Hello community, here is the log from the commit of package yast2-security for openSUSE:Leap:15.2 checked in at 2020-04-08 12:47:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/yast2-security (Old) and /work/SRC/openSUSE:Leap:15.2/.yast2-security.new.3248 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-security" Wed Apr 8 12:47:51 2020 rev:31 rq:791111 version:4.2.12 Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/yast2-security/yast2-security.changes 2020-02-27 06:41:26.257601393 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.yast2-security.new.3248/yast2-security.changes 2020-04-08 12:47:53.290327476 +0200
@@ -1,0 +2,7 @@
+Tue Mar 31 17:41:17 UTC 2020 - Knut Anderssen <kanders...@suse.com>
+
+- Apply sysctl changes to the running system when the YaST sysctl
+ configuration file is modified (bsc#1167234)
+- 4.2.12
+
+-------------------------------------------------------------------
Old: ---- yast2-security-4.2.11.tar.bz2 New: ---- yast2-security-4.2.12.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-security.spec ++++++
--- /var/tmp/diff_new_pack.bwEJr4/_old 2020-04-08 12:47:53.678327671 +0200
+++ /var/tmp/diff_new_pack.bwEJr4/_new 2020-04-08 12:47:53.682327674 +0200
@@ -17,7 +17,7 @@
 Name: yast2-security
-Version: 4.2.11
+Version: 4.2.12
 Release: 0
 Summary: YaST2 - Security Configuration
 License: GPL-2.0-only
++++++ yast2-security-4.2.11.tar.bz2 -> yast2-security-4.2.12.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.11/package/yast2-security.changes new/yast2-security-4.2.12/package/yast2-security.changes
--- old/yast2-security-4.2.11/package/yast2-security.changes 2020-02-21 10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/package/yast2-security.changes 2020-04-02 16:38:52.000000000 +0200
@@ -1,4 +1,11 @@
 -------------------------------------------------------------------
+Tue Mar 31 17:41:17 UTC 2020 - Knut Anderssen <kanders...@suse.com>
+
+- Apply sysctl changes to the running system when the YaST sysctl
+ configuration file is modified (bsc#1167234)
+- 4.2.12
+
+-------------------------------------------------------------------
 Mon Feb 3 16:02:35 CET 2020 - sch...@suse.de
 - Using SysctlConfig class: Handle sysctl entries in different
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.11/package/yast2-security.spec new/yast2-security-4.2.12/package/yast2-security.spec
--- old/yast2-security-4.2.11/package/yast2-security.spec 2020-02-21 10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/package/yast2-security.spec 2020-04-02 16:38:52.000000000 +0200
@@ -17,7 +17,7 @@
 Name: yast2-security
-Version: 4.2.11
+Version: 4.2.12
 Release: 0
 Group: System/YaST
 License: GPL-2.0-only
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.11/src/modules/Security.rb new/yast2-security-4.2.12/src/modules/Security.rb
--- old/yast2-security-4.2.11/src/modules/Security.rb 2020-02-21 10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/src/modules/Security.rb 2020-04-02 16:38:52.000000000 +0200
@@ -591,18 +591,9 @@
 end
 end
- if written && !sysctl_config.conflict?
- sysctl_config.save
- end
-
- # enable sysrq?
- sysrq = Integer(@Settings.fetch("kernel.sysrq", "0")) rescue nil
- if sysrq != nil
- SCR.Execute(
- path(".target.bash"),
- "echo #{sysrq} > /proc/sys/kernel/sysrq"
- )
- end
+ # In case of modified, always write the changes (bsc#1167234)
+ sysctl_config.save if written
+ written
 end
 # Write local PolicyKit configuration
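Review bot: The Security.rb hunk makes the method (presumably write_kernel_settings, given the caller in Write) return `written`, a Boolean the caller now relies on to decide whether sysctl is re-run, but nothing documents that contract; the method header is outside this hunk, so add `# @return [Boolean] true when the YaST sysctl configuration file was modified and saved` there. Dropping the `!sysctl_config.conflict?` guard means the file is now saved even when another sysctl.d file overrides the same keys, which is the stated intent of bsc#1167234 but reads like an accidental loss of the check; make it explicit on the new save line, e.g. `# Save even on conflicts; the conflict check moved to apply_sysctl_changes (bsc#1167234)`. The sysrq value is no longer pushed to /proc directly and instead depends on the later `sysctl --system` run, which only happens when Write passes `sysctl: true`, so the comment should also say that the runtime effect is deferred to apply_new_settings.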
@@ -620,8 +611,21 @@
 end
 end
- # Ensures that file permissions and PolicyKit privileges are applied
- def apply_new_settings
+ # Apply sysctl settings from all the sysctl configuration files
+ def apply_sysctl_changes
+ # Reports if there are conflict when the configuration is applied
+ sysctl_config.conflict?
+
+ Yast::Execute.on_target("/usr/sbin/sysctl", "--system")
+ end
+
+ # Ensures that sysctl changes, file permissions and PolicyKit privileges
+ # are applied
+ #
+ # @param sysctl [Boolean] whether sysctl changes should be applied or not
+ def apply_new_settings(sysctl: false)
+ # Apply sysctl changes to the running system (bsc#1167234)
+ apply_sysctl_changes if sysctl
 # apply all current permissions as they are now
 # (what SuSEconfig --module permissions would have done)
 SCR.Execute(path(".target.bash"), "/usr/bin/chkstat --system")
@@ -707,12 +711,12 @@
 Progress.NextStage
 write_pam_settings
 write_polkit_settings
- write_kernel_settings
+ sysctl_modified = write_kernel_settings
 # Finish him
 return false if Abort()
 Progress.NextStage
- apply_new_settings
+ apply_new_settings(sysctl: sysctl_modified)
 return false if Abort()
 Progress.NextStage
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.11/test/levels_test.rb new/yast2-security-4.2.12/test/levels_test.rb
--- old/yast2-security-4.2.11/test/levels_test.rb 2020-02-21 10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/test/levels_test.rb 2020-04-02 16:38:52.000000000 +0200
@@ -2,6 +2,7 @@
 require_relative 'test_helper'
 require "cfa/shadow_config"
+require "cfa/sysctl_config"
 module Yast
 class LevelsTester < Client
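Review bot: In `apply_sysctl_changes` the Boolean returned by `sysctl_config.conflict?` is discarded, so whether the user ever learns that another sysctl.d file overrides the security-relevant keys YaST just wrote (net.ipv4.ip_forward, kernel.sysrq — which `sysctl --system` will then apply with the other file's value) depends entirely on conflict? raising the report itself, and this hunk does not show that. If it only returns the flag, act on it, e.g. `log.warn("sysctl conflicts detected; other files may override the YaST values") if sysctl_config.conflict?` (assuming the module mixes in Yast::Logger as YaST modules normally do); if it does report on its own, say so instead of the current `# Reports if there are conflict ...` comment, e.g. `# conflict? shows the warning itself; its result is intentionally unused`. Note also that `Yast::Execute.on_target("/usr/sbin/sysctl", "--system")` re-applies every file in the sysctl.d precedence chain, so a broken key in an unrelated file makes sysctl exit non-zero and, if on_target reports failures the way the non-bang Execute helpers usually do, the user sees an error attributed to the security module; a sentence on that in the method comment would save the next maintainer a bug hunt.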
@@ -24,10 +25,15 @@
 subject(:settings) { tester.Levels }
 let(:shadow_config) { CFA::ShadowConfig.new }
+ let(:sysctl_config) { CFA::SysctlConfig.new }
 before do
+ tester
 allow(CFA::ShadowConfig).to receive(:load).and_return(shadow_config)
 allow(shadow_config).to receive(:save)
+ allow(Security).to receive(:sysctl_config).and_return(sysctl_config)
+ allow(sysctl_config).to receive(:conflict?)
+ allow(Security).to receive(:write_kernel_settings).and_return(true)
 end
 it "reads the settings from the yaml files" do
@@ -61,7 +67,7 @@
 expect(SCR).to exec_bash_output("/usr/sbin/pam-config -d --pwhistory-remember") .and_return(empty_bash_output)
 expect(SCR).to exec_bash("ln -s -f /dev/null /etc/systemd/system/ctrl-alt-del.target")
- expect(SCR).to exec_bash("echo 0 > /proc/sys/kernel/sysrq")
+ expect(Yast::Execute).to receive(:on_target).with("/usr/sbin/sysctl", "--system")
 expect(SCR).to exec_bash("/usr/bin/chkstat --system")
 expect(shadow_config).to receive(:fail_delay=).with("6")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-security-4.2.11/test/security_test.rb new/yast2-security-4.2.12/test/security_test.rb
--- old/yast2-security-4.2.11/test/security_test.rb 2020-02-21 10:22:33.000000000 +0100
+++ new/yast2-security-4.2.12/test/security_test.rb 2020-04-02 16:38:52.000000000 +0200
@@ -38,6 +38,7 @@
 describe Security do
 let(:sysctl_config) { CFA::SysctlConfig.new }
 let(:shadow_config) { CFA::ShadowConfig.new }
+ let(:bash_path) { Yast::Path.new(".target.bash") }
 before do
 allow(CFA::SysctlConfig).to receive(:new).and_return(sysctl_config)
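Review bot: Stubbing `allow(Security).to receive(:write_kernel_settings).and_return(true)` in the levels_test `before` block forces the sysctl apply path for every level, so the new expectation `expect(Yast::Execute).to receive(:on_target).with("/usr/sbin/sysctl", "--system")` in the second hunk of this file passes whatever the level's YAML contains, and the suite no longer checks that a level actually writes its kernel.sysrq value (the removed `echo 0 > /proc/sys/kernel/sysrq` expectation did). If exercising the wiring is all that is intended, name that in the example; otherwise keep one example that runs the real write_kernel_settings against the stubbed `sysctl_config` and asserts the expected sysrq value. The bare `tester` line added to `before` has no visible purpose in this hunk; if it is there to instantiate the client before `Security` is stubbed, a comment such as `# instantiate the client before stubbing Security` would make that explicit.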
@@ -121,6 +122,65 @@
 end
 end
+ describe "#apply_new_settings" do
+ before do
+ allow(Security).to receive(:apply_sysctl_changes)
+ allow(Yast::SCR).to receive(:Execute)
+ end
+
+ context "when the sysctl config is modified" do
+ it "applies sysctl changes" do
+ expect(Security).to receive(:apply_sysctl_changes)
+
+ Security.apply_new_settings(sysctl: true)
+ end
+ end
+
+ context "when the sysctl config is not modified" do
+ it "does not apply sysctl changes" do
+ expect(Security).to_not receive(:apply_sysctl_changes)
+
+ Security.apply_new_settings
+ end
+ end
+
+ it "applies all current permissions as they are now" do
+ expect(Yast::SCR).to receive(:Execute)
+ .with(bash_path, "/usr/bin/chkstat --system")
+
+ Security.apply_new_settings
+ end
+
+ it "ensures polkit privileges are applied" do
+ expect(FileUtils)
+ .to receive(:Exists).with("/sbin/set_polkit_default_privs").and_return(true)
+ expect(Yast::SCR).to receive(:Execute)
+ .with(bash_path, "/sbin/set_polkit_default_privs")
+
+ Security.apply_new_settings
+ end
+ end
+
+ describe "#apply_sysctl_changes" do
+ before do
+ allow(Security).to receive(:sysctl_config).and_return(sysctl_config)
+ allow(sysctl_config).to receive(:conflict?)
+ allow(Yast::Execute).to receive(:on_target).with("/usr/sbin/sysctl", "--system")
+ end
+
+ it "checks if there are sysctl conflicts with other files" do
+ expect(sysctl_config).to receive(:conflict?)
+
+ Security.apply_sysctl_changes
+ end
+
+ it "applies the changes from all the configuration files" do
+ expect(Yast::Execute).to receive(:on_target).with("/usr/sbin/sysctl", "--system")
+
+ Security.apply_sysctl_changes
+ end
+ end
+
 describe "#write_to_locations" do
 before do
 change_scr_root(File.join(DATA_PATH, "system"))
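Review bot: `it "checks if there are sysctl conflicts with other files"` only asserts that `conflict?` is called; it never fixes what apply_sysctl_changes should do when it returns true versus false, so the suite does not pin whether the user is informed or whether `sysctl --system` still runs when another file overrides the YaST values. Add two contexts, `allow(sysctl_config).to receive(:conflict?).and_return(true)` and `.and_return(false)`, each asserting the intended outcome, so a later change that silently drops the conflict handling is caught. In the `before` block, `allow(Yast::Execute).to receive(:on_target).with(...)` is argument-constrained, which makes any other on_target call fail with an unhelpful message; the usual split is an unconstrained `allow` there and the exact `expect ... .with(...)` in the example.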
@@ -201,34 +261,34 @@
 Security.Settings["net.ipv4.ip_forward"] = ""
 expect(sysctl_config).to_not receive(:kernel_sysrq).with("yes")
 expect(sysctl_config).to_not receive(:raw_forward_ipv4=).with("")
- Security.write_kernel_settings
+ expect(Security.write_kernel_settings).to eq(false)
 end
 it "does not write unchanged values" do
 Security.Settings["net.ipv4.ip_forward"] = false
 expect(sysctl_config).to_not receive(:save)
 Security.write_kernel_settings
+ expect(Security.write_kernel_settings).to eq(false)
 end
 it "writes changed values" do
 Security.Settings["net.ipv4.ip_forward"] = true
 expect(sysctl_config).to receive(:save)
 Security.write_kernel_settings
+ expect(Security.write_kernel_settings).to eq(true)
 end
 end
 context "setting sysrq" do
 it "does not write invalid values" do
- expect(SCR).to_not exec_bash(/echo .* \/kernel\/sysrq/)
- Security.Settings["kernel.sysrq"] = "yes"
+ expect(sysctl_config).to_not receive(:save)
 Security.write_kernel_settings
 end
 it "writes valid values" do
- expect(SCR).to exec_bash("echo 1 > /proc/sys/kernel/sysrq")
- Security.Settings["kernel.sysrq"] = "1"
+ expect(sysctl_config).to receive(:save)
 Security.write_kernel_settings
 end
 end
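Review bot: In `it "does not write unchanged values"` and `it "writes changed values"` the context line `Security.write_kernel_settings` is kept and `expect(Security.write_kernel_settings).to eq(...)` is added after it, so each example now calls the method twice; the first call's effect on the stubbed `sysctl_config` can change what the second call returns, and `expect(sysctl_config).to receive(:save)` defaults to exactly one call, so the example is only green if the second call happens to find nothing to save. Drop the bare call and keep only the `expect(...).to eq(...)` line in both examples. In the `"setting sysrq"` context the removed `Security.Settings["kernel.sysrq"] = "yes"` and `= "1"` assignments were what made the examples about sysrq; without them both run with the default settings and their names no longer describe what they test, so restore the assignments and assert the new return value, e.g. `Security.Settings["kernel.sysrq"] = "1"` followed by `expect(Security.write_kernel_settings).to eq(true)`.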