Revisions of apparmor

Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 602408 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 116)
- exclude the /etc/apparmor.d/cache.d/ directory from aa-logprof parsing
  (logprof-skip-cache-d.diff) (forwarded request 602407 from cboltz)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 600115 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 115)
- add fix-apparmor-systemd-perms.diff:
  fix permissions of /lib/apparmor/apparmor.systemd (boo#1090545) (forwarded request 600114 from cboltz)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 598829 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 114)
- create and package precompiled cache (/usr/share/apparmor/cache,
  read-only) (boo#1069906, boo#1074429)
- change (writeable) cache directory to /var/cache/apparmor/ - with the
  new btrfs layout, the only reason for using /var/lib/apparmor/cache/
  (which was "it's part of the / subvolume") is gone, and /var/cache
  makes more sense for the cache
- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both
  cache locations
- clear cache also in %post of abstractions package
--------------------------------------------------------------------
- update to AppArmor 2.13
  - add support for multiple cache directories and cache overlays
    (boo#1069906, boo#1074429)
  - add support for conditional includes in policy
  - remove group restrictions from aa-notify (boo#1058787)
  - aa-complain etc.: set flags for profiles represented by a glob
  - aa-status: split profile from exec name
  - several profile and abstraction updates
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
    for the detailed upstream changelog
- drop upstreamed patches and files:
  - aa-teardown
  - apparmor.service
  - apparmor.systemd
  - 32-bit-no-uid.diff
  - disable-cache-on-ro-fs.diff
  - dovecot-stats.diff
  - parser-write-cache-warn-only.diff
  - set-flags-for-profiles-represented-by-glob.patch
  - fix-regression-in-set-flags.patch
- drop spec code that handled installing aa-teardown, apparmor.service
  and apparmor.systemd (now part of upstream Makefile)
- simplify "make -C profiles parser-check" call (upstream Makefile bug
  that required to call "cd" was fixed)
- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/
- move 'exec' symlink to parser package (belongs to aa-exec)
--------------------------------------------------------------------
- Set flags for profiles represented by glob (bsc#1086154)
   set-flags-for-profiles-represented-by-glob.patch
   fix-regression-in-set-flags.patch


libapparmor
- update to AppArmor 2.13
  - add support for multiple cache directories and cache overlays
    (boo#1069906, boo#1074429)
  - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13
    for the detailed upstream changelog
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 595790 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 113)
- add dovecot-stats.diff:
  - add dovecot/stats profile and allow dovecot to run it (boo#1088161)
  - allow dovecot/auth to write /run/dovecot/old-stats-user (part of boo#1087753)
- update 32-bit-no-uid.diff with upstream fix (forwarded request 595789 from cboltz)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 582183 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 112)
boo#1082956 (forwarded request 581986 from goldwynr)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 566495 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 111)
- add disable-cache-on-ro-fs.diff - disable write cache if filesystem is
  read-only and don't bail out (bsc#1069906, bsc#1074429)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 561675 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 110)
- add parser-write-cache-warn-only.diff to make cache write failures a
  warning instead of an error (boo#1069906, boo#1074429)
- reduce dependeny on libnotify-tools (used by aa-notify -p) to "Suggests"
  to avoid pulling in several Gnome packages on servers (boo#1067477) (forwarded request 561674 from cboltz)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 560031 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 109)
- add 32-bit-no-uid.diff to fix handling of log events without ouid on
  32 bit systems (forwarded request 560030 from cboltz)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 547738 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 108)
bsc#1069346 (forwarded request 546471 from goldwynr)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 536621 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 107)
apparmor:
- update to AppArmor 2.11.1
  - add permissions to several profiles and abstractions (including
    lp#1650827 and boo#1057900)
  - several fixes in the aa-* tools (including lp#1689667, lp#1628286,
    lp#1661766 and boo#1062667)
  - fix downgrading/converting of 'unix' rules (will be supported in
    kernel 4.15) to 'network unix' rules in apparmor_parser (boo#1061195)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
    upstream changelog
- remove upstream(ed) patches
  - upstream-changes-r3616..3628.diff
  - upstream-changes-r3629..3648.diff
  - parser-tests-dbus-duplicated-conditionals.diff
  - apparmor-fix-podsyntax.patch
  - sshd-profile-drop-local-include-r3615.diff
- refresh apparmor-yast-cleanup.patch
- add utils-fix-sorted-save_profiles-regression.diff to fix a regression
  in displaying the "changed profiles" list in aa-logprof

Also add bugzilla reference to the previous change:
- add nameservice-libtirpc.diff to fix NIS/YP logins (boo#1062244)


libapparmor:
- update to AppArmor 2.11.1
  - mostly test-related changes in libapparmor
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11_1 for
    upstream changelog (forwarded request 536620 from cboltz)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 534597 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 106)
- add nameservice-libtirpc.diff to fix NIS/YP logins (forwarded request 534596 from cboltz)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 531184 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 105)
- profiles-sockets-temporary-fix.patch to cater to nameservices with the
  new sockets mediation, until unix rules are upstreamed (boo#1061195)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 528520 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 104)
- add apparmor-fix-podsyntax.patch from mailing list to fix
  compilation with perl 5.26 (forwarded request 528495 from coolo)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 517044 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 103)
- do not require exact X.Y version of "python3"
- require also matching python(abi) which is arguably more important (forwarded request 517036 from matejcik)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 511329 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 102)
- don't rely on implementation details for reload in %post

