diff --git a/common/shlibs b/common/shlibs
index 818999bec60..c657388554a 100644
--- a/common/shlibs
+++ b/common/shlibs
@@ -3347,4 +3347,5 @@ libeditorconfig.so.0 editorconfig-0.12.2_1
 libkid3-core.so.3.6.0 kid3-3.6.0_1
 libkid3-gui.so.3.6.0 kid3-3.6.0_1
 libcfitsio.so.3 cfitsio-3.450_1
-libcue.so.2 libcue-2.2.0_1
+libapparmor.so.1 libapparmor-2.12.0_1
+libcue.so.2 libcue-2.2.0_1
\ No newline at end of file
diff --git a/srcpkgs/apparmor-vim b/srcpkgs/apparmor-vim
new file mode 120000
index 00000000000..ea0b7d22829
--- /dev/null
+++ b/srcpkgs/apparmor-vim
@@ -0,0 +1 @@
+apparmor
\ No newline at end of file
diff --git a/srcpkgs/apparmor/INSTALL.msg b/srcpkgs/apparmor/INSTALL.msg
new file mode 100644
index 00000000000..c9f763715a6
--- /dev/null
+++ b/srcpkgs/apparmor/INSTALL.msg
@@ -0,0 +1,2 @@
+To ensure AppArmor is enabled upon reboot add 'apparmor=1 security=apparmor' to your grub CMDLINE and rebuild your grub config with 'grub-mkconfig -o /boot/grub/grub.cfg'.
+You'll also need to swith 'APPARMOR' setting in /etc/default/apparmor to your taste.
diff --git a/srcpkgs/apparmor/files/apparmor/finish b/srcpkgs/apparmor/files/apparmor/finish
new file mode 100755
index 00000000000..3022c0b9c63
--- /dev/null
+++ b/srcpkgs/apparmor/files/apparmor/finish
@@ -0,0 +1,7 @@
+#!/bin/sh
+[ -r /etc/default/apparmor ] && . /etc/default/apparmor || exit 1
+
+# Find all profiles in $APPARMORD and unload them
+for profile in $(find /etc/apparmor.d -maxdepth 1 -type f); do
+ apparmor_parser -R $profile
+done
diff --git a/srcpkgs/apparmor/files/apparmor/run b/srcpkgs/apparmor/files/apparmor/run
new file mode 100755
index 00000000000..257163fdcde
--- /dev/null
+++ b/srcpkgs/apparmor/files/apparmor/run
@@ -0,0 +1,8 @@
+#!/bin/sh
+[ -r /etc/default/apparmor ] && . /etc/default/apparmor || exit 1
+
+# Find all profiles in $APPARMORD and load them
+for profile in $(find /etc/apparmor.d -maxdepth 1 -type f); do
+ apparmor_parser -a $profile
+done
+exec chpst -b apparmor pause
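Review bot: The new entry `libapparmor.so.1 libapparmor-2.12.0_1` names a package version that this commit never produces; the apparmor template added in the same commit sets `version=2.13.0` and `revision=1`, so the first libapparmor package shipping this soname is 2.13.0_1 and, as I understand the shlibs file, this is the minimum version consumers of the library will be made to depend on. The line should read `libapparmor.so.1 libapparmor-2.13.0_1`. The `\ No newline at end of file` marker appears only on the new side, so the rewritten libcue line also drops the file's trailing newline.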
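Review bot: `apparmor_parser -R $profile` and the `for profile in $(find …)` loop are both unquoted, so a profile path containing whitespace is split into several arguments before it reaches the parser; the `run` script below uses the identical loop and has the same problem. Quoting as `apparmor_parser -R "$profile"`, or iterating the shell glob `/etc/apparmor.d/*` with an `[ -f "$profile" ]` test the way 09-apparmor.sh does, avoids the split in both scripts. The comment refers to `$APPARMORD` while the directory is hard-coded; either use the variable or say `# Unload every profile found directly under /etc/apparmor.d`.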
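Review bot: `apparmor_parser -a $profile` adds a profile and, as far as I recall, is refused when a profile of the same name is already loaded, which is exactly the state 09-apparmor.sh leaves the system in at boot; `apparmor_parser -r "$profile"` (replace) is idempotent and would let `sv restart apparmor` succeed. The script sources /etc/default/apparmor on its second line but never reads `$APPARMOR`, so every profile is loaded in enforce mode even when the administrator chose `disable` or `complain`; `finish` has the same blind spot. Neither this script, `finish`, nor 09-apparmor.sh skips profiles that have a matching entry in /etc/apparmor.d/disable/, even though the apparmor template deliberately creates that directory, so a profile disabled the conventional way is still loaded.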
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
new file mode 100644
index 00000000000..adfed209b6e
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+
+#include
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+ #include
+ #include
+
+ capability chown,
+ capability net_admin,
+ capability net_raw,
+ capability sys_admin,
+
+ network packet dgram,
+ network inet raw,
+ network inet6 raw,
+
+ /dev/pts/* rw,
+
+ /etc/dhcpcd.{conf,duid,secret} r,
+ /etc/ld.so.cache r,
+ /etc/udev/udev.conf r,
+
+ /proc/*/net/if_inet6 r,
+ /proc/sys/net/ipv{4,6}/conf/*/* rw,
+
+ /{var/,}run/dhcpcd{-*,}.pid rwk,
+ /{var/,}run/dhcpcd.sock rw,
+ /{var/,}run/dhcpcd.unpriv.sock rw,
+ /{var/,}run/udev/data/* r,
+
+ /sys/devices/*/*/{*/,}net/*/uevent r,
+ /sys/devices/virtual/net/*/uevent r,
+
+ /{usr/,}bin/dash ix,
+ /{usr/,}bin/dash mrix,
+
+ /usr/lib/dhcpcd/dev/udev.so m,
+ /usr/lib/ld-*.so m,
+ /usr/lib/libc-*.so m,
+
+ # Transition to a child profile for hooks
+ /usr/libexec/dhcpcd-run-hooks Cx -> dhcpcd_run_hooks,
+
+ /var/db/dhcpcd-*.lease rw,
+ /var/db/dhcpcd/** rw,
+ /{usr/,}bin/dhcpcd mrix,
+
+ # Child profile for hooks
+ profile dhcpcd_run_hooks {
+ #include
+ #include
+
+ capability sys_admin,
+ capability sys_tty_config,
+
+ /etc/chrony.conf rw,
+ /etc/ntpd.conf rw,
+ /etc/resolv.conf rw,
+ /etc/wpa_supplicant/wpa_supplicant*.conf r,
+
+ /{var/,}run/dhcpcd/ rw,
+ /{var/,}run/dhcpcd/{ntp,resolv}.conf.** rw,
+ /{var/,}run/dhcpcd/{ntp,resolv}.conf/ rw,
+ /{var/,}run/dhcpcd/{ntp,resolv}.conf/*.dhcp rw,
+
+ /usr/bin/cat mrix,
+ /usr/bin/chmod mrix,
+ /usr/bin/cmp mrix,
+ /usr/bin/dash mr,
+ /usr/bin/hostname-coreutils mrix,
+ /usr/bin/mkdir mrix,
+ /usr/bin/rm mrix,
+ /usr/bin/sed mrix,
+ /usr/bin/util-linux-logger mrix,
+ /usr/bin/wpa_supplicant CUx,
+ /usr/bin/wpa_cli CUx,
+ /usr/bin/resolvconf CUx,
+
+ /usr/libexec/dhcpcd-hooks/ r,
+ /usr/libexec/dhcpcd-hooks/* r,
+ /usr/libexec/dhcpcd-run-hooks r,
+
+ /usr/share/dhcpcd/hooks/* r,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
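Review bot: `/usr/bin/wpa_supplicant CUx,`, `/usr/bin/wpa_cli CUx,` and `/usr/bin/resolvconf CUx,` in the dhcpcd_run_hooks child request a transition to a child profile of that name and fall back to unconfined execution when no such profile exists; this file defines no children by those names, so as far as I can tell the hook scripts run all three programs with no confinement at all. If that is the intent, a comment saying so next to the rules would stop the next reader from assuming they are confined; otherwise `Px`/`PUx` with their own profiles narrows it. `capability sys_admin,` is granted in both the parent and the child, and dropping it from whichever one does not need it removes a broad capability from the profile. `/{usr/,}bin/dash ix,` immediately followed by `/{usr/,}bin/dash mrix,` is redundant, since the second rule subsumes the first.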
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping b/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping
new file mode 100644
index 00000000000..3508789e9b2
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+#include
+profile ping /{usr/,}bin/iputils-ping {
+ #include
+ #include
+ #include
+
+ capability net_raw,
+ capability setuid,
+ network inet raw,
+ network inet6 raw,
+
+ /{usr/,}bin/iputils-ping mixr,
+ /etc/modules.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
new file mode 100644
index 00000000000..5e4854d9032
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+#include
+
+/usr/bin/nginx {
+ #include
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ # XXX: Maybe switch to "/etc/nginx/** r," ?
+ /etc/nginx/*.conf r,
+ /etc/nginx/*_params r,
+ /etc/nginx/conf.d/* r,
+ /etc/nginx/mime.types r,
+
+ /run/nginx.pid rw,
+
+ /usr/bin/nginx mr,
+
+ /usr/share/nginx/html/* r,
+
+ /var/log/nginx/* w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
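Review bot: The header comment of usr.bin.nginx has a typo, `pfp-fpm`; it should read `# NOTE: This profile will by default work with php-fpm on TCP sockets.` Nothing in the profile grants read access to certificate or private-key locations (the /etc/nginx rules cover only `*.conf`, `*_params`, `conf.d/*` and `mime.types`), so a server block with TLS enabled will be denied until the administrator adds rules in local/usr.bin.nginx; a sentence next to the XXX comment saying that is the expected place would save a debugging round. `/usr/share/nginx/html/* r,` matches only files directly in that directory, not anything nested, so `/usr/share/nginx/html/** r,` is probably what is intended.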
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+#include
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+/usr/bin/php-fpm {
+ #include
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+ capability kill,
+
+ /etc/php/php-fpm.conf r,
+ /etc/php/php-fpm.d/* r,
+
+ # This is set to make php-fpm work by default, but if you don't use these paths
+ # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+ # to where your PHP app is located
+ @{PHP_BASEDIRS}/** r,
+
+ /usr/bin/php-fpm mr,
+
+ /usr/share/pear/** r,
+ /usr/share/php/fpm/status.html r,
+
+ /var/log/php-fpm.log w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+}
+
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
new file mode 100644
index 00000000000..8c00a903611
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+
+#include
+
+/usr/bin/uuidd {
+ #include
+ #include
+
+ network inet dgram,
+
+ /usr/bin/uuidd mr,
+
+ /run/uuidd/request rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
new file mode 100644
index 00000000000..0f25758486a
--- /dev/null
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
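Review bot: The comment above `@{PHP_BASEDIRS}/** r,` tells the administrator to put the deny rule in `local.usr.bin.php-fpm`, while the header comment and the closing `#include` use the `local/usr.bin.php-fpm` layout; the override file is the latter, so the line should read `# add "deny @{PHP_BASEDIRS}/** r," to local/usr.bin.php-fpm and add read rights`. Read-only access to the base directories is a sound default, but with /tmp deliberately excluded there is no writable location for PHP sessions if session.save_path is left at its default, which will surface as failures that are hard to trace back to this profile; one more line in the NOTE block pointing at the local file for the session and upload directories would help. The blank line before the closing brace and the empty line after it are noise.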
@@ -0,0 +1,29 @@
+diff --git a/utils/logprof.conf b/utils/logprof.conf
+index a3d7a31..296dd8b 100644
+--- a/utils/logprof.conf
++++ b/utils/logprof.conf
+@@ -14,7 +14,7 @@
+ inactive_profiledir = /usr/share/apparmor/extra-profiles
+ logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
+
+- parser = /sbin/apparmor_parser /sbin/subdomain_parser
++ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
+ ldd = /usr/bin/ldd
+ logger = /bin/logger /usr/bin/logger
+
+@@ -36,10 +36,10 @@
+ custom_includes =
+
+
+-[repository]
+- distro = ubuntu-intrepid
+- url = http://apparmor.test.opensuse.org/backend/api
+- preferred_user = ubuntu
++#[repository]
++# distro = ubuntu-intrepid
++# url = http://apparmor.test.opensuse.org/backend/api
++# preferred_user = ubuntu
+
+ [qualifiers]
+ # things will be painfully broken if bash has a profile
+
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
new file mode 100644
index 00000000000..ffe94cadc53
--- /dev/null
+++ b/srcpkgs/apparmor/template
@@ -0,0 +1,108 @@
+# Template file for 'apparmor'
+pkgname=apparmor
+version=2.13.0
+revision=1
+_short_ver=${version%\.*}
+wrksrc="${pkgname}-v${_short_ver}"
+configure_args="--prefix=/usr --with-perl --with-python"
+patch_args="-Np1"
+hostmakedepends="bison flex autoconf automake libtool"
+makedepends="perl python3-devel swig"
+depends="runit-void-apparmor python3 libapparmor"
+only_for_archs="x86_64 i686"
+short_desc="Mandatory access control to restrict programs"
+maintainer="Olivier Mauras "
+license="GPL-3"
+homepage="https://gitlab.com/apparmor/apparmor"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${_short_ver}/apparmor-v${_short_ver}.tar.gz"
+checksum="fdafa0b71cbf574cce76a1ea1542b4540fa1c1040f80d0f0866fc0056ec37747"
+
+pre_build() {
+ # Replace release profiles by our owns
+ cd ${wrksrc}
+
+ # Put in place our own profiles
+ cp ${FILESDIR}/profiles/* profiles/apparmor.d/
+ mv profiles/apparmor.d/bin.ping profiles/apparmor/profiles/extras/
+}
+
+do_build() {
+ cd ${wrksrc}/libraries/libapparmor
+ NOCONFIGURE=1 ./autogen.sh
+ ./configure ${configure_args}
+ make ${makejobs}
+
+ export CFLAGS+="-fPIC"
+ export LDFLAGS+="-fPIE -pie"
+
+ cd ${wrksrc}/binutils
+ make ${makejobs}
+
+ cd ${wrksrc}/utils
+ make ${makejobs}
+
+ cd ${wrksrc}/parser
+ sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' Makefile
+ sed -i 's#${DESTDIR}/lib#${DESTDIR}/usr/lib#g' Makefile
+ make ${makejobs}
+
+ cd ${wrksrc}/profiles
+ make ${makejobs}
+}
+
+do_install() {
+ cd ${wrksrc}/libraries/libapparmor
+ make DESTDIR=${DESTDIR} install
+
+ cd ${wrksrc}/binutils
+ make DESTDIR=${DESTDIR} install
+
+ cd ${wrksrc}/utils
+ make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install
+
+ cd ${wrksrc}/parser
+ make DESTDIR=${DESTDIR} install
+
+ cd ${wrksrc}/profiles
+ make DESTDIR=${DESTDIR} install
+}
+
+post_install() {
+ # Put Vim syntax in the correct place
+ mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
+ mv ${DESTDIR}/usr/share/apparmor/apparmor.vim 
${DESTDIR}/usr/share/vim/vim80/syntax/
+
+ # We want to keep this empty directory
+ touch ${DESTDIR}/etc/apparmor.d/disable/.empty
+}
+
+apparmor-vim_package() {
+ short_desc+=" - Vim syntax"
+ depends="vim"
+ pkg_install() {
+ vmove usr/share/vim/vim80/syntax/apparmor.vim
+ vmove usr/share/man/man5/apparmor.vim.5
+ }
+}
+
+libapparmor_package() {
+ short_desc+=" - Library"
+ pkg_install() {
+ vmove "usr/lib/libapparmor.so*"
+ vmove usr/lib/perl5
+ vmove "usr/lib/python3.6/site-packages/LibAppArmor*"
+ vmove usr/share/man/man2
+ vmove usr/share/man/man3
+ }
+}
+
+libapparmor-devel_package() {
+ short_desc+=" - Library development files"
+ depends="${sourcepkg}-${version}_${revision}"
+ pkg_install() {
+ vmove usr/include/
+ vmove "usr/lib/*.a"
+ vmove usr/lib/pkgconfig
+ }
+}
+
diff --git a/srcpkgs/libapparmor b/srcpkgs/libapparmor
new file mode 120000
index 00000000000..3586dedef9d
--- /dev/null
+++ b/srcpkgs/libapparmor
@@ -0,0 +1 @@
+apparmor/
\ No newline at end of file
diff --git a/srcpkgs/libapparmor-devel b/srcpkgs/libapparmor-devel
new file mode 120000
index 00000000000..3586dedef9d
--- /dev/null
+++ b/srcpkgs/libapparmor-devel
@@ -0,0 +1 @@
+apparmor/
\ No newline at end of file
diff --git a/srcpkgs/runit-void-apparmor b/srcpkgs/runit-void-apparmor
new file mode 120000
index 00000000000..56af4340f73
--- /dev/null
+++ b/srcpkgs/runit-void-apparmor
@@ -0,0 +1 @@
+runit-void
\ No newline at end of file
diff --git a/srcpkgs/runit-void/files/09-apparmor.sh b/srcpkgs/runit-void/files/09-apparmor.sh
new file mode 100644
index 00000000000..f323f80136d
--- /dev/null
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
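Review bot: `export CFLAGS+="-fPIC"` and `export LDFLAGS+="-fPIE -pie"` in do_build append with no separating space, so unless the inherited value is empty or happens to end in whitespace the last existing flag is glued to the new one (for example `-pipe-fPIC`) and the compiler rejects it as an unknown option; the hardening flags only take effect by accident of the caller's environment. Write `export CFLAGS+=" -fPIC"` and `export LDFLAGS+=" -fPIE -pie"`. `libapparmor-devel_package` declares `depends="${sourcepkg}-${version}_${revision}"`, i.e. the full apparmor package with its runit and python dependencies, whereas the headers and static library pair with `libapparmor-${version}_${revision}`. `vmove "usr/lib/python3.6/site-packages/LibAppArmor*"` and the two `vim80` paths hard-code interpreter and editor versions that will silently stop matching on the next bump; xbps-src's `$py3_sitelib`, if this tree provides it, covers the python one.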
@@ -0,0 +1,32 @@
+# vim: set ts=4 sw=4 et:
+
+# AppArmor is not enabled in kernel, silently exit
+[ ! -d /sys/kernel/security/apparmor ] && return
+
+# Load config
+[ -r /etc/default/apparmor ] && . /etc/default/apparmor
+
+# Proceed to load profiles depending on user settings
+msg "Loading AppArmor profiles..."
+
+if [ -n "$APPARMOR" ]; then
+ if [ "$APPARMOR" != "complain" -a "$APPARMOR" != "enforce" ]; then
+ printf '! AppArmor set to %s - ignoring profiles\n' "$APPARMOR"
+ return
+ fi
+
+ [ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
+
+ if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
+ for profile in /etc/apparmor.d/*; do
+ if [ -f "$profile" ]; then
+ printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
+ apparmor_parser -a $AACOMPLAIN "$profile"
+ fi
+ done
+ else
+ printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
+ fi
+else
+ printf '! AppArmor disabled - ignoring profiles\n'
+fi
diff --git a/srcpkgs/runit-void/files/rc.apparmor b/srcpkgs/runit-void/files/rc.apparmor
new file mode 100644
index 00000000000..980b5b3eecc
--- /dev/null
+++ b/srcpkgs/runit-void/files/rc.apparmor
@@ -0,0 +1,7 @@
+# AppArmor configuration
+
+# Possible options:
+# - disable
+# - complain
+# - enforce
+#APPARMOR=disable
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index d246f3f8fd1..9e36b69173f 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
 # Template file for 'runit-void'
 pkgname=runit-void
 version=20171102
-revision=1
+revision=2
 wrksrc="void-runit-${version}"
 build_style=gnu-makefile
 homepage="http://www.voidlinux.eu"
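Review bot: `[ ! -d /sys/kernel/security/apparmor ] && return` leaves no trace in the boot log, so a kernel built without AppArmor, a missing `apparmor=1 security=apparmor` boot parameter, and securityfs not yet being mounted when this core-service runs all look identical to a successful load — and the machine comes up with nothing confined; a `printf '! AppArmor not available in kernel - skipping\n'` before the return makes the condition visible, and the mount ordering is worth confirming. The `return` statements only work because this file is sourced rather than executed, which is presumably how core-services are run but deserves a comment at the top. `[ … -a … ]` inside test is obsolescent in POSIX; `[ "$APPARMOR" != "complain" ] && [ "$APPARMOR" != "enforce" ]` and `[ -d /etc/apparmor.d ] && [ -x /usr/bin/apparmor_parser ]` are the portable spellings.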
@@ -32,9 +32,20 @@ post_install() {
 vconf ${FILESDIR}/hostname
 vconf ${FILESDIR}/os-release
 vconf ${FILESDIR}/locale.conf
+ vinstall ${FILESDIR}/rc.apparmor 644 /etc/default/apparmor
+ vinstall ${FILESDIR}/09-apparmor.sh 644 /etc/runit/core-services/
 # Enable services at post-install time instead.
 rm -f ${DESTDIR}/etc/runit/runsvdir/current
 rm -rf ${DESTDIR}/etc/runit/runsvdir/default
 rm -rf ${DESTDIR}/etc/runit/runsvdir/single
 ln -s runit-init ${DESTDIR}/usr/bin/init
 }
+
+runit-void-apparmor_package() {
+ short_desc+=" - AppArmor initialization"
+ depends="${sourcepkg}-${version}_${revision}"
+ pkg_install() {
+ vmove etc/default/apparmor
+ vmove etc/runit/core-services/09-apparmor.sh
+ }
+}
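Review bot: `vinstall ${FILESDIR}/rc.apparmor 644 /etc/default/apparmor` hands `/etc/default/apparmor` to vinstall as the target directory; if I read the helper's `file mode targetdir [name]` signature correctly, the file is installed as /etc/default/apparmor/rc.apparmor, `[ -r /etc/default/apparmor ]` in the three loaders then succeeds on a directory and `. /etc/default/apparmor` fails — the runit `run` script exits 1 on that and the boot-time loader prints an error. The intended call is `vinstall ${FILESDIR}/rc.apparmor 644 /etc/default apparmor`, after which `vmove etc/default/apparmor` in the new subpackage moves the file its consumers expect. Worth checking the built package's file list before merging. post_install begins outside this hunk.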