Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory 
checked in at 2022-04-16 00:14:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new.1941 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apparmor"

Sat Apr 16 00:14:06 2022 rev:168 rq:970238 version:3.0.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes        2022-04-12 
21:43:23.175649328 +0200
+++ /work/SRC/openSUSE:Factory/.apparmor.new.1941/apparmor.changes      
2022-04-16 00:14:26.773664881 +0200
@@ -1,0 +2,15 @@
+Wed Apr 13 13:38:29 UTC 2022 - Noel Power <nopo...@suse.com>
+
+- Add samba-new-dcerpcd.patch, samba-4.16 has a new dcerpcd daemon
+  which now will spawn new additional services on demand. We need to
+  modify the existing smbd/winbind profiles and additionally add a
+  new set of profiles to cater for the new functionality;
+  (bnc#1198309);
+  
+-------------------------------------------------------------------
+Mon Apr 11 14:34:51 UTC 2022 - Noel Power <nopo...@suse.com>
+
+- Add samba_deny_net_admin.patch to add new rule to deny
+  noisy setsockopt calls from systemd; (bnc#1196850).
+
+-------------------------------------------------------------------

New:
----
  samba-new-dcerpcd.patch
  samba_deny_net_admin.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apparmor.spec ++++++
--- /var/tmp/diff_new_pack.Bc0Eyg/_old  2022-04-16 00:14:27.581665960 +0200
+++ /var/tmp/diff_new_pack.Bc0Eyg/_new  2022-04-16 00:14:27.585665966 +0200
@@ -88,7 +88,13 @@
 
 # add zgrep and xzgrep profile (submitted upstream 2022-04-10 
https://gitlab.com/apparmor/apparmor/-/merge_requests/870)
 Patch9:         zgrep-profile-mr870.diff
-
+# squash noisy setsockopt calls 
https://gitlab.com/apparmor/apparmor/-/merge_requests/867
+# bsc#1196850
+Patch10:        samba_deny_net_admin.patch
+# support for new dcerpcd subsytem in >= samba-4.16
+# https://gitlab.com/apparmor/apparmor/-/merge_requests/871
+# bsc#1198309
+Patch11:        samba-new-dcerpcd.patch
 PreReq:         sed
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define apparmor_bin_prefix %{?usrmerged:/usr}/lib/apparmor
@@ -354,6 +360,8 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 
 %build
 %define _lto_cflags %{nil}
@@ -584,6 +592,9 @@
 %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
 %config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
 %config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-*
 %config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
 %config(noreplace) %{_sysconfdir}/apparmor.d/local/*
 %dir /usr/share/apparmor/
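Review bot: The three added `%config(noreplace)` entries cover the new profiles but not `abstractions/samba-rpcd`, which each of those profiles includes. The rest of the %files list is outside this hunk, so the abstraction is presumably picked up by an existing entry for the abstractions directory; that is worth confirming, because a profile whose include is missing fails to load. The glob `samba-rpcd-*` currently stands for samba-rpcd-classic and samba-rpcd-spoolss, and a short comment such as `# samba-rpcd-classic, samba-rpcd-spoolss` above it would keep the list greppable.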



++++++ samba-new-dcerpcd.patch ++++++
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.smbd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.smbd
@@ -39,6 +39,7 @@ profile smbd /usr/{bin,sbin}/smbd {
   /usr/lib*/samba/gensec/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
   /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
   /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
   /usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
   /usr/lib/@{multiarch}/samba/**/ r,
Index: apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/usr.sbin.winbindd
+++ apparmor-3.0.4/profiles/apparmor.d/usr.sbin.winbindd
@@ -26,6 +26,7 @@ profile winbindd /usr/{bin,sbin}/winbind
   /usr/lib*/samba/idmap/*.so mr,
   /usr/lib*/samba/nss_info/*.so mr,
   /usr/lib*/samba/pdb/*.so mr,
+  /usr/lib*/samba/samba-dcerpcd Px -> samba-dcerpcd,
   /usr/{bin,sbin}/winbindd mr,
   /var/cache/krb5rcache/* rwk,
   /var/cache/samba/*.tdb rwk,
Index: apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-dcerpcd
@@ -0,0 +1,29 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-dcerpcd /usr/lib*/samba/samba-dcerpcd {
+  include <abstractions/samba-rpcd>
+
+  @{run}/samba/samba-dcerpcd.pid wk,
+
+  /usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> 
samba-rpcd,
+  /usr/lib*/samba/rpcd_classic Px -> samba-rpcd-classic,
+  /usr/lib*/samba/rpcd_spoolss Px -> samba-rpcd-spoolss,
+
+  @{run}/samba/ncalrpc/ rw,
+  @{run}/samba/ncalrpc/** rw,
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-dcerpcd>
+}
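Review bot: The exec rule for `rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg}` repeats the attachment list of the samba-rpcd profile added further down in this patch, and nothing tells a maintainer that the two lists must change together. A worker binary that Samba adds later and that is missing here is refused execution, which fails closed but shows up only as a broken RPC service. I would add a comment above the rule, `# keep this list in sync with the attachment of the samba-rpcd profile`. In this mail the rule is also wrapped onto a second line without a `+` marker, so check the patch file itself rather than this rendering when applying it.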
Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba-rpcd
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+# This file contains basic permissions for samba rpcd_xyz services
+
+  abi <abi/3.0>,
+
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/samba>
+
+  capability setgid,
+  capability setuid,
+
+  signal receive set=term peer=smbd,
+
+  @{PROC}/sys/kernel/core_pattern r,
+  owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/samba-rpcd.d>
+
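Review bot: The only cross-profile signal rule here, `signal receive set=term peer=smbd,`, names smbd alone, although the winbindd hunk of this patch also starts samba-dcerpcd and samba-dcerpcd in turn starts the rpcd_* workers. AppArmor checks a signal on both the sending and the receiving profile, and no `signal send` rule is visible in the samba-dcerpcd hunk, so a SIGTERM from samba-dcerpcd or winbindd to the processes they spawned would presumably be denied unless another include allows it. After confirming the real signal flow in the audit log, consider `signal receive set=term peer={smbd,winbindd,samba-dcerpcd},` here and `signal send set=term peer=samba-rpcd*,` in the samba-dcerpcd profile. Separately, `capability setgid,` and `capability setuid,` are granted to every service that includes this abstraction; if only some workers change identity, moving them into those profiles would be tighter.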
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd
@@ -0,0 +1,20 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd 
/usr/lib*/samba/rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+  include <abstractions/samba-rpcd>
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd>
+}
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-classic
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-classic /usr/lib*/samba/rpcd_classic {
+  include <abstractions/samba-rpcd>
+  include <abstractions/wutmp>
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-classic>
+}
Index: apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
===================================================================
--- /dev/null
+++ apparmor-3.0.4/profiles/apparmor.d/samba-rpcd-spoolss
@@ -0,0 +1,23 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2022 SUSE LLC
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-spoolss /usr/lib*/samba/rpcd_spoolss {
+  include <abstractions/samba-rpcd>
+
+  /usr/lib*/samba/samba-bgqd Px -> samba-bgqd,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/samba-rpcd-spoolss>
+}

++++++ samba_deny_net_admin.patch ++++++
Index: apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
===================================================================
--- apparmor-3.0.4.orig/profiles/apparmor.d/abstractions/samba
+++ apparmor-3.0.4/profiles/apparmor.d/abstractions/samba
@@ -34,5 +34,7 @@
   # required for clustering
   /var/lib/ctdb/** rwk,
 
+  deny capability net_admin, # noisy setsockopt() calls from systemd
+
   # Include additions to the abstraction
   include if exists <abstractions/samba.d>
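Review bot: The `deny capability net_admin,` rule is added to the shared samba abstraction, so it applies to every profile that includes it, among them the new samba-rpcd profiles from the other patch. A deny rule takes precedence over any allow rule, including one a site adds under `local/` or `abstractions/samba.d`, and plain `deny` also suppresses the audit record. A component that really needs CAP_NET_ADMIN would therefore fail with nothing in the log. I would document that on the rule, for example `# silences setsockopt() noise; overrides any allow and is not logged - use "audit deny" when debugging`. The abstraction's remaining rules are outside this hunk.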
