apparmor: various fixes
* add missing python3 dependencies for aa-notify
* do not rewrite logfiles option in logprof.conf aggressively
* remove an old patch
* fix segfault on musl (was also an issue on glibc, just empty output instead of segfault)
* depend on explicit libapparmor version

Closes #28127
Closes: #28448
[via git-merge-pr]
parent
f89bba4625
commit
5251fe6d9b
4 changed files with 60 additions and 57 deletions
|
@ -1,49 +0,0 @@
|
||||||
Source: Alpine Linux
|
|
||||||
Upstream: Unknown
|
|
||||||
Reason: Fixes compilation with musl libc
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/parser/missingdefs.h b/parser/missingdefs.h
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..8097aef
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/parser/missingdefs.h
|
|
||||||
@@ -0,0 +1,8 @@
|
|
||||||
+#ifndef PARSER_MISSINGDEFS_H
|
|
||||||
+#define PARSER_MISSINGDEFS_H
|
|
||||||
+
|
|
||||||
+typedef int (*__compar_fn_t) (const void *, const void *);
|
|
||||||
+typedef __compar_fn_t comparison_fn_t;
|
|
||||||
+typedef void (*__free_fn_t) (void *__nodep);
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
diff --git a/parser/parser_alias.c b/parser/parser_alias.c
|
|
||||||
index f5b6da4..d57f580 100644
|
|
||||||
--- a/parser/parser_alias.c
|
|
||||||
+++ b/parser/parser_alias.c
|
|
||||||
@@ -25,6 +25,10 @@
|
|
||||||
#include "parser.h"
|
|
||||||
#include "profile.h"
|
|
||||||
|
|
||||||
+#ifndef __GLIBC__
|
|
||||||
+#include "missingdefs.h"
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
struct alias_rule {
|
|
||||||
char *from;
|
|
||||||
char *to;
|
|
||||||
diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
|
|
||||||
index 3e667d8..e109f4d 100644
|
|
||||||
--- a/parser/parser_symtab.c
|
|
||||||
+++ b/parser/parser_symtab.c
|
|
||||||
@@ -25,6 +25,10 @@
|
|
||||||
#include "immunix.h"
|
|
||||||
#include "parser.h"
|
|
||||||
|
|
||||||
+#ifndef __GLIBC__
|
|
||||||
+#include "missingdefs.h"
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
enum var_type {
|
|
||||||
sd_boolean,
|
|
||||||
sd_set,
|
|
|
@ -11,9 +11,12 @@ diff --git a/utils/logprof.conf b/utils/logprof.conf
|
||||||
index a778792..a9f7b79 100644
|
index a778792..a9f7b79 100644
|
||||||
--- a/utils/logprof.conf
|
--- a/utils/logprof.conf
|
||||||
+++ b/utils/logprof.conf
|
+++ b/utils/logprof.conf
|
||||||
@@ -14,7 +14,7 @@
|
@@ -12,9 +12,9 @@
|
||||||
|
[settings]
|
||||||
|
profiledir = /etc/apparmor.d /etc/subdomain.d
|
||||||
inactive_profiledir = /usr/share/apparmor/extra-profiles
|
inactive_profiledir = /usr/share/apparmor/extra-profiles
|
||||||
logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
|
- logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
|
||||||
|
+ logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages
|
||||||
|
|
||||||
- parser = /sbin/apparmor_parser /sbin/subdomain_parser
|
- parser = /sbin/apparmor_parser /sbin/subdomain_parser
|
||||||
+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
|
+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
|
||||||
|
|
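--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
@@ -0,0 +1,52 @@
+upstream: yes
+From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
+From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
+Date: Wed, 20 Jan 2021 17:26:37 -0600
+Subject: [PATCH] fix setting proc_attr_base
+
+There is currently a case in which proc_attr_base won't get set when
+asprintf is able to generate the path, but the file doesn't exist, it
+will exit proc_attr_base_init_once() without proc_attr_base having been
+set as the fall-through if/else logic will get bypassed when asprintf is
+successful.
+---
+libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
+1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
+index 0fa77b014..6ba028614 100644
+--- a/libraries/libapparmor/src/kernel.c
++++ b/libraries/libapparmor/src/kernel.c
+@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
+/* if we fail we just fall back to the default value */
+if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
+autoclose int fd = open(tmp, O_RDONLY);
+- if (fd != -1)
++ if (fd != -1) {
+proc_attr_base = proc_attr_base_stacking;
+- } else if (!is_enabled() && is_private_enabled()) {
++ return;
++ }
++ }
++ if (!is_enabled() && is_private_enabled()) {
+/* new stacking interfaces aren't available and apparmor
+- * is disabled, but available. do not use the
+- * /proc/<pid>/attr/ * interfaces as they could be
+- * in use by another LSM
+- */
++ * is disabled, but available. do not use the
++ * /proc/<pid>/attr/ * interfaces as they could be
++ * in use by another LSM
++ */
+proc_attr_base = proc_attr_base_unavailable;
+- } else {
+- proc_attr_base = proc_attr_base_old;
++ return;
+}
++ proc_attr_base = proc_attr_base_old;
+}
+
+static char *procattr_path(pid_t pid, const char *attr)
+--
+GitLab
+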
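Review bot: The context line `if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {` at the top of the kernel.c hunk carried by this patch still treats asprintf's failure return of -1 as success, so on allocation failure `open(tmp, O_RDONLY)` runs with a pointer whose value is not defined, and the new early-return structure leaves that path in place. Testing the result explicitly, `if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid()) != -1) {`, lets a failed allocation fall through to the `is_enabled()` checks, which is what the "if we fail we just fall back" comment above it describes. The declaration of `tmp` and the start of proc_attr_base_init_once() are outside the hunk, so whether `tmp` is pre-initialised cannot be confirmed from here. It is worth getting right because proc_attr_base appears to select which /proc attr interface libapparmor uses when a task queries or changes its confinement.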
@ -1,7 +1,7 @@
|
||||||
# Template file for 'apparmor'
|
# Template file for 'apparmor'
|
||||||
pkgname=apparmor
|
pkgname=apparmor
|
||||||
version=3.0.1
|
version=3.0.1
|
||||||
revision=1
|
revision=2
|
||||||
wrksrc="${pkgname}-v${version}"
|
wrksrc="${pkgname}-v${version}"
|
||||||
build_wrksrc=libraries/libapparmor
|
build_wrksrc=libraries/libapparmor
|
||||||
build_style=gnu-configure
|
build_style=gnu-configure
|
||||||
|
@ -9,7 +9,7 @@ conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
|
||||||
make_dirs="/etc/apparmor.d/disable 0755 root root"
|
make_dirs="/etc/apparmor.d/disable 0755 root root"
|
||||||
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
|
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
|
||||||
makedepends="perl python3-devel"
|
makedepends="perl python3-devel"
|
||||||
depends="runit-void-apparmor python3 libapparmor"
|
depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
|
||||||
checkdepends="dejagnu"
|
checkdepends="dejagnu"
|
||||||
short_desc="Mandatory access control to restrict programs"
|
short_desc="Mandatory access control to restrict programs"
|
||||||
maintainer="Olivier Mauras <olivier@mauras.ch>"
|
maintainer="Olivier Mauras <olivier@mauras.ch>"
|
||||||
|
@ -32,9 +32,6 @@ pre_build() {
|
||||||
# Replace release profiles with our own
|
# Replace release profiles with our own
|
||||||
cd ${wrksrc}
|
cd ${wrksrc}
|
||||||
cp ${FILESDIR}/profiles/* profiles/apparmor.d/
|
cp ${FILESDIR}/profiles/* profiles/apparmor.d/
|
||||||
|
|
||||||
# use the correct syslog path
|
|
||||||
vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,'
|
|
||||||
}
|
}
|
||||||
|
|
||||||
post_build() {
|
post_build() {
|
||||||
|
|