Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2022-07-29 16:47:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apparmor (Old) and /work/SRC/openSUSE:Factory/.apparmor.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Fri Jul 29 16:47:00 2022 rev:177 rq:991158 version:3.0.5 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2022-07-22 19:20:14.764559599 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new.1533/apparmor.changes 2022-07-29 16:47:05.206517236 +0200 @@ -1,0 +2,25 @@ +Mon Jul 25 18:18:04 UTC 2022 - Christian Boltz <suse-b...@cboltz.de> + +- update to AppArmor 3.0.5 + - several additions to profiles and abstractions + - bugfixes in parser and utils + - see https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_3.0.5 + for the detailed upstream changelog +- remove upstream(ed) patchs: + - apparmor-setuptools61-mr897.patch + - dovecot-profiles-boo1199535-mr881.diff + - php8-fpm-mr876.patch + - python310-help-mr848.patch + - samba-new-dcerpcd.patch + - samba_deny_net_admin.patch + - update-samba-bgqd.diff + - update-usr-sbin-smbd.diff +- apparmor-samba-include-permissions-for-shares.diff: remove + upstreamed part +- add dirtest-sort-mr900.diff to fix random test failures +- change apache-extra-profile-include-if-exists.diff to the post-mv + path (new quilt executes mv) +- stop disabling lto (fixed upstream) (boo#1133091) +- package profile-load script in -parser + +------------------------------------------------------------------- Old: ---- apparmor-3.0.4.tar.gz apparmor-3.0.4.tar.gz.asc apparmor-setuptools61-mr897.patch dovecot-profiles-boo1199535-mr881.diff php8-fpm-mr876.patch python310-help-mr848.patch samba-new-dcerpcd.patch samba_deny_net_admin.patch update-samba-bgqd.diff update-usr-sbin-smbd.diff New: ---- apparmor-3.0.5.tar.gz apparmor-3.0.5.tar.gz.asc dirtest-sort-mr900.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.MXX3mu/_old 2022-07-29 16:47:06.146519849 +0200 +++ /var/tmp/diff_new_pack.MXX3mu/_new 2022-07-29 16:47:06.150519860 +0200 @@ -45,7 +45,7 @@ %define JAR_FILE changeHatValve.jar Name: apparmor -Version: 3.0.4 +Version: 3.0.5 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later @@ -63,7 +63,8 @@ # and set cache-loc in parser.conf and apparmor.service accordingly Patch1: apparmor-enable-profile-cache.diff -# include autogenerated profile sniplet for samba shares (bnc#688040) - upstreamed as part of https://gitlab.com/apparmor/apparmor/-/merge_requests/838 2022-02-16 (master + 3.0 branch) +# include autogenerated profile sniplet for samba shares (bnc#688040) - include rule upstreamed in 3.0.5 (MR 838), now "just" creates the local/ sniplet +# (technically only needed in Leap 15.x, the samba script in Tumbleweed also works if the local/ sniplet doesn't exist - but dropping the local/ sniplet will move existing autogenerated sniplets to *.rpmsave) Patch2: apparmor-samba-include-permissions-for-shares.diff # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkae...@suse.de @@ -78,41 +79,12 @@ # make <apache2.d> include in apache extra profile optional to make openQA happy (boo#1178527) Patch6: apache-extra-profile-include-if-exists.diff -# bsc#1196850 add rule to deal with 'DENIED' open of /proc/{pid}/fd -# merged upstream 3.0+master 2022-03-14 https://gitlab.com/apparmor/apparmor/-/merge_requests/860 -# bsc#1195463 add rule to allow reading of openssl.cnf -# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 -Patch7: update-samba-bgqd.diff - -# bsc#1195463 add rule to allow reading of openssl.cnf -# merged upstream (2.12..master) 2022-03-13 https://gitlab.com/apparmor/apparmor/-/merge_requests/862 -Patch8: update-usr-sbin-smbd.diff - # add zgrep and xzgrep profile (merged upstream 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/870 + merged upstream 2022-04-18 https://gitlab.com/apparmor/apparmor/-/merge_requests/873 -# + 2022-06-28 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only) +# + merged upstream 2022-06-29 https://gitlab.com/apparmor/apparmor/-/merge_requests/892 - master only) Patch9: zgrep-profile-mr870.diff -# squash noisy setsockopt calls - merged upstream master+3.0 2022-04-12 https://gitlab.com/apparmor/apparmor/-/merge_requests/867 -# bsc#1196850 -Patch10: samba_deny_net_admin.patch - -# support for new dcerpcd subsytem in >= samba-4.16 -# merged upstream 2022-04-15 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/871 -# merged upstream 2022-05-11 3.0+master https://gitlab.com/apparmor/apparmor/-/merge_requests/880 -# bsc#1198309 -Patch11: samba-new-dcerpcd.patch - -# allow php8 php-fpm to read its config (from upstream master+3.0 https://gitlab.com/apparmor/apparmor/-/merge_requests/876) -Patch12: php8-fpm-mr876.patch - -# allow python 3.10 --help output (from the branch-3.0 backport of https://gitlab.com/apparmor/apparmor/-/merge_requests/848) -Patch13: python310-help-mr848.patch - -# extend dovecot profiles for latest dovecot (boo 1199535, submitted upstream https://gitlab.com/apparmor/apparmor/-/merge_requests/881) -Patch14: dovecot-profiles-boo1199535-mr881.diff - -# https://gitlab.com/apparmor/apparmor/-/merge_requests/897 -Patch15: apparmor-setuptools61-mr897.patch +# dirtest.sh: sort output to avoid random test failures (from upstream, merged 3.0+master 2022-07-25 https://gitlab.com/apparmor/apparmor/-/merge_requests/900) +Patch10: dirtest-sort-mr900.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -371,8 +343,6 @@ %setup -q # very loose profile that doesn't even match the apache2 binary path in openSUSE. Move it away instead of confusing people (boo#872984) -# (patch to change <apache.d> include to "include if exists" needs to be applied before moving the file to avoid breaking quilt) -%patch6 mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/profiles/extras/ %patch1 @@ -380,18 +350,11 @@ %patch3 -p1 %patch4 %patch5 -%patch7 -p1 -%patch8 -p1 +%patch6 %patch9 -p1 %patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 %build -%define _lto_cflags %{nil} export SUSE_ASNEEDED=0 # libapparmor: @@ -575,6 +538,7 @@ %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{apparmor_bin_prefix}/apparmor.systemd +%{apparmor_bin_prefix}/profile-load %doc %{_mandir}/man1/aa-enabled.1.gz %doc %{_mandir}/man1/aa-exec.1.gz %doc %{_mandir}/man1/aa-features-abi.1.gz ++++++ libapparmor.spec ++++++ --- /var/tmp/diff_new_pack.MXX3mu/_old 2022-07-29 16:47:06.174519927 +0200 +++ /var/tmp/diff_new_pack.MXX3mu/_new 2022-07-29 16:47:06.178519938 +0200 @@ -18,7 +18,7 @@ Name: libapparmor -Version: 3.0.4 +Version: 3.0.5 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later @@ -66,7 +66,6 @@ %setup -q -n apparmor-%{version} %build -%define _lto_cflags %{nil} ( cd ./libraries/libapparmor %configure \ ++++++ apache-extra-profile-include-if-exists.diff ++++++ --- /var/tmp/diff_new_pack.MXX3mu/_old 2022-07-29 16:47:06.222520060 +0200 +++ /var/tmp/diff_new_pack.MXX3mu/_new 2022-07-29 16:47:06.226520072 +0200 @@ -8,10 +8,10 @@ Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1178527 -Index: profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 +Index: profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 =================================================================== ---- profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100 -+++ profiles/apparmor.d//usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100 +--- profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2.orig 2020-12-02 12:01:37.000000000 +0100 ++++ profiles/apparmor/profiles/extras/usr.lib.apache2.mpm-prefork.apache2 