From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] apparmor: various fixes
Date: Thu, 04 Feb 2021 11:42:51 +0100
Message-ID: <20210204104251.--zeGJsdbAXnTW-9oecPq9VU5m-CoYxZxFVnkIl4GUY@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-28448@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 1650 bytes --]
There is an updated pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages 0001-apparmor-add-missing-dependency.patch
https://github.com/void-linux/void-packages/pull/28448
apparmor: various fixes
<!-- Mark items with [x] where applicable -->
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
required by aa-notify
<!--
If GitHub CI cannot be used to validate the build result (for example, if the
build is likely to take several hours), make sure to
[skip CI](https://github.com/void-linux/void-packages/blob/master/CONTRIBUTING.md#continuous-integration).
When skipping CI, uncomment and fill out the following section.
Note: for builds that are likely to complete in less than 2 hours, it is not
acceptable to skip CI.
-->
<!--
#### Does it build and run successfully?
(Please choose at least one native build and, if supported, at least one cross build. More are better.)
- [ ] I built this PR locally for my native architecture, (ARCH-LIBC)
- [ ] I built this PR locally for these architectures (if supported. mark crossbuilds):
- [ ] aarch64-musl
- [ ] armv7l
- [ ] armv6l-musl
-->
A patch file from https://github.com/void-linux/void-packages/pull/28448.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-apparmor-add-missing-dependency.patch-28448.patch --]
[-- Type: text/x-diff, Size: 6660 bytes --]
From 3b64ee48d3683e472af528399da0252d3dd26e87 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Wed, 3 Feb 2021 20:13:56 +0100
Subject: [PATCH] apparmor: various fixes
* add missing dependency python3-notify2 for aa-notify
* do not rewrite logfiles option in logprof.conf aggressively
* remove an old patch
---
.../add-missing-typedef-definitions.patch | 49 -----------------
.../patches/correct_paths_logprofconf.patch | 9 ++--
.../patches/fix-setting-proc_attr_base.patch | 52 +++++++++++++++++++
srcpkgs/apparmor/template | 7 +--
4 files changed, 60 insertions(+), 57 deletions(-)
delete mode 100644 srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
create mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
diff --git a/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch b/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
deleted file mode 100644
index 30925916350..00000000000
--- a/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Source: Alpine Linux
-Upstream: Unknown
-Reason: Fixes compilation with musl libc
----
-
-diff --git a/parser/missingdefs.h b/parser/missingdefs.h
-new file mode 100644
-index 0000000..8097aef
---- /dev/null
-+++ b/parser/missingdefs.h
-@@ -0,0 +1,8 @@
-+#ifndef PARSER_MISSINGDEFS_H
-+#define PARSER_MISSINGDEFS_H
-+
-+typedef int (*__compar_fn_t) (const void *, const void *);
-+typedef __compar_fn_t comparison_fn_t;
-+typedef void (*__free_fn_t) (void *__nodep);
-+
-+#endif
-diff --git a/parser/parser_alias.c b/parser/parser_alias.c
-index f5b6da4..d57f580 100644
---- a/parser/parser_alias.c
-+++ b/parser/parser_alias.c
-@@ -25,6 +25,10 @@
- #include "parser.h"
- #include "profile.h"
-
-+#ifndef __GLIBC__
-+#include "missingdefs.h"
-+#endif
-+
- struct alias_rule {
- char *from;
- char *to;
-diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
-index 3e667d8..e109f4d 100644
---- a/parser/parser_symtab.c
-+++ b/parser/parser_symtab.c
-@@ -25,6 +25,10 @@
- #include "immunix.h"
- #include "parser.h"
-
-+#ifndef __GLIBC__
-+#include "missingdefs.h"
-+#endif
-+
- enum var_type {
- sd_boolean,
- sd_set,
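Review bot: The dropped patch gives its reason as "Fixes compilation with musl libc", but the commit message only says "remove an old patch" and does not explain why the musl fix is no longer needed. State in the commit message why it can go (for example, that the 3.0.1 sources no longer need the `__compar_fn_t`, `comparison_fn_t` and `__free_fn_t` typedefs) and confirm a musl build, since the header was only included under `#ifndef __GLIBC__` and a glibc build will not exercise this removal.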
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index fb6ce53ffdc..e34e69af8bf 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -11,15 +11,18 @@ diff --git a/utils/logprof.conf b/utils/logprof.conf
index a778792..a9f7b79 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
-@@ -14,7 +14,7 @@
+@@ -12,9 +12,9 @@
+ [settings]
+ profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /usr/share/apparmor/extra-profiles
- logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
+- logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
++ logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages
- parser = /sbin/apparmor_parser /sbin/subdomain_parser
+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
ldd = /usr/bin/ldd
logger = /bin/logger /usr/bin/logger
-
+
@@ -51,12 +51,10 @@
/bin/mount = u
/usr/bin/mount = u
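Review bot: The new `logfiles` line in the embedded logprof.conf hunk adds `/var/log/socklog/kernel/current` as the second entry, after `/var/log/audit/audit.log`, whereas the `vsed` removed from the template set it as the only entry; the patch should say whether that ordering is intended and note that this path replaces the template's "use the correct syslog path" step. The embedded hunk header was also rewritten from `-14,7 +14,7` to `-12,9 +12,9` and the hunk ends with a `-`/`+` pair on a blank line that changes only whitespace, which looks like hand-editing; regenerating the embedded patch against the pristine `utils/logprof.conf` would keep line counts and context whitespace consistent.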
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
new file mode 100644
index 00000000000..35e9101f81b
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
@@ -0,0 +1,52 @@
+upstream: yes
+From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
+From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
+Date: Wed, 20 Jan 2021 17:26:37 -0600
+Subject: [PATCH] fix setting proc_attr_base
+
+There is currently a case in which proc_attr_base won't get set when
+asprintf is able to generate the path, but the file doesn't exist, it
+will exit proc_attr_base_init_once() without proc_attr_base having been
+set as the fall-through if/else logic will get bypassed when asprintf is
+successful.
+---
+ libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
+index 0fa77b014..6ba028614 100644
+--- a/libraries/libapparmor/src/kernel.c
++++ b/libraries/libapparmor/src/kernel.c
+@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
+ /* if we fail we just fall back to the default value */
+ if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
+ autoclose int fd = open(tmp, O_RDONLY);
+- if (fd != -1)
++ if (fd != -1) {
+ proc_attr_base = proc_attr_base_stacking;
+- } else if (!is_enabled() && is_private_enabled()) {
++ return;
++ }
++ }
++ if (!is_enabled() && is_private_enabled()) {
+ /* new stacking interfaces aren't available and apparmor
+- * is disabled, but available. do not use the
+- * /proc/<pid>/attr/ * interfaces as they could be
+- * in use by another LSM
+- */
++ * is disabled, but available. do not use the
++ * /proc/<pid>/attr/ * interfaces as they could be
++ * in use by another LSM
++ */
+ proc_attr_base = proc_attr_base_unavailable;
+- } else {
+- proc_attr_base = proc_attr_base_old;
++ return;
+ }
++ proc_attr_base = proc_attr_base_old;
+ }
+
+ static char *procattr_path(pid_t pid, const char *attr)
+--
+GitLab
+
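Review bot: In the unchanged context line `if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid()))` of the backported kernel.c hunk, the return value is tested for truth, but asprintf returns -1 on failure, so an allocation failure still enters the branch and passes an undefined `tmp` to open() instead of falling back as the comment above it says. Since this is a verbatim upstream backport, keep it as is here and raise the `!= -1` check upstream. Separately, the commit message's bullet list does not mention adding this patch, and the `upstream: yes` header would be more useful with a link to the upstream commit it names.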
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index f6f5bff6aae..27029962cf0 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
# Template file for 'apparmor'
pkgname=apparmor
version=3.0.1
-revision=1
+revision=2
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
@@ -9,7 +9,7 @@ conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
make_dirs="/etc/apparmor.d/disable 0755 root root"
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
makedepends="perl python3-devel"
-depends="runit-void-apparmor python3 libapparmor"
+depends="runit-void-apparmor python3 libapparmor python3-notify2"
checkdepends="dejagnu"
short_desc="Mandatory access control to restrict programs"
maintainer="Olivier Mauras <olivier@mauras.ch>"
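Review bot: Adding `python3-notify2` to `depends` of the main package makes every apparmor install pull it in, although the PR text says it is only "required by aa-notify". A short comment above `depends` naming aa-notify as the consumer would keep the reason from getting lost the next time the list is edited.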
@@ -32,9 +32,6 @@ pre_build() {
# Replace release profiles with our own
cd ${wrksrc}
cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-
- # use the correct syslog path
- vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,'
}
post_build() {