From: PaperMountainStudio <PaperMountainStudio@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] [WIP] apparmor: update to 3.0.0
Date: Thu, 29 Oct 2020 23:49:59 +0100
Message-ID: <20201029224959.ZzMaAY8DMpGRVjDHIp5qALjSotvtIhHN6H0givsJqZs@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-25967@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 922 bytes --]
There is an updated pull request by PaperMountainStudio against master on the void-packages repository
https://github.com/PaperMountainStudio/void-packages 0001-apparmor-update-to-3.0.0.patch
https://github.com/void-linux/void-packages/pull/25967
[WIP] apparmor: update to 3.0.0
+ builds and works fine for x86_64-glibc
- [x] doesn't build for musl yet and I am not experienced enough to fix it
- [ ] should I bump libapparmor.so in common/shlibs?
- [ ] this update breaks compatibility with older apparmor profiles, are there any which have to be fixed?
- [ ] akonadi5
- [ ] brillo
- [ ] firejail
- [ ] gammastep
- [ ] ippusbxd
- [ ] libvirt
- [ ] lightdm
- [ ] lxc
- [ ] mako
- [ ] onionshare
- [ ] torbrowser
If anyone wants to adopt this PR, feel free to do so.
A patch file from https://github.com/void-linux/void-packages/pull/25967.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-update-to-3.0.0.patch-25967.patch --]
[-- Type: text/x-diff, Size: 13654 bytes --]
From 3faf3f930062ffc59daa37a63aaa8887f513b6f5 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 21 Oct 2020 17:25:50 +0200
Subject: [PATCH] apparmor: update to 3.0.0
---
.../apparmor/files/profiles/usr.bin.dhcpcd | 9 +--
srcpkgs/apparmor/files/profiles/usr.bin.nginx | 12 ++--
.../apparmor/files/profiles/usr.bin.php-fpm | 12 ++--
.../files/profiles/usr.bin.pulseaudio | 24 ++++----
srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 8 +--
.../files/profiles/usr.bin.wpa_supplicant | 10 ++--
.../patches/correct_paths_logprofconf.patch | 60 ++++++++++++++-----
srcpkgs/apparmor/patches/fix-musl.patch | 24 ++++++++
srcpkgs/apparmor/template | 48 +++++++--------
9 files changed, 134 insertions(+), 73 deletions(-)
create mode 100644 srcpkgs/apparmor/patches/fix-musl.patch
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
index 26364f36385..f9fd40f33a6 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -1,10 +1,10 @@
# vim:syntax=apparmor
-#include <tunables/global>
+include <tunables/global>
profile dhcpcd /{usr/,}bin/dhcpcd {
- #include <abstractions/base>
- #include <abstractions/nameservice>
+ include <abstractions/base>
+ include <abstractions/nameservice>
capability chown,
capability fowner,
@@ -16,6 +16,7 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
capability setgid,
capability sys_admin,
capability sys_chroot,
+ capability bpf,
network packet dgram,
network inet raw,
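Review bot: the added `capability bpf,` at the end of the capability list has no comment, and the commit message does not say which dhcpcd operation needs it. The profile already grants `capability sys_admin,` plus packet and raw sockets, so each further capability should be justified. Add a one-line comment naming the denial that prompted it, so a later reviewer can tell whether it is still required.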
@@ -58,5 +59,5 @@ profile dhcpcd /{usr/,}bin/dhcpcd {
owner @{PROC}/@{pid}/stat r,
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.dhcpcd>
+ include if exists <local/usr.bin.dhcpcd>
}
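Review bot: the last rule of the profile changes the local override from an unconditional include to `include if exists <local/usr.bin.dhcpcd>`, so a missing or misnamed local file is now skipped silently instead of failing the profile load. The same switch is repeated in the nginx, php-fpm, pulseaudio, uuidd and wpa_supplicant profiles. If that is intended, say so in the commit message, and check that the `local/README` the comment above refers to is still installed.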
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
index 5e4854d9032..46590dda151 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -4,13 +4,13 @@
# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
# /path/to/your/unix/socket rw,
-#include <tunables/global>
+include <tunables/global>
/usr/bin/nginx {
- #include <abstractions/base>
- #include <abstractions/nameservice>
- #include <abstractions/nis>
- #include <abstractions/openssl>
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/nis>
+ include <abstractions/openssl>
capability setgid,
capability setuid,
@@ -30,5 +30,5 @@
/var/log/nginx/* w,
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.nginx>
+ include if exists <local/usr.bin.nginx>
}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
index 98366dcaabf..93fb02fe509 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
@@ -5,7 +5,7 @@
# add the following permission to local/usr.bin.php-fpm
# /path/to/your/unix/socket w,
-#include <tunables/global>
+include <tunables/global>
# This is PHP open_basedir where script can only be executed from.
# /home, /tmp have been removed to not open permissions too widely
@@ -13,10 +13,10 @@
@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
/usr/bin/php-fpm {
- #include <abstractions/base>
- #include <abstractions/nameservice>
- #include <abstractions/openssl>
- #include <abstractions/php>
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/php>
capability setgid,
capability setuid,
@@ -38,7 +38,7 @@
/var/log/php-fpm.log w,
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.php-fpm>
+ include if exists <local/usr.bin.php-fpm>
}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
index 4b17e6edc08..343be5e7ccf 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
@@ -1,12 +1,14 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+include <tunables/global>
profile pulseaudio /usr/bin/pulseaudio {
- #include <abstractions/base>
- #include <abstractions/audio>
- #include <abstractions/dbus-session>
- #include <abstractions/dbus-strict>
- #include <abstractions/nameservice>
- #include <abstractions/X>
+ include <abstractions/base>
+ include <abstractions/audio>
+ include <abstractions/dbus-session>
+ include <abstractions/dbus-strict>
+ include <abstractions/nameservice>
+ include <abstractions/X>
dbus send
bus=system
@@ -106,9 +108,9 @@ profile pulseaudio /usr/bin/pulseaudio {
owner /tmp/.esd-@{pid}*/socket rw,
profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
- #include <abstractions/base>
- #include <abstractions/gnome>
- #include <abstractions/dconf>
+ include <abstractions/base>
+ include <abstractions/gnome>
+ include <abstractions/dconf>
/usr/libexec/pulse/gsettings-helper mr,
owner /{,var/}run/user/*/dconf/user rw,
@@ -118,6 +120,6 @@ profile pulseaudio /usr/bin/pulseaudio {
}
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.pulseaudio>
+ include if exists <local/usr.bin.pulseaudio>
}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
index 8c00a903611..a27798f7871 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -1,10 +1,10 @@
# vim:syntax=apparmor
-#include <tunables/global>
+include <tunables/global>
/usr/bin/uuidd {
- #include <abstractions/base>
- #include <abstractions/consoles>
+ include <abstractions/base>
+ include <abstractions/consoles>
network inet dgram,
@@ -13,5 +13,5 @@
/run/uuidd/request rw,
# Site-specific additions and overrides. See local/README for details.
- #include <local/usr.bin.uuidd>
+ include if exists <local/usr.bin.uuidd>
}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
index df53acc82d6..847ad6cf4a2 100644
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
@@ -1,8 +1,10 @@
-#include <tunables/global>
+# vim:syntax=apparmor
+
+include <tunables/global>
/usr/bin/wpa_supplicant {
- #include <abstractions/base>
- #include <abstractions/dbus-strict>
+ include <abstractions/base>
+ include <abstractions/dbus-strict>
capability net_admin,
capability net_raw,
@@ -45,5 +47,5 @@
bus=system
path=/fi/epitest/hostap/WPASupplicant/**,
- #include <local/usr.bin.wpa_supplicant>
+ include if exists <local/usr.bin.wpa_supplicant>
}
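Review bot: the `include if exists <local/usr.bin.wpa_supplicant>` line at the end of this profile has no preceding `# Site-specific additions and overrides. See local/README for details.` comment, which every other profile touched by this patch carries above its local include. Since the line is being rewritten anyway, add the comment here for consistency.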
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index 0f25758486a..fb6ce53ffdc 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -1,5 +1,14 @@
+From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
+From: Paper <paper@tilde.institute>
+Date: Wed, 21 Oct 2020 10:20:47 +0200
+Subject: [PATCH] correct paths in logprof.conf
+
+---
+ utils/logprof.conf | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a3d7a31..296dd8b 100644
+index a778792..a9f7b79 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
@@ -14,7 +14,7 @@
@@ -11,19 +20,42 @@ index a3d7a31..296dd8b 100644
ldd = /usr/bin/ldd
logger = /bin/logger /usr/bin/logger
-@@ -36,10 +36,10 @@
- custom_includes =
-
+@@ -51,12 +51,10 @@
+ /bin/mount = u
+ /usr/bin/mount = u
+ /etc/init.d/subdomain = u
+- /sbin/cardmgr = u
+- /usr/sbin/cardmgr = u
+- /sbin/subdomain_parser = u
+- /usr/sbin/subdomain_parser = u
+- /usr/sbin/genprof = u
+- /usr/sbin/logprof = u
++ /usr/bin/cardmgr = u
++ /usr/bin/subdomain_parser = u
++ /usr/bin/genprof = u
++ /usr/bin/logprof = u
+ /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+ /usr/lib/YaST2/servers_non_y2/ag_logprof = u
--[repository]
-- distro = ubuntu-intrepid
-- url = http://apparmor.test.opensuse.org/backend/api
-- preferred_user = ubuntu
-+#[repository]
-+# distro = ubuntu-intrepid
-+# url = http://apparmor.test.opensuse.org/backend/api
-+# preferred_user = ubuntu
+@@ -97,8 +95,7 @@
+ /usr/bin/sed = icn
+ /bin/touch = icn
+ /usr/bin/touch = icn
+- /sbin/killall5 = icn
+- /usr/sbin/killall5 = icn
++ /usr/bin/killall5 = icn
+ /usr/bin/find = icn
+ /usr/bin/killall = icn
+ /usr/bin/nice = icn
+@@ -112,6 +109,8 @@
+ /usr/bin/python3.5 = icn
+ /usr/bin/python3.6 = icn
+ /usr/bin/python3.7 = icn
++ /usr/bin/python3.8 = icn
++ /usr/bin/python3.9 = icn
+ /usr/bin/tr = icn
- [qualifiers]
- # things will be painfully broken if bash has a profile
+ [required_hats]
+--
+2.29.0
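Review bot: the refreshed patch no longer carries the old hunk that commented out the `[repository]` section (`url = http://apparmor.test.opensuse.org/backend/api`), and nothing here says why. Confirm that the 3.0.0 `utils/logprof.conf` no longer ships that section; if it still does, keep the hunk so the installed config does not point at that plain-HTTP endpoint. Separately, the added `/usr/bin/python3.8` and `/usr/bin/python3.9` entries extend a hard-coded list that will need another edit for each new Python release, which is worth noting in the patch description.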
diff --git a/srcpkgs/apparmor/patches/fix-musl.patch b/srcpkgs/apparmor/patches/fix-musl.patch
new file mode 100644
index 00000000000..484b67dfea4
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-musl.patch
@@ -0,0 +1,24 @@
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b0340..56ecac3 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -17,6 +17,7 @@
+ #include <errno.h>
+ #include <ctype.h>
+ #include <dirent.h>
++#include <limits.h>
+
+ #include <sys/apparmor.h>
+ #include <sys/apparmor_private.h>
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d0..dad7664 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -22,6 +22,7 @@
+ #include <stdint.h>
+ #include <unistd.h>
+ #include <sys/types.h>
++#include <sys/socket.h>
+
+ #ifdef __cplusplus
+ extern "C" {
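Review bot: this new patch file has no description, and the second file it touches, `libraries/libapparmor/include/sys/apparmor.h`, is a library header, so the added `#include <sys/socket.h>` changes what every consumer of that header pulls in, not only the musl build. Add a header to the patch naming the declarations that were missing in each file and whether the change has been sent upstream. The PR description mentions that musl does not build yet, so also state whether these two includes are the complete fix or only part of it.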
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index b064f78086e..fe71042b85e 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
# Template file for 'apparmor'
pkgname=apparmor
-version=2.13.4
-revision=6
+version=3.0.0
+revision=1
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
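Review bot: `version=3.0.0` is a major-version jump for a package whose `build_wrksrc` is `libraries/libapparmor`, yet the diffstat lists nine files and none of them is `common/shlibs`, which the PR description itself raises as an open question. Check the soname of the built `libapparmor.so` against the existing `common/shlibs` entry and update it in this commit if it changed.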
@@ -16,23 +16,13 @@ maintainer="Olivier Mauras <olivier@mauras.ch>"
license="GPL-2.0-only, LGPL-2.1-only"
homepage="https://gitlab.com/apparmor/apparmor"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=4f45e5a5de59b72039c6cf218bb61cb4fc42eeb7f47ca109a58238896394a33b
+checksum=8c440ab1848e723483a8550ed2889e18f322e9d7ee9eb4e2e712152ea61da68f
patch_args="-Np1"
if [ -z "$CROSS_BUILD" ]; then
configure_args="--with-perl --with-python"
fi
-post_patch() {
- # Make.rules feeds some system headers to the C preprocessor to produce
- # lists of capability and address-family names that, respectively,
- # populate 'parser/cap_names.h' and 'parser/af_names.h'. The escaping
- # backslash in the '\#include" directives here is seen by the
- # preprocessor, causing it to skip the system headers and produce empty
- # files. Removing the backslash ensures correct behavior.
- vsed -i ${wrksrc}/common/Make.rules -e 's/\\#include </#include </'
-}
-
pre_configure() {
autoreconf -if
}
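Review bot: the removed `post_patch()` existed because the escaped `\#include` in `common/Make.rules` made the preprocessor skip the system headers and leave `parser/cap_names.h` and `parser/af_names.h` empty, and the hunk drops it without saying that 3.0.0 no longer needs it. Confirm that the 3.0.0 `Make.rules` has no `\#include` left and that both generated headers are non-empty after a build, since the parser's capability and address-family name lists are populated from them. Record the result in the commit message.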
@@ -47,7 +37,10 @@ pre_build() {
post_build() {
cd ${wrksrc}
- sed -i 's#$(DESTDIR)/sbin#$(DESTDIR)/usr/bin#g' parser/Makefile
+
+ # fix cross compilation
+ vsed -i parser/Makefile -e 's,cpp,$(CPP),'
+
make ${makejobs} -C binutils
make ${makejobs} -C utils
make ${makejobs} -C parser
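Review bot: the expression in `vsed -i parser/Makefile -e 's,cpp,$(CPP),'` is unanchored and has no `g` flag, so it rewrites the first `cpp` substring on every line of the Makefile, whether or not that line is the preprocessor invocation. Match the specific command that needs the cross preprocessor instead, and extend the `# fix cross compilation` comment to name the rule it targets so the substitution can be re-checked on the next version bump.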
@@ -56,15 +49,22 @@ post_build() {
post_install() {
cd ${wrksrc}
- make DESTDIR=${DESTDIR} install -C binutils
- make DESTDIR=${DESTDIR} BINDIR=${DESTDIR}/usr/bin install -C utils
- make DESTDIR=${DESTDIR} APPARMOR_BIN_PREFIX=${DESTDIR}/usr/lib/apparmor \
- SBINDIR=${DESTDIR}/usr/bin USR_SBINDIR=${DESTDIR}/usr/bin install -C parser
- make DESTDIR=${DESTDIR} install -C profiles
-
- # Put Vim syntax in the correct place
- mkdir -p ${DESTDIR}/usr/share/vim/vim80/syntax/
- mv ${DESTDIR}/usr/share/apparmor/apparmor.vim ${DESTDIR}/usr/share/vim/vim80/syntax/
+ make DESTDIR="${DESTDIR}" \
+ SBINDIR="${DESTDIR}/usr/bin" \
+ USR_SBINDIR="${DESTDIR}/usr/bin" \
+ install -C binutils
+ make DESTDIR="${DESTDIR}" \
+ SBINDIR="${DESTDIR}/usr/bin" \
+ USR_SBINDIR="${DESTDIR}/usr/bin" \
+ BINDIR="${DESTDIR}/usr/bin" \
+ VIM_INSTALL_PATH="${DESTDIR}/usr/share/vim/vimfiles/syntax" \
+ install -C utils
+ make DESTDIR="${DESTDIR}" \
+ SBINDIR="${DESTDIR}/usr/bin" \
+ USR_SBINDIR="${DESTDIR}/usr/bin" \
+ APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
+ install -C parser
+ make DESTDIR="${DESTDIR}" install -C profiles
# requires perl bindings not generated when cross-compiling
if [ "$CROSS_BUILD" ]; then
@@ -76,7 +76,7 @@ apparmor-vim_package() {
short_desc+=" - Vim syntax"
depends="vim"
pkg_install() {
- vmove usr/share/vim/vim80/syntax/apparmor.vim
+ vmove usr/share/vim/vimfiles/syntax/apparmor.vim
vmove usr/share/man/man5/apparmor.vim.5
}
}