Merge pull request #13309 from olivier-mauras/lsm_implementation_userland_apparmor

Add AppArmor userland
2018-05-29 16:58:26 +02:00 · 2018-05-29 16:58:26 +02:00 · 575ff55a00
commit 575ff55a00
parent 3744c8c090 4aad527b9f
18 changed files with 414 additions and 2 deletions
--- a/common/shlibs
+++ b/common/shlibs
@ -3347,4 +3347,5 @@ libeditorconfig.so.0 editorconfig-0.12.2_1
 libkid3-core.so.3.6.0 kid3-3.6.0_1
 libkid3-gui.so.3.6.0 kid3-3.6.0_1
 libcfitsio.so.3 cfitsio-3.450_1
-libcue.so.2 libcue-2.2.0_1
+libapparmor.so.1 libapparmor-2.12.0_1
+libcue.so.2 libcue-2.2.0_1
--- a/srcpkgs/apparmor-vim
+++ b/srcpkgs/apparmor-vim
@ -0,0 +1 @@
+apparmor
--- a/srcpkgs/apparmor/INSTALL.msg
+++ b/srcpkgs/apparmor/INSTALL.msg
@ -0,0 +1,2 @@
+To ensure AppArmor is enabled upon reboot add 'apparmor=1 security=apparmor' to your grub CMDLINE and rebuild your grub config with 'grub-mkconfig -o /boot/grub/grub.cfg'.
+You'll also need to swith 'APPARMOR' setting in /etc/default/apparmor to your taste.
--- a/srcpkgs/apparmor/files/apparmor/finish
+++ b/srcpkgs/apparmor/files/apparmor/finish
@ -0,0 +1,7 @@
+#!/bin/sh
+[ -r /etc/default/apparmor ] && . /etc/default/apparmor || exit 1
+
+# Find all profiles in $APPARMORD and unload them
+for profile in $(find /etc/apparmor.d -maxdepth 1 -type f); do
+	apparmor_parser -R $profile
+done
--- a/srcpkgs/apparmor/files/apparmor/run
+++ b/srcpkgs/apparmor/files/apparmor/run
@ -0,0 +1,8 @@
+#!/bin/sh
+[ -r /etc/default/apparmor ] && . /etc/default/apparmor || exit 1
+
+# Find all profiles in $APPARMORD and load them
+for profile in $(find /etc/apparmor.d -maxdepth 1 -type f); do
+	apparmor_parser -a $profile
+done
+exec chpst -b apparmor pause
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability chown,
+  capability net_admin,
+  capability net_raw,
+  capability sys_admin,
+
+  network packet dgram,
+  network inet raw,
+  network inet6 raw,
+
+  /dev/pts/* rw,
+
+  /etc/dhcpcd.{conf,duid,secret} r,
+  /etc/ld.so.cache r,
+  /etc/udev/udev.conf r,
+
+  /proc/*/net/if_inet6 r,
+  /proc/sys/net/ipv{4,6}/conf/*/* rw,
+
+  /{var/,}run/dhcpcd{-*,}.pid rwk,
+  /{var/,}run/dhcpcd.sock rw,
+  /{var/,}run/dhcpcd.unpriv.sock rw,
+  /{var/,}run/udev/data/* r,
+
+  /sys/devices/*/*/{*/,}net/*/uevent r,
+  /sys/devices/virtual/net/*/uevent r,
+
+  /{usr/,}bin/dash ix,
+  /{usr/,}bin/dash mrix,
+
+  /usr/lib/dhcpcd/dev/udev.so m,
+  /usr/lib/ld-*.so m,
+  /usr/lib/libc-*.so m,
+
+  # Transition to a child profile for hooks
+  /usr/libexec/dhcpcd-run-hooks Cx -> dhcpcd_run_hooks,
+
+  /var/db/dhcpcd-*.lease rw,
+  /var/db/dhcpcd/** rw,
+  /{usr/,}bin/dhcpcd mrix,
+
+  # Child profile for hooks
+  profile dhcpcd_run_hooks {
+    #include <abstractions/base>
+    #include <abstractions/nameservice>
+
+    capability sys_admin,
+    capability sys_tty_config,
+
+    /etc/chrony.conf rw,
+    /etc/ntpd.conf rw,
+    /etc/resolv.conf rw,
+    /etc/wpa_supplicant/wpa_supplicant*.conf r,
+
+    /{var/,}run/dhcpcd/ rw,
+    /{var/,}run/dhcpcd/{ntp,resolv}.conf.** rw,
