From c9eb2bb47080bb718a52e3f818d802d5c96ef700 Mon Sep 17 00:00:00 2001
From: Paper
Date: Mon, 17 May 2021 11:26:24 +0200
Subject: [PATCH 1/3] New package: apparmor-rules-upstream-2021.04.21
---
 srcpkgs/apparmor-rules-upstream/template | 35 ++++++++++++++++++++++++
 srcpkgs/apparmor-rules-upstream/update | 2 ++
 2 files changed, 37 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-upstream/template
 create mode 100644 srcpkgs/apparmor-rules-upstream/update
diff --git a/srcpkgs/apparmor-rules-upstream/template b/srcpkgs/apparmor-rules-upstream/template
new file mode 100644
index 000000000000..82947777d152
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/template
@@ -0,0 +1,35 @@
+# Template file for 'apparmor-rules-upstream'
+pkgname=apparmor-rules-upstream
+version=2021.04.21
+revision=1
+_commit=92e27f5566eb5d6e0cd0c54c3bd4b656a3310dba
+wrksrc="apparmor-${_commit}"
+build_wrksrc="profiles"
+build_style=gnu-makefile
+conf_files="/etc/apparmor.d/local/*"
+hostmakedepends="which"
+short_desc="AppArmor upstream rules"
+maintainer="Paper "
+license="LGPL-2.1-only"
+homepage="https://gitlab.com/apparmor/apparmor"
+changelog="https://gitlab.com/apparmor/apparmor/-/commits/master/profiles"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/${_commit}/apparmor-${_commit}.tar.gz"
+checksum=2a3d7fd711ec01509027638b87584094e4f974ad7db2304adcc3494c7d11d06d
+make_check=no # circular dependency on apparmor_parser from the apparmor package
+
+post_patch() {
+ cd apparmor.d
+
+ for old_filename in sbin.* usr.sbin.*; do
+ new_filename="usr.bin.${old_filename/*sbin.}"
+ vsed -e "s,local/$old_filename,local/$new_filename," -i "$old_filename"
+ mv "$old_filename" "$new_filename"
+ done
+
+ vsed -e 's|/usr/libexec/libvirt_leaseshelper m,|/usr/libexec/libvirt_leaseshelper mr,|' -i usr.bin.dnsmasq
+}
+
+pre_build() {
+ # apparmor-rules-void contains conflicting rules
+ rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd
+}
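Review bot: `rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd` in pre_build can never fail, so if either path does not exist in the checkout (pre_build runs inside `build_wrksrc=profiles`, and I recall upstream keeping its extra profiles under `apparmor/profiles/extras/`, with an `s`) the profile that conflicts with apparmor-rules-void is silently kept and both packages end up shipping a dhcpcd or php-fpm profile. Drop the `-f` so a stale path breaks the build instead: `rm apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd`. The same fail-loudly concern applies to the post_patch loop: without `nullglob`, an unmatched `sbin.*` is passed literally to `vsed`, which only works as long as upstream keeps shipping at least one such file.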
diff --git a/srcpkgs/apparmor-rules-upstream/update b/srcpkgs/apparmor-rules-upstream/update new file mode 100644 index 000000000000..ec619829d3b4 --- /dev/null +++ b/srcpkgs/apparmor-rules-upstream/update @@ -0,0 +1,2 @@ +site=https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d +pattern='
  • )' From 2ad7ae67fdb4b4fdb7ef959d85b867eedba2c297 Mon Sep 17 00:00:00 2001 From: Paper Date: Mon, 17 May 2021 11:26:35 +0200 Subject: [PATCH 2/3] New package: apparmor-rules-void-2021.05.17 --- .../files/profiles/usr.bin.dhcpcd | 66 +++++++++ .../files/profiles/usr.bin.nginx | 32 +++++ .../files/profiles/usr.bin.php-fpm | 45 ++++++ .../files/profiles/usr.bin.pulseaudio | 132 ++++++++++++++++++ .../files/profiles/usr.bin.uuidd | 19 +++ .../files/profiles/usr.bin.wpa_supplicant | 53 +++++++ srcpkgs/apparmor-rules-void/template | 20 +++ 7 files changed, 367 insertions(+) create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant create mode 100644 srcpkgs/apparmor-rules-void/template diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd new file mode 100644 index 000000000000..1d6e1b95d62a --- /dev/null +++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd 
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+
+abi ,
+
+include
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+ include
+ include
+
+ capability chown,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability sys_admin,
+ capability sys_chroot,
+ capability bpf,
+
+ network packet dgram,
+ network packet raw,
+ network inet raw,
+ network inet6 raw,
+
+ /dev/pts/* rw,
+
+ /etc/dhcpcd.{conf,duid,secret} r,
+ /etc/ld.so.cache r,
+ /etc/udev/udev.conf r,
+
+ /proc/*/net/if_inet6 r,
+ /proc/sys/net/ipv{4,6}/conf/*/* rw,
+ /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
+ /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
+
+ /{var/,}run/dhcpcd/ w,
+ /{var/,}run/dhcpcd/{,*.}pid rwk,
+ /{var/,}run/dhcpcd/{,*.}sock rw,
+ /{var/,}run/dhcpcd/unpriv.sock rw,
+ /{var/,}run/udev/data/* r,
+
+ /sys/devices/**/net/*/uevent r,
+
+ /{usr/,}bin/dash ix,
+ /{usr/,}bin/dash mrix,
+
+ /usr/lib/dhcpcd/dev/udev.so m,
+ /usr/lib/ld-*.so m,
+ /usr/lib/libc-*.so m,
+
+ # Trust hooks and run the wrapper unconfined
+ /usr/libexec/dhcpcd-run-hooks CUx,
+
+ /var/db/dhcpcd-*.lease rw,
+ /var/db/dhcpcd/** rw,
+ /{usr/,}bin/dhcpcd mrix,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
new file mode 100644
index 000000000000..be769703f5df
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
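Review bot: `/usr/libexec/dhcpcd-run-hooks CUx,` only transitions to a child profile if one named for that path exists, and none is defined in this profile, so the hooks always take the unconfined fallback exactly as the comment says — yet the hook scripts are presumably where DHCP-supplied values from the network (hostname, DNS, NTP servers) are turned into file writes and command invocations, which makes them the code path most worth confining. If keeping hooks unconfined is a deliberate first step, make the comment say so, e.g. `# No child profile for dhcpcd-run-hooks yet: CUx falls back to unconfined (env scrubbed); hooks consume network-supplied values, revisit`. Two smaller cleanups: `/{usr/,}bin/dash ix,` is subsumed by `/{usr/,}bin/dash mrix,` on the next line, and `/{var/,}run/dhcpcd/{,*.}sock rw,` already matches `unpriv.sock`, so the following line is redundant.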
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+
+abi ,
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+include
+
+profile nginx /usr/bin/nginx {
+ include
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+
+ /etc/nginx/** r,
+
+ /run/nginx.pid rw,
+
+ /usr/bin/nginx mr,
+
+ /usr/share/nginx/html/* r,
+
+ /var/log/nginx/* w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
new file mode 100644
index 000000000000..0b036965da1d
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
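Review bot: The profile grants only `capability setgid,` and `capability setuid,`, so a root master process binding a privileged port (the stock nginx config listens on 80) will be denied in enforce mode unless `capability net_bind_service,` is added — the `include` directives might supply it, but their targets are stripped in this rendering and abstractions normally do not grant capabilities. I would run the profile in complain mode against the default config and check the audit log before it ships. `/usr/share/nginx/html/* r,` also covers only the top level of the docroot; use `**` if subdirectories are intended. Finally, `pfp-fpm` in the header comment should read `php-fpm`.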
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+abi ,
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+include
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+profile php-fpm /usr/bin/php-fpm {
+ include
+ include
+ include
+ include
+
+ capability setgid,
+ capability setuid,
+ capability kill,
+
+ /etc/php/php-fpm.conf r,
+ /etc/php/php-fpm.d/* r,
+
+ # This is set to make php-fpm work by default, but if you don't use these paths
+ # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+ # to where your PHP app is located
+ @{PHP_BASEDIRS}/** r,
+
+ /usr/bin/php-fpm mr,
+
+ /usr/share/pear/** r,
+ /usr/share/php/fpm/status.html r,
+
+ /var/log/php-fpm.log w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+
+}
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
new file mode 100644
index 000000000000..f8ceb4c23343
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
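Review bot: The hint `add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm` names a file the parser never reads: the site override is `local/usr.bin.php-fpm` (a directory, not a dot), which is what the header comment of this same file uses and what the apparmor-rules-void template creates under `/etc/apparmor.d/local/`. An operator following the comment would create a stray file and the intended deny would silently never apply, so change the line to `# add "deny @{PHP_BASEDIRS}/** r," to local/usr.bin.php-fpm and add read rights`. It is also worth confirming in complain mode that `/etc/php/php-fpm.conf` and `/etc/php/php-fpm.d/*` are all the configuration php-fpm reads; php.ini and extension modules are not listed here, unless one of the includes covers them.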
@@ -0,0 +1,132 @@
+# vim:syntax=apparmor
+
+abi ,
+
+include
+
+profile pulseaudio /usr/bin/pulseaudio {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.RealtimeKit1
+ member={MakeThreadRealtime,MakeThreadHighPriority}
+ peer=(name=org.freedesktop.RealtimeKit1),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ ptrace (read,trace) peer=@{profile_name},
+ signal (send) peer=pulseaudio//pulse-gsettings-helper,
+
+ /usr/bin/pulseaudio mixr,
+
+ /etc/pulse/ r,
+ /etc/pulse/* r,
+ /etc/udev/udev.conf r,
+ /etc/timidity/.pulse_cookie w,
+
+ /etc/asound.conf r,
+
+ owner @{HOME}/.esd_auth rwk,
+ owner @{HOME}/.pulse-cookie rwk,
+ owner @{HOME}/.config/pulse/cookie rwk,
+ owner @{HOME}/{.config/pulse,.pulse}/ rw,
+ owner @{HOME}/{.config/pulse,.pulse}/* rw,
+
+ owner /run/pulse/ rw,
+ owner /run/pulse/.pulse-cookie rwk,
+ owner /run/pulse/dbus-socket rwk,
+ owner /run/pulse/native rwk,
+ owner /run/pulse/pid rwk,
+ owner /run/user/[0-9]*/pulse/ rw,
+ owner /run/user/[0-9]*/pulse/* rwk,
+ /run/udev/data/+sound:card* r,
+ /run/udev/data/c116:[0-9]* r,
+ /run/udev/data/c14:[0-9]* r,
+
+ # logind
+ /run/user/[0-9]*/dconf/user k,
+
+ /sys/bus/ r,
+ /sys/class/ r,
+ /sys/class/sound/ r,
+ /sys/devices/pci[0-9]*/**/*class r,
+ /sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/online r,
+ /sys/devices/virtual/dmi/id/bios_vendor r,
+ /sys/devices/virtual/dmi/id/board_vendor r,
+ /sys/devices/virtual/dmi/id/sys_vendor r,
+ /sys/devices/virtual/sound/**/uevent r,
+
+ /usr/share/alsa/** r,
+ /usr/share/pulseaudio/** r,
+ /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
+ /usr/libexec/pulse/gsettings-helper Cx,
+
+ /usr/{,local/}share/applications/ r,
+ /usr/{,local/}share/applications/* r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+ /var/lib/flatpak/exports/share/applications/ r,
+ /var/lib/flatpak/exports/share/applications/* r,
+
+ owner /var/lib/gdm3/.config/pulse/ rw,
+ owner /var/lib/gdm3/.config/pulse/* rw,
+ owner /var/lib/gdm3/.config/pulse/cookie rwk,
+
+ owner /var/lib/lightdm/.Xauthority r,
+ owner /var/lib/lightdm/.esd_auth rwk,
+ owner /var/lib/lightdm/.config/pulse/cookie rwk,
+ owner /var/lib/lightdm/.config/pulse/ rw,
+ owner /var/lib/lightdm/.config/pulse/* rw,
+
+ # are these needed?
+ /var/lib/pulse/ rw,
+ /var/lib/pulse/*-default-sink rw,
+ /var/lib/pulse/*-default-source rw,
+ /var/lib/pulse/*.tdb rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
+
+ owner /tmp/pulse-*/pid rwk,
+ owner /tmp/pulse-*/native rwk,
+ owner /tmp/pulse-*/autospawn.lock rwk,
+ owner /run/user/*/pulse/autospawn.lock rwk,
+
+ owner /tmp/orcexec.* mrw,
+ owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
+ # needed if /tmp is mounted noexec:
+ owner @{HOME}/orcexec.* mrw,
+
+ owner /tmp/.esd-@{pid}*/ rw,
+ owner /tmp/.esd-@{pid}*/socket rw,
+
+ profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
+ include
+ include
+ include
+
+ /usr/libexec/pulse/gsettings-helper mr,
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user rw,
+ owner @{PROC}/@{pid}/fd/ r,
+ signal (receive) peer=pulseaudio,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
+
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
new file mode 100644
index 000000000000..b365c927b656
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
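Review bot: The `# are these needed?` question above the four unowned `/var/lib/pulse/… rw,` rules ships unanswered; in a profile meant for enforce mode every rule should have a known reason, so either resolve it in complain mode or at least scope them with `owner` like the neighbouring rules. The `owner /tmp/orcexec.* mrw,`, `owner /{,var/}run/user/[0-9]*/orcexec.* mrw,` and `owner @{HOME}/orcexec.* mrw,` rules each allow one file to be both writable and mapped executable, which is the classic W^X escape hatch for a long-running daemon; if that is required by the Orc JIT, as the name suggests, the comment should say so rather than only mentioning noexec `/tmp`. Paths such as `/var/lib/gdm3/` and `/var/lib/lightdm/` look inherited from a Debian/Ubuntu profile; confirm they match where Void's display managers keep their home directory before relying on them.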
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+abi ,
+
+include
+
+profile uuid /usr/bin/uuidd {
+ include
+ include
+
+ network inet dgram,
+
+ /usr/bin/uuidd mr,
+
+ /run/uuidd/request rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
new file mode 100644
index 000000000000..c5bb67d562fa
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+
+abi ,
+
+include
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+ include
+ include
+
+ capability net_admin,
+ capability net_raw,
+ capability chown,
+ capability dac_override,
+ capability fsetid,
+ network inet dgram,
+ network inet raw,
+ network packet dgram,
+ network netlink,
+
+ /usr/bin/wpa_supplicant mr,
+
+ /run/wpa_supplicant/ rw,
+ /run/wpa_supplicant/** rw,
+
+ /run/dbus/system_bus_socket rw,
+ /run/sendsigs.omit.d/wpasupplicant.pid rw,
+
+ /etc/wpa_supplicant/ rw,
+ /etc/wpa_supplicant/** rw,
+
+ /etc/nsswitch.conf r,
+ /etc/group r,
+
+ @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
+ @{PROC}/@{pid}/psched r,
+
+ /dev/rfkill r,
+
+ dbus (send, receive)
+ bus=system
+ path=/fi/w1/wpa_supplicant1,
+
+ dbus (send, receive)
+ bus=system
+ path=/fi/w1/wpa_supplicant1/**,
+
+ dbus (send,receive)
+ bus=system
+ path=/fi/epitest/hostap/WPASupplicant/**,
+
+ include if exists
+}
diff --git a/srcpkgs/apparmor-rules-void/template b/srcpkgs/apparmor-rules-void/template
new file mode 100644
index 000000000000..73830b3279eb
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/template
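Review bot: The profile is declared as `profile uuid /usr/bin/uuidd {` while the file and the binary are `uuidd`; the profile name is what `aa-status`, audit log entries and any future `peer=` rule refer to, so the mismatch will confuse anyone correlating denials. Rename it to `profile uuidd /usr/bin/uuidd {`. I would also confirm in complain mode that `network inet dgram,` is actually exercised by uuidd, which otherwise only touches `/run/uuidd/request` here; an unused network rule is free attack surface.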
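Review bot: `capability dac_override,` together with `capability chown,` and `capability fsetid,` lets wpa_supplicant ignore permission bits on every path the profile allows, including `/etc/wpa_supplicant/** rw,` where network PSKs live, so a compromised supplicant can rewrite the network configuration regardless of how those files are owned. If dac_override is needed for a single path, fixing that path's ownership and dropping the capability is the better trade; otherwise add a comment naming the operation that requires it. `/run/sendsigs.omit.d/wpasupplicant.pid rw,` is a Debian sysv-rc path that I would expect to be dead on Void, and `network netlink,` without a type allows every netlink socket type where `network netlink raw,` is what the supplicant typically needs — both worth confirming in complain mode.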
@@ -0,0 +1,20 @@
+# Template file for 'apparmor-rules-void'
+pkgname=apparmor-rules-void
+version=2021.05.17
+revision=1
+build_style=meta
+conf_files="/etc/apparmor.d/local/*"
+short_desc="AppArmor Void Linux rules"
+maintainer="Paper "
+license="GPL-2.0-only"
+homepage="https://github.com/void-linux/void-packages/"
+
+do_install() {
+ vmkdir etc/apparmor.d/local
+ cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/
+ cd ${DESTDIR}/etc/apparmor.d/
+ find . -maxdepth 1 -type f | while read -r rulepath; do
+ rule="${rulepath/.\/}"
+ echo "# Site-specific additions and overrides for '$rule'" > "local/$rule"
+ done
+}
From ee56b6ff495962975029acf59b22b7754a39312b Mon Sep 17 00:00:00 2001
From: Paper
Date: Mon, 17 May 2021 11:27:04 +0200
Subject: [PATCH 3/3] apparmor: move rules to a separate package
also fix license - libapparmor is LGPL-2.1-only, everything else is GPL-2.0-only
---
 .../apparmor/files/profiles/usr.bin.dhcpcd | 66 ---------
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 32 -----
 .../apparmor/files/profiles/usr.bin.php-fpm | 45 ------
 .../files/profiles/usr.bin.pulseaudio | 132 ------------------
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 19 ---
 .../files/profiles/usr.bin.wpa_supplicant | 53 -------
 .../patches/fix-dnsmasq-libvirt.patch | 13 --
 srcpkgs/apparmor/template | 27 ++--
 8 files changed, 9 insertions(+), 378 deletions(-)
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.nginx
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.uuidd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
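Review bot: The template declares no `depends`, yet every profile it installs starts with `include` directives (targets stripped in this rendering) that resolve against the tunables/abstractions tree under `/etc/apparmor.d/`, which after patch 3/3 drops `make install -C profiles` is shipped only by apparmor-rules-upstream; installing apparmor-rules-void on its own leaves profiles that apparmor_parser cannot load. Add `depends="apparmor-rules-upstream"` (or whichever package owns `/etc/apparmor.d/abstractions` and `tunables`). Separately, `cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/` installs whatever mode the checkout happens to have; `for f in ${FILESDIR}/profiles/*; do vinstall "$f" 644 etc/apparmor.d; done` makes the installed modes deterministic and is the usual xbps-src idiom.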
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd deleted file mode 100644 index 1d6e1b95d62a..000000000000 --- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd +++ /dev/null @@ -1,66 +0,0 @@ -# vim:syntax=apparmor - -abi , - -include - -profile dhcpcd /{usr/,}bin/dhcpcd { - include - include - - capability chown, - capability fowner, - capability fsetid, - capability kill, - capability net_admin, - capability net_raw, - capability setuid, - capability setgid, - capability sys_admin, - capability sys_chroot, - capability bpf, - - network packet dgram, - network packet raw, - network inet raw, - network inet6 raw, - - /dev/pts/* rw, - - /etc/dhcpcd.{conf,duid,secret} r, - /etc/ld.so.cache r, - /etc/udev/udev.conf r, - - /proc/*/net/if_inet6 r, - /proc/sys/net/ipv{4,6}/conf/*/* rw, - /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w, - /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w, - - /{var/,}run/dhcpcd/ w, - /{var/,}run/dhcpcd/{,*.}pid rwk, - /{var/,}run/dhcpcd/{,*.}sock rw, - /{var/,}run/dhcpcd/unpriv.sock rw, - /{var/,}run/udev/data/* r, - - /sys/devices/**/net/*/uevent r, - - /{usr/,}bin/dash ix, - /{usr/,}bin/dash mrix, - - /usr/lib/dhcpcd/dev/udev.so m, - /usr/lib/ld-*.so m, - /usr/lib/libc-*.so m, - - # Trust hooks and run the wrapper unconfined - /usr/libexec/dhcpcd-run-hooks CUx, - - /var/db/dhcpcd-*.lease rw, - /var/db/dhcpcd/** rw, - /{usr/,}bin/dhcpcd mrix, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - - # Site-specific additions and overrides. See local/README for details. - include if exists -} diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx deleted file mode 100644 index be769703f5df..000000000000 --- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx +++ /dev/null 
@@ -1,32 +0,0 @@ -# vim:syntax=apparmor - -abi , - -# NOTE: This profile will by default work with pfp-fpm on TCP sockets. -# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx -# /path/to/your/unix/socket rw, - -include - -profile nginx /usr/bin/nginx { - include - include - include - include - - capability setgid, - capability setuid, - - /etc/nginx/** r, - - /run/nginx.pid rw, - - /usr/bin/nginx mr, - - /usr/share/nginx/html/* r, - - /var/log/nginx/* w, - - # Site-specific additions and overrides. See local/README for details. - include if exists -} diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm deleted file mode 100644 index 0b036965da1d..000000000000 --- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm +++ /dev/null @@ -1,45 +0,0 @@ -# vim:syntax=apparmor - -abi , - -# NOTE: This profile uses TCP sockets by default -# If you wish for php-fpm to listen to unix socket, -# add the following permission to local/usr.bin.php-fpm -# /path/to/your/unix/socket w, - -include - -# This is PHP open_basedir where script can only be executed from. -# /home, /tmp have been removed to not open permissions too widely -# /usr/share/pear have been removed to have its own permission -@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/ - -profile php-fpm /usr/bin/php-fpm { - include - include - include - include - - capability setgid, - capability setuid, - capability kill, - - /etc/php/php-fpm.conf r, - /etc/php/php-fpm.d/* r, - - # This is set to make php-fpm work by default, but if you don't use these paths - # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights - # to where your PHP app is located - @{PHP_BASEDIRS}/** r, - - /usr/bin/php-fpm mr, - - /usr/share/pear/** r, - /usr/share/php/fpm/status.html r, - - /var/log/php-fpm.log w, - - # Site-specific additions and overrides. See local/README for details. - include if exists - -} 
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio deleted file mode 100644 index f8ceb4c23343..000000000000 --- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio +++ /dev/null 
@@ -1,132 +0,0 @@ -# vim:syntax=apparmor - -abi , - -include - -profile pulseaudio /usr/bin/pulseaudio { - include - include - include - include - include - include - - dbus send - bus=system - path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.RealtimeKit1 - member={MakeThreadRealtime,MakeThreadHighPriority} - peer=(name=org.freedesktop.RealtimeKit1), - - dbus send - bus=system - path=/org/freedesktop/RealtimeKit1 - interface=org.freedesktop.DBus.Properties - member=Get, - - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - ptrace (read,trace) peer=@{profile_name}, - signal (send) peer=pulseaudio//pulse-gsettings-helper, - - /usr/bin/pulseaudio mixr, - - /etc/pulse/ r, - /etc/pulse/* r, - /etc/udev/udev.conf r, - /etc/timidity/.pulse_cookie w, - - /etc/asound.conf r, - - owner @{HOME}/.esd_auth rwk, - owner @{HOME}/.pulse-cookie rwk, - owner @{HOME}/.config/pulse/cookie rwk, - owner @{HOME}/{.config/pulse,.pulse}/ rw, - owner @{HOME}/{.config/pulse,.pulse}/* rw, - - owner /run/pulse/ rw, - owner /run/pulse/.pulse-cookie rwk, - owner /run/pulse/dbus-socket rwk, - owner /run/pulse/native rwk, - owner /run/pulse/pid rwk, - owner /run/user/[0-9]*/pulse/ rw, - owner /run/user/[0-9]*/pulse/* rwk, - /run/udev/data/+sound:card* r, - /run/udev/data/c116:[0-9]* r, - /run/udev/data/c14:[0-9]* r, - - # logind - /run/user/[0-9]*/dconf/user k, - - /sys/bus/ r, - /sys/class/ r, - /sys/class/sound/ r, - /sys/devices/pci[0-9]*/**/*class r, - /sys/devices/pci[0-9]*/**/uevent r, - /sys/devices/system/cpu/ r, - /sys/devices/system/cpu/online r, - /sys/devices/virtual/dmi/id/bios_vendor r, - /sys/devices/virtual/dmi/id/board_vendor r, - /sys/devices/virtual/dmi/id/sys_vendor r, - /sys/devices/virtual/sound/**/uevent r, - - /usr/share/alsa/** r, - /usr/share/pulseaudio/** r, - /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr, - /usr/libexec/pulse/gsettings-helper Cx, - - /usr/{,local/}share/applications/ r, - /usr/{,local/}share/applications/* r, 
- owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r, - owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r, - /var/lib/flatpak/exports/share/applications/ r, - /var/lib/flatpak/exports/share/applications/* r, - - owner /var/lib/gdm3/.config/pulse/ rw, - owner /var/lib/gdm3/.config/pulse/* rw, - owner /var/lib/gdm3/.config/pulse/cookie rwk, - - owner /var/lib/lightdm/.Xauthority r, - owner /var/lib/lightdm/.esd_auth rwk, - owner /var/lib/lightdm/.config/pulse/cookie rwk, - owner /var/lib/lightdm/.config/pulse/ rw, - owner /var/lib/lightdm/.config/pulse/* rw, - - # are these needed? - /var/lib/pulse/ rw, - /var/lib/pulse/*-default-sink rw, - /var/lib/pulse/*-default-source rw, - /var/lib/pulse/*.tdb rw, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/{maps,mountinfo,stat} r, - - owner /tmp/pulse-*/pid rwk, - owner /tmp/pulse-*/native rwk, - owner /tmp/pulse-*/autospawn.lock rwk, - owner /run/user/*/pulse/autospawn.lock rwk, - - owner /tmp/orcexec.* mrw, - owner /{,var/}run/user/[0-9]*/orcexec.* mrw, - # needed if /tmp is mounted noexec: - owner @{HOME}/orcexec.* mrw, - - owner /tmp/.esd-@{pid}*/ rw, - owner /tmp/.esd-@{pid}*/socket rw, - - profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper { - include - include - include - - /usr/libexec/pulse/gsettings-helper mr, - owner /{,var/}run/user/*/dconf/user rw, - owner @{HOME}/.config/dconf/user rw, - owner @{PROC}/@{pid}/fd/ r, - signal (receive) peer=pulseaudio, - } - - # Site-specific additions and overrides. See local/README for details. - include if exists -} - diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd deleted file mode 100644 index b365c927b656..000000000000 --- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd +++ /dev/null 
@@ -1,19 +0,0 @@ -# vim:syntax=apparmor - -abi , - -include - -profile uuid /usr/bin/uuidd { - include - include - - network inet dgram, - - /usr/bin/uuidd mr, - - /run/uuidd/request rw, - - # Site-specific additions and overrides. See local/README for details. - include if exists -} diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant deleted file mode 100644 index c5bb67d562fa..000000000000 --- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant +++ /dev/null @@ -1,53 +0,0 @@ -# vim:syntax=apparmor - -abi , - -include - -profile wpa_supplicant /usr/bin/wpa_supplicant { - include - include - - capability net_admin, - capability net_raw, - capability chown, - capability dac_override, - capability fsetid, - network inet dgram, - network inet raw, - network packet dgram, - network netlink, - - /usr/bin/wpa_supplicant mr, - - /run/wpa_supplicant/ rw, - /run/wpa_supplicant/** rw, - - /run/dbus/system_bus_socket rw, - /run/sendsigs.omit.d/wpasupplicant.pid rw, - - /etc/wpa_supplicant/ rw, - /etc/wpa_supplicant/** rw, - - /etc/nsswitch.conf r, - /etc/group r, - - @{PROC}/sys/net/ipv{4,6}/conf/*/* rw, - @{PROC}/@{pid}/psched r, - - /dev/rfkill r, - - dbus (send, receive) - bus=system - path=/fi/w1/wpa_supplicant1, - - dbus (send, receive) - bus=system - path=/fi/w1/wpa_supplicant1/**, - - dbus (send,receive) - bus=system - path=/fi/epitest/hostap/WPASupplicant/**, - - include if exists -} diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch deleted file mode 100644 index 99ba9d3b5ab9..000000000000 --- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-- /usr/libexec/libvirt_leaseshelper m,
-+ /usr/libexec/libvirt_leaseshelper mr,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 0d8c1ec7087e..45a39b8d97c6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,19 +1,20 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=4
+revision=5
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
-conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
+conf_files="/etc/apparmor/*"
 make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
-depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
+depends="runit-void-apparmor apparmor-rules-upstream apparmor-rules-void
+ libapparmor-${version}_${revision} python3-notify2 python3-psutil"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras "
-license="GPL-2.0-only, LGPL-2.1-only"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
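Review bot: `conf_files` drops `/etc/apparmor.d/local/*` while `depends` now pulls in apparmor-rules-upstream and apparmor-rules-void, both of which declare those same `local/` stubs as their own conf_files; on an upgrade from `3.0.1_4` the files change owning package within one transaction, and I am not certain xbps preserves an administrator's edited `local/usr.bin.nginx` when the old package stops owning it. Please test an upgrade with a modified local override and, if the edit is lost, handle it with `replaces`/`conflicts` or at least call it out in the commit message. Also worth a second look: the hard dependency on both rule sets means there is no way to install the parser and tools without the Void profiles being dropped into `/etc/apparmor.d/` and loaded by the service.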
@@ -28,23 +29,15 @@ pre_configure() {
 autoreconf -if
 }
 
-pre_build() {
- # Replace release profiles with our own
- cd ${wrksrc}
- cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-}
-
 post_build() {
- cd ${wrksrc}
-
+ cd "${wrksrc}"
 make ${makejobs} -C binutils
 make ${makejobs} -C utils
 make ${makejobs} -C parser
- make ${makejobs} -C profiles
 }
 
 post_install() {
- cd ${wrksrc}
+ cd "${wrksrc}"
 commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
 make $commonflags install -C binutils
 make $commonflags \
@@ -54,15 +47,11 @@ post_install() {
 make $commonflags \
 APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
 install -C parser
- make DESTDIR="${DESTDIR}" install -C profiles
 
 # requires perl bindings not generated when cross-compiling
 if [ "$CROSS_BUILD" ]; then
 rm -f ${DESTDIR}/usr/bin/aa-notify
 fi
-
- # we installed a custom conflicting profile
- rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
@@ -76,6 +65,7 @@ apparmor-vim_package() {
 
 libapparmor_package() {
 short_desc+=" - Library"
+ license="LGPL-2.1-only"
 pkg_install() {
 vmove "usr/lib/libapparmor.so*"
 if [ -z "$CROSS_BUILD" ]; then
@@ -89,6 +79,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 short_desc+=" - Library development files"
+ license="LGPL-2.1-only"
 depends="lib${sourcepkg}-${version}_${revision}"
 pkg_install() {
 vmove usr/include