2021-01-22 12:19:45.964708670 +0100 @@ -75,7 +75,7 @@ include <tunables/global> # This directory contains web application # package-specific apparmor files. ++++++ apparmor-3.0.4.tar.gz -> apparmor-3.0.5.tar.gz ++++++ /work/SRC/openSUSE:Factory/apparmor/apparmor-3.0.4.tar.gz /work/SRC/openSUSE:Factory/.apparmor.new.1533/apparmor-3.0.5.tar.gz differ: char 12, line 1 ++++++ apparmor-samba-include-permissions-for-shares.diff ++++++ --- /var/tmp/diff_new_pack.MXX3mu/_old 2022-07-29 16:47:06.282520227 +0200 +++ /var/tmp/diff_new_pack.MXX3mu/_new 2022-07-29 16:47:06.286520238 +0200 @@ -1,15 +1,21 @@ -Samba generates a profile sniplet with permissions for all shares at +Samba generates a profile sniplet with permissions for all shares at start using the update-apparmor-samba-profile script. -This patch includes the autogenerated profile sniplet it in the smbd -profile. It also creates a dummy profile sniplet to avoid "file not -found" errors when AppArmor is started before samba was started. +After the include rules were upstreamed in AppArmor 3.0.5 (MR 838), this +patch was shortened. Now it "only" creates a dummy profile sniplet +because update-apparmor-samba-profiles on Leap 15.3 and 15.4 aborts if +the local/ sniplet doesn't exist. + +Tumbleweed does not rely on a pre-existing local/usr.sbin.smbd-shares +anymore, therefore the patch gets skipped there in the spec. + References: https://bugzilla.novell.com/show_bug.cgi?id=688040 Signed-off-by: Christian Boltz <appar...@cboltz.de> + === added file 'profiles/apparmor.d/local/usr.sbin.smbd-shares' --- profiles/apparmor.d/local/usr.sbin.smbd-shares 1970-01-01 00:00:00 +0000 +++ profiles/apparmor.d/local/usr.sbin.smbd-shares 2011-10-19 09:40:05 +0000 @@ -17,19 +23,5 @@ +# This file will be replaced by rules for all samba shares at samba start. +# Do not edit! -=== modified file 'profiles/apparmor.d/usr.sbin.smbd' ---- profiles/apparmor.d/usr.sbin.smbd 2011-08-27 18:50:42 +0000 -+++ profiles/apparmor.d/usr.sbin.smbd 2011-10-19 09:37:04 +0000 -@@ -59,6 +59,10 @@ - @{HOMEDIRS}/** lrwk, - /var/lib/samba/usershares/{,**} lrwk, - -+ # permissions for all configured shares -+ # autogenerated by update-apparmor-samba-profile at samba start -+ include <local/usr.sbin.smbd-shares> -+ - # Site-specific additions and overrides. See local/README for details. - include if exists <local/usr.sbin.smbd> - } ++++++ dirtest-sort-mr900.diff ++++++ >From c0815d0e0f1c68397b8ce04d81c48940e4b2c63b Mon Sep 17 00:00:00 2001 From: intrigeri <intrig...@boum.org> Date: Mon, 25 Jul 2022 10:04:13 +0000 Subject: [PATCH] dirtest.sh: don't rely on apparmor_parser -N's output sort order to be deterministic I've seen this test fail because "apparmor_parser -N" returned the expected lines, but in a different order than what's expected (dirtest.out). To fix this, sort both the expected and actual output. --- parser/tst/dirtest.sh | 3 ++- parser/tst/dirtest/dirtest.out | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/parser/tst/dirtest.sh b/parser/tst/dirtest.sh index 8c94dbd68..95c108371 100755 --- a/parser/tst/dirtest.sh +++ b/parser/tst/dirtest.sh @@ -31,8 +31,9 @@ do_tst() { shift 2 #global tmpdir - ${APPARMOR_PARSER} "$@" > "$tmpdir/out" 2>/dev/null + ${APPARMOR_PARSER} "$@" > "$tmpdir/out.unsorted" 2>/dev/null rc=$? + LC_ALL=C sort "$tmpdir/out.unsorted" > "$tmpdir/out" if [ $rc -ne 0 ] && [ "$expected" != "fail" ] ; then echo "failed: expected \"$expected\" but parser returned error" return 1 diff --git a/parser/tst/dirtest/dirtest.out b/parser/tst/dirtest/dirtest.out index e82188b84..5b4cc30aa 100644 --- a/parser/tst/dirtest/dirtest.out +++ b/parser/tst/dirtest/dirtest.out @@ -1,3 +1,3 @@ -good_target a_profile b_profile +good_target -- GitLab