* [PR PATCH] apparmor: move rules to a separate package
@ 2021-05-17  9:41 paper42
From: paper42 @ 2021-05-17  9:41 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 904 bytes --]

There is a new pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-split-rules
https://github.com/void-linux/void-packages/pull/30946

apparmor: move rules to a separate package
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

@noarchwastaken, I noticed the patch you added for dnsmasq is not in the master branch of apparmor — would you like to make a PR there?

A patch file from https://github.com/void-linux/void-packages/pull/30946.patch is attached

[-- Attachment #2: github-pr-apparmor-split-rules-30946.patch --]
[-- Type: text/x-diff, Size: 30382 bytes --]

From c9eb2bb47080bb718a52e3f818d802d5c96ef700 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:24 +0200
Subject: [PATCH 1/3] New package: apparmor-rules-upstream-2021.04.21

---
 srcpkgs/apparmor-rules-upstream/template | 35 ++++++++++++++++++++++++
 srcpkgs/apparmor-rules-upstream/update   |  2 ++
 2 files changed, 37 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-upstream/template
 create mode 100644 srcpkgs/apparmor-rules-upstream/update

diff --git a/srcpkgs/apparmor-rules-upstream/template b/srcpkgs/apparmor-rules-upstream/template
new file mode 100644
index 000000000000..82947777d152
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/template
@@ -0,0 +1,35 @@
+# Template file for 'apparmor-rules-upstream'
+pkgname=apparmor-rules-upstream
+version=2021.04.21
+revision=1
+_commit=92e27f5566eb5d6e0cd0c54c3bd4b656a3310dba
+wrksrc="apparmor-${_commit}"
+build_wrksrc="profiles"
+build_style=gnu-makefile
+conf_files="/etc/apparmor.d/local/*"
+hostmakedepends="which"
+short_desc="AppArmor upstream rules"
+maintainer="Paper <paper@tilde.institute>"
+license="LGPL-2.1-only"
+homepage="https://gitlab.com/apparmor/apparmor"
+changelog="https://gitlab.com/apparmor/apparmor/-/commits/master/profiles"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/${_commit}/apparmor-${_commit}.tar.gz"
+checksum=2a3d7fd711ec01509027638b87584094e4f974ad7db2304adcc3494c7d11d06d
+make_check=no # circular dependency on apparmor_parser from the apparmor package
+
+post_patch() {
+	cd apparmor.d
+
+	for old_filename in sbin.* usr.sbin.*; do
+		new_filename="usr.bin.${old_filename/*sbin.}"
+		vsed -e "s,local/$old_filename,local/$new_filename," -i "$old_filename"
+		mv "$old_filename" "$new_filename"
+	done
+
+	vsed -e 's|/usr/libexec/libvirt_leaseshelper m,|/usr/libexec/libvirt_leaseshelper mr,|' -i usr.bin.dnsmasq
+}
+
+pre_build() {
+	# apparmor-rules-void contains conflicting rules
+	rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd
+}
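Review bot: `rm -f` in pre_build makes a wrong path invisible — with build_wrksrc=profiles the second argument resolves to profiles/apparmor/profiles/extra/sbin.dhcpcd, and if the upstream directory is actually named `extras` (it appears to be) the conflicting profile stays in the tree while the build still succeeds. Since this step exists to prevent a file conflict with apparmor-rules-void, let it fail loudly: `rm apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd`. Note also that the post_patch rename loop only touches files inside apparmor.d, so this extra profile keeps its `sbin.` prefix; a comment saying so would save the next reader a search.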
diff --git a/srcpkgs/apparmor-rules-upstream/update b/srcpkgs/apparmor-rules-upstream/update
new file mode 100644
index 000000000000..ec619829d3b4
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/update
@@ -0,0 +1,2 @@
+site=https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d
+pattern='<li class="commits-row" data-day="\K.*(?=">)'

From c3955c5f4306987ee07424c75c566c4004c94731 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:35 +0200
Subject: [PATCH 2/3] New package: apparmor-rules-void-2021.05.17

---
 .../files/profiles/usr.bin.dhcpcd             |  66 +++++++++
 .../files/profiles/usr.bin.nginx              |  32 +++++
 .../files/profiles/usr.bin.php-fpm            |  45 ++++++
 .../files/profiles/usr.bin.pulseaudio         | 132 ++++++++++++++++++
 .../files/profiles/usr.bin.uuidd              |  19 +++
 .../files/profiles/usr.bin.wpa_supplicant     |  53 +++++++
 srcpkgs/apparmor-rules-void/template          |  15 ++
 7 files changed, 362 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
 create mode 100644 srcpkgs/apparmor-rules-void/template

diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
new file mode 100644
index 000000000000..1d6e1b95d62a
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setuid,
+  capability setgid,
+  capability sys_admin,
+  capability sys_chroot,
+  capability bpf,
+
+  network packet dgram,
+  network packet raw,
+  network inet raw,
+  network inet6 raw,
+
+  /dev/pts/* rw,
+
+  /etc/dhcpcd.{conf,duid,secret} r,
+  /etc/ld.so.cache r,
+  /etc/udev/udev.conf r,
+
+  /proc/*/net/if_inet6 r,
+  /proc/sys/net/ipv{4,6}/conf/*/* rw,
+  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
+  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
+
+  /{var/,}run/dhcpcd/ w,
+  /{var/,}run/dhcpcd/{,*.}pid rwk,
+  /{var/,}run/dhcpcd/{,*.}sock rw,
+  /{var/,}run/dhcpcd/unpriv.sock rw,
+  /{var/,}run/udev/data/* r,
+
+  /sys/devices/**/net/*/uevent r,
+
+  /{usr/,}bin/dash ix,
+  /{usr/,}bin/dash mrix,
+
+  /usr/lib/dhcpcd/dev/udev.so m,
+  /usr/lib/ld-*.so m,
+  /usr/lib/libc-*.so m,
+
+  # Trust hooks and run the wrapper unconfined
+  /usr/libexec/dhcpcd-run-hooks CUx,
+
+  /var/db/dhcpcd-*.lease rw,
+  /var/db/dhcpcd/** rw,
+  /{usr/,}bin/dhcpcd mrix,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.dhcpcd>
+}
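Review bot: `/{usr/,}bin/dash ix,` is fully covered by `/{usr/,}bin/dash mrix,` on the following line; keep only the `mrix` rule. The `CUx` on /usr/libexec/dhcpcd-run-hooks ends confinement at the hook wrapper, which the comment states, but the `capability sys_admin,` grant above it has no explanation and is the broadest capability in the profile — a one-line why-comment there would let a later reviewer judge whether it can be dropped. The `/usr/lib/ld-*.so m,` and `/usr/lib/libc-*.so m,` rules are most likely already provided by abstractions/base; presumably harmless, but confirm before keeping them.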
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
new file mode 100644
index 000000000000..be769703f5df
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+include <tunables/global>
+
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/nginx/** r,
+
+  /run/nginx.pid rw,
+
+  /usr/bin/nginx mr,
+
+  /usr/share/nginx/html/* r,
+
+  /var/log/nginx/* w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.nginx>
+}
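Review bot: the header comment says `pfp-fpm` where it means php-fpm: `# NOTE: This profile will by default work with php-fpm on TCP sockets.`. Separately, `/usr/share/nginx/html/* r,` only matches files directly in the docroot; if the default site is expected to serve subdirectories, `/usr/share/nginx/html/** r,` is the intended rule — confirm against the shipped nginx config.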
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
new file mode 100644
index 000000000000..0b036965da1d
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+include <tunables/global>
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
+
+  capability setgid,
+  capability setuid,
+  capability kill,
+
+  /etc/php/php-fpm.conf r,
+  /etc/php/php-fpm.d/* r,
+
+  # This is set to make php-fpm work by default, but if you don't use these paths
+  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+  # to where your PHP app is located
+  @{PHP_BASEDIRS}/** r,
+
+  /usr/bin/php-fpm mr,
+
+  /usr/share/pear/** r,
+  /usr/share/php/fpm/status.html r,
+
+  /var/log/php-fpm.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.php-fpm>
+
+}
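Review bot: the comment above the `@{PHP_BASEDIRS}/** r,` rule points users at `local.usr.bin.php-fpm`, but the file this profile actually includes is `<local/usr.bin.php-fpm>`; suggest `# add "deny @{PHP_BASEDIRS}/** r," to local/usr.bin.php-fpm and add read rights`. The blank line between the local include and the closing brace is also out of step with the other profiles.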
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
new file mode 100644
index 000000000000..f8ceb4c23343
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
@@ -0,0 +1,132 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile pulseaudio /usr/bin/pulseaudio {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.RealtimeKit1
+       member={MakeThreadRealtime,MakeThreadHighPriority}
+       peer=(name=org.freedesktop.RealtimeKit1),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+  ptrace (read,trace) peer=@{profile_name},
+  signal (send) peer=pulseaudio//pulse-gsettings-helper,
+
+  /usr/bin/pulseaudio mixr,
+
+  /etc/pulse/ r,
+  /etc/pulse/* r,
+  /etc/udev/udev.conf r,
+  /etc/timidity/.pulse_cookie w,
+
+  /etc/asound.conf r,
+
+  owner @{HOME}/.esd_auth rwk,
+  owner @{HOME}/.pulse-cookie rwk,
+  owner @{HOME}/.config/pulse/cookie rwk,
+  owner @{HOME}/{.config/pulse,.pulse}/ rw,
+  owner @{HOME}/{.config/pulse,.pulse}/* rw,
+
+  owner /run/pulse/ rw,
+  owner /run/pulse/.pulse-cookie rwk,
+  owner /run/pulse/dbus-socket rwk,
+  owner /run/pulse/native rwk,
+  owner /run/pulse/pid rwk,
+  owner /run/user/[0-9]*/pulse/  rw,
+  owner /run/user/[0-9]*/pulse/* rwk,
+  /run/udev/data/+sound:card* r,
+  /run/udev/data/c116:[0-9]* r,
+  /run/udev/data/c14:[0-9]* r,
+
+  # logind
+  /run/user/[0-9]*/dconf/user k,
+
+  /sys/bus/ r,
+  /sys/class/ r,
+  /sys/class/sound/ r,
+  /sys/devices/pci[0-9]*/**/*class r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/online r,
+  /sys/devices/virtual/dmi/id/bios_vendor r,
+  /sys/devices/virtual/dmi/id/board_vendor r,
+  /sys/devices/virtual/dmi/id/sys_vendor r,
+  /sys/devices/virtual/sound/**/uevent r,
+
+  /usr/share/alsa/** r,
+  /usr/share/pulseaudio/** r,
+  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
+  /usr/libexec/pulse/gsettings-helper Cx,
+
+  /usr/{,local/}share/applications/ r,
+  /usr/{,local/}share/applications/* r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+  /var/lib/flatpak/exports/share/applications/ r,
+  /var/lib/flatpak/exports/share/applications/* r,
+
+  owner /var/lib/gdm3/.config/pulse/ rw,
+  owner /var/lib/gdm3/.config/pulse/* rw,
+  owner /var/lib/gdm3/.config/pulse/cookie rwk,
+
+  owner /var/lib/lightdm/.Xauthority r,
+  owner /var/lib/lightdm/.esd_auth rwk,
+  owner /var/lib/lightdm/.config/pulse/cookie rwk,
+  owner /var/lib/lightdm/.config/pulse/ rw,
+  owner /var/lib/lightdm/.config/pulse/* rw,
+
+  # are these needed?
+  /var/lib/pulse/ rw,
+  /var/lib/pulse/*-default-sink rw,
+  /var/lib/pulse/*-default-source rw,
+  /var/lib/pulse/*.tdb rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
+
+  owner /tmp/pulse-*/pid rwk,
+  owner /tmp/pulse-*/native rwk,
+  owner /tmp/pulse-*/autospawn.lock rwk,
+  owner /run/user/*/pulse/autospawn.lock rwk,
+
+  owner /tmp/orcexec.* mrw,
+  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
+  # needed if /tmp is mounted noexec:
+  owner @{HOME}/orcexec.* mrw,
+
+  owner /tmp/.esd-@{pid}*/ rw,
+  owner /tmp/.esd-@{pid}*/socket rw,
+
+  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
+
+    /usr/libexec/pulse/gsettings-helper mr,
+    owner /{,var/}run/user/*/dconf/user rw,
+    owner @{HOME}/.config/dconf/user rw,
+    owner @{PROC}/@{pid}/fd/ r,
+    signal (receive) peer=pulseaudio,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.pulseaudio>
+}
+
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
new file mode 100644
index 000000000000..b365c927b656
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  network inet dgram,
+
+  /usr/bin/uuidd mr,
+
+  /run/uuidd/request rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.uuidd>
+}
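Review bot: `profile uuid /usr/bin/uuidd {` names the profile `uuid`, which matches neither the binary, the file name, nor the `local/usr.bin.uuidd` include; the profile name is what appears in aa-status output and audit records, so a mismatch makes logs harder to correlate. Suggest `profile uuidd /usr/bin/uuidd {`.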
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
new file mode 100644
index 000000000000..c5bb67d562fa
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
+
+  capability net_admin,
+  capability net_raw,
+  capability chown,
+  capability dac_override,
+  capability fsetid,
+  network inet dgram,
+  network inet raw,
+  network packet dgram,
+  network netlink,
+
+  /usr/bin/wpa_supplicant mr,
+
+  /run/wpa_supplicant/ rw,
+  /run/wpa_supplicant/** rw,
+
+  /run/dbus/system_bus_socket rw,
+  /run/sendsigs.omit.d/wpasupplicant.pid rw,
+
+  /etc/wpa_supplicant/ rw,
+  /etc/wpa_supplicant/** rw,
+  
+  /etc/nsswitch.conf r,
+  /etc/group r,
+ 
+  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
+  @{PROC}/@{pid}/psched r,
+
+  /dev/rfkill r,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1/**,
+
+  dbus (send,receive)
+       bus=system
+       path=/fi/epitest/hostap/WPASupplicant/**,
+
+  include if exists <local/usr.bin.wpa_supplicant>
+}
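Review bot: the three `dbus (send,receive)` rules carry no interface= or member= restriction, so on bus=system they allow any message in either direction on those object paths; that is noticeably wider than the RealtimeKit rules in usr.bin.pulseaudio, so either narrow them or add a comment saying why the whole tree is needed. The lines after `/etc/wpa_supplicant/** rw,` and after `/etc/group r,` contain trailing whitespace, and the final include lacks the `# Site-specific additions and overrides. See local/README for details.` comment the other profiles carry. `/run/sendsigs.omit.d/wpasupplicant.pid rw,` looks like a Debian sysvinit path; presumably dead on Void, but harmless.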
diff --git a/srcpkgs/apparmor-rules-void/template b/srcpkgs/apparmor-rules-void/template
new file mode 100644
index 000000000000..70be42a614c0
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/template
@@ -0,0 +1,15 @@
+# Template file for 'apparmor-rules-void'
+pkgname=apparmor-rules-void
+version=2021.05.17
+revision=1
+build_style=meta
+conf_files="/etc/apparmor.d/local/*"
+short_desc="AppArmor Void Linux rules"
+maintainer="Paper <paper@tilde.institute>"
+license="GPL-2.0-only"
+homepage="https://github.com/void-linux/void-packages/"
+
+do_install() {
+	vmkdir etc/apparmor.d/
+	cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/
+}
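Review bot: `cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/` leaves both expansions unquoted and installs the files with whatever mode they have in the checkout; the template helpers make the mode explicit: `for f in "${FILESDIR}"/profiles/*; do vinstall "$f" 644 etc/apparmor.d; done`. `conf_files="/etc/apparmor.d/local/*"` names a directory this package installs nothing into — do_install only copies the profiles themselves — so it is either a leftover from the apparmor template or it should list the profiles if local edits to them are meant to survive upgrades.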

From 827cb45a4b84b035e53cbb2573302f585d63930b Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:27:04 +0200
Subject: [PATCH 3/3] apparmor: move rules to a separate package

also fix license - libapparmor is LGPL-2.1-only, everything else is
GPL-2.0-only
---
 .../apparmor/files/profiles/usr.bin.dhcpcd    |  66 ---------
 srcpkgs/apparmor/files/profiles/usr.bin.nginx |  32 -----
 .../apparmor/files/profiles/usr.bin.php-fpm   |  45 ------
 .../files/profiles/usr.bin.pulseaudio         | 132 ------------------
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd |  19 ---
 .../files/profiles/usr.bin.wpa_supplicant     |  53 -------
 .../patches/fix-dnsmasq-libvirt.patch         |  13 --
 srcpkgs/apparmor/template                     |  27 ++--
 8 files changed, 9 insertions(+), 378 deletions(-)
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.nginx
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.uuidd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
deleted file mode 100644
index 1d6e1b95d62a..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ /dev/null
@@ -1,66 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile dhcpcd /{usr/,}bin/dhcpcd {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-
-  capability chown,
-  capability fowner,
-  capability fsetid,
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setuid,
-  capability setgid,
-  capability sys_admin,
-  capability sys_chroot,
-  capability bpf,
-
-  network packet dgram,
-  network packet raw,
-  network inet raw,
-  network inet6 raw,
-
-  /dev/pts/* rw,
-
-  /etc/dhcpcd.{conf,duid,secret} r,
-  /etc/ld.so.cache r,
-  /etc/udev/udev.conf r,
-
-  /proc/*/net/if_inet6 r,
-  /proc/sys/net/ipv{4,6}/conf/*/* rw,
-  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
-  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
-
-  /{var/,}run/dhcpcd/ w,
-  /{var/,}run/dhcpcd/{,*.}pid rwk,
-  /{var/,}run/dhcpcd/{,*.}sock rw,
-  /{var/,}run/dhcpcd/unpriv.sock rw,
-  /{var/,}run/udev/data/* r,
-
-  /sys/devices/**/net/*/uevent r,
-
-  /{usr/,}bin/dash ix,
-  /{usr/,}bin/dash mrix,
-
-  /usr/lib/dhcpcd/dev/udev.so m,
-  /usr/lib/ld-*.so m,
-  /usr/lib/libc-*.so m,
-
-  # Trust hooks and run the wrapper unconfined
-  /usr/libexec/dhcpcd-run-hooks CUx,
-
-  /var/db/dhcpcd-*.lease rw,
-  /var/db/dhcpcd/** rw,
-  /{usr/,}bin/dhcpcd mrix,
-
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.dhcpcd>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
deleted file mode 100644
index be769703f5df..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ /dev/null
@@ -1,32 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
-# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
-# /path/to/your/unix/socket rw,
-
-include <tunables/global>
-
-profile nginx /usr/bin/nginx {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/nis>
-  include <abstractions/openssl>
-
-  capability setgid,
-  capability setuid,
-
-  /etc/nginx/** r,
-
-  /run/nginx.pid rw,
-
-  /usr/bin/nginx mr,
-
-  /usr/share/nginx/html/* r,
-
-  /var/log/nginx/* w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.nginx>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
deleted file mode 100644
index 0b036965da1d..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ /dev/null
@@ -1,45 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile uses TCP sockets by default
-# If you wish for php-fpm to listen to unix socket,
-# add the following permission to local/usr.bin.php-fpm
-# /path/to/your/unix/socket w,
-
-include <tunables/global>
-
-# This is PHP open_basedir where script can only be executed from.
-# /home, /tmp have been removed to not open permissions too widely
-# /usr/share/pear have been removed to have its own permission
-@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
-
-profile php-fpm /usr/bin/php-fpm {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/openssl>
-  include <abstractions/php>
-
-  capability setgid,
-  capability setuid,
-  capability kill,
-
-  /etc/php/php-fpm.conf r,
-  /etc/php/php-fpm.d/* r,
-
-  # This is set to make php-fpm work by default, but if you don't use these paths
-  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
-  # to where your PHP app is located
-  @{PHP_BASEDIRS}/** r,
-
-  /usr/bin/php-fpm mr,
-
-  /usr/share/pear/** r,
-  /usr/share/php/fpm/status.html r,
-
-  /var/log/php-fpm.log w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.php-fpm>
-
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
deleted file mode 100644
index f8ceb4c23343..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ /dev/null
@@ -1,132 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile pulseaudio /usr/bin/pulseaudio {
-  include <abstractions/base>
-  include <abstractions/audio>
-  include <abstractions/dbus-session>
-  include <abstractions/dbus-strict>
-  include <abstractions/nameservice>
-  include <abstractions/X>
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
-       peer=(name=org.freedesktop.RealtimeKit1),
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.DBus.Properties
-       member=Get,
-
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
-  ptrace (read,trace) peer=@{profile_name},
-  signal (send) peer=pulseaudio//pulse-gsettings-helper,
-
-  /usr/bin/pulseaudio mixr,
-
-  /etc/pulse/ r,
-  /etc/pulse/* r,
-  /etc/udev/udev.conf r,
-  /etc/timidity/.pulse_cookie w,
-
-  /etc/asound.conf r,
-
-  owner @{HOME}/.esd_auth rwk,
-  owner @{HOME}/.pulse-cookie rwk,
-  owner @{HOME}/.config/pulse/cookie rwk,
-  owner @{HOME}/{.config/pulse,.pulse}/ rw,
-  owner @{HOME}/{.config/pulse,.pulse}/* rw,
-
-  owner /run/pulse/ rw,
-  owner /run/pulse/.pulse-cookie rwk,
-  owner /run/pulse/dbus-socket rwk,
-  owner /run/pulse/native rwk,
-  owner /run/pulse/pid rwk,
-  owner /run/user/[0-9]*/pulse/  rw,
-  owner /run/user/[0-9]*/pulse/* rwk,
-  /run/udev/data/+sound:card* r,
-  /run/udev/data/c116:[0-9]* r,
-  /run/udev/data/c14:[0-9]* r,
-
-  # logind
-  /run/user/[0-9]*/dconf/user k,
-
-  /sys/bus/ r,
-  /sys/class/ r,
-  /sys/class/sound/ r,
-  /sys/devices/pci[0-9]*/**/*class r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/online r,
-  /sys/devices/virtual/dmi/id/bios_vendor r,
-  /sys/devices/virtual/dmi/id/board_vendor r,
-  /sys/devices/virtual/dmi/id/sys_vendor r,
-  /sys/devices/virtual/sound/**/uevent r,
-
-  /usr/share/alsa/** r,
-  /usr/share/pulseaudio/** r,
-  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
-  /usr/libexec/pulse/gsettings-helper Cx,
-
-  /usr/{,local/}share/applications/ r,
-  /usr/{,local/}share/applications/* r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
-  /var/lib/flatpak/exports/share/applications/ r,
-  /var/lib/flatpak/exports/share/applications/* r,
-
-  owner /var/lib/gdm3/.config/pulse/ rw,
-  owner /var/lib/gdm3/.config/pulse/* rw,
-  owner /var/lib/gdm3/.config/pulse/cookie rwk,
-
-  owner /var/lib/lightdm/.Xauthority r,
-  owner /var/lib/lightdm/.esd_auth rwk,
-  owner /var/lib/lightdm/.config/pulse/cookie rwk,
-  owner /var/lib/lightdm/.config/pulse/ rw,
-  owner /var/lib/lightdm/.config/pulse/* rw,
-
-  # are these needed?
-  /var/lib/pulse/ rw,
-  /var/lib/pulse/*-default-sink rw,
-  /var/lib/pulse/*-default-source rw,
-  /var/lib/pulse/*.tdb rw,
-
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
-
-  owner /tmp/pulse-*/pid rwk,
-  owner /tmp/pulse-*/native rwk,
-  owner /tmp/pulse-*/autospawn.lock rwk,
-  owner /run/user/*/pulse/autospawn.lock rwk,
-
-  owner /tmp/orcexec.* mrw,
-  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
-  # needed if /tmp is mounted noexec:
-  owner @{HOME}/orcexec.* mrw,
-
-  owner /tmp/.esd-@{pid}*/ rw,
-  owner /tmp/.esd-@{pid}*/socket rw,
-
-  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    include <abstractions/base>
-    include <abstractions/gnome>
-    include <abstractions/dconf>
-
-    /usr/libexec/pulse/gsettings-helper mr,
-    owner /{,var/}run/user/*/dconf/user rw,
-    owner @{HOME}/.config/dconf/user rw,
-    owner @{PROC}/@{pid}/fd/ r,
-    signal (receive) peer=pulseaudio,
-  }
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.pulseaudio>
-}
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
deleted file mode 100644
index b365c927b656..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ /dev/null
@@ -1,19 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile uuid /usr/bin/uuidd {
-  include <abstractions/base>
-  include <abstractions/consoles>
-
-  network inet dgram,
-
-  /usr/bin/uuidd mr,
-
-  /run/uuidd/request rw,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.uuidd>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
deleted file mode 100644
index c5bb67d562fa..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ /dev/null
@@ -1,53 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile wpa_supplicant /usr/bin/wpa_supplicant {
-  include <abstractions/base>
-  include <abstractions/dbus-strict>
-
-  capability net_admin,
-  capability net_raw,
-  capability chown,
-  capability dac_override,
-  capability fsetid,
-  network inet dgram,
-  network inet raw,
-  network packet dgram,
-  network netlink,
-
-  /usr/bin/wpa_supplicant mr,
-
-  /run/wpa_supplicant/ rw,
-  /run/wpa_supplicant/** rw,
-
-  /run/dbus/system_bus_socket rw,
-  /run/sendsigs.omit.d/wpasupplicant.pid rw,
-
-  /etc/wpa_supplicant/ rw,
-  /etc/wpa_supplicant/** rw,
-  
-  /etc/nsswitch.conf r,
-  /etc/group r,
- 
-  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
-  @{PROC}/@{pid}/psched r,
-
-  /dev/rfkill r,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1/**,
-
-  dbus (send,receive)
-       bus=system
-       path=/fi/epitest/hostap/WPASupplicant/**,
-
-  include if exists <local/usr.bin.wpa_supplicant>
-}
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 0d8c1ec7087e..45a39b8d97c6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,19 +1,20 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=4
+revision=5
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
-conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
+conf_files="/etc/apparmor/*"
 make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
-depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
+depends="runit-void-apparmor apparmor-rules-upstream apparmor-rules-void
+ libapparmor-${version}_${revision} python3-notify2 python3-psutil"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
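Review bot: `depends=` now hard-wires both apparmor-rules-upstream and apparmor-rules-void into the parser package, so a user who wants upstream profiles only (or neither) cannot remove a rule set without removing apparmor itself. If the split is meant to give that choice, consider requiring at most apparmor-rules-upstream and leaving apparmor-rules-void optional; if both are always wanted, a short comment in the template saying so avoids the question being reopened. The rest of the hunk (revision, conf_files, license) looks consistent with the new packages.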
@@