- add JSON support. Required for FATE#323380.
  (apparmor-yast-cleanup.patch, apparmor-json-support.patch)
Yuchen Lin's avatar Yuchen Lin (maxlin_factory) accepted request 482776 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 101)
- add upstream-changes-r3629..3648.diff:
  - preserve unknown profiles when reloading apparmor.service
    (CVE-2017-6507, lp#1668892, boo#1029696)
  - add aa-remove-unknown utility to unload unknown profiles (lp#1668892)
  - update nvidia abstraction for newer nvidia drivers
  - don't enforce ordering of dbus rule attributes in utils (lp#1628286)
  - add --parser, --base and --Include option to aa-easyprof to allow
    non-standard paths (useful for tests) (lp#1521031)
  - move initialization code in apparmor.aa to init_aa(). This allows to
    run all utils tests even if /etc/apparmor.d/ or /sbin/apparmor_parser
    don't exist.
  - several improvements in the utils tests
- drop upstreamed python3-drop-re-locale.patch
- no longer delete/skip some of the utils tests (to allow this, add
  parser-tests-dbus-duplicated-conditionals.diff)
- add var.mount dependeny to apparmor.service (boo#1016259#c34)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 481186 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 100)
- Cleanup spec file:
  - don't use insserv if we afterwards call systemd, this can
    have bad side effects
  - remove dead code
  - remove now obsolete 'distro' checks
- Replace init.d script with new wrapper working with systemd (forwarded request 480782 from kukuk)
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 458843 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 99)
- add python3-drop-re-locale.patch: remove deprecated re.LOCALE
  flag in Python UI as it was dropped from Python 3.6 (lp#1661766)

- Fix RPM groups
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 453537 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 98)
TL;DR: update AppArmor to 2.11, split off libapparmor package/spec, move libapparmor to /usr


Details:

- add upstream-changes-r3616..3628.diff:
  - update abstractions/base, abstractions/apache2-common and dovecot profiles
  - merge ask_the_questions() of aa-logprof and aa-mergeprof
  - pass LDFLAGS when building parser, libapparmor perl bindings and pam_apparmor
- adjust deleting the cache in profiles %post to the new cache location
- silence errors when deleting the cache (boo#976914)

- split libapparmor into separate spec to get rid of build loop
  involving mariadb, systemd, apparmor, libapr and mariadb again
  (see the discussion in SR 448871 for details)
- libapparmor.spec is based on the AppArmor 2.11 apparmor.spec, but
  with minimum BuildRequires

- update to AppArmor 2.11.0
  - apparmor_parser now supports parallel compiles and loads
  - add full support for dbus, ptrace and signal rules and events to the
    utils
  - full rewrite of the file rule handling in the utils
  - lots of improvements and fixes
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_11 for the
    detailed changelog
- patches:
  - add sshd-profile-drop-local-include-r3615.diff to fix 'make check'
  - drop aa-unconfined-fix-netstat-call-2.10r3380.diff, no longer needed
  - refresh apparmor-abstractions-no-multiline.diff
  - refresh apparmor-samba-include-permissions-for-shares.diff
- spec changes:
  - aa-unconfined switched to using ss (from iproute2), adjust Recommends:
  - move libapparmor to /usr/lib*/
  - drop %if %suse_version checks for 12.x
  - change several Obsoletes from %version to < 2.9. Those package names
    weren't used since years, and 2.9 is still a careful choice
  - include apparmor.service independent of %suse_version
  - techdoc.pdf is now shipped in upstream tarball to reduce BuildRequires
    - drop latex2html, texlive-* and w3m BuildRequires
    - techdoc.txt and techdoc.html not included, drop them from the package
  - run most of utils/ make check (some tests expect /etc/apparmor.d/ and
    /sbin/apparmor_parser to exist, skip them)
  - BuildRequires python3-pyflakes (utils tests) and dejagnu (libapparmor tests)
  - drop sed'ing python3 into aa-* shebang (upstreamed)
  - build binutils
    - aa-exec is now written in C and lives in /usr/bin/, move it to the
      apparmor_parser package and create a compability symlink in /usr/sbin/
    - aa-exec manpage moved to section 1
    - aa-enabled is a small new tool to find out if AppArmor is enabled
  - package new aa_stack_profile(2) manpage
Dominique Leuenberger's avatar Dominique Leuenberger (dimstar_suse) accepted request 452189 from Christian Boltz's avatar Christian Boltz (cboltz) (revision 97)
[New attemp with /var/lib/apparmor/cache as cache location, as discussed
with DimStar on IRC. No other differences compared to SR 449669.]

- change /etc/apparmor.d/cache symlink to /var/lib/apparmor/cache/.
  This is part of the root partition (at least with default partitioning)
  and should be available earlier than /var/cache/apparmor/
  (boo#1015249, boo#980081, bsc#1016259)
- add dependency on var-lib.mount to apparmor.service as safety net

- update to AppArmor 2.10.2 maintenance release
  - lots of bugfixes and profile updates (including boo#1000201,
    boo#1009964, boo#1014463)
  - see http://wiki.apparmor.net/index.php/ReleaseNotes_2_10_2 for details
- add aa-unconfined-fix-netstat-call-2.10r3380.diff to fix a regression
  in aa-unconfined
- drop upstream(ed) patches:
  - changes-since-2.10.1--r3326..3346.diff
  - changes-since-2.10.1--r3347..3353.diff
  - libapparmor-fix-import-path.diff (upstream fix is slightly different)
  - nscd-var-lib.diff
- refresh apparmor-abstractions-no-multiline.diff
Displaying revisions 101 - 120 of 216
openSUSE Build Service is sponsored by