diff --git a/srcpkgs/apparmor/INSTALL.msg b/srcpkgs/apparmor/INSTALL.msg index c9f763715a..488f2c40e1 100644 --- a/srcpkgs/apparmor/INSTALL.msg +++ b/srcpkgs/apparmor/INSTALL.msg @@ -1,2 +1 @@ -To ensure AppArmor is enabled upon reboot add 'apparmor=1 security=apparmor' to your grub CMDLINE and rebuild your grub config with 'grub-mkconfig -o /boot/grub/grub.cfg'. -You'll also need to swith 'APPARMOR' setting in /etc/default/apparmor to your taste. +To configure AppArmor properly, please refer to the Void Linux Handbook: https://docs.voidlinux.org/config/security/apparmor.html diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd index 26364f3638..1d6e1b95d6 100644 --- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd +++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd @@ -1,10 +1,12 @@ # vim:syntax=apparmor -#include +abi , + +include profile dhcpcd /{usr/,}bin/dhcpcd { - #include - #include + include + include capability chown, capability fowner, @@ -16,8 +18,10 @@ profile dhcpcd /{usr/,}bin/dhcpcd { capability setgid, capability sys_admin, capability sys_chroot, + capability bpf, network packet dgram, + network packet raw, network inet raw, network inet6 raw, @@ -58,5 +62,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd { owner @{PROC}/@{pid}/stat r, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx index 5e4854d903..be769703f5 100644 --- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx +++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx @@ -1,25 +1,23 @@ # vim:syntax=apparmor +abi , + # NOTE: This profile will by default work with pfp-fpm on TCP sockets. # If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx # /path/to/your/unix/socket rw, -#include +include -/usr/bin/nginx { - #include - #include - #include - #include +profile nginx /usr/bin/nginx { + include + include + include + include capability setgid, capability setuid, - # XXX: Maybe switch to "/etc/nginx/** r," ? - /etc/nginx/*.conf r, - /etc/nginx/*_params r, - /etc/nginx/conf.d/* r, - /etc/nginx/mime.types r, + /etc/nginx/** r, /run/nginx.pid rw, @@ -30,5 +28,5 @@ /var/log/nginx/* w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm index 98366dcaab..0b036965da 100644 --- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm +++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm @@ -1,22 +1,24 @@ # vim:syntax=apparmor +abi , + # NOTE: This profile uses TCP sockets by default # If you wish for php-fpm to listen to unix socket, # add the following permission to local/usr.bin.php-fpm # /path/to/your/unix/socket w, -#include +include # This is PHP open_basedir where script can only be executed from. # /home, /tmp have been removed to not open permissions too widely # /usr/share/pear have been removed to have its own permission @{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/ -/usr/bin/php-fpm { - #include - #include - #include - #include +profile php-fpm /usr/bin/php-fpm { + include + include + include + include capability setgid, capability setuid, @@ -38,7 +40,6 @@ /var/log/php-fpm.log w, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } - diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio index 4b17e6edc0..f8ceb4c233 100644 --- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio +++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio @@ -1,12 +1,16 @@ -#include +# vim:syntax=apparmor + +abi , + +include profile pulseaudio /usr/bin/pulseaudio { - #include - #include - #include - #include - #include - #include + include + include + include + include + include + include dbus send bus=system @@ -67,12 +71,17 @@ profile pulseaudio /usr/bin/pulseaudio { /sys/devices/virtual/sound/**/uevent r, /usr/share/alsa/** r, - /usr/share/applications/ r, - /usr/share/applications/* r, /usr/share/pulseaudio/** r, /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr, /usr/libexec/pulse/gsettings-helper Cx, + /usr/{,local/}share/applications/ r, + /usr/{,local/}share/applications/* r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r, + /var/lib/flatpak/exports/share/applications/ r, + /var/lib/flatpak/exports/share/applications/* r, + owner /var/lib/gdm3/.config/pulse/ rw, owner /var/lib/gdm3/.config/pulse/* rw, owner /var/lib/gdm3/.config/pulse/cookie rwk, @@ -106,9 +115,9 @@ profile pulseaudio /usr/bin/pulseaudio { owner /tmp/.esd-@{pid}*/socket rw, profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper { - #include - #include - #include + include + include + include /usr/libexec/pulse/gsettings-helper mr, owner /{,var/}run/user/*/dconf/user rw, @@ -118,6 +127,6 @@ profile pulseaudio /usr/bin/pulseaudio { } # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd index 8c00a90361..b365c927b6 100644 --- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd +++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd @@ -1,10 +1,12 @@ # vim:syntax=apparmor -#include +abi , -/usr/bin/uuidd { - #include - #include +include + +profile uuid /usr/bin/uuidd { + include + include network inet dgram, @@ -13,5 +15,5 @@ /run/uuidd/request rw, # Site-specific additions and overrides. See local/README for details. - #include + include if exists } diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant index df53acc82d..c5bb67d562 100644 --- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant +++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant @@ -1,8 +1,12 @@ -#include +# vim:syntax=apparmor -/usr/bin/wpa_supplicant { - #include - #include +abi , + +include + +profile wpa_supplicant /usr/bin/wpa_supplicant { + include + include capability net_admin, capability net_raw, @@ -45,5 +49,5 @@ bus=system path=/fi/epitest/hostap/WPASupplicant/**, - #include + include if exists } diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch index 0f25758486..fb6ce53ffd 100644 --- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch +++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch @@ -1,5 +1,14 @@ +From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001 +From: Paper +Date: Wed, 21 Oct 2020 10:20:47 +0200 +Subject: [PATCH] correct paths in logprof.conf + +--- + utils/logprof.conf | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + diff --git a/utils/logprof.conf b/utils/logprof.conf -index a3d7a31..296dd8b 100644 +index a778792..a9f7b79 100644 --- a/utils/logprof.conf +++ b/utils/logprof.conf @@ -14,7 +14,7 @@ @@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644 ldd = /usr/bin/ldd logger = /bin/logger /usr/bin/logger -@@ -36,10 +36,10 @@ - custom_includes = +@@ -51,12 +51,10 @@ + /bin/mount = u + /usr/bin/mount = u + /etc/init.d/subdomain = u +- /sbin/cardmgr = u +- /usr/sbin/cardmgr = u +- /sbin/subdomain_parser = u +- /usr/sbin/subdomain_parser = u +- /usr/sbin/genprof = u +- /usr/sbin/logprof = u ++ /usr/bin/cardmgr = u ++ /usr/bin/subdomain_parser = u ++ /usr/bin/genprof = u ++ /usr/bin/logprof = u + /usr/lib/YaST2/servers_non_y2/ag_genprof = u + /usr/lib/YaST2/servers_non_y2/ag_logprof = u +@@ -97,8 +95,7 @@ + /usr/bin/sed = icn + /bin/touch = icn + /usr/bin/touch = icn +- /sbin/killall5 = icn +- /usr/sbin/killall5 = icn ++ /usr/bin/killall5 = icn + /usr/bin/find = icn + /usr/bin/killall = icn + /usr/bin/nice = icn +@@ -112,6 +109,8 @@ + /usr/bin/python3.5 = icn + /usr/bin/python3.6 = icn + /usr/bin/python3.7 = icn ++ /usr/bin/python3.8 = icn ++ /usr/bin/python3.9 = icn + /usr/bin/tr = icn --[repository] -- distro = ubuntu-intrepid -- url = http://apparmor.test.opensuse.org/backend/api -- preferred_user = ubuntu -+#[repository] -+# distro = ubuntu-intrepid -+# url = http://apparmor.test.opensuse.org/backend/api -+# preferred_user = ubuntu - - [qualifiers] - # things will be painfully broken if bash has a profile + [required_hats] +-- +2.29.0 diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch new file mode 100644 index 0000000000..484b67dfea --- /dev/null +++ b/srcpkgs/apparmor/patches/fix-musl.patch @@ -0,0 +1,24 @@ +diff --git a/binutils/aa_status.c b/binutils/aa_status.c +index 78b0340..56ecac3 100644 +--- a/binutils/aa_status.c ++++ b/binutils/aa_status.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + + #include + #include +diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h +index 32892d0..dad7664 100644 +--- a/libraries/libapparmor/include/sys/apparmor.h ++++ b/libraries/libapparmor/include/sys/apparmor.h +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #ifdef __cplusplus + extern "C" { diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template index b064f78086..4c260b24a1 100644 --- a/srcpkgs/apparmor/template +++ b/srcpkgs/apparmor/template @@ -1,7 +1,7 @@ # Template file for 'apparmor' pkgname=apparmor -version=2.13.4 -revision=6 +version=3.0.0 +revision=1 wrksrc="${pkgname}-v${version}" build_wrksrc=libraries/libapparmor build_style=gnu-configure @@ -16,23 +16,13 @@ maintainer="Olivier Mauras " license="GPL-2.0-only, LGPL-2.1-only" homepage="https://gitlab.com/apparmor/apparmor" distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz" -checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b +checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f patch_args="-Np1" if [ -z "$CROSS_BUILD" ]; then configure_args="--with-perl --with-python" fi -post_patch() { - # Make.rules feeds some system headers to the C preprocessor to produce - # lists of capability and address-family names that, respectively, - # populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping - # backslash in the '\#include" directives here is seen by the - # preprocessor, causing it to skip the system headers and produce empty - # files. Removing the backslash ensures correct behavior. - vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include