From 3b64ee48d3683e472af528399da0252d3dd26e87 Mon Sep 17 00:00:00 2001
From: Paper
Date: Wed, 3 Feb 2021 20:13:56 +0100
Subject: [PATCH] apparmor: various fixes
* add missing dependency python3-notify2 for aa-notify
* do not rewrite logfiles option in logprof.conf aggressively
* remove an old patch
---
 .../add-missing-typedef-definitions.patch | 49 -----------------
 .../patches/correct_paths_logprofconf.patch | 9 ++--
 .../patches/fix-setting-proc_attr_base.patch | 52 +++++++++++++++++++
 srcpkgs/apparmor/template | 7 +--
 4 files changed, 60 insertions(+), 57 deletions(-)
 delete mode 100644 srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
 create mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
diff --git a/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch b/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
deleted file mode 100644
index 30925916350..00000000000
--- a/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Source: Alpine Linux
-Upstream: Unknown
-Reason: Fixes compilation with musl libc
----
-
-diff --git a/parser/missingdefs.h b/parser/missingdefs.h
-new file mode 100644
-index 0000000..8097aef
---- /dev/null
-+++ b/parser/missingdefs.h
-@@ -0,0 +1,8 @@
-+#ifndef PARSER_MISSINGDEFS_H
-+#define PARSER_MISSINGDEFS_H
-+
-+typedef int (*__compar_fn_t) (const void *, const void *);
-+typedef __compar_fn_t comparison_fn_t;
-+typedef void (*__free_fn_t) (void *__nodep);
-+
-+#endif
-diff --git a/parser/parser_alias.c b/parser/parser_alias.c
-index f5b6da4..d57f580 100644
---- a/parser/parser_alias.c
-+++ b/parser/parser_alias.c
-@@ -25,6 +25,10 @@
- #include "parser.h"
- #include "profile.h"
-
-+#ifndef __GLIBC__
-+#include "missingdefs.h"
-+#endif
-+
- struct alias_rule {
- char *from;
- char *to;
-diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
-index 3e667d8..e109f4d 100644
---- a/parser/parser_symtab.c
-+++ b/parser/parser_symtab.c
-@@ -25,6 +25,10 @@
- #include "immunix.h"
- #include "parser.h"
-
-+#ifndef __GLIBC__
-+#include "missingdefs.h"
-+#endif
-+
- enum var_type {
- sd_boolean,
- sd_set,
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
index fb6ce53ffdc..e34e69af8bf 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@@ -11,15 +11,18 @@ diff --git a/utils/logprof.conf b/utils/logprof.conf index a778792..a9f7b79 100644 --- a/utils/logprof.conf
+++ b/utils/logprof.conf -@@ -14,7 +14,7 @@ +@@ -12,9 +12,9 @@ + [settings] + profiledir = /etc/apparmor.d /etc/subdomain.d inactive_profiledir = /usr/share/apparmor/extra-profiles - logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages +- logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages ++ logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages - parser = /sbin/apparmor_parser /sbin/subdomain_parser + parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser ldd = /usr/bin/ldd logger = /bin/logger /usr/bin/logger - + @@ -51,12 +51,10 @@ /bin/mount = u /usr/bin/mount = u
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
new file mode 100644
index 00000000000..35e9101f81b
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
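Review bot: The new `logfiles` value keeps `/var/log/audit/audit.log` ahead of `/var/log/socklog/kernel/current`, and that order may decide which log is read. If aa-logprof takes the first listed path that exists (inferred, confirm against the 3.0.1 utils), a stale audit.log left behind by a removed auditd would shadow the socklog file and denials would go unnoticed. The patch's header lies above this hunk; a line there such as `Reason: audit.log is preferred when auditd runs, socklog's kernel log otherwise` would record the intended precedence.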
@@ -0,0 +1,52 @@
+upstream: yes
+From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
+From: Aaron U'Ren
+Date: Wed, 20 Jan 2021 17:26:37 -0600
+Subject: [PATCH] fix setting proc_attr_base
+
+There is currently a case in which proc_attr_base won't get set when
+asprintf is able to generate the path, but the file doesn't exist, it
+will exit proc_attr_base_init_once() without proc_attr_base having been
+set as the fall-through if/else logic will get bypassed when asprintf is
+successful.
+---
+ libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
+index 0fa77b014..6ba028614 100644
+--- a/libraries/libapparmor/src/kernel.c
++++ b/libraries/libapparmor/src/kernel.c
+@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
+ /* if we fail we just fall back to the default value */
+ if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
+ autoclose int fd = open(tmp, O_RDONLY);
+- if (fd != -1)
++ if (fd != -1) {
+ proc_attr_base = proc_attr_base_stacking;
+- } else if (!is_enabled() && is_private_enabled()) {
++ return;
++ }
++ }
++ if (!is_enabled() && is_private_enabled()) {
+ /* new stacking interfaces aren't available and apparmor
+- * is disabled, but available. do not use the
+- * /proc//attr/ * interfaces as they could be
+- * in use by another LSM
+- */
++ * is disabled, but available. do not use the
++ * /proc//attr/ * interfaces as they could be
++ * in use by another LSM
++ */
+ proc_attr_base = proc_attr_base_unavailable;
+- } else {
+- proc_attr_base = proc_attr_base_old;
++ return;
+ }
++ proc_attr_base = proc_attr_base_old;
+ }
+
+ static char *procattr_path(pid_t pid, const char *attr)
+--
+GitLab
+
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index f6f5bff6aae..27029962cf0 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
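Review bot: The context line `if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {` that this carried patch keeps still treats a failed asprintf() as success: asprintf() returns -1 on failure, which is non-zero, so the branch is entered and `open(tmp, O_RDONLY)` runs on a pointer whose contents are undefined. The test should be `if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid()) != -1) {`, so that an allocation failure falls through to the `is_enabled()` check as the `/* if we fail we just fall back to the default value */` comment intends. How `tmp` is declared and freed is outside the hunk, as is the start of proc_attr_base_init_once(), so confirm it is released on each of the new `return` paths.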
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=1
+revision=2
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -9,7 +9,7 @@ conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
 make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
-depends="runit-void-apparmor python3 libapparmor"
+depends="runit-void-apparmor python3 libapparmor python3-notify2"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras "
@@ -32,9 +32,6 @@ pre_build() { # Replace release profiles with our own cd ${wrksrc} cp ${FILESDIR}/profiles/* profiles/apparmor.d/ - - # use the correct syslog path - vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,' } post_build() {