d/usr.sbin.ntpd
@@ -25,6 +25,7 @@
capability sys_chroot,
capability sys_resource,
capability sys_time,
+ capability sys_nice,
network inet dgram,
network inet stream,
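Review bot: `capability sys_nice,` is added without a comment although the description says it is needed only for `ntpd -N`; CAP_SYS_NICE also lets the process change the scheduling priority and CPU affinity of arbitrary processes, so the reason should be recorded in the profile, e.g. `capability sys_nice, # ntpd -N: raise own scheduling priority (bnc#657054)`. The line is also out of alphabetical order with the surrounding `sys_chroot`, `sys_resource`, `sys_time`; placing it right after `sys_chroot` keeps the list sorted. With the comment in place, sites that never run with -N can see at a glance that the capability is optional for them.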
++++++ apparmor-2.5.1-rpmlint-asprintf ++++++
From: Jeff Mahoney
Subject: apparmor: Use _GNU_SOURCE when asprintf is used
There are a few places in the parser that use asprintf but don't actually
get the prototype from stdio.h. _GNU_SOURCE is needed for that.
It works as-is but rpmlint in the openSUSE Build Service complains about it.
Signed-off-by: Jeff Mahoney
---
parser/Makefile.am | 1 +
parser/parser_include.c | 2 ++
parser/parser_interface.c | 1 +
parser/parser_lex.l | 4 ++++
parser/parser_main.c | 1 +
parser/parser_variable.c | 1 +
6 files changed, 10 insertions(+)
--- a/parser/Makefile.am
+++ b/parser/Makefile.am
@@ -14,6 +14,7 @@ dist_man_MANS = apparmor.d.5 apparmor.7
BUILT_SOURCES = parser_lex.c parser_yacc.c af_names.h cap_names.h
AM_YFLAGS = -d
AM_CFLAGS = -DLOCALEDIR=\"$(localedir)\"
+AM_LFLAGS = -D_GNU_SOURCE
apparmor_parser_SOURCES = parser_yacc.y parser_lex.l parser_include.c \
parser_interface.c parser_main.c parser_misc.c \
parser_merge.c parser_symtab.c parser_regex.c \
--- a/parser/parser_include.c
+++ b/parser/parser_include.c
@@ -35,6 +35,8 @@
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
+
#include
#include
#include
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include
#include
#include
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -20,6 +20,10 @@
/* Definitions section */
/* %option main */
+%{
+#define _GNU_SOURCE /* for asprintf in stdio.h */
+%}
+
/* eliminates need to link with libfl */
%option noyywrap
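Review bot: Defining `_GNU_SOURCE` both here and through `AM_LFLAGS = -D_GNU_SOURCE` in the Makefile.am hunk risks a redefinition warning: a `-D` flag defines the macro as `1` while `#define _GNU_SOURCE` defines it empty, and the compiler warns when the two replacement lists differ — the kind of build noise this patch sets out to silence. Guard the in-file definition with `#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`; the same guard suits the five .c files. I also cannot tell from this hunk whether the `%{ %}` block lands before flex's own `#include <stdio.h>` in the generated scanner; if it does not, this define comes too late for `asprintf` and only the `-D` flag does the work, which is worth a comment on the Makefile.am line.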
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include
#include
#include
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -17,6 +17,7 @@
* along with this program; if not, contact Novell, Inc.
*/
+#define _GNU_SOURCE /* for asprintf in stdio.h */
#include
#include
#include
++++++ apparmor-2.5.1-ssl-fix ++++++
From: Jeff Mahoney
Subject: profiles: Add openssl abstraction
References: bnc#623886
Profiles that use openssl have been adding the openssl files piecemeal.
This patch creates a new openssl abstraction that can be inherited by
all profiles that use it.
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/abstractions/openssl | 4 ++++
profiles/apparmor.d/abstractions/ssl_certs | 4 ++++
profiles/apparmor/profiles/extras/usr.lib.postfix.smtp | 2 +-
profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.imapd | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.ipop2d | 2 +-
profiles/apparmor/profiles/extras/usr.sbin.ipop3d | 2 +-
8 files changed, 14 insertions(+), 6 deletions(-)
--- /dev/null
+++ b/profiles/apparmor.d/abstractions/openssl
@@ -0,0 +1,4 @@
+
+ /etc/ssl/openssl.cnf r,
+ /usr/share/ssl/openssl.cnf r,
+
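Review bot: The new abstraction has no header: the sibling files added in this package (ldapclient, novell-edirectory) open with the Novell/SUSE copyright and GPLv2 block plus a purpose line, while this one begins with a blank line and two rules. Add the same block and a one-line comment such as `# OpenSSL library configuration, shared by every profile that links libssl`, and state whether profiles are expected to include ssl_certs alongside it, since this file does not pull it in.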
--- a/profiles/apparmor.d/abstractions/ssl_certs
+++ b/profiles/apparmor.d/abstractions/ssl_certs
@@ -15,3 +15,7 @@
/etc/ssl/certs/* r,
/usr/share/ca-certificates/ r,
/usr/share/ca-certificates/** r,
+ /usr/share/ssl/certs/ca-bundle.crt r,
+
+ /usr/share/ca-certificates/mozilla/ r,
+ /usr/share/ca-certificates/mozilla/* r,
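Review bot: The two new `/usr/share/ca-certificates/mozilla/` rules are already covered by the existing `/usr/share/ca-certificates/** r,` three lines above — `**` matches across directory separators, so both the directory and its files are granted — and can be dropped. Only `/usr/share/ssl/certs/ca-bundle.crt r,` adds anything to this abstraction. If the mozilla lines are meant to document what the directory holds, a comment does that without redundant rules.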
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtp
@@ -16,6 +16,7 @@
#include
#include
#include
+ #include
capability dac_override,
capability dac_read_search,
@@ -39,7 +40,6 @@
/etc/postfix/{ssl/,}*.pem r,
/etc/postfix/prng_exch rw,
/usr/share/ssl/certs/ca-bundle.crt r,
- /usr/share/ssl/openssl.cnf r,
/etc/postfix/virtual.db r,
/etc/postfix/sasl_passwd.db r,
/etc/mtab r,
--- a/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
+++ b/profiles/apparmor/profiles/extras/usr.lib.postfix.smtpd
@@ -16,6 +16,7 @@
#include
#include
#include
+ #include
capability dac_override,
capability dac_read_search,
@@ -44,7 +45,6 @@
/usr/lib/sasl2/* mr,
/usr/share/ssl/certs/ca-bundle.crt r,
- /usr/share/ssl/openssl.cnf r,
/{var/spool/postfix/,}pid/inet.* rw,
/{var/spool/postfix/,}private/anvil w,
--- a/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
+++ b/profiles/apparmor/profiles/extras/usr.sbin.httpd2-prefork
@@ -18,6 +18,7 @@
#include
#include
#include
+ #include
capability kill,
capability net_bind_service,
@@ -84,7 +85,6 @@
/usr/share/snmp/mibs r,
/usr/share/snmp/mibs/*.{txt,mib} r,
/usr/share/snmp/mibs/.index wr,
- /usr/share/ssl/openssl.cnf r,
/var/lock/httpd2.lock.* wl,
/var/log/apache2/* rwl,
/var/log/httpd/ssl_scache.dir r,
--- a/profiles/apparmor/profiles/extras/usr.sbin.imapd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.imapd
@@ -16,10 +16,10 @@
#include
#include
#include
+ #include
/dev/urandom r,
/tmp/* rwl,
/usr/sbin/imapd r,
/usr/share/ssl/certs/imapd.pem r,
- /usr/share/ssl/openssl.cnf r,
}
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop2d
@@ -16,10 +16,10 @@
#include
#include
#include
+ #include
/dev/urandom r ,
/tmp/.* rwl ,
/usr/sbin/ipop2d rmix,
/usr/share/ssl/certs/ipop2d.pem r ,
- /usr/share/ssl/openssl.cnf r ,
}
--- a/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
+++ b/profiles/apparmor/profiles/extras/usr.sbin.ipop3d
@@ -16,10 +16,10 @@
#include
#include
#include
+ #include
/dev/urandom r ,
/tmp/.* rwl ,
/usr/sbin/ipop3d rmix,
/usr/share/ssl/certs/ipop3d.pem r ,
- /usr/share/ssl/openssl.cnf r ,
}
++++++ apparmor-2.5.1-unconfined-fixes ++++++
From: Jeff Mahoney
Subject: apparmor: Subdomain.pm: Fix handling of audits of unconfined processes
The version of AppArmor that was accepted into the mainline kernel
issues audit events for things like change_hat while unconfined.
Previous versions just returned -EPERM without the audit.
This results in logprof and friends spewing uninitialized value errors
when it hits events like:
type=AVC msg=audit(1291742101.899:220): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=28005 comm="cron
... which happen any time an unconfined process does something with pam
when pam_apparmor is installed.
This patch skips those events.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2735,6 +2735,13 @@ sub add_event_to_tree ($) {
return if ($e->{operation} =~ /profile_set/);
my ($profile, $hat);
+
+ # The version of AppArmor that was accepted into the mainline kernel
+ # issues audit events for things like change_hat while unconfined.
+ # Previous versions just returned -EPERM without the audit so the
+ # events wouldn't have been picked up here.
+ return if (!$e->{profile});
+
# just convert new null profile style names to old before we begin processing
# profile and name can contain multiple layers of null- but all we care about
# currently is single level.
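Review bot: `return if (!$e->{profile});` drops every event that lacks a profile field, not only the `info="unconfined"` change_hat case the comment describes; an event whose profile was lost for any other reason (a parse failure in the log library, for instance) now disappears without trace. Logging before returning keeps the fix but makes such cases diagnosable, using the file's existing helper: `if (!$e->{profile}) { debug("skipping event with no profile: $e->{operation}"); return; }`. add_event_to_tree starts before this hunk and continues after it.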
++++++ apparmor-2.5.1-unified-build ++++++
++++ 27676 lines (skipped)
++++++ apparmor-docs-techdoc-grammar-fixes ++++++
From: Jeff Mahoney
Subject: apparmor-docs: Fix grammar error in techdoc.pdf
References: bnc#588235
This patch fixes a grammar error in techdoc.pdf.
Signed-off-by: Jeff Mahoney
---
parser/techdoc.tex | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/techdoc.tex
+++ b/parser/techdoc.tex
@@ -213,7 +213,7 @@ files by controlling file descriptor pas
\subsection{Mount}
-Mounting can change a process's namespace in in almost arbitrary ways.
+Mounting can change a process's namespace in almost arbitrary ways.
This is a problem because AppArmor's file access control is pathname
based, and granting a process the right to arbitrarily change its
namespace would subvert this protection mechanism. AppArmor therefore
++++++ apparmor-no-caching-test ++++++
---
parser/tst/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -12,7 +12,7 @@ endif
all: tests
.PHONY: tests error_output gen_xtrans parser_sanity caching
-tests: error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity
gen_xtrans:
perl ./gen-xtrans.pl
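Review bot: The `caching` target is removed from `tests` while it stays in `.PHONY` on the line above, so the test still exists but silently stops running in the build, and the patch carries no From/Subject/References header saying why. Add a comment next to the target, e.g. `# caching is excluded from 'make tests': <reason / bug number>`, or a header on the patch itself; otherwise the next person to update the parser cannot tell whether the cache tests are broken, irrelevant to this build, or simply forgotten.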
++++++ apparmor-parser-string-fixes ++++++
From: Jeff Mahoney
Subject: apparmor-parser: Fix up translations
References: bnc#586070
---
parser/parser_interface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -77,7 +77,7 @@ static void print_error(int error)
PERROR(_("Out of memory\n"));
break;
case -EFAULT:
- PERROR(_("Couldn't copy profile Bad memory address\n"));
+ PERROR(_("Couldn't copy profile: Bad memory address\n"));
break;
case -EPROTO:
PERROR(_("Profile doesn't conform to protocol\n"));
++++++ apparmor-perl ++++++
---
utils/Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -41,7 +41,8 @@ all: ${MANPAGES} ${HTMLMANPAGES}
DESTDIR=/
BINDIR=${DESTDIR}/usr/sbin
CONFDIR=${DESTDIR}/etc/apparmor
-PERLDIR=${DESTDIR}/usr/lib/perl5/vendor_perl/Immunix
+VENDOR_PERL ?= /usr/lib/perl5/vendor_perl
+PERLDIR := ${DESTDIR}${VENDOR_PERL}/Immunix
po/${NAME}.pot: ${TOOLS}
make -C po ${NAME}.pot NAME=${NAME} SOURCES="${TOOLS} SubDomain.pm Repository.pm Config.pm Reports.pm"
++++++ apparmor-profile-editor.desktop ++++++
[Desktop Entry]
# Encoding is deprecated in the current Desktop Entry spec (UTF-8 is assumed);
# kept for older menu implementations.
Encoding=UTF-8
Name=AppArmor Profile Editor
Comment=Edit AppArmor profiles
# %f: a single profile path handed over by the launcher / file manager.
Exec=profileeditor %f
Terminal=false
Type=Application
Icon=apparmor-profile-editor
Categories=Utility;TextEditor;
# KDE-specific: launch Exec with a substituted UID (via kdesu, i.e. as root),
# presumably because AppArmor profiles under /etc/apparmor.d/ are root-owned.
# NOTE(review): other desktops ignore this key, so the editor then runs
# unprivileged and writes to /etc will fail.
X-KDE-SubstituteUID=true
++++++ apparmor-profiles-cupsd-fix ++++++
---
profiles/apparmor/profiles/extras/usr.sbin.cupsd | 25 ++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.cupsd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.cupsd
@@ -16,20 +16,31 @@
capability setuid,
/bin/bash ixr,
+ /bin/cat ix,
+
+ /usr/bin/foomatic-rip ixr,
+ /etc/foomatic/** r,
+
+ /usr/bin/gs ix,
+ /usr/lib/ghostscript/** m,
+ /usr/lib64/ghostscript/** m,
+ /usr/share/ghostscript/** r,
+ /etc/ghostscript/** r,
+
/dev/lp0 rw,
/dev/tty rw,
/dev/ttyS? w,
/etc/cups rw,
/etc/cups/ r,
- /etc/cups/* r,
+ /etc/cups/** r,
/etc/cups/certs w,
/etc/cups/certs/* w,
- /etc/cups/classes.conf rw,
- /etc/cups/cupsd.conf rw,
+ /etc/cups/*.conf* rw,
/etc/cups/ppd rw,
+ /etc/printcap rw,
/etc/cups/printcap rw,
- /etc/cups/printers.conf rw,
/etc/cups/ssl rw,
+ /etc/cups/yes/* rw,
/etc/hosts.allow r,
/etc/hosts.deny r,
/proc/meminfo r,
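Review bot: `/usr/bin/gs ix,` and `/usr/bin/foomatic-rip ixr,` run the PostScript interpreter and the filter under cupsd's own profile, which includes `capability setuid` and write access to `/etc/cups/**`; ghostscript processes attacker-supplied print jobs, so a transition (`Px` with a dedicated usr.bin.gs profile, or a `Cx` child profile if this parser version supports it) would contain it far better than inheritance. `/etc/cups/*.conf* rw,` also replaces the three explicit `classes.conf`/`cupsd.conf`/`printers.conf` rules with a glob that matches any future `*.conf*` file, and `/etc/cups/yes/* rw,` has no obvious counterpart in CUPS — both deserve a comment. The patch has no description header, so none of these broadened rules is justified anywhere.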
@@ -39,11 +50,15 @@
/usr/bin/smbspool ixr,
/usr/lib/cups/backend/* ixr,
/usr/lib/cups/filter/* ixr,
- /usr/sbin/cupsd mr,
+ /usr/sbin/cupsd mixr,
/usr/share/cups/** r,
/var/log/cups/access_log rw,
/var/log/cups/error_log rw,
/var/spool/cups rw,
+ /var/spool/cups/** rw,
/var/spool/cups/tmp w,
/var/spool/cups/tmp/ r,
+ /var/run/cups/** rw,
+ /var/cache/cups/ rw,
+ /var/cache/cups/** rw,
}
++++++ apparmor-profiles-dhclient ++++++
From: Jeff Mahoney
Subject: profiles: update dhclient
References: bnc#561152
Signed-off-by: Jeff Mahoney
---
profiles/apparmor/profiles/extras/sbin.dhclient | 60 +++++++++++------
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
2 files changed, 60 insertions(+), 21 deletions(-)
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -12,12 +12,12 @@
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
-# /bin/ps mixr,
-# /sbin/arp rmix,
-# /usr/bin/dig rmix,
-# /usr/bin/uptime rmix,
-# /usr/bin/vmstat rmix,
-# /usr/bin/w rmix,
+# /bin/ps mrix,
+# /sbin/arp mrix,
+# /usr/bin/dig mrix,
+# /usr/bin/uptime mrix,
+# /usr/bin/vmstat mrix,
+# /usr/bin/w mrix,
#include
@@ -25,25 +25,29 @@
#include
#include
#include
- /sbin/dhclient rmix,
- /sbin/dhclient-script rmix,
- /bin/bash rmix,
- /bin/df rmix,
+
+ network packet packet,
+
+ /sbin/dhclient mrix,
+
+ /sbin/dhclient-script mrix,
+ /bin/bash mrix,
+ /bin/df mrix,
/bin/netstat Px,
- /bin/ps mixr,
+ /bin/ps mrix,
/dev/random r,
/etc/dhclient.conf r,
- @{PROC}/ r,
- @{PROC}/interrupts r,
- @{PROC}/net/dev r,
- @{PROC}/rtc r,
+ @{PROC}/ r,
+ @{PROC}/interrupts r,
+ @{PROC}/*/net/dev r,
+ @{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
- @{PROC}/self/status r,
- /sbin/arp rmix,
- /usr/bin/dig rmix,
- /usr/bin/uptime rmix,
- /usr/bin/vmstat rmix,
- /usr/bin/w rmix,
+ @{PROC}/self/status r,
+ /sbin/arp mrix,
+ /usr/bin/dig mrix,
+ /usr/bin/uptime mrix,
+ /usr/bin/vmstat mrix,
+ /usr/bin/w mrix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
/var/log/lastlog r,
@@ -53,4 +57,18 @@
/var/run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
+
+ # This one will need to be fleshed out depending on what the user is doing
+ /sbin/dhclient-script mrpx,
+
+ /bin/grep mrix,
+ /bin/sleep mrix,
+ /etc/sysconfig/network/dhcp r,
+ /etc/sysconfig/network/scripts/functions.common r,
+ /etc/sysconfig/network/scripts/functions r,
+ /sbin/ip mrix,
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+ /var/lib/dhcp/* rw,
+ /var/run/nm-dhclient-*.conf r,
+
}
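Review bot: `/sbin/dhclient-script mrpx,` conflicts with the `/sbin/dhclient-script mrix,` added in the previous hunk: both rules appear to sit in the same profile and name the same path with different exec modes (`ix` inherit vs `px` transition), which the parser rejects as conflicting x modifiers — the changelog's bnc#662928 entry is about exactly this class of bug. Since this same patch adds a dedicated sbin.dhclient-script profile, the `mrix` line is the one to drop, leaving `/sbin/dhclient-script mrpx,`. `/var/lib/dhcp/* rw,` also subsumes the existing `dhclient.leases` and `dhclient-*.leases` rules; keep one form or the other.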
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -0,0 +1,21 @@
+# Last Modified: Tue Jan 25 16:48:30 2011
+#include
+
+# dhclient-script will call plugins from /etc/netconfig.d, so this
+# will need to be extended on a per-site basis.
+
+/sbin/dhclient-script {
+ #include
+ #include
+ #include
+
+ /bin/bash rix,
+ /bin/grep rix,
+ /bin/sleep rix,
+ /bin/touch rix,
+ /dev/.sysconfig/network/** r,
+ /etc/netconfig.d/* mrix,
+ /etc/sysconfig/network/** r,
+ /sbin/dhclient-script r,
+ /sbin/ip rix,
+}
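Review bot: `/etc/netconfig.d/* mrix,` runs every site plugin with this profile inherited, so whatever the three `#include`s (targets not visible in this rendering) grant is available to any script dropped into that directory; a comment on the rule would support the per-site extension the header asks for, e.g. `# plugins inherit this profile: audit anything added to /etc/netconfig.d/`. Nothing in the visible rules grants write access, yet `/bin/touch rix,` is allowed; unless one of the included abstractions supplies the writable paths, touch will be denied and the files it is meant to create should be listed here explicitly.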
++++++ apparmor-profiles-dovecot ++++++
---
profiles/apparmor.d/usr.lib.dovecot.deliver | 1 +
profiles/apparmor.d/usr.lib.dovecot.imap | 4 ++++
profiles/apparmor.d/usr.lib.dovecot.pop3 | 1 +
profiles/apparmor.d/usr.sbin.dovecot | 11 +++++++----
4 files changed, 13 insertions(+), 4 deletions(-)
--- a/profiles/apparmor.d/usr.lib.dovecot.deliver
+++ b/profiles/apparmor.d/usr.lib.dovecot.deliver
@@ -17,4 +17,5 @@
@{HOME}/mail/.imap/** klrw,
/usr/lib/dovecot/deliver mr,
/var/mail/* klrw,
+ /var/spool/mail/* klrw,
}
--- a/profiles/apparmor.d/usr.lib.dovecot.imap
+++ b/profiles/apparmor.d/usr.lib.dovecot.imap
@@ -11,9 +11,13 @@
@{HOME} r,
@{HOME}/Maildir/ rw,
@{HOME}/Maildir/** klrw,
+ @{HOME}/Mail/ rw,
+ @{HOME}/Mail/* klrw,
+ @{HOME}/Mail/.imap/** klrw,
@{HOME}/mail/ rw,
@{HOME}/mail/* klrw,
@{HOME}/mail/.imap/** klrw,
/usr/lib/dovecot/imap mr,
/var/mail/* klrw,
+ /var/spool/mail/* klrw,
}
--- a/profiles/apparmor.d/usr.lib.dovecot.pop3
+++ b/profiles/apparmor.d/usr.lib.dovecot.pop3
@@ -9,6 +9,7 @@
capability setuid,
/var/mail/* klrw,
+ /var/spool/mail/* klrw,
@{HOME} r,
@{HOME}/mail/* klrw,
@{HOME}/mail/.imap/** klrw,
--- a/profiles/apparmor.d/usr.sbin.dovecot
+++ b/profiles/apparmor.d/usr.sbin.dovecot
@@ -13,9 +13,12 @@
capability setgid,
capability setuid,
capability sys_chroot,
+ capability fsetid,
/etc/dovecot/** r,
/etc/mtab r,
+ /etc/lsb-release r,
+ /etc/SuSE-release r,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
@@ -26,8 +29,8 @@
/usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/ssl-build-param ixr,
/usr/sbin/dovecot mr,
- /var/lib/dovecot/ w,
- /var/lib/dovecot/* krw,
- /var/run/dovecot/ rw,
- /var/run/dovecot/** rw,
+ /var/lib/dovecot/ wl,
+ /var/lib/dovecot/* krwl,
+ /var/run/dovecot/ rwl,
+ /var/run/dovecot/** rwl,
}
++++++ apparmor-profiles-samba ++++++
From: Jeff Mahoney
Subject: apparmor-profiles: Add samba config files
References: bnc#679182 bnc#666450
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/abstractions/samba | 5 +++--
profiles/apparmor.d/usr.sbin.nmbd | 6 ++++--
profiles/apparmor.d/usr.sbin.smbd | 3 +++
3 files changed, 10 insertions(+), 4 deletions(-)
--- a/profiles/apparmor.d/abstractions/samba
+++ b/profiles/apparmor.d/abstractions/samba
@@ -10,10 +10,11 @@
#
# ------------------------------------------------------------------
- /etc/samba/smb.conf r,
+ /etc/samba/* r,
/usr/share/samba/*.dat r,
/var/lib/samba/**.tdb rwk,
- /var/log/samba/cores/* w,
+ /var/log/samba/cores/ rw,
+ /var/log/samba/cores/* rw,
/var/log/samba/log.* w,
/var/run/samba/*.tdb rw,
--- a/profiles/apparmor.d/usr.sbin.nmbd
+++ b/profiles/apparmor.d/usr.sbin.nmbd
@@ -11,9 +11,11 @@
/usr/sbin/nmbd mr,
/var/cache/samba/browse.dat* rw,
+ /var/lib/samba/browse.dat* rw,
/var/lib/samba/wins.dat* rw,
- /var/run/samba/** rk,
- /var/run/samba/nmbd.pid rw,
+ /var/run/samba/** rwk,
+ /var/log/samba/cores rw,
+ /var/log/samba/cores/ rw,
/var/log/samba/cores/nmbd/ rw,
/var/log/samba/cores/nmbd/** rw,
}
--- a/profiles/apparmor.d/usr.sbin.smbd
+++ b/profiles/apparmor.d/usr.sbin.smbd
@@ -22,6 +22,9 @@
/etc/printcap r,
/proc/*/mounts r,
/usr/sbin/smbd mr,
+ /etc/samba/* rwk,
+ /etc/samba/passdb.tdb rwk,
+ /etc/samba/secrets.tdb rwk,
/var/cache/samba/** rwk,
/var/cache/samba/printing/printers.tdb mrw,
/var/lib/samba/** rwk,
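Review bot: `/etc/samba/* rwk` lets the network-facing smbd write every file in `/etc/samba`, including `smb.conf`, while the two lines that follow already cover the databases it actually needs to update. Narrowing the glob keeps the stated intent without making the daemon's own configuration writable: `/etc/samba/* r,` plus `/etc/samba/*.tdb rwk,`, after which the two explicit `.tdb` lines become redundant. The `abstractions/samba` hunk earlier in this patch already grants `/etc/samba/* r`, so the read half may not be needed here at all.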
++++++ apparmor-profiles-samba-3.6.3.diff ++++++
diff -u -p -Nur profiles/apparmor.d_ORIG/abstractions/samba profiles/apparmor.d/abstractions/samba
--- profiles/apparmor.d_ORIG/abstractions/samba 2011-08-11 19:33:08.000000000 +0200
+++ profiles/apparmor.d/abstractions/samba 2012-04-26 22:33:05.000000000 +0200
@@ -14,7 +14,7 @@
/usr/share/samba/*.dat r,
/var/lib/samba/**.tdb rwk,
/var/log/samba/cores/ rw,
- /var/log/samba/cores/* rw,
+ /var/log/samba/cores/** rw,
/var/log/samba/log.* w,
/var/run/samba/*.tdb rw,
diff -u -p -Nur profiles/apparmor.d_ORIG/usr.sbin.nmbd profiles/apparmor.d/usr.sbin.nmbd
--- profiles/apparmor.d_ORIG/usr.sbin.nmbd 2011-08-11 19:33:08.000000000 +0200
+++ profiles/apparmor.d/usr.sbin.nmbd 2012-04-26 22:38:35.000000000 +0200
@@ -9,7 +9,13 @@
capability net_bind_service,
+ /proc/sys/kernel/core_pattern r,
/usr/sbin/nmbd mr,
+ /var/{cache,lib}/samba/sync.* rw,
+ /var/{cache,lib}/samba/unexpected rw,
+ /var/{cache,lib}/samba/smb_krb5/krb5.conf* rw,
+ /var/{cache,lib}/samba/smb_krb5/ rw,
+ /var/{cache,lib}/samba/smb_tmp_krb5.* rw,
/var/cache/samba/browse.dat* rw,
/var/lib/samba/browse.dat* rw,
/var/lib/samba/wins.dat* rw,
diff -u -p -Nur profiles/apparmor.d_ORIG/usr.sbin.smbd profiles/apparmor.d/usr.sbin.smbd
--- profiles/apparmor.d_ORIG/usr.sbin.smbd 2011-08-11 19:33:08.000000000 +0200
+++ profiles/apparmor.d/usr.sbin.smbd 2012-04-26 22:36:45.000000000 +0200
@@ -12,6 +12,10 @@
#include
#include
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability lease,
capability net_bind_service,
capability setgid,
capability setuid,
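Review bot: The four new capability lines carry no justification, and `dac_override` / `dac_read_search` let smbd bypass DAC permission checks on any path the profile's file rules allow, so a reader cannot tell whether they are needed by the daemon itself or only by particular share setups. Add a why-comment per line, e.g. `capability dac_override, # smbd runs as root before switching to the share user` or, where the reason is unknown, `capability lease, # TODO: record the denial that required this`, so the grants can be revisited at the next audit. `fowner` and `lease` are the narrower pair; hedge the comment if their trigger is unconfirmed.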
@@ -19,12 +23,19 @@
capability sys_tty_config,
/etc/mtab r,
+ /etc/netgroup r,
/etc/printcap r,
/proc/*/mounts r,
+ /proc/sys/kernel/core_pattern r,
/usr/sbin/smbd mr,
/etc/samba/* rwk,
/etc/samba/passdb.tdb rwk,
/etc/samba/secrets.tdb rwk,
+ /usr/lib*/samba/auth/script.so mr,
+ /usr/lib*/samba/charset/*.so mr,
+ /usr/lib*/samba/{lowercase,upcase,valid}.dat r,
+ /usr/lib*/samba/vfs/*.so mr,
+ /usr/sbin/smbldap-useradd Px,
/var/cache/samba/** rwk,
/var/cache/samba/printing/printers.tdb mrw,
/var/lib/samba/** rwk,
diff -u -p -Nur profiles/apparmor.d_ORIG/usr.sbin.smbldap-useradd profiles/apparmor.d/usr.sbin.smbldap-useradd
--- profiles/apparmor.d_ORIG/usr.sbin.smbldap-useradd 1970-01-01 01:00:00.000000000 +0100
+++ profiles/apparmor.d/usr.sbin.smbldap-useradd 2012-04-26 22:37:09.000000000 +0200
@@ -0,0 +1,34 @@
+# Last Modified: Tue Jan 3 00:17:40 2012
+#include
+
+/usr/sbin/smbldap-useradd {
+ #include
+ #include
+ #include
+ #include
+
+ /dev/tty rw,
+ /bin/bash ix,
+ /etc/init.d/nscd Cx,
+ /etc/shadow r,
+ /etc/smbldap-tools/smbldap.conf r,
+ /etc/smbldap-tools/smbldap_bind.conf r,
+ /usr/sbin/smbldap-useradd r,
+ /usr/sbin/smbldap_tools.pm r,
+ /var/log/samba/log.smbd w,
+
+ profile /etc/init.d/nscd {
+ #include
+ #include
+
+ capability sys_ptrace,
+
+ /bin/bash r,
+ /bin/mountpoint rix,
+ /bin/systemctl rix,
+ /dev/tty rw,
+ /etc/init.d/nscd r,
+ /etc/rc.status r,
+
+ }
+}
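Review bot: `/etc/shadow r` in the new smbldap-useradd profile is a sensitive grant with no explanation, and because `/bin/bash ix` inherits the profile, anything bash runs from that context also gets the read; say what the tool needs shadow for, e.g. `/etc/shadow r, # TODO: confirm which smbldap-tools call reads this`. The nested `profile /etc/init.d/nscd` grants `capability sys_ptrace` and `/bin/systemctl rix`; the usual reason is the init script's process check, and a one-line comment to that effect would keep the child profile reviewable. Since `/usr/sbin/smbldap-useradd` is reached via `Px` from smbd in the preceding hunk, these rules are effectively part of what a compromised smbd can reach.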
++++++ apparmor-profiles-sshd-fix ++++++
From: Jeff Mahoney
Subject: Fix for sshd profile
References: bnc#457072
Without this patch, sshd won't work in enforce mode.
libselinux reads /proc/filesystems to determine whether SELinux is enabled.
bash won't execute
audit_control is probably from libselinux too
---
profiles/apparmor/profiles/extras/usr.sbin.sshd | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/profiles/apparmor/profiles/extras/usr.sbin.sshd
+++ b/profiles/apparmor/profiles/extras/usr.sbin.sshd
@@ -30,6 +30,8 @@
capability kill,
capability setgid,
capability setuid,
+ capability audit_control,
+ capability sys_ptrace,
/dev/ptmx rw,
/dev/urandom r,
@@ -44,11 +46,12 @@
@{PROC}/[0-9]*/fd/ r,
@{PROC}/[0-9]*/loginuid w,
+ @{PROC}/filesystems r,
# should only be here for use in non-change-hat openssh
# duplicated from EXEC hat
/bin/ash Ux,
- /bin/bash Ux,
+ /bin/bash rUx,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,
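Review bot: `capability sys_ptrace` is added to sshd without a reason, and the patch description only accounts for `audit_control` and `/proc/filesystems`; sys_ptrace is a broad grant (it also relaxes access checks on other users' `/proc/<pid>` entries), so the line should state what was denied, e.g. `capability sys_ptrace, # TODO: record the denial that required this`. `/bin/bash rUx` keeps the pre-existing unconfined transition and only adds the read the kernel now requires, which matches the description. Both hunks belong to the same profile, whose block starts before the first hunk.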
++++++ apparmor-profiles-syslog-ng-fix ++++++
--- a/profiles/apparmor.d/sbin.syslog-ng.old 2008-11-05 15:53:00.000000000 +0100
+++ b/profiles/apparmor.d/sbin.syslog-ng 2010-11-05 09:11:23.186489224 +0100
@@ -19,12 +19,14 @@
#include
#include
#include
+ #include
capability chown,
capability dac_override,
capability fsetid,
capability fowner,
capability sys_tty_config,
+ capability sys_resource,
/dev/log w,
/dev/syslog w,
@@ -35,11 +37,14 @@
/etc/hosts.deny r,
/etc/hosts.allow r,
/sbin/syslog-ng mr,
+ /usr/share/syslog-ng/** r,
# chrooted applications
@{CHROOT_BASE}/var/lib/*/dev/log w,
- @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist rw,
+ @{CHROOT_BASE}/var/lib/syslog-ng/syslog-ng.persist* rw,
@{CHROOT_BASE}/var/log/** w,
@{CHROOT_BASE}/var/run/syslog-ng.pid krw,
+ @{CHROOT_BASE}/var/run/syslog-ng.ctl rw,
+ /var/run/syslog-ng/additional-log-sockets.conf r,
}
++++++ apparmor-profiles-traceroute ++++++
---
profiles/apparmor.d/usr.sbin.traceroute | 2 ++
1 file changed, 2 insertions(+)
--- a/profiles/apparmor.d/usr.sbin.traceroute
+++ b/profiles/apparmor.d/usr.sbin.traceroute
@@ -18,6 +18,8 @@
capability net_raw,
+ network inet raw,
+
/usr/sbin/traceroute rmix,
@{PROC}/net/route r,
}
++++++ apparmor-profiles-usr.sbin.dnsmasq ++++++
From: Jeff Mahoney
Subject: dnsmasq: Profile fixes
References: bnc#666090 bnc#678749
Signed-off-by: Jeff Mahoney
---
profiles/apparmor.d/usr.sbin.dnsmasq | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/profiles/apparmor.d/usr.sbin.dnsmasq
+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
@@ -8,16 +8,28 @@
capability setgid,
capability setuid,
capability dac_override,
+ capability net_admin, # for DHCP server
+ capability net_raw, # for DHCP server ping checks
+ network inet raw,
/etc/dnsmasq.conf r,
/etc/dnsmasq.d/ r,
/etc/dnsmasq.d/* r,
+ /etc/ethers r,
/usr/sbin/dnsmasq mr,
/var/run/*dnsmasq*.pid w,
+ /var/run/dnsmasq-forwarders r,
/var/run/dnsmasq/ r,
/var/run/dnsmasq/* rw,
/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
+
+ # libvirt pid files for dnsmasq
+ /var/run/libvirt/network/ r,
+ /var/run/libvirt/network/*.pid rw,
+ /var/lib/libvirt/dnsmasq/ r,
+ /var/lib/libvirt/dnsmasq/*.hostsfile r,
+
}
++++++ apparmor-remove-repo ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Allow repository to be completely disabled
This patch allows the repository to be completely disabled. It's been
subject to massive bitrot and isn't really maintained.
It will only confuse the user if they are asked for repository information
and it doesn't work.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 5 +++++
utils/logprof.conf | 4 ++++
2 files changed, 9 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -3107,6 +3107,8 @@ sub UI_repo_signup {
sub UI_ask_to_enable_repo {
my $q = { };
+ return if (defined $cfg->{settings}{allow_repository} &&
+ $cfg->{settings}{allow_repository} eq "no");
return if ( not defined $cfg->{repository}{url} );
$q->{headers} = [
gettext("Repository"), $cfg->{repository}{url},
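Review bot: The `allow_repository eq "no"` test added here is repeated verbatim in `repo_is_enabled` in the next hunk; a small `sub repo_allowed` that holds the test once and is called from both keeps the two from drifting if other spellings (`false`, `0`) are accepted later. `UI_ask_to_enable_repo` cannot simply call `repo_is_enabled`, since that also requires the repository to be enabled already, so a shared predicate is the right seam. `UI_ask_to_enable_repo` continues outside the hunk.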
@@ -3231,6 +3233,8 @@ sub get_preferred_user ($) {
sub repo_is_enabled () {
my $enabled;
+ return 0 if defined($cfg->{settings}{allow_repository}) &&
+ $cfg->{settings}{allow_repository} eq "no";
if ($cfg->{repository}{url} &&
$repo_cfg &&
$repo_cfg->{repository}{enabled} &&
@@ -3244,6 +3248,7 @@ sub repo_is_enabled () {
sub update_repo_profile {
my $profile = shift;
+ return undef if not repo_is_enabled();
return undef if ( not is_repo_profile($profile) );
my $distro = $cfg->{repository}{distro};
my $url = $profile->{repo}{url};
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -35,6 +35,10 @@
# files.
custom_includes =
+ # whether to prompt to enable repositories (values: yes/no)
+ # This feature has fallen to bitrot and should not be used.
+ allow_repository = no
+
[repository]
distro = ubuntu-intrepid
++++++ apparmor-scripts ++++++
---
parser/rc.aaeventd.suse | 2 +-
parser/rc.apparmor.functions | 16 ++++++++--------
parser/rc.apparmor.suse | 23 ++++++++++++++++++++++-
3 files changed, 31 insertions(+), 10 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -30,7 +30,7 @@
### BEGIN INIT INFO
# Provides: aaeventd
# Required-Start: apparmor
-# Required-Stop:
+# Required-Stop: $null
# Default-Start: 2 3 5
# Default-Stop:
# Short-Description: AppArmor Notification and Reporting
--- a/parser/rc.apparmor.functions
+++ b/parser/rc.apparmor.functions
@@ -111,9 +111,7 @@ is_apparmor_present() {
# check for subdomainfs version of module
grep -qE "^($modules)[[:space:]]" /proc/modules
- if [ $? -ne 0 ] ; then
- ls /sys/module/apparmor 2>/dev/null | grep -qE "^($modules)"
- fi
+ [ $? -ne 0 -a -d /sys/module/apparmor ]
return $?
}
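Review bot: The rewritten check inverts the result when the module is listed in `/proc/modules`: `[ $? -ne 0 -a -d /sys/module/apparmor ]` is true only when grep failed, so a successful grep now makes `is_apparmor_present` return 1. The original fell back to sysfs only on grep failure and otherwise returned grep's status. `grep -qE "^($modules)[[:space:]]" /proc/modules || [ -d /sys/module/apparmor ]` followed by the existing `return $?` preserves that and drops the deprecated `-a`.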
@@ -380,10 +378,11 @@ apparmor_start() {
configure_owlsm
# if there is anything in the profiles file don't load
- cat "$SFS_MOUNTPOINT/profiles" | if ! read line ; then
+ if ! read line < "$SFS_MOUNTPOINT/profiles"; then
parse_profiles load
else
- aa_log_skipped_msg "AppArmor already loaded with profiles."
+ aa_log_skipped_msg ": already loaded with profiles."
+ return 0
fi
aa_log_end_msg 0
return 0
@@ -415,7 +414,8 @@ remove_profiles() {
#them so stor to tmp first
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- cat "$MODULE_PLIST" | while read profile ; do
+ # Skip subprofiles, they'll be removed with the owning profile
+ grep -v // "$MODULE_PLIST" | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
rc=$?
if [ ${rc} -ne 0 ] ; then
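Review bot: `while IFS= read profile` still lacks `-r`, so a profile name containing a backslash is altered before it is written to `.remove` and that profile is silently left loaded; the `__apparmor_restart` loop later in this patch has the same omission. `grep -v // "$MODULE_PLIST" | while IFS= read -r profile ; do` fixes this one, and the restart loop needs the same `-r`. The function body starts and ends outside this hunk.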
@@ -430,7 +430,7 @@ apparmor_stop() {
aa_log_daemon_msg "Unloading AppArmor profiles "
remove_profiles
rc=$?
- log_end_msg $rc
+ aa_log_end_msg $rc
return $rc
}
@@ -468,7 +468,7 @@ __apparmor_restart() {
profiles_names_list ${PNAMES_LIST}
MODULE_PLIST=$(mktemp ${APPARMOR_TMPDIR}/tmp.XXXXXXXX)
sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | sort >"$MODULE_PLIST"
- sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while read profile ; do
+ sort "$PNAMES_LIST" | comm -2 -3 "$MODULE_PLIST" - | while IFS= read profile ; do
echo -n "$profile" > "$SFS_MOUNTPOINT/.remove"
done
rm "$MODULE_PLIST"
--- a/parser/rc.apparmor.suse
+++ b/parser/rc.apparmor.suse
@@ -34,6 +34,7 @@
# Required-Start: boot.cleanup
# Required-Stop: $null
# Should-Start: $local_fs
+# Should-Stop: $null
# Default-Start: B
# Default-Stop:
# Short-Description: AppArmor initialization
@@ -76,7 +77,19 @@ aa_log_warning_msg() {
}
aa_log_failure_msg() {
- log_failure_msg $*
+ log_failure_msg '\n'$*
+}
+
+aa_log_action_begin() {
+ echo -n
+}
+
+aa_log_action_end() {
+ echo -n
+}
+
+aa_log_daemon_msg() {
+ echo -en "$@ "
}
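Review bot: `log_failure_msg '\n'$*` leaves `$*` unquoted, so a message containing `*`, `?` or runs of whitespace is glob-expanded and re-split before it is printed; `log_failure_msg '\n'"$*"` keeps the literal message. The empty `aa_log_action_begin` / `aa_log_action_end` stubs read as unfinished without a comment; if they exist only to satisfy distribution-neutral callers, a one-liner such as `# no-op: SUSE rc_status prints the action itself` inside each would say so (presumed, confirm against the callers).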
aa_log_skipped_msg() {
@@ -84,6 +97,14 @@ aa_log_skipped_msg() {
echo -e "$rc_skipped"
}
+aa_log_end_msg() {
+ v="-v"
+ if [ "$1" != '0' ]; then
+ rc="-v$1"
+ fi
+ rc_status $v
+}
+
usage() {
echo "Usage: $0 {start|stop|restart|try-restart|reload|force-reload|status|kill}"
}
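Review bot: `aa_log_end_msg` assigns the global `rc="-v$1"` but never uses it, and `rc_status $v` always runs with `-v` after an `if` whose status is 0, so a non-zero `$1` is neither reported nor reflected. Worse, the assignment clobbers the caller's `rc`: `apparmor_stop` in rc.apparmor.functions (earlier in this patch) does `rc=$?; aa_log_end_msg $rc; return $rc`, which after this function becomes `return -v1`. Replacing the body with `( exit "${1:-0}" )` followed by `rc_status -v` seeds `$?` for rc_status without touching any caller variable, assuming rc_status reports on `$?` as SUSE's rc.status does.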
++++++ apparmor-startproc.patch ++++++
---
parser/rc.aaeventd.suse | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/parser/rc.aaeventd.suse
+++ b/parser/rc.aaeventd.suse
@@ -81,9 +81,9 @@ usage() {
start_aa_event() {
if [ -x "$AA_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $AA_EV_PIDFILE $AA_EV_BIN -p $AA_EV_PIDFILE
elif [ -x "$SD_EV_BIN" -a "${APPARMOR_ENABLE_AAEVENTD}" = "yes" ] ; then
- sd_action "Starting AppArmor Event daemon" startproc -f -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
+ sd_action "Starting AppArmor Event daemon" startproc -p $SD_EV_PIDFILE $SD_EV_BIN -p $SD_EV_PIDFILE
fi
}
++++++ apparmor-swig-build-fix ++++++
---
libraries/libapparmor/swig/perl/Makefile.am | 1 +
1 file changed, 1 insertion(+)
--- a/libraries/libapparmor/swig/perl/Makefile.am
+++ b/libraries/libapparmor/swig/perl/Makefile.am
@@ -9,6 +9,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibA
Makefile.perl: Makefile.PL
$(PERL) $< PREFIX=$(prefix) MAKEFILE=$@
+ sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl
LibAppArmor.so: libapparmor_wrap.c Makefile.perl
if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
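Review bot: `sed -ie 's/^LD_RUN_PATH.*//g' Makefile.perl` is parsed by GNU sed as `-i` with backup suffix `e`, so every build leaves a stray `Makefile.perle` in the tree; the intended form is `sed -i -e 's/^LD_RUN_PATH.*//' Makefile.perl` (the `g` flag is a no-op on an anchored pattern). Since the edit removes the variable that would bake a run-time search path into the built module, a recipe comment such as `# strip LD_RUN_PATH so the .so carries no build-tree rpath` would record why the line is there.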
++++++ apparmor-translation-fixes ++++++
---
utils/SubDomain.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2304,7 +2304,7 @@ sub handlechildren {
unless (-e getprofilefilename($exec_target)) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$helpers{$exec_target} = "enforce";
@@ -2331,7 +2331,7 @@ sub handlechildren {
unless ($sd{$profile}{$exec_target}) {
my $ynans = "y";
if ($exec_mode & str_to_mode("i")) {
- $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist create one?"), $exec_target), "n");
+ $ynans = UI_YesNo(sprintf(gettext("A local profile for %s does not exist. Create one?"), $exec_target), "n");
}
if ($ynans eq "y") {
$hat = $exec_target;
++++++ apparmor-utils-SubDomain ++++++
---
utils/Reports.pm | 2 +-
utils/SubDomain.pm | 2 +-
utils/genprof | 4 ++--
utils/rc.sd-event-dispatch.suse | 10 +++++-----
utils/unconfined | 2 +-
5 files changed, 10 insertions(+), 10 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -14,7 +14,7 @@ package Immunix::Reports;
################################################################################
# /usr/lib/perl5/site_perl/Reports.pm
#
-# - Parses /var/log/messages for SubDomain messages
+# - Parses /var/log/messages for AppArmor messages
# - Writes results to .html or comma-delimited (.csv) files (Optional)
#
# Requires:
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1590,7 +1590,7 @@ my %CMDS = (
CMD_GLOBEXT => "Glob w/(E)xt",
CMD_ADDHAT => "(A)dd Requested Hat",
CMD_USEDEFAULT => "(U)se Default Hat",
- CMD_SCAN => "(S)can system log for SubDomain events",
+ CMD_SCAN => "(S)can system log for AppArmor events",
CMD_HELP => "(H)elp",
CMD_VIEW_PROFILE => "(V)iew Profile",
CMD_USE_PROFILE => "(U)se Profile",
--- a/utils/genprof
+++ b/utils/genprof
@@ -52,7 +52,7 @@ GetOptions(
my $sd_mountpoint = check_for_subdomain();
unless ($sd_mountpoint) {
- fatal_error(gettext("SubDomain does not appear to be started. Please enable SubDomain and try again."));
+ fatal_error(gettext("AppArmor does not appear to be started. Please enable AppArmor and try again."));
}
# let's convert it to full path...
@@ -166,7 +166,7 @@ for my $p (sort keys %helpers) {
}
}
-UI_Info(gettext("Reloaded SubDomain profiles in enforce mode."));
+UI_Info(gettext("Reloaded AppArmor profiles in enforce mode."));
UI_Info(sprintf(gettext('Finished generating profile for %s.'), $fqdbin));
exit 0;
--- a/utils/rc.sd-event-dispatch.suse
+++ b/utils/rc.sd-event-dispatch.suse
@@ -7,14 +7,14 @@
# /usr/sbin/rcsd-event-dispatch
#
# chkconfig: 2345 01 99
-# description: SubDomain event dispatcher
+# description: AppArmor event dispatcher
#
### BEGIN INIT INFO
# Provides: sd-event-dispatch
# Required-Start: subdomain
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
-# Description: Start the SubDomain event dispacher
+# Description: Start the AppArmor event dispacher
### END INIT INFO
SD_EV_BIN=/usr/sbin/sd-event-dispatch.pl
@@ -38,7 +38,7 @@ rc_reset
case "$1" in
start)
- echo -n "Starting SubDomain Event daemon"
+ echo -n "Starting AppArmor Event daemon"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
@@ -48,7 +48,7 @@ case "$1" in
rc_status -v
;;
stop)
- echo -n "Shutting down SubDomain Event daemon"
+ echo -n "Shutting down AppArmor Event daemon"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
@@ -75,7 +75,7 @@ case "$1" in
rc_status
;;
status)
- echo -n "Checking for SubDomain Event daemon"
+ echo -n "Checking for AppArmor Event daemon"
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("SubDomain does not appear to be started. Please enable SubDomain and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;
++++++ apparmor-utils-add-log-types ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Add support for creds and path operations
References: bnc#564316
2.6.29 introduced the path security_operations and credentials
This patch adds support for those operations to the log parser.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2789,7 +2789,9 @@ sub add_event_to_tree ($) {
""
);
}
- } elsif ($e->{operation} =~ m/file_/) {
+ } elsif ($e->{operation} =~ m/file_/ or
+ # These are the path operations introduced in 2.6.29
+ $e->{operation} =~ m/^(open|unlink|mkdir|rmdir|mknod|truncate|symlink_create|link|rename_src|rename_dest)$/) {
add_to_tree( $e->{pid},
$e->{parent},
"path",
++++++ apparmor-utils-cleanup-on-abort ++++++
From: Jeff Mahoney
Subject: [PATCH] apparmor-utils: cleanup after abort in genprof
References: bnc#307067
The initial generation of the base profile is required to be written out
to put the process in complain mode for observation. If the user
decides to abort the profiling session, that base profile is left
behind.
This patch removes all profiles created during the run up to an abort.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 3 +++
1 file changed, 3 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1750,6 +1750,9 @@ sub confirm_and_abort {
if ($ans eq "y") {
UI_Info(gettext("Abandoning all changes."));
shutdown_yast();
+ foreach my $prof (@created) {
+ delete_profile($prof);
+ }
exit 0;
}
}
++++++ apparmor-utils-filenames-in-slash ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Fix handling of files in /
References: bnc#397883
The separate handling of files and directories with realpath is broken.
For files e.g. /foo, $dir ends up being empty since the / is eaten by
the regex. realpath resolves an empty argument as the current directory,
resulting in an incorrect path.
There's no explanation of why the separate handling was used in the
first place.
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -511,14 +511,7 @@ sub get_full_path ($) {
}
}
- if (-f $path) {
- my ($dir, $file) = $path =~ m/^(.*)\/(.+)$/;
- $path = realpath($dir) . "/$file";
- } else {
- $path = realpath($path);
- }
-
- return $path;
+ return realpath($path);
}
sub findexecutable ($) {
++++++ apparmor-utils-inherit-flags-during-profile-generation ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Inherit flags in sub-profiles when generating profiles
References: bnc#496204
When creating profiles with cx subprofiles, genprof will set the
sub-profile in enforce mode. When genprof cycles multiple times, it
prohibits the sub-profile from working correctly.
e.g.
# Last Modified: Mon Jan 24 13:52:26 2011
#include
/home/jeffm/mycat flags=(complain) {
#include
#include
#include
/bin/bash ix,
/bin/cat cx,
/home/jeffm/mycat r,
profile /bin/cat {
#include
/bin/cat r,
/home/jeffm/mycat r,
}
}
This patch allows sub-profiles to inherit the flags from the parent
profile, which allows it to be created in complain mode (if appropriate).
The temporary complain flags are cleaned up at genprof completion as
expected.
This issue was reported at: https://bugzilla.novell.com/show_bug.cgi?id=496204
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 6 ++++++
1 file changed, 6 insertions(+)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2337,6 +2337,12 @@ sub handlechildren {
# we have seen more than a declaration so clear it
$sd{$profile}{$hat}{'declared'} = 0;
$sd{$profile}{$hat}{profile} = 1;
+
+ # Otherwise sub-profiles end up getting
+ # put in enforce mode with genprof
+ $sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;
+
+ $sd{$profile}{$hat}{flags} = 'complain';
$sd{$profile}{$hat}{allow}{path} = { };
$sd{$profile}{$hat}{allow}{netdomain} = { };
my $file = $sd{$profile}{$profile}(unknown);
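Review bot: The inherited-flags assignment is dead as written: `$sd{$profile}{$hat}{flags} = $sd{$profile}{$profile}{flags} if $profile ne $hat;` is overwritten two lines later by the unconditional `$sd{$profile}{$hat}{flags} = 'complain';`, so every sub-profile is forced into complain regardless of the parent (unless the second line is context whose marker was lost in this listing). If the description's intent stands, the unconditional line should go, or be limited to `if $profile eq $hat`. `handlechildren` continues outside the hunk.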
++++++ apparmor-utils-null-path-fix ++++++
From: Jeff Mahoney
Subject: Subdomain.pm: Fix for null path
References: bnc#407959
When handling the following log entry, logprof will spew perl errors and
ultimately generate an invalid config: "r,"
Since there is nothing to do with a null path, just skip to the next entry.
type=APPARMOR_DENIED msg=audit(1214497030.421:39): operation="inode_permission" info="Failed name resolution - object not a valid entry" requested_mask="r" denied_mask="r" pid=31367 profile="/usr/sbin/httpd2-worker
---
utils/SubDomain.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1905,7 +1905,7 @@ sub handlechildren {
$hat = $h;
}
- next unless $profile && $hat;
+ next unless $profile && $hat && $detail;
my $domainchange = ($type eq "exec") ? "change" : "nochange";
# escape special characters that show up in literal paths
++++++ apparmor-utils-string-split ++++++
From: Jeff Mahoney
Subject: SubDomain.pm: Split long string
The string split here ends up not displaying well in yast.
---
utils/SubDomain.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -6241,7 +6241,12 @@ sub check_qualifiers {
if ($cfg->{qualifiers}{$program}) {
unless($cfg->{qualifiers}{$program} =~ /p/) {
- fatal_error(sprintf(gettext("\%s is currently marked as a program that should not have it's own profile. Usually, programs are marked this way if creating a profile for them is likely to break the rest of the system. If you know what you're doing and are certain you want to create a profile for this program, edit the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
+ fatal_error(sprintf(gettext(
+"\%s is currently marked as a program that should not have its own\n".
+"profile. Usually, programs are marked this way if creating a profile for \n".
+"them is likely to break the rest of the system. If you know what you're\n".
+"doing and are certain you want to create a profile for this program, edit\n".
+"the corresponding entry in the [qualifiers] section in /etc/apparmor/logprof.conf."), $program));
}
}
}
++++++ apparmor-utils-translation-unification ++++++
From: Jeff Mahoney
Subject: apparmor-utils: Translation unification
References: bnc#586072
This patch removes small inconsistencies between identical strings to
allow for easier translation.
Reported-by: Isis Binder
Signed-off-by: Jeff Mahoney
---
utils/Reports.pm | 6 +++---
utils/unconfined | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/utils/Reports.pm
+++ b/utils/Reports.pm
@@ -967,7 +967,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
@@ -980,7 +980,7 @@ sub getEssStats {
};
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
@@ -988,7 +988,7 @@ sub getEssStats {
eval { $ret = $dbh->selectall_arrayref("$query"); };
if ($@) {
- ycp::y2error(sprintf(gettext("DBI Execution failed: %s"), $DBI::errstr));
+ ycp::y2error(sprintf(gettext("DBI Execution failed: %s."), $DBI::errstr));
return;
}
--- a/utils/unconfined
+++ b/utils/unconfined
@@ -54,7 +54,7 @@ sub usage {
my $subdomainfs = check_for_subdomain();
-die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
+die gettext("AppArmor does not appear to be started. Please enable AppArmor and try again.") . "\n"
unless $subdomainfs;
my @pids;
++++++ apparmorapplet-gnome-build-fix ++++++
---
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c | 1 +
1 file changed, 1 insertion(+)
--- a/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
+++ b/deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
@@ -11,6 +11,7 @@
#include
#include
#include
+#include
#include "preferences_dialog.h"
#include "reject_list.h"
#include "apparmor-applet.h"
++++++ baselibs.conf ++++++
pam_apparmor
supplements "packageand(pam_apparmor:pam-<targettype>)"
libapparmor1
obsoletes "libapparmor-<targettype> <= <version>"
provides "libapparmor-<targettype> = <version>"
++++++ genprof-whitespace-in-profile-fix ++++++
From: Jeff Mahoney
Subject: apparmor-utils: setprofileflags() drops leading whitespace
References: bnc#480795
setprofileflags() drops leading whitespace for subprofiles. writeheader()
properly indents subprofiles 2 spaces per nesting level but when
genprof sets the profile to enforce mode at completion, the whitespace
is removed.
This patch adds the whitespace globbing to the regexp and uses it to
prefix the sub-profile with the correct spacing.
Reported at: https://bugzilla.novell.com/show_bug.cgi?id=480795
Signed-off-by: Jeff Mahoney
---
utils/SubDomain.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -1033,13 +1033,13 @@ sub setprofileflags ($$) {
if (open(PROFILE, "$filename")) {
if (open(NEWPROFILE, ">$filename.new")) {
while (<PROFILE>) {
- if (m/^\s*(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
- my ($binary, $flags) = ($1, $5);
+ if (m/^(\s*)(("??\/.+?"??)|(profile\s+("??.+?"??)))\s+(flags=\(.+\)\s+)*\{\s*$/) {
+ my ($space, $binary, $flags) = ($1, $2, $6);
if ($newflags) {
- $_ = "$binary flags=($newflags) {\n";
+ $_ = "$space$binary flags=($newflags) {\n";
} else {
- $_ = "$binary {\n";
+ $_ = "$space$binary {\n";
}
} elsif (m/^(\s*\^\S+)\s+(flags=\(.+\)\s+)*\{\s*$/) {
my ($hat, $flags) = ($1, $2);
++++++ klog-needs-CAP_SYSLOG ++++++
---
parser/parser_misc.c | 4 ++++
profiles/apparmor.d/sbin.klogd | 1 +
2 files changed, 5 insertions(+)
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -122,6 +122,9 @@ static int get_table_token(const char *n
static struct keyword_table capability_table[] = {
/* capabilities */
#include "cap_names.h"
+#ifndef CAP_SYSLOG
+ {"syslog", 34},
+#endif
/* terminate */
{NULL, 0}
};
@@ -820,6 +823,7 @@ static const char *capnames[] = {
"audit_control",
"setfcap",
"mac_override"
+ "syslog",
};
const char *capability_to_name(unsigned int cap)
--- a/profiles/apparmor.d/sbin.klogd
+++ b/profiles/apparmor.d/sbin.klogd
@@ -15,6 +15,7 @@
#include
capability sys_admin,
+ capability syslog,
network inet stream,
++++++ mod_apparmor-includes ++++++
---
changehat/mod_apparmor/Makefile | 6 +-----
changehat/mod_apparmor/mod_apparmor.c | 6 +-----
2 files changed, 2 insertions(+), 10 deletions(-)
--- a/changehat/mod_apparmor/Makefile
+++ b/changehat/mod_apparmor/Makefile
@@ -42,11 +42,7 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2"
fi )
APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
DESTDIR=
-LIBAPPARMOR_FLAGS=$(shell if [ -f /usr/lib/libapparmor.so -o -f /usr/lib64/libapparmor.so ] ; then \
- echo -lapparmor ; \
- else \
- echo -DUSE_COMPAT_IMMUNIX_H -limmunix ;\
- fi)
+LIBAPPARMOR_FLAGS="-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor"
all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
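Review bot: The new `LIBAPPARMOR_FLAGS` value is wrapped in double quotes inside the make assignment, so if the variable is expanded bare in a recipe the shell hands the compiler a single word `-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor` and both paths are silently wrong; make variables need no quoting, `LIBAPPARMOR_FLAGS=-I../../libraries/libapparmor/src -L../../libraries/libapparmor/src/.libs -lapparmor`. This only matters if the use site (outside the hunk) does not re-split the value, so confirm there. The change also drops the installed-library fallback the old shell test provided, which is fine for an in-tree build but worth a one-line comment.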
--- a/changehat/mod_apparmor/mod_apparmor.c
+++ b/changehat/mod_apparmor/mod_apparmor.c
@@ -24,11 +24,7 @@
#include "apr_strings.h"
#include "apr_lib.h"
-#ifndef USE_COMPAT_IMMUNIX_H
-#include
-#else
-#include
-#endif
+#include "apparmor.h"
#include
/* #define DEBUG */
++++++ pam-apparmor-include ++++++
From: Jeff Mahoney
Subject: apparmor: Fix pam includes/linking
---
changehat/pam_apparmor/Makefile | 6 +++---
changehat/pam_apparmor/pam_apparmor.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/changehat/pam_apparmor/Makefile
+++ b/changehat/pam_apparmor/Makefile
@@ -27,8 +27,8 @@ common/Make.rules: $(COMMONDIR)/Make.rul
ln -sf $(COMMONDIR) .
endif
-EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall
-LINK_FLAGS=-Xlinker -x
+EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall -I../../libraries/libapparmor/src/
+LINK_FLAGS=-Xlinker -x -L../../libraries/libapparmor/src/.libs
LIBS=-lpam -lapparmor
OBJECTS=${NAME}.o get_options.o
@@ -42,7 +42,7 @@ $(NAME).so: ${OBJECTS}
# need some better way of determining this
DESTDIR=/
-SECDIR=${DESTDIR}/lib/security
+SECDIR ?= ${DESTDIR}/lib/security
.PHONY: install
install: $(NAME).so
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@@ -27,7 +27,7 @@
#include
#include
#include
-#include
+#include "apparmor.h"
#include
#include
++++++ rpmlintrc ++++++
addFilter("devel-file-in-non-devel-package.*/usr/lib64/libJNIChangeHat.so")
addFilter("devel-file-in-non-devel-package.*/usr/lib/libJNIChangeHat.so")
addFilter("shlib-policy-name-error.*libJNIChangeHat0")
++++++ tomcat-build-fixes ++++++
---
changehat/tomcat_apparmor/tomcat_5_5/build.xml | 15 +++++-----
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c | 2 -
changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile | 4 +-
3 files changed, 11 insertions(+), 10 deletions(-)
--- a/changehat/tomcat_apparmor/tomcat_5_5/build.xml
+++ b/changehat/tomcat_apparmor/tomcat_5_5/build.xml
@@ -4,8 +4,8 @@
<property name="jni_src" location="src/jni_src"/>
<property name="build" location="build"/>
<property name="install_root" location="/"/>
- <property name="catalina_home" location="/usr/share/tomcat5"/>
- <property name="lib" location="lib"/>
+ <property name="catalina_home" location="/usr/share/tomcat6"/>
+ <property name="lib" location="/usr/share/tomcat6/bin"/>
<property name="install_lib" value="/lib"/>
<property name="dist" location="dist"/>
<property name="jarfile" location="${dist}/${ant.project.name}.jar"/>
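Review bot: The new `lib` property hard-codes `/usr/share/tomcat6/bin` on the line directly after `catalina_home` was set to `/usr/share/tomcat6`, so the two can drift apart at the next Tomcat bump; `<property name="lib" location="${catalina_home}/bin"/>` ties them together, and the other hunks in this file already derive their paths from `${catalina_home}`. Since the build now targets Tomcat 6 while the directory is still named tomcat_5_5, a comment on the `catalina_home` property naming the Tomcat version it is meant for would spare readers the mismatch.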
@@ -18,10 +18,11 @@
<include name="**/*.jar"/>
</fileset>
- <fileset id="tomcat.jars" dir="${catalina_home}/server/lib">
+ <fileset id="tomcat.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
- <fileset id="servlet.jars" dir="${catalina_home}/common/lib">
+
+ <fileset id="servlet.jars" dir="${catalina_home}/lib">
<include name="**/*.jar"/>
</fileset>
@@ -80,9 +81,9 @@
</target>
<target name="install_jar" depends="jni_so" description="Install jar file">
- <mkdir dir="${install_root}/${catalina_home}/server/lib/"/>
- <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
- <chmod perm="644" file="${install_root}/${catalina_home}/server/lib/${ant.project.name}.jar"/>
+ <mkdir dir="${install_root}/${catalina_home}/lib/"/>
+ <copy file="${jarfile}" tofile="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
+ <chmod perm="644" file="${install_root}/${catalina_home}/lib/${ant.project.name}.jar"/>
</target>
<target name="clean" description="Remove build and dist directories">
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
@@ -13,7 +13,7 @@
#include "jni.h"
#include
-#include "sys/apparmor.h"
+#include "apparmor.h"
#include "com_novell_apparmor_JNIChangeHat.h"
/* c intermediate lib call for Java -> JNI -> c library execution of the change_hat call */
--- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
+++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/Makefile
@@ -4,7 +4,7 @@ LIB = lib/
LIBDIR = /usr/${LIB}
INCLUDE = ${LIBDIR}/jvm/java/include
CFLAGS = -g -O2 -Wall -Wstrict-prototypes -Wl,-soname,$@.${SO_VERS} -pipe -fpic -D_REENTRANT
-INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux
+INCLUDES = -I$(INCLUDE) -I$(INCLUDE)/linux -I$(TOP)/../../../libraries/libapparmor/src/
CLASSFILE = ${CLASSPATH}/com/novell/apparmor/${JAVA_CLASSNAME}.class
DESTDIR = ${TOP}/dist
SO_VERS = 1
@@ -20,7 +20,7 @@ ${JAVA_CLASSNAME}.java com_novell_apparm
javah -jni -classpath ${CLASSPATH} com.novell.apparmor.${JAVA_CLASSNAME}
${TARGET}.so: ${JAVA_CLASSNAME}.c ${JAVA_CLASSNAME}.java com_novell_apparmor_${JAVA_CLASSNAME}.h
- gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -lapparmor
+ gcc ${INCLUDES} ${CFLAGS} -shared -o ${TARGET}.so ${JAVA_CLASSNAME}.c -L$(TOP)/../../../libraries/libapparmor/src/.libs -lapparmor
install: ${TARGET}.so
install -d $(DESTDIR)/${LIB} $(DESTDIR)${LIBDIR}
++++++ update-trans.sh ++++++
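#!/bin/sh
# Regenerate the apparmor.pot translation template from the C, C++ and Perl
# sources, then merge it into every .po catalogue found below the working
# directory, collecting the results under po/.
#
# Kept POSIX-sh compatible on purpose: the script carried no shebang before,
# so it may well be invoked as "sh update-trans.sh"; no bashisms here.
#
# Requires the gettext tools (xgettext, msgcat, msgmerge), sed and find.
# Must be run from the top of the source tree: all paths below are relative.
#
# -e: abort on the first failing command. Without it a failed xgettext or
#     msgcat left an empty apparmor.pot, and msgmerge -U then marked every
#     existing translation in every .po file as obsolete.
# -u: catch typos in variable names.
set -eu

# Whitespace-separated source lists. None of the entries contain spaces,
# so the deliberately unquoted $CFILES/$CPPFILES/$PERLFILES expansions
# below are safe.
CFILES="
deprecated/management/applets/apparmorapplet-gnome/src/apparmor-applet.c
deprecated/management/applets/apparmorapplet-gnome/src/preferences_dialog.c
deprecated/management/applets/apparmorapplet-gnome/src/reject_list.c
parser/parser_alias.c
parser/parser_include.c
parser/parser_interface.c
parser/parser_lex.l
parser/parser_main.c
parser/parser_merge.c
parser/parser_misc.c
parser/parser_policy.c
parser/parser_regex.c
parser/parser_symtab.c
parser/parser_variable.c
parser/parser_yacc.y
"
CPPFILES="
deprecated/management/profile-editor/src/AboutDialog.cpp
deprecated/management/profile-editor/src/AboutDialog.h
deprecated/management/profile-editor/src/Configuration.cpp
deprecated/management/profile-editor/src/Preferences.cpp
deprecated/management/profile-editor/src/Preferences.h
deprecated/management/profile-editor/src/profileeditor.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.cpp
deprecated/management/profile-editor/src/SearchAllProfiles.h
parser/libapparmor_re/regexp.yy
"
PERLFILES="
utils/aa-repo.pl
utils/audit
utils/autodep
utils/complain
utils/enforce
utils/genprof
utils/logprof
utils/Reports.pm
utils/SubDomain.pm
utils/unconfined
"

# xgettext with the options shared by all three extraction runs.
# Arguments: language flag, output file and the source files to scan.
run_xgettext() {
  xgettext --keyword=_ --keyword=N_ -n --force-po "$@"
}

# All catalogues are collected under po/; fail early and clearly instead of
# once per file inside the loop below.
if [ ! -d po ]; then
  printf 'update-trans.sh: po/ directory not found; run from the source tree root\n' >&2
  exit 1
fi

# shellcheck disable=SC2086 -- word-splitting of the file lists is intended
run_xgettext --output=apparmor-C.pot -L C $CFILES
# shellcheck disable=SC2086
run_xgettext --output=apparmor-CPP.pot -L C++ $CPPFILES
# shellcheck disable=SC2086
run_xgettext --output=apparmor-PERL.pot -L Perl $PERLFILES

# Combine the per-language templates into one (the glob does not match
# apparmor.pot itself, so a stale template is never merged back in).
msgcat apparmor-*.pot > apparmor.pot

# Replace the placeholder header fields xgettext emits. Written to a sibling
# file first so a failing sed never truncates apparmor.pot in place.
sed \
  -e 's/Project-Id-Version: PACKAGE VERSION/Project-Id-Version: apparmor/g' \
  -e 's/PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE/PO-Revision-Date: 2009-02-05 13:38/' \
  -e 's/Report-Msgid-Bugs-To: /Report-Msgid-Bugs-To: apparmor-general@forge.novell.com/' \
  -e 's/Last-Translator: FULL NAME /Last-Translator: Novell Language /' \
  -e 's/Language-Team: LANGUAGE /Language-Team: Novell Language /' \
  -e 's/Content-Type: text\/plain; charset=CHARSET/Content-Type: text\/plain; charset=UTF-8/' \
  < apparmor.pot > apparmor.pot.new
mv apparmor.pot.new apparmor.pot

# Update every catalogue against the new template and fold it into po/<name>.
# find's output is read line by line instead of "for file in $(find ...)",
# so names containing spaces survive (names with newlines are not expected
# in this tree). The loop body runs in a subshell; it sets no variables the
# rest of the script needs.
find . -name '*.po' | while IFS= read -r file; do
  f=${file##*/}
  msgmerge -U apparmor.pot "$file"
  # find also lists the po/*.po files themselves; msgmerge above has already
  # updated those, and msgcat-ing a file with itself adds nothing.
  case $file in
    ./po/"$f" | po/"$f") continue ;;
  esac
  if [ -e "po/$f" ]; then
    # Merge into a sibling temp file rather than "./$f": the old location
    # could collide with an unrelated file of the same name in the top
    # directory, and a sibling rename is atomic and keeps the umask mode.
    msgcat "$file" "po/$f" > "po/$f.new"
    mv -- "po/$f.new" "po/$f"
  else
    cp -- "$file" "po/$f"
  fi
done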