+    /{var/,}run/dhcpcd/{ntp,resolv}.conf/ rw,
+    /{var/,}run/dhcpcd/{ntp,resolv}.conf/*.dhcp rw,
+
+    /usr/bin/cat mrix,
+    /usr/bin/chmod mrix,
+    /usr/bin/cmp mrix,
+    /usr/bin/dash mr,
+    /usr/bin/hostname-coreutils mrix,
+    /usr/bin/mkdir mrix,
+    /usr/bin/rm mrix,
+    /usr/bin/sed mrix,
+    /usr/bin/util-linux-logger mrix,
+    /usr/bin/wpa_supplicant CUx,
+    /usr/bin/wpa_cli CUx,
+    /usr/bin/resolvconf CUx,
+
+    /usr/libexec/dhcpcd-hooks/ r,
+    /usr/libexec/dhcpcd-hooks/* r,
+    /usr/libexec/dhcpcd-run-hooks r,
+
+    /usr/share/dhcpcd/hooks/* r,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.dhcpcd>
+}
--- a/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping
@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+profile ping /{usr/,}bin/iputils-ping {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  #include <abstractions/nameservice>
+
+  capability net_raw,
+  capability setuid,
+  network inet raw,
+  network inet6 raw,
+
+  /{usr/,}bin/iputils-ping mixr,
+  /etc/modules.conf r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.iputils-ping>
+}
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+#include <tunables/global>
+
+/usr/bin/nginx {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/nis>
+  #include <abstractions/openssl>
+
+  capability setgid,
+  capability setuid,
+
+  # XXX: Maybe switch to "/etc/nginx/** r," ?
+  /etc/nginx/*.conf r,
+  /etc/nginx/*_params r,
+  /etc/nginx/conf.d/* r,
+  /etc/nginx/mime.types r,
+
+  /run/nginx.pid rw,
+
+  /usr/bin/nginx mr,
+
+  /usr/share/nginx/html/* r,
+
+  /var/log/nginx/* w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.nginx>
+}
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+#include <tunables/global>
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+/usr/bin/php-fpm {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/php>
+
+  capability setgid,
+  capability setuid,
+  capability kill,
+
+  /etc/php/php-fpm.conf r,
+  /etc/php/php-fpm.d/* r,
+
+  # This is set to make php-fpm work by default, but if you don't use these paths
+  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+  # to where your PHP app is located
+  @{PHP_BASEDIRS}/** r,
+
+  /usr/bin/php-fpm mr,
+
+  /usr/share/pear/** r,
+  /usr/share/php/fpm/status.html r,
+
+  /var/log/php-fpm.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.php-fpm>
+
+}
+
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+/usr/bin/uuidd {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+
+  network inet dgram,
+
+  /usr/bin/uuidd mr,
+
+  /run/uuidd/request rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  #include <local/usr.bin.uuidd>
+}
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@ -0,0 +1,29 @@
+diff --git a/utils/logprof.conf b/utils/logprof.conf
+index a3d7a31..296dd8b 100644
+--- a/utils/logprof.conf
+++ b/utils/logprof.conf
+@@ -14,7 +14,7 @@
+   inactive_profiledir = /usr/share/apparmor/extra-profiles 
