Hello community,

here is the log from the commit of package yast2-security for 
openSUSE:Leap:15.2 checked in at 2020-04-08 12:47:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/yast2-security (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.yast2-security.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-security"

Wed Apr  8 12:47:51 2020 rev:31 rq:791111 version:4.2.12

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/yast2-security/yast2-security.changes  
2020-02-27 06:41:26.257601393 +0100
+++ 
/work/SRC/openSUSE:Leap:15.2/.yast2-security.new.3248/yast2-security.changes    
    2020-04-08 12:47:53.290327476 +0200
@@ -1,0 +2,7 @@
+Tue Mar 31 17:41:17 UTC 2020 - Knut Anderssen <kanders...@suse.com>
+
+- Apply sysctl changes to the running system when the YaST sysctl
+  configuration file is modified (bsc#1167234)
+- 4.2.12
+
+-------------------------------------------------------------------

Old:
----
  yast2-security-4.2.11.tar.bz2

New:
----
  yast2-security-4.2.12.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-security.spec ++++++
--- /var/tmp/diff_new_pack.bwEJr4/_old  2020-04-08 12:47:53.678327671 +0200
+++ /var/tmp/diff_new_pack.bwEJr4/_new  2020-04-08 12:47:53.682327674 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-security
-Version:        4.2.11
+Version:        4.2.12
 Release:        0
 Summary:        YaST2 - Security Configuration
 License:        GPL-2.0-only

++++++ yast2-security-4.2.11.tar.bz2 -> yast2-security-4.2.12.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-security-4.2.11/package/yast2-security.changes 
new/yast2-security-4.2.12/package/yast2-security.changes
--- old/yast2-security-4.2.11/package/yast2-security.changes    2020-02-21 
10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/package/yast2-security.changes    2020-04-02 
16:38:52.000000000 +0200
@@ -1,4 +1,11 @@
 -------------------------------------------------------------------
+Tue Mar 31 17:41:17 UTC 2020 - Knut Anderssen <kanders...@suse.com>
+
+- Apply sysctl changes to the running system when the YaST sysctl
+  configuration file is modified (bsc#1167234)
+- 4.2.12
+
+-------------------------------------------------------------------
 Mon Feb  3 16:02:35 CET 2020 - sch...@suse.de
 
 - Using SysctlConfig class: Handle sysctl entries in different
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-security-4.2.11/package/yast2-security.spec 
new/yast2-security-4.2.12/package/yast2-security.spec
--- old/yast2-security-4.2.11/package/yast2-security.spec       2020-02-21 
10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/package/yast2-security.spec       2020-04-02 
16:38:52.000000000 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-security
-Version:        4.2.11
+Version:        4.2.12
 Release:        0
 Group:          System/YaST
 License:        GPL-2.0-only
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-security-4.2.11/src/modules/Security.rb 
new/yast2-security-4.2.12/src/modules/Security.rb
--- old/yast2-security-4.2.11/src/modules/Security.rb   2020-02-21 
10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/src/modules/Security.rb   2020-04-02 
16:38:52.000000000 +0200
@@ -591,18 +591,9 @@
         end
       end
 
-      if written && !sysctl_config.conflict?
-        sysctl_config.save
-      end
-
-      # enable sysrq?
-      sysrq = Integer(@Settings.fetch("kernel.sysrq", "0")) rescue nil
-      if sysrq != nil
-        SCR.Execute(
-          path(".target.bash"),
-          "echo #{sysrq} > /proc/sys/kernel/sysrq"
-        )
-      end
+      # In case of modified, always write the changes (bsc#1167234)
+      sysctl_config.save if written
+      written
     end
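Review bot: The value left on the last line (`written`) is now part of this method's contract, because a later hunk feeds it into `apply_new_settings(sysctl:)`, yet nothing here documents it. The method comment, which lies outside this hunk, should gain `# @return [Boolean] whether the sysctl settings were modified and saved`. The file is also saved now even when `sysctl_config.conflict?` would have blocked it before, so a value from another sysctl file can presumably still win at runtime. The inline comment would be clearer as `# Save whenever something changed, even with conflicts; they are reported when the changes are applied (bsc#1167234)`.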
 
     # Write local PolicyKit configuration
@@ -620,8 +611,21 @@
       end
     end
 
-    # Ensures that file permissions and PolicyKit privileges are applied
-    def apply_new_settings
+    # Apply sysctl settings from all the sysctl configuration files
+    def apply_sysctl_changes
+      # Reports if there are conflict when the configuration is applied
+      sysctl_config.conflict?
+
+      Yast::Execute.on_target("/usr/sbin/sysctl", "--system")
+    end
+
+    # Ensures that sysctl changes, file permissions and PolicyKit privileges
+    # are applied
+    #
+    # @param sysctl [Boolean] whether sysctl changes should be applied or not
+    def apply_new_settings(sysctl: false)
+      # Apply sysctl changes to the running system (bsc#1167234)
+      apply_sysctl_changes if sysctl
       # apply all current permissions as they are now
       # (what SuSEconfig --module permissions would have done)
       SCR.Execute(path(".target.bash"), "/usr/bin/chkstat --system")
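Review bot: In `apply_sysctl_changes` both results are thrown away: `sysctl_config.conflict?` is called only for whatever reporting it does, and the outcome of `Yast::Execute.on_target("/usr/sbin/sysctl", "--system")` is not checked. `apply_new_settings` therefore goes on to `chkstat` whether or not the kernel parameters were actually loaded. For a security module that should be explicit, for example with the comment `# conflict? is called for its reporting side effect only; a conflict does not stop the apply` and a `@return` line stating what the method yields when `sysctl` fails. The doc comment could also say that `sysctl --system` reloads every sysctl configuration file, not only the YaST one, so runtime values changed by hand for keys present in those files are reset as well. The body of `apply_new_settings` continues outside this hunk.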
@@ -707,12 +711,12 @@
       Progress.NextStage
       write_pam_settings
       write_polkit_settings
-      write_kernel_settings
+      sysctl_modified = write_kernel_settings
 
       # Finish him
       return false if Abort()
       Progress.NextStage
-      apply_new_settings
+      apply_new_settings(sysctl: sysctl_modified)
 
       return false if Abort()
       Progress.NextStage
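Review bot: Between `sysctl_modified = write_kernel_settings` and `apply_new_settings(sysctl: sysctl_modified)` sits `return false if Abort()`, so an abort at that point leaves the sysctl file saved on disk while the running kernel keeps its old values. The two stay out of step until something else runs `sysctl --system` or the machine reboots. A comment at the assignment would make that window visible, e.g. `# saved on disk here; applied to the running system only in apply_new_settings`. The enclosing method starts and ends outside this hunk.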
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-security-4.2.11/test/levels_test.rb 
new/yast2-security-4.2.12/test/levels_test.rb
--- old/yast2-security-4.2.11/test/levels_test.rb       2020-02-21 
10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/test/levels_test.rb       2020-04-02 
16:38:52.000000000 +0200
@@ -2,6 +2,7 @@
 
 require_relative 'test_helper'
 require "cfa/shadow_config"
+require "cfa/sysctl_config"
 
 module Yast
   class LevelsTester < Client
@@ -24,10 +25,15 @@
     subject(:settings) { tester.Levels }
 
     let(:shadow_config) { CFA::ShadowConfig.new }
+    let(:sysctl_config) { CFA::SysctlConfig.new }
 
     before do
+      tester
       allow(CFA::ShadowConfig).to receive(:load).and_return(shadow_config)
       allow(shadow_config).to receive(:save)
+      allow(Security).to receive(:sysctl_config).and_return(sysctl_config)
+      allow(sysctl_config).to receive(:conflict?)
+      allow(Security).to receive(:write_kernel_settings).and_return(true)
     end
 
     it "reads the settings from the yaml files" do
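Review bot: Stubbing `Security.write_kernel_settings` to return `true` in the `before` block means the examples in this file no longer run the kernel-settings code at all. The `sysctl --system` expectation in the next hunk then passes regardless of which values the level sets, whereas the removed `echo 0 > /proc/sys/kernel/sysrq` expectation did pin a value. Consider leaving `write_kernel_settings` unstubbed and stubbing only `sysctl_config.save`, or adding an expectation on the value handed to `sysctl_config`. The bare `tester` line also deserves a comment such as `# instantiate the client before stubbing Security`, if that is its purpose. The surrounding `describe` continues outside this hunk.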
@@ -61,7 +67,7 @@
         expect(SCR).to exec_bash_output("/usr/sbin/pam-config -d 
--pwhistory-remember")
           .and_return(empty_bash_output)
         expect(SCR).to exec_bash("ln -s -f /dev/null 
/etc/systemd/system/ctrl-alt-del.target")
-        expect(SCR).to exec_bash("echo 0 > /proc/sys/kernel/sysrq")
+        expect(Yast::Execute).to receive(:on_target).with("/usr/sbin/sysctl", 
"--system")
         expect(SCR).to exec_bash("/usr/bin/chkstat --system")
         expect(shadow_config).to receive(:fail_delay=).with("6")
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/yast2-security-4.2.11/test/security_test.rb 
new/yast2-security-4.2.12/test/security_test.rb
--- old/yast2-security-4.2.11/test/security_test.rb     2020-02-21 
10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/test/security_test.rb     2020-04-02 
16:38:52.000000000 +0200
@@ -38,6 +38,7 @@
   describe Security do
     let(:sysctl_config) { CFA::SysctlConfig.new }
     let(:shadow_config) { CFA::ShadowConfig.new }
+    let(:bash_path) { Yast::Path.new(".target.bash") }
 
     before do
       allow(CFA::SysctlConfig).to receive(:new).and_return(sysctl_config)
@@ -121,6 +122,65 @@
       end
     end
 
+    describe "#apply_new_settings" do
+      before do
+        allow(Security).to receive(:apply_sysctl_changes)
+        allow(Yast::SCR).to receive(:Execute)
+      end
+
+      context "when the sysctl config is modified" do
+        it "applies sysctl changes" do
+          expect(Security).to receive(:apply_sysctl_changes)
+
+          Security.apply_new_settings(sysctl: true)
+        end
+      end
+
+      context "when the sysctl config is not modified" do
+        it "does not apply sysctl changes" do
+          expect(Security).to_not receive(:apply_sysctl_changes)
+
+          Security.apply_new_settings
+        end
+      end
+
+      it "applies all current permissions as they are now" do
+        expect(Yast::SCR).to receive(:Execute)
+          .with(bash_path, "/usr/bin/chkstat --system")
+
+        Security.apply_new_settings
+      end
+
+      it "ensures polkit privileges are applied" do
+        expect(FileUtils)
+          .to 
receive(:Exists).with("/sbin/set_polkit_default_privs").and_return(true)
+        expect(Yast::SCR).to receive(:Execute)
+          .with(bash_path, "/sbin/set_polkit_default_privs")
+
+        Security.apply_new_settings
+      end
+    end
+
+    describe "#apply_sysctl_changes" do
+      before do
+        allow(Security).to receive(:sysctl_config).and_return(sysctl_config)
+        allow(sysctl_config).to receive(:conflict?)
+        allow(Yast::Execute).to receive(:on_target).with("/usr/sbin/sysctl", 
"--system")
+      end
+
+      it "checks if there are sysctl conflicts with other files" do
+        expect(sysctl_config).to receive(:conflict?)
+
+        Security.apply_sysctl_changes
+      end
+
+      it "applies the changes from all the configuration files" do
+        expect(Yast::Execute).to receive(:on_target).with("/usr/sbin/sysctl", 
"--system")
+
+        Security.apply_sysctl_changes
+      end
+    end
+
     describe "#write_to_locations" do
       before do
         change_scr_root(File.join(DATA_PATH, "system"))
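Review bot: The `#apply_sysctl_changes` examples cover only the success path: `Yast::Execute.on_target` is stubbed with `allow(...)` and no example exercises a failing `sysctl --system` or a `conflict?` that returns true. Whatever the method does in those cases is therefore unpinned, and these are the cases where a saved hardening value may not reach the running kernel. One example per case, asserting the return value or the reported error, would document the intended behaviour. The `#write_to_locations` block at the end of the hunk continues outside it.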
@@ -201,34 +261,34 @@
           Security.Settings["net.ipv4.ip_forward"] = ""
           expect(sysctl_config).to_not receive(:kernel_sysrq).with("yes")
           expect(sysctl_config).to_not receive(:raw_forward_ipv4=).with("")
-          Security.write_kernel_settings
+          expect(Security.write_kernel_settings).to eq(false)
         end
 
         it "does not write unchanged values" do
           Security.Settings["net.ipv4.ip_forward"] = false
           expect(sysctl_config).to_not receive(:save)
           Security.write_kernel_settings
+          expect(Security.write_kernel_settings).to eq(false)
         end
 
         it "writes changed values" do
           Security.Settings["net.ipv4.ip_forward"] = true
           expect(sysctl_config).to receive(:save)
           Security.write_kernel_settings
+          expect(Security.write_kernel_settings).to eq(true)
         end
       end
 
       context "setting sysrq" do
         it "does not write invalid values" do
-          expect(SCR).to_not exec_bash(/echo .* \/kernel\/sysrq/)
-
           Security.Settings["kernel.sysrq"] = "yes"
+          expect(sysctl_config).to_not receive(:save)
           Security.write_kernel_settings
         end
 
         it "writes valid values" do
-          expect(SCR).to exec_bash("echo 1 > /proc/sys/kernel/sysrq")
-
           Security.Settings["kernel.sysrq"] = "1"
+          expect(sysctl_config).to receive(:save)
           Security.write_kernel_settings
         end
       end
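Review bot: In "does not write unchanged values" and "writes changed values" the bare `Security.write_kernel_settings` call is kept and the new `expect(Security.write_kernel_settings).to eq(...)` is added below it. The method therefore runs twice per example, and the asserted return value belongs to the second run. `expect(sysctl_config).to receive(:save)` is satisfied by either call, which hides whether the first call behaved correctly. Drop the bare call so each example has a single invocation, as the first example of the hunk already does. The two sysrq examples could assert the return value in the same way, presumably `expect(Security.write_kernel_settings).to eq(false)` for the invalid value.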

