Hello community,

here is the log from the commit of package apparmor for openSUSE:Factory checked in at 2018-04-22 14:38:58

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apparmor (Old)
 and      /work/SRC/openSUSE:Factory/.apparmor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apparmor" Sun Apr 22 14:38:58 2018 rev:114 rq:598829 version:2.13 Changes: -------- --- /work/SRC/openSUSE:Factory/apparmor/apparmor.changes 2018-04-17 11:08:44.215105205 +0200 +++ /work/SRC/openSUSE:Factory/.apparmor.new/apparmor.changes 2018-04-22 14:39:02.182277456 +0200 
@@ -1,0 +2,50 @@ +Thu Apr 19 22:13:40 UTC 2018 - suse-b...@cboltz.de + +- create and package precompiled cache (/usr/share/apparmor/cache, + read-only) (boo#1069906, boo#1074429) +- change (writeable) cache directory to /var/cache/apparmor/ - with the + new btrfs layout, the only reason for using /var/lib/apparmor/cache/ + (which was "it's part of the / subvolume") is gone, and /var/cache + makes more sense for the cache +- adjust parser.conf (via apparmor-enable-profile-cache.diff) to use both + cache locations +- clear cache also in %post of abstractions package + +-------------------------------------------------------------------- +Thu Apr 19 19:14:54 UTC 2018 - suse-b...@cboltz.de + +- update to AppArmor 2.13 + - add support for multiple cache directories and cache overlays + (boo#1069906, boo#1074429) + - add support for conditional includes in policy + - remove group restrictions from aa-notify (boo#1058787) + - aa-complain etc.: set flags for profiles represented by a glob + - aa-status: split profile from exec name + - several profile and abstraction updates + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13 + for the detailed upstream changelog +- drop upstreamed patches and files: + - aa-teardown + - apparmor.service + - apparmor.systemd + - 32-bit-no-uid.diff + - disable-cache-on-ro-fs.diff + - dovecot-stats.diff + - parser-write-cache-warn-only.diff + - set-flags-for-profiles-represented-by-glob.patch + - fix-regression-in-set-flags.patch +- drop spec code that handled installing aa-teardown, apparmor.service + and apparmor.systemd (now part of upstream Makefile) +- simplify "make -C profiles parser-check" call (upstream Makefile bug + that required to call "cd" was fixed) +- add aa-teardown-path.diff - install aa-teardown in /usr/sbin/ +- move 'exec' symlink to parser package (belongs to aa-exec) + +-------------------------------------------------------------------- +Thu Apr 19 11:23:37 UTC 2018 - rgold...@suse.com + +- Set flags 
for profiles represented by glob (bsc#1086154) + set-flags-for-profiles-represented-by-glob.patch + fix-regression-in-set-flags.patch + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/apparmor/libapparmor.changes 2018-01-01 22:05:43.934928299 +0100 +++ /work/SRC/openSUSE:Factory/.apparmor.new/libapparmor.changes 2018-04-22 14:39:02.222276009 +0200 @@ -1,0 +2,9 @@ +Sun Apr 15 19:02:35 UTC 2018 - suse-b...@cboltz.de + +- update to AppArmor 2.13 + - add support for multiple cache directories and cache overlays + (boo#1069906, boo#1074429) + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13 + for the detailed upstream changelog + +------------------------------------------------------------------- Old: ---- 32-bit-no-uid.diff aa-teardown apparmor-2.12.tar.gz apparmor-2.12.tar.gz.asc apparmor.service apparmor.systemd disable-cache-on-ro-fs.diff dovecot-stats.diff parser-write-cache-warn-only.diff New: ---- aa-teardown-path.diff apparmor-2.13.tar.gz apparmor-2.13.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apparmor.spec ++++++ --- /var/tmp/diff_new_pack.SZjlB2/_old 2018-04-22 14:39:02.954249522 +0200 +++ /var/tmp/diff_new_pack.SZjlB2/_new 2018-04-22 14:39:02.958249378 +0200 @@ -35,7 +35,7 @@ %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) Name: apparmor -Version: 2.12 +Version: 2.13 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later @@ -48,11 +48,9 @@ Source5: update-trans.sh Source6: baselibs.conf Source7: apparmor-rpmlintrc -Source8: apparmor.service -Source9: apparmor.systemd -Source10: aa-teardown # enable caching of profiles (= massive performance speedup when loading profiles) +# and set cache-loc in parser.conf and apparmor.service accordingly Patch1: apparmor-enable-profile-cache.diff # include autogenerated profile sniplet for samba shares (bnc#688040) 
@@ -64,17 +62,8 @@ # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -# logparser.py: ignore ouid if it's 2^32 - 1 which means no ouid given in a log event on 32 bit systems (fixed upstream 2018-03-07) -Patch8: 32-bit-no-uid.diff - -# make cache write failures a warning instead of an error - (patch from https://gitlab.com/apparmor/apparmor/merge_requests/49 2018-01-04) -Patch9: parser-write-cache-warn-only.diff - -# Disable write cache if filesystem is read-only, don't abort (merged upstream 2018-01-16 to 2.10..trunk) -Patch10: disable-cache-on-ro-fs.diff - -# allow dovecot to run dovecot/stats, and add that profile (submitted upstream 2018-04-11 https://gitlab.com/apparmor/apparmor/merge_requests/90) -Patch11: dovecot-stats.diff +# install aa-teardown to /usr/sbin, not /sbin (merged upstream 2018-04-15 https://gitlab.com/apparmor/apparmor/merge_requests/97) +Patch8: aa-teardown-path.diff PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -359,14 +348,11 @@ %prep %setup -q -%patch1 -p1 +%patch1 %patch2 %patch5 -p1 %patch7 -%patch8 -p1 -%patch9 -p1 -%patch10 -p0 -%patch11 -p1 +%patch8 %build export SUSE_ASNEEDED=0 @@ -422,6 +408,10 @@ make -C changehat/tomcat_apparmor/tomcat_5_5 CATALINA_HOME=%{CATALINA_HOME} %endif +# pre-build profile cache +# note that -L only works with an absolute path, therefore prefix it with $(pwd) +parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache -I profiles/apparmor.d/ profiles/apparmor.d/ + %check %if %{with python3} export PYTHON=/usr/bin/python3 
@@ -433,9 +423,11 @@ make check -C binutils # profiles make check fails for the utils (libapparmor PYTHONPATH issues), therefore only do parser-based checks -# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/80 should allow to switch to make -C -# also, check-parser breaks if using 'make -C' (but works if cd'ing into the directory) -(cd profiles && make check-parser) +make -C profiles check-parser + +# test for a few files that should exist in the cache +test -f profiles/cache/*/bin.ping +test -f profiles/cache/*/.features make check -C utils @@ -459,11 +451,20 @@ %makeinstall -C profiles +install -d -m 755 %{buildroot}/usr/share/apparmor/cache +cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache +test -f %{buildroot}/usr/share/apparmor/cache/*/.features +test -f %{buildroot}/usr/share/apparmor/cache/*/bin.ping + %makeinstall -C parser -# default cache dir is /etc/apparmor.d/cache - not the best location. +# default cache dir (up to 2.12) is /etc/apparmor.d/cache - not the best location. # Use /var/lib/apparmor/cache and make /etc/apparmor.d/cache a symlink to it mkdir -p %{buildroot}%{_localstatedir}/lib/apparmor/cache ( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/lib/apparmor/cache cache ) +# default cache dir (starting with 2.13) is /etc/apparmor.d/cache.d - also not the best location +# Use /var/cache/apparmor and make /etc/apparmor.d/cache.d a symlink to it +mkdir -p %{buildroot}%{_localstatedir}/cache/apparmor +( cd %{buildroot}/%{_sysconfdir}/apparmor.d/ && ln -s ../../%{_localstatedir}/cache/apparmor cache.d ) %if %{with apache} %makeinstall -C changehat/mod_apparmor 
@@ -507,18 +508,6 @@ # remove *.la files rm -fv %{buildroot}%{_libdir}/libapparmor.la -# Adjust for systemd -test ! -f %{buildroot}%{_unitdir}/apparmor.service -install -D -m0644 %{S:8} %{buildroot}%{_unitdir}/apparmor.service -test ! -f %{buildroot}%{apparmor_bin_prefix}/apparmor.systemd -install -m0755 %{S:9} %{buildroot}%{apparmor_bin_prefix} -test ! -f %{buildroot}%{_sbindir}/aa-teardown -install -m0755 %{S:10} %{buildroot}%{_sbindir} -# TODO: https://gitlab.com/apparmor/apparmor/merge_requests/79 obsoletes the next 3 lines -rm %{buildroot}%{_sysconfdir}/init.d/boot.apparmor -rm %{buildroot}/sbin/rcsubdomain -ln -sf service %{buildroot}/sbin/rcapparmor - echo ------------------------------------------------------------------- #find -ls echo ------------------------------------------------------------------- @@ -542,14 +531,17 @@ %{_bindir}/aa-enabled %{_bindir}/aa-exec %{_sbindir}/aa-teardown +%{_sbindir}/exec %dir %attr(-, root, root) %{_sysconfdir}/apparmor %dir %{_sysconfdir}/apparmor.d %{_sysconfdir}/apparmor.d/cache +%{_sysconfdir}/apparmor.d/cache.d /sbin/rcapparmor %{_unitdir}/apparmor.service %config(noreplace) %{_sysconfdir}/apparmor/subdomain.conf %config(noreplace) %{_sysconfdir}/apparmor/parser.conf %{_localstatedir}/lib/apparmor +%{_localstatedir}/cache/apparmor %dir %attr(-, root, root) %{apparmor_bin_prefix} %{apparmor_bin_prefix}/rc.apparmor.functions %{apparmor_bin_prefix}/apparmor.systemd @@ -560,6 +552,7 @@ %doc %{_mandir}/man5/apparmor.vim.5.gz %doc %{_mandir}/man5/subdomain.conf.5.gz %doc %{_mandir}/man7/apparmor.7.gz +%doc %{_mandir}/man8/aa-teardown.8.gz %doc %{_mandir}/man8/apparmor_parser.8.gz %pre parser @@ -589,6 +582,8 @@ %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* %config(noreplace) %{_sysconfdir}/apparmor.d/usr.* %config(noreplace) %{_sysconfdir}/apparmor.d/local/* +%dir /usr/share/apparmor/ +/usr/share/apparmor/cache/ /usr/share/apparmor/extra-profiles/ %files utils 
@@ -619,7 +614,6 @@ %{_sbindir}/decode %{_sbindir}/disable %{_sbindir}/enforce -%{_sbindir}/exec %{_sbindir}/genprof %{_sbindir}/logprof %{_sbindir}/notify @@ -741,12 +735,17 @@ %service_del_postun apparmor.service %post abstractions +# workaround for bnc#904620#c8 / lp#1392042 +rm -f /var/cache/apparmor/* 2>/dev/null #restart_on_update apparmor - but non-broken (bnc#853019) systemctl is-active -q apparmor && systemctl reload apparmor ||: %post profiles # workaround for bnc#904620#c8 / lp#1392042 +# old cache location up to 2.12 rm -f /var/lib/apparmor/cache/* 2>/dev/null +# cache location starting with 2.13 +rm -f /var/cache/apparmor/* 2>/dev/null #restart_on_update apparmor - but non-broken (bnc#853019) systemctl is-active -q apparmor && systemctl reload apparmor ||: ++++++ libapparmor.spec ++++++ --- /var/tmp/diff_new_pack.SZjlB2/_old 2018-04-22 14:39:02.986248364 +0200 +++ /var/tmp/diff_new_pack.SZjlB2/_new 2018-04-22 14:39:02.990248219 +0200 @@ -18,7 +18,7 @@ Name: libapparmor -Version: 2.12 +Version: 2.13 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later ++++++ aa-teardown-path.diff ++++++ Index: parser/Makefile =================================================================== --- parser/Makefile.orig 2018-04-15 15:48:53.000000000 +0200 +++ parser/Makefile 2018-04-15 23:21:13.677508654 +0200 
@@ -384,8 +384,8 @@ install-systemd: install -m 755 -d $(SYSTEMD_UNIT_DIR) install -m 644 apparmor.service $(SYSTEMD_UNIT_DIR) install -m 644 apparmor.systemd $(APPARMOR_BIN_PREFIX) - install -m 755 -d $(DESTDIR)/sbin - install -m 755 aa-teardown $(DESTDIR)/sbin + install -m 755 -d $(DESTDIR)/usr/sbin + install -m 755 aa-teardown $(DESTDIR)/usr/sbin ifndef VERBOSE .SILENT: clean ++++++ apparmor-2.12.tar.gz -> apparmor-2.13.tar.gz ++++++ /work/SRC/openSUSE:Factory/apparmor/apparmor-2.12.tar.gz /work/SRC/openSUSE:Factory/.apparmor.new/apparmor-2.13.tar.gz differ: char 5, line 1 ++++++ apparmor-enable-profile-cache.diff ++++++ --- /var/tmp/diff_new_pack.SZjlB2/_old 2018-04-22 14:39:03.054245904 +0200 +++ /var/tmp/diff_new_pack.SZjlB2/_new 2018-04-22 14:39:03.054245904 +0200 
@@ -2,22 +2,45 @@ This speeds up loading the (unchanged) profiles about 20 times. -Upstream doesn't enable caching because the cache directory is not +Upstream doesn't enable caching because the cache directory is not writeable at the time profiles are loaded in Ubuntu. See also bnc#689458 +Also set the cache location to /var/cache/apparmor/ (writeable) and +/usr/share/apparmor/cache/ (packaged precompiled cache), and adjust +the mount requirements in apparmor.service accordingly. + +See boo#1069906 and boo#1074429 + + Signed-off by: Christian Boltz <appar...@cboltz.de> ---- a/parser/parser.conf_ORIG 2011-10-09 20:59:31.000000000 +0200 -+++ b/parser/parser.conf 2011-10-09 21:00:15.000000000 +0200 -@@ -28,7 +28,7 @@ +Index: parser/parser.conf +=================================================================== +--- parser/parser.conf_ORIG 2018-04-19 22:47:18.485179998 +0200 ++++ parser/parser.conf 2018-04-19 22:51:12.084588654 +0200 +@@ -31,7 +31,10 @@ # match-string "pattern=aadfa audit perms=crwxamlk/ user::other" ## Turn creating/updating of the cache on by default -#write-cache +write-cache ++ ++# cache location (cache writes go to the first directory in the list) ++cache-loc /var/cache/apparmor,/usr/share/apparmor/cache ## Show cache hits #show-cache +--- parser/apparmor.service_ORIG 2018-04-19 22:58:12.631443321 +0200 ++++ parser/apparmor.service 2018-04-19 22:58:47.903343044 +0200 +@@ -4,7 +4,7 @@ DefaultDependencies=no + Before=sysinit.target + After=systemd-journald-audit.socket + # profile cache +-After=var.mount var-lib.mount ++After=var.mount var-cache.mount usr.mount usr-share.mount + ConditionSecurity=apparmor + + [Service]
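Review bot: in the apparmor.spec %build hunk, the cache produced by `parser/apparmor_parser --write-cache -QT -L $(pwd)/profiles/cache ...` is keyed to the feature set the parser determined at build time (that is what the `.features` file the later checks look for records), so on a runtime kernel whose feature set differs, the packaged /usr/share/apparmor/cache is a miss and the parser recompiles into /var/cache/apparmor. The spec comment should state this, since it decides whether the precompiled cache delivers the speedup the changes entry promises, and %check could compare the generated `.features` content against the expected set rather than only testing that the file exists.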
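Review bot: in the apparmor.spec %check hunk, `test -f profiles/cache/*/bin.ping` and `test -f profiles/cache/*/.features` (and the matching `%{buildroot}/usr/share/apparmor/cache/*/...` tests in %install) only work when the glob expands to exactly one cache subdirectory: with two or more matches `test -f` receives several operands and exits non-zero, so the build would fail for a reason unrelated to a missing file. Consider asserting the directory count first, e.g. `test "$(ls -d profiles/cache/*/ | wc -l)" = 1`, and then testing the files inside that single directory.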
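Review bot: in the apparmor.spec %install hunk, `install -d -m 755 %{buildroot}/usr/share/apparmor/cache` and `cp -a profiles/cache/* %{buildroot}/usr/share/apparmor/cache` hard-code /usr/share while the surrounding lines use `%{_localstatedir}` and `%{_sysconfdir}`; `%{_datadir}/apparmor/cache` keeps the spec consistent, and the same applies to the `%dir /usr/share/apparmor/` and `/usr/share/apparmor/cache/` entries in `%files profiles` and the `cache-loc` path in parser.conf, which must all agree.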
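Review bot: in the apparmor.spec %files hunk for the parser package, `+%{_localstatedir}/cache/apparmor` is listed as a plain entry, so rpm claims every file later generated beneath it at runtime; `%dir %{_localstatedir}/cache/apparmor` is the more precise form, matching the existing `%dir %{_sysconfdir}/apparmor.d` entry, and makes clear that the contents are runtime-generated cache rather than packaged files.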
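Review bot: in the apparmor.spec %post hunks, `rm -f /var/cache/apparmor/* 2>/dev/null` does not clear the 2.13 cache: the build step itself shows the per-feature-set subdirectory layout (`profiles/cache/*/bin.ping`), `rm -f` without `-r` refuses directories, and `2>/dev/null` hides that refusal, so the stale cache survives and the bnc#904620#c8 / lp#1392042 workaround is a no-op for the new location. Use `rm -rf /var/cache/apparmor/*` (the old-location line for /var/lib/apparmor/cache/* can keep `rm -f`, since that layout was flat) or call the parser's `--purge-cache` option, which removes the cache in whatever layout the installed parser uses.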
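Review bot: in the apparmor-enable-profile-cache.diff hunk for apparmor.service, `After=var.mount var-cache.mount usr.mount usr-share.mount` only orders against those four unit names and silently does nothing if /var/cache or /usr/share is provided by a differently named mount or subvolume; `RequiresMountsFor=/var/cache/apparmor /usr/share/apparmor/cache` expresses the real dependency, since systemd derives the Requires= and After= on every mount unit covering those paths, nested mounts included. Also worth a comment next to `cache-loc /var/cache/apparmor,/usr/share/apparmor/cache`: because writes go to the first entry, the unit must not start before /var/cache is writeable, which is exactly the ordering problem the patch header describes for Ubuntu.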
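Review bot: in the aa-teardown-path.diff hunk, `install -m 755 -d $(DESTDIR)/usr/sbin` and `install -m 755 aa-teardown $(DESTDIR)/usr/sbin` hard-code the path while the adjacent lines use `$(SYSTEMD_UNIT_DIR)` and `$(APPARMOR_BIN_PREFIX)`; a variable with a default (for example `SBINDIR ?= /usr/sbin`, then `$(DESTDIR)$(SBINDIR)`) lets distributions that keep /sbin override it from the command line instead of carrying their own patch, and keeps the install target consistent with the `%{_sbindir}/aa-teardown` entry in the spec.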