+   logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
+ 
+-  parser = /sbin/apparmor_parser /sbin/subdomain_parser
+  parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
+   ldd = /usr/bin/ldd
+   logger = /bin/logger /usr/bin/logger
+ 
+@@ -36,10 +36,10 @@
+   custom_includes =
+ 
+ 
+-[repository]
+-  distro         = ubuntu-intrepid
+-  url            = http://apparmor.test.opensuse.org/backend/api
+-  preferred_user = ubuntu
+#[repository]
+#  distro         = ubuntu-intrepid
+#  url            = http://apparmor.test.opensuse.org/backend/api
+#  preferred_user = ubuntu
+ 
+ [qualifiers]
+   # things will be painfully broken if bash has a profile
+
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@ -0,0 +1,108 @@
+# Template file for 'apparmor'
+pkgname=apparmor
+version=2.13.0
+revision=1
+_short_ver=${version%\.*}
+wrksrc="${pkgname}-v${_short_ver}"
+configure_args="--prefix=/usr --with-perl --with-python"
+patch_args="-Np1"
+hostmakedepends="bison flex autoconf automake libtool"
+makedepends="perl python3-devel swig"
+depends="runit-void-apparmor python3 libapparmor"
+only_for_archs="x86_64 i686"
+short_desc="Mandatory access control to restrict programs"
+maintainer="Olivier Mauras <olivier@mauras.ch>"
+license="GPL-3"
+homepage="https://gitlab.com/apparmor/apparmor"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${_short_ver}/apparmor-v${_short_ver}.tar.gz"
+checksum="fdafa0b71cbf574cce76a1ea1542b4540fa1c1040f80d0f0866fc0056ec37747"
+
+pre_build() {
+	# Replace release profiles by our owns
+	cd ${wrksrc}
+
+	# Put in place our own profiles
+	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
+	mv profiles/apparmor.d/bin.ping profiles/apparmor/profiles/extras/
+}
+
+do_build() {
+	cd ${wrksrc}/libraries/libapparmor
+	NOCONFIGURE=1 ./autogen.sh
+	./configure ${configure_args}
+	make ${makejobs}
+
+	export CFLAGS+="-fPIC"
+	export LDFLAGS+="-fPIE -pie"
+
+	cd ${wrksrc}/binutils
+	make ${makejobs}
+
+	cd ${wrksrc}/utils
+	make ${makejobs}
+
+	cd ${wrksrc}/parser
+	sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' Makefile
+	sed -i 's#${DESTDIR}/lib#${DESTDIR}/usr/lib#g' Makefile
+	make ${makejobs}
+
+	cd ${wrksrc}/profiles
+	make ${makejobs}
+}
+
+do_install() {
+	cd ${wrksrc}/libraries/libapparmor
+	make DESTDIR=${DESTDIR} install
+
+	cd ${wrksrc}/binutils
+	make DESTDIR=${DESTDIR} install
+
+	cd ${wrksrc}/utils
+	make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install
+
+	cd ${wrksrc}/parser
+	make DESTDIR=${DESTDIR} install
+
+	cd ${wrksrc}/profiles
+	make DESTDIR=${DESTDIR} install
+}
+
+post_install() {
+	# Put Vim syntax in the correct place
+	mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
+	mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+
+	# We want to keep this empty directory
+	touch ${DESTDIR}/etc/apparmor.d/disable/.empty
+}
+
+apparmor-vim_package() {
+	short_desc+=" - Vim syntax"
+	depends="vim"
+	pkg_install() {
+		vmove usr/share/vim/vim80/syntax/apparmor.vim
+		vmove usr/share/man/man5/apparmor.vim.5
