[arch-commits] Commit in apparmor/trunk (5 files)

David Runge dvzrv at archlinux.org
Thu May 28 11:22:06 UTC 2020


    Date: Thursday, May 28, 2020 @ 11:22:06
  Author: dvzrv
Revision: 387759

upgpkg: apparmor 2.13.4-5: Rebuilding with patches added to svn.

The patches fetched from upstream changed slightly after git updates on the GitLab infrastructure (the exported patch headers are generated on the fly).
That changes their checksums, so all patches are now vendored in svn to keep the build reproducible.

Added:
  apparmor/trunk/apparmor-2.13.4-fix_systemd_userdb.patch
  apparmor/trunk/apparmor-2.13.4-make4.3.patch
  apparmor/trunk/apparmor-2.13.4-run_variable.patch
  apparmor/trunk/apparmor-2.13.4-vim_file.patch
Modified:
  apparmor/trunk/PKGBUILD

------------------------------------------+
 PKGBUILD                                 |   12 -
 apparmor-2.13.4-fix_systemd_userdb.patch |   32 +++
 apparmor-2.13.4-make4.3.patch            |  308 +++++++++++++++++++++++++++++
 apparmor-2.13.4-run_variable.patch       |   45 ++++
 apparmor-2.13.4-vim_file.patch           |   83 +++++++
 5 files changed, 474 insertions(+), 6 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-05-28 10:56:56 UTC (rev 387758)
+++ PKGBUILD	2020-05-28 11:22:06 UTC (rev 387759)
@@ -2,7 +2,7 @@
 
 pkgname=apparmor
 pkgver=2.13.4
-pkgrel=4
+pkgrel=5
 pkgdesc="Mandatory Access Control (MAC) using Linux Security Module (LSM)"
 arch=('x86_64')
 url="https://gitlab.com/apparmor/apparmor"
@@ -20,16 +20,16 @@
         'etc/apparmor/subdomain.conf'
         'etc/apparmor/severity.db')
 source=("https://launchpad.net/${pkgname}/${pkgver%.[0-9]}/${pkgver}/+download/${pkgname}-${pkgver}.tar.gz"{,.asc}
-        "${pkgname}-2.13.4-make4.3.patch::https://gitlab.com/apparmor/apparmor/-/merge_requests/465.patch"
-        "${pkgname}-2.13.4-vim_file.patch::https://gitlab.com/apparmor/apparmor/-/merge_requests/472.patch"
-        "${pkgname}-2.13.4-run_variable.patch::https://gitlab.com/apparmor/apparmor/-/commit/454fca7483eae7b7ee613343c2c02abaa20e37e3.patch"
-        "${pkgname}-2.13.4-fix_systemd_userdb.patch::https://gitlab.com/apparmor/apparmor/-/commit/d4296d217c888e08e10bec300fe35351c2ef2f81.patch")
+        "${pkgname}-2.13.4-make4.3.patch"
+        "${pkgname}-2.13.4-vim_file.patch"
+        "${pkgname}-2.13.4-run_variable.patch"
+        "${pkgname}-2.13.4-fix_systemd_userdb.patch")
 sha512sums=('d42748bf36ae66849f79653a62d499e9d17a97c4d680fb653eb1c379d0593aaa09f7ddfc6f2fa0d2fb468bce05fb25444976f60a5ec24778fdd7ec20d1c13651'
             'SKIP'
             '8d0eb65624a7dcc7f019974a7ad10ec0b3e2d61e51a3f9771564b4e0ddaaece17e90f78388933e8f9451ad413a51dd16d479b99733ceef73b86eb8308122a335'
             '987d2d0dd1148c28796cbb933ea79a14ef2bdf903253a10f369614f0cbbd0309c9848e28dd2f2aa216d8deaf8412e6dd043e867da34466fe39169fc0e44f07ad'
             '0abe606ad510cc97947152b28750354bd43046b38abcd6b28bbc04916fad39308f78b3626ca8b4a3ec59612fea908bdef2e309376f617595b5fc1aaec2bc6343'
-            '0fde84730115b2854b85d1b72fbbd5c54730e887af333bfff917da529a08a429d3494efdae9d1baa1d05891d925b04d69f079d11d4afb0907cbfefbd0f280583')
+            'acc76fa492429cd014f5ebc8ae2f8399912513183d634283db124156bca407ba7166fca9ecd74a8b2a334d37da06ea80805e5afc687511baf687bf5298becd4a')
 # AppArmor Development Team (AppArmor signing key) <apparmor at lists.ubuntu.com>
 validpgpkeys=('3ECDCBA5FB34D254961CC53F6689E64E3D3664BB')
 _core_perl="/usr/bin/core_perl"
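Review bot: Only the last sha512 entry changes while the first three stay identical, so the vendored apparmor-2.13.4-fix_systemd_userdb.patch is not byte-for-byte what the dropped `.../commit/d4296d217c888e08e10bec300fe35351c2ef2f81.patch` URL delivered, and the vendored file's `From 16f9f6885aff...` header indeed names a different commit id than the old URL did. With the URLs gone from `source=()`, the upstream origin of each patch now lives only in svn history, which makes later re-verification against upstream harder. Record it next to the array, e.g. `# patches vendored from upstream MRs !465, !472 and commits 454fca74, d4296d21 (re-exported as 16f9f688); re-exported patches changed checksums`. The `.asc` signature and `validpgpkeys` continue to cover only the tarball; the vendored patches are now trusted on the strength of this repository alone, which is the intended trade-off but worth stating in the comment.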

Added: apparmor-2.13.4-fix_systemd_userdb.patch
===================================================================
--- apparmor-2.13.4-fix_systemd_userdb.patch	                        (rev 0)
+++ apparmor-2.13.4-fix_systemd_userdb.patch	2020-05-28 11:22:06 UTC (rev 387759)
@@ -0,0 +1,32 @@
+From 16f9f6885aff84123c0b52197f435e40d656c0e4 Mon Sep 17 00:00:00 2001
+From: nl6720 <nl6720 at gmail.com>
+Date: Thu, 19 Mar 2020 12:05:44 +0200
+Subject: [PATCH] abstractions/nameservice: allow accessing
+ /run/systemd/userdb/
+
+On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
+
+Signed-off-by: nl6720 <nl6720 at gmail.com>
+---
+ profiles/apparmor.d/abstractions/nameservice | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
+index 760e449e..2f3b1d15 100644
+--- a/profiles/apparmor.d/abstractions/nameservice
++++ b/profiles/apparmor.d/abstractions/nameservice
+@@ -29,6 +29,11 @@
+   /var/lib/extrausers/group  r,
+   /var/lib/extrausers/passwd r,
+ 
++  # NSS records from systemd-userdbd.service
++  @{run}/systemd/userdb/ r,
++  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
++  @{PROC}/sys/kernel/random/boot_id r,
++
+   # When using sssd, the passwd and group files are stored in an alternate path
+   # and the nss plugin also needs to talk to a pipe
+   /var/lib/sss/mc/group   r,
+-- 
+2.26.2
+
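Review bot: The new rules use `@{run}`, which the 2.13.4 tarball does not define by itself; in this package it exists only because the separate run_variable patch adds `profiles/apparmor.d/tunables/run`, so the two patches must stay together or `abstractions/nameservice` fails to parse for every profile that includes it. A one-line note at the top of this patch file, `# depends on apparmor-2.13.4-run_variable.patch (defines @{run})`, would keep them from being dropped independently. The `io.systemd.*` entries are socket endpoints that nss-systemd connects to; under AppArmor's path-based mediation of unix sockets a connect is treated as a write, so `r` alone is likely insufficient and `rw` is presumably what clients need — verify against audit denials before widening it.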

Added: apparmor-2.13.4-make4.3.patch
===================================================================
--- apparmor-2.13.4-make4.3.patch	                        (rev 0)
+++ apparmor-2.13.4-make4.3.patch	2020-05-28 11:22:06 UTC (rev 387759)
@@ -0,0 +1,308 @@
+From fc2beaca9d642fb93736066f26e3588ad30ec7a4 Mon Sep 17 00:00:00 2001
+From: Eric Chiang <ericchiang at google.com>
+Date: Thu, 17 Jan 2019 11:02:57 -0800
+Subject: [PATCH 1/4] *: ensure make apparmor_parser is cached
+
+This change updates parser/Makefile to respect target dependencies and
+not rebuild apparmor_parser if nothing's changed. The goal is to allow
+cross-compiled tests #17 to run on a target system without the tests
+attempting to rebuild the parser.
+
+Two changes were made:
+
+* Generate af_names.h in a script so the script timestamp is compared.
+* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
+
+Changes to list_af_names are intended to exactly replicate the old
+behavior.
+
+Signed-off-by: Eric Chiang <ericchiang at google.com>
+(cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578)
+---
+ common/Make.rules                | 21 ---------------------
+ common/list_af_names.sh          | 19 +++++++++++++++++++
+ parser/Makefile                  | 13 +++++--------
+ utils/vim/create-apparmor.vim.py |  2 +-
+ 4 files changed, 25 insertions(+), 30 deletions(-)
+ create mode 100755 common/list_af_names.sh
+
+diff --git a/common/Make.rules b/common/Make.rules
+index d2149fcd..357bdec8 100644
+--- a/common/Make.rules
++++ b/common/Make.rules
+@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C
+ list_capabilities: /usr/include/linux/capability.h
+ 	@echo "$(CAPABILITIES)"
+ 
+-# =====================
+-# generate list of network protocols based on
+-# sys/socket.h for use in multiple locations in
+-# the source tree
+-# =====================
+-
+-# These are the families that it doesn't make sense for apparmor
+-# to mediate. We use PF_ here since that is what is required in
+-# bits/socket.h, but we will rewrite these as AF_.
+-
+-FILTER_FAMILIES=PF_UNIX
+-
+-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+-
+-# emits the AF names in a "AF_NAME NUMBER," pattern
+-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+-
+-.PHONY: list_af_names
+-list_af_names:
+-	@echo "$(AF_NAMES)"
+-
+ # =====================
+ # manpages
+ # =====================
+diff --git a/common/list_af_names.sh b/common/list_af_names.sh
+new file mode 100755
+index 00000000..d7987537
+--- /dev/null
++++ b/common/list_af_names.sh
+@@ -0,0 +1,19 @@
++#!/bin/bash -e
++
++# =====================
++# generate list of network protocols based on
++# sys/socket.h for use in multiple locations in
++# the source tree
++# =====================
++
++# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
++# for "PF_" constants since that is what is required in bits/socket.h, but
++# rewrite as "AF_".
++
++echo "#include <sys/socket.h>" | \
++  cpp -dM | \
++  LC_ALL=C sed -n \
++    -e '/PF_UNIX/d' \
++    -e 's/PF_LOCAL/PF_UNIX/' \
++    -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
++  sort -n -k2
+diff --git a/parser/Makefile b/parser/Makefile
+index 73e88f5c..c22d32da 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -281,10 +281,9 @@ parser_version.h: Makefile
+ # as well as the filtering that occurs for network protocols that
+ # apparmor should not mediate.
+ 
+-.PHONY: af_names.h
+-af_names.h:
+-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
+-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
++af_names.h: ../common/list_af_names.sh
++	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
++	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
+ 	# cat $@
+ 
+ cap_names.h: /usr/include/linux/capability.h
+@@ -304,10 +303,7 @@ tests: apparmor_parser ${TESTS}
+ 	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
+ 	$(Q)$(MAKE) -s -C tst tests
+ 
+-# always need to rebuild.
+-.SILENT: $(AAREOBJECT)
+-.PHONY: $(AAREOBJECT)
+-$(AAREOBJECT):
++$(AAREOBJECT): FORCE
+ 	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+ 
+ .PHONY: install-rhel4
+@@ -408,3 +404,4 @@ clean: pod_clean
+ 	$(MAKE) -s -C po clean
+ 	$(MAKE) -s -C tst clean
+ 
++FORCE:
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index 10bd5b8d..fea134f6 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -57,7 +57,7 @@ for cap in capabilities:
+         benign_caps.append(cap)
+ 
+ # get network protos list
+-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
++(rc, output) = cmd(['../../common/list_af_names.sh'])
+ if rc != 0:
+     sys.stderr.write("make list_af_names failed: " + output)
+     exit(rc)
+-- 
+2.26.2
+
+
+From 69651fc6565cf033ab763a607d786eb14143b7c6 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Fri, 14 Jun 2019 01:04:22 -0700
+Subject: [PATCH 2/4] Revert "utils/test-network.py: fix failing testcase"
+
+This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
+this commit was meant for the 2.13 branch not master
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+(cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca)
+---
+ utils/test/test-network.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/test/test-network.py b/utils/test/test-network.py
+index 8605786d..73a6b9d1 100644
+--- a/utils/test/test-network.py
++++ b/utils/test/test-network.py
+@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
+ 
+ class NetworkKeywordsTest(AATest):
+     def test_network_keyword_list(self):
+-        rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
++        rc, output = cmd('../../common/list_af_names.sh')
+         self.assertEqual(rc, 0)
+ 
+         af_names = []
+-- 
+2.26.2
+
+
+From 0d8e4cda3fb5194b82e288cadbcce98998064b7a Mon Sep 17 00:00:00 2001
+From: allgdante <allan.garret at gmail.com>
+Date: Mon, 23 Mar 2020 15:09:15 +0000
+Subject: [PATCH 3/4] Generate CAPABILITIES in a script due to make 4.3
+
+This way we could generate the capabilities in a way that works with
+every version of make.
+Changes to list_capabilities are intended to exactly replicate the old
+behavior.
+
+(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)
+---
+ common/Make.rules                | 13 -------------
+ common/list_capabilities.sh      | 14 ++++++++++++++
+ parser/Makefile                  |  2 +-
+ utils/Makefile                   |  2 +-
+ utils/vim/create-apparmor.vim.py |  2 +-
+ 5 files changed, 17 insertions(+), 16 deletions(-)
+ create mode 100755 common/list_capabilities.sh
+
+diff --git a/common/Make.rules b/common/Make.rules
+index 357bdec8..ecc6181a 100644
+--- a/common/Make.rules
++++ b/common/Make.rules
+@@ -74,19 +74,6 @@ endif
+ pod_clean:
+ 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
+ 
+-# =====================
+-# generate list of capabilities based on
+-# /usr/include/linux/capabilities.h for use in multiple locations in
+-# the source tree
+-# =====================
+-
+-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
+-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
+-
+-.PHONY: list_capabilities
+-list_capabilities: /usr/include/linux/capability.h
+-	@echo "$(CAPABILITIES)"
+-
+ # =====================
+ # manpages
+ # =====================
+diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
+new file mode 100755
+index 00000000..4e37cda7
+--- /dev/null
++++ b/common/list_capabilities.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash -e
++
++# =====================
++# generate list of capabilities based on
++# /usr/include/linux/capabilities.h for use in multiple locations in
++# the source tree
++# =====================
++
++echo "#include <linux/capability.h>" | \
++  cpp -dM | \
++  LC_ALL=C sed -n \
++    -e '/CAP_EMPTY_SET/d' \
++    -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
++  LC_ALL=C sort
+diff --git a/parser/Makefile b/parser/Makefile
+index c22d32da..3e50125a 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -287,7 +287,7 @@ af_names.h: ../common/list_af_names.sh
+ 	# cat $@
+ 
+ cap_names.h: /usr/include/linux/capability.h
+-	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
++	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+ 
+ tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
+ 	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
+diff --git a/utils/Makefile b/utils/Makefile
+index 68f8c376..ea9e0601 100644
+--- a/utils/Makefile
++++ b/utils/Makefile
+@@ -80,7 +80,7 @@ clean: pod_clean
+ .SILENT: check_severity_db
+ check_severity_db: /usr/include/linux/capability.h severity.db
+ 	# The sed statement is based on the one in the parser's makefile
+-	RC=0 ; for cap in ${CAPABILITIES} ; do \
++	RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
+ 	    if !  grep -q -w $${cap} severity.db ; then \
+ 		echo "Warning! capability $${cap} not found in severity.db" ; \
+ 		RC=1 ; \
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index fea134f6..6a5f02a2 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
+     return [sp.returncode, out + outerr]
+ 
+ # get capabilities list
+-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
++(rc, output) = cmd(['../../common/list_capabilities.sh'])
+ if rc != 0:
+     sys.stderr.write("make list_capabilities failed: " + output)
+     exit(rc)
+-- 
+2.26.2
+
+
+From af0c288fcd4b9ddbf3a062d6d0e1c9618e8f3c75 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor at cboltz.de>
+Date: Sun, 29 Mar 2020 00:07:11 +0100
+Subject: [PATCH 4/4] fix capabilities in apparmor.vim
+
+https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
+e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
+capabilities to use a script.
+
+A side effect is that the list is now separated by \n instead of
+spaces. Adjust create-apparmor.vim.py to the new output.
+
+(cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118)
+---
+ utils/vim/create-apparmor.vim.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index 6a5f02a2..b5df957a 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -50,7 +50,7 @@ if rc != 0:
+     sys.stderr.write("make list_capabilities failed: " + output)
+     exit(rc)
+ 
+-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
++capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
+ benign_caps = []
+ for cap in capabilities:
+     if cap not in danger_caps:
+-- 
+2.26.2
+
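Review bot: Both new helpers, `common/list_af_names.sh` and `common/list_capabilities.sh`, run `cpp` at the head of a pipeline under `#!/bin/bash -e`, but `-e` only examines the last command of a pipeline, so a failing `cpp` (missing kernel or libc headers) still exits 0 with empty output; the `af_names.h` and `cap_names.h` recipes then redirect that empty output into the header and make considers the target built. Adding `set -o pipefail` right after the shebang in each script makes the generator fail loudly. The recipes in parser/Makefile have the same weakness on their own side, since `script | sed > $@` reports sed's status, so a `.DELETE_ON_ERROR:` target or `.SHELLFLAGS = -o pipefail -ec` with `SHELL = /bin/bash` would be needed to fail the build rather than ship an empty header. Replacing `.PHONY` with the `FORCE` prerequisite for `$(AAREOBJECT)` preserves the rebuild-always behaviour, but the `.SILENT` line is dropped with it, so that sub-make invocation is now echoed — presumably intentional, but worth a word in the commit message.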

Added: apparmor-2.13.4-run_variable.patch
===================================================================
--- apparmor-2.13.4-run_variable.patch	                        (rev 0)
+++ apparmor-2.13.4-run_variable.patch	2020-05-28 11:22:06 UTC (rev 387759)
@@ -0,0 +1,45 @@
+From 454fca7483eae7b7ee613343c2c02abaa20e37e3 Mon Sep 17 00:00:00 2001
+From: nl6720 <nl6720 at gmail.com>
+Date: Thu, 13 Feb 2020 09:58:33 +0200
+Subject: [PATCH] Add "run" variable
+
+Signed-off-by: nl6720 <nl6720 at gmail.com>
+(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec)
+---
+ parser/apparmor.d.pod               | 1 +
+ profiles/apparmor.d/tunables/global | 1 +
+ profiles/apparmor.d/tunables/run    | 1 +
+ 3 files changed, 3 insertions(+)
+ create mode 100644 profiles/apparmor.d/tunables/run
+
+diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
+index 662830bd..59ac72c9 100644
+--- a/parser/apparmor.d.pod
++++ b/parser/apparmor.d.pod
+@@ -1279,6 +1279,7 @@ provided AppArmor policy:
+   @{apparmorfs}
+   @{sys}
+   @{tid}
++  @{run}
+   @{XDG_DESKTOP_DIR}
+   @{XDG_DOWNLOAD_DIR}
+   @{XDG_TEMPLATES_DIR}
+diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global
+index 28d6fc6d..3b6f99cc 100644
+--- a/profiles/apparmor.d/tunables/global
++++ b/profiles/apparmor.d/tunables/global
+@@ -19,3 +19,4 @@
+ #include <tunables/kernelvars>
+ #include <tunables/xdg-user-dirs>
+ #include <tunables/share>
++#include <tunables/run>
+diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
+new file mode 100644
+index 00000000..e535d2fe
+--- /dev/null
++++ b/profiles/apparmor.d/tunables/run
+@@ -0,0 +1 @@
++@{run}=/run /var/run
+-- 
+2.26.2
+

Added: apparmor-2.13.4-vim_file.patch
===================================================================
--- apparmor-2.13.4-vim_file.patch	                        (rev 0)
+++ apparmor-2.13.4-vim_file.patch	2020-05-28 11:22:06 UTC (rev 387759)
@@ -0,0 +1,83 @@
+From 9e7c4f88f9165725c384d4b3432014c6d37452f4 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor at cboltz.de>
+Date: Sun, 5 Apr 2020 14:26:15 +0200
+Subject: [PATCH 1/2] create-apparmor.vim.py: split stdout and stderr
+
+This will prevent that stderr output ends up in apparmor.vim
+
+References:
+- https://gitlab.com/apparmor/apparmor/issues/75
+- https://bugs.archlinux.org/task/65450
+- https://bugs.launchpad.net/apparmor/+bug/1187437
+---
+ utils/vim/create-apparmor.vim.py | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index b5df957a..8a17bb43 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -42,12 +42,12 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
+     # Handle redirection of stderr
+     if outerr is None:
+         outerr = ''
+-    return [sp.returncode, out + outerr]
++    return [sp.returncode, out, outerr]
+ 
+ # get capabilities list
+-(rc, output) = cmd(['../../common/list_capabilities.sh'])
++(rc, output, outerr) = cmd(['../../common/list_capabilities.sh'])
+ if rc != 0:
+-    sys.stderr.write("make list_capabilities failed: " + output)
++    sys.stderr.write("make list_capabilities failed: " + output + outerr)
+     exit(rc)
+ 
+ capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
+@@ -57,9 +57,9 @@ for cap in capabilities:
+         benign_caps.append(cap)
+ 
+ # get network protos list
+-(rc, output) = cmd(['../../common/list_af_names.sh'])
++(rc, output, outerr) = cmd(['../../common/list_af_names.sh'])
+ if rc != 0:
+-    sys.stderr.write("make list_af_names failed: " + output)
++    sys.stderr.write("make list_af_names failed: " + output + outerr)
+     exit(rc)
+ 
+ af_names = []
+-- 
+2.26.2
+
+
+From 0f891ba30e32545d0f514ef8e3b1768f0b776fc2 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor at cboltz.de>
+Date: Sun, 5 Apr 2020 14:31:33 +0200
+Subject: [PATCH 2/2] Delete (possibly broken) apparmor.vim on failure
+
+If create-apparmor.vim.py fails, an empty apparmor.vim gets created. The
+next "make" run will assume that apparmor.vim was already created (the
+file exists and has a new-enough timestamp) and will therefore skip the
+create-apparmor.vim.py run, keeping the broken apparmor.vim forever.
+
+Adjust the Makefile to delete apparmor.vim if the script fails. This
+ensures that make tries again in the next run.
+---
+ utils/vim/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/vim/Makefile b/utils/vim/Makefile
+index 9ffc301e..7d107dd0 100644
+--- a/utils/vim/Makefile
++++ b/utils/vim/Makefile
+@@ -9,7 +9,7 @@ VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor
+ all: apparmor.vim manpages htmlmanpages
+ 
+ apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
+-	${PYTHON} create-apparmor.vim.py > apparmor.vim
++	${PYTHON} create-apparmor.vim.py > apparmor.vim || { rm -f apparmor.vim ; exit 1; }
+ 
+ manpages: $(MANPAGES)
+ 
+-- 
+2.26.2
+
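Review bot: The three-element `[sp.returncode, out, outerr]` return in PATCH 1/2 only separates the streams if `Popen` was started with `stderr=subprocess.PIPE`, yet the hunk header still shows `cmd`'s default as `stderr=subprocess.STDOUT` and neither caller in the hunk overrides it; with that default `sp.communicate()` yields `outerr is None`, so `outerr` is always `''` and stderr text keeps landing in `out` — and from there in apparmor.vim, which is exactly what the commit set out to stop. Changing the signature default to `stderr=subprocess.PIPE` (at the top of `cmd`, outside this hunk) completes the fix. If `cmd` has an early error return before the visible tail, as its header comment suggests, it would also need the three-element shape so the `(rc, output, outerr) = cmd(...)` unpacking cannot raise. The Makefile change in PATCH 2/2 is sound; make's built-in `.DELETE_ON_ERROR:` special target would give the same protection to every recipe in the file rather than this one.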