+	}
+}
+
+libapparmor_package() {
+	short_desc+=" - Library"
+	pkg_install() {
+		vmove "usr/lib/libapparmor.so*"
+		vmove usr/lib/perl5
+		vmove "usr/lib/python3.6/site-packages/LibAppArmor*"
+		vmove usr/share/man/man2
+		vmove usr/share/man/man3
+	}
+}
+
+libapparmor-devel_package() {
+	short_desc+=" - Library development files"
+	depends="${sourcepkg}-${version}_${revision}"
+	pkg_install() {
+		vmove usr/include/
+		vmove "usr/lib/*.a"
+		vmove usr/lib/pkgconfig
+	}
+}
+
--- a/srcpkgs/libapparmor
+++ b/srcpkgs/libapparmor
@ -0,0 +1 @@
+apparmor/
--- a/srcpkgs/libapparmor-devel
+++ b/srcpkgs/libapparmor-devel
@ -0,0 +1 @@
+apparmor/
--- a/srcpkgs/runit-void-apparmor
+++ b/srcpkgs/runit-void-apparmor
@ -0,0 +1 @@
+runit-void
--- a/srcpkgs/runit-void/files/09-apparmor.sh
+++ b/srcpkgs/runit-void/files/09-apparmor.sh
@ -0,0 +1,32 @@
+# vim: set ts=4 sw=4 et:
+
+# AppArmor is not enabled in kernel, silently exit
+[ ! -d /sys/kernel/security/apparmor ] && return
+
+# Load config
+[ -r /etc/default/apparmor ] && . /etc/default/apparmor
+
+# Proceed to load profiles depending on user settings
+msg "Loading AppArmor profiles..."
+
+if [ -n "$APPARMOR" ]; then
+	if [ "$APPARMOR" != "complain" -a "$APPARMOR" != "enforce" ]; then
+		printf '! AppArmor set to %s - ignoring profiles\n' "$APPARMOR"
+		return
+	fi
+
+	[ "$APPARMOR" = "complain" ] && AACOMPLAIN="-C"
+
+	if [ -d /etc/apparmor.d -a -x /usr/bin/apparmor_parser ]; then
+		for profile in /etc/apparmor.d/*; do
+		if [ -f "$profile" ]; then
+			printf '* Load profile %s: %s\n' "($APPARMOR)" "$profile"
+			apparmor_parser -a $AACOMPLAIN "$profile"
+		fi
+		done
+	else
+		printf '! AppArmor installation problem - ensure you have installed apparmor package\n'
+	fi
+else
+	printf '! AppArmor disabled - ignoring profiles\n'
+fi
--- a/srcpkgs/runit-void/files/rc.apparmor
+++ b/srcpkgs/runit-void/files/rc.apparmor
@ -0,0 +1,7 @@
+# AppArmor configuration
+
+# Possible options:
+# - disable
+# - complain
+# - enforce
+#APPARMOR=disable
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@ -1,7 +1,7 @@
 # Template file for 'runit-void'
 pkgname=runit-void
 version=20171102
-revision=1
+revision=2
 wrksrc="void-runit-${version}"
 build_style=gnu-makefile
 homepage="http://www.voidlinux.eu"
@ -32,9 +32,20 @@ post_install() {
 	vconf ${FILESDIR}/hostname
 	vconf ${FILESDIR}/os-release
 	vconf ${FILESDIR}/locale.conf
+	vinstall ${FILESDIR}/rc.apparmor 644 /etc/default/apparmor
+	vinstall ${FILESDIR}/09-apparmor.sh 644 /etc/runit/core-services/
 	# Enable services at post-install time instead.
 	rm -f ${DESTDIR}/etc/runit/runsvdir/current
 	rm -rf ${DESTDIR}/etc/runit/runsvdir/default
 	rm -rf ${DESTDIR}/etc/runit/runsvdir/single
 	ln -s runit-init ${DESTDIR}/usr/bin/init
 }
+
+runit-void-apparmor_package() {
+	short_desc+=" - AppArmor initialization"
+	depends="${sourcepkg}-${version}_${revision}"
+	pkg_install() {
+		vmove etc/default/apparmor
+		vmove etc/runit/core-services/09-apparmor.sh
+	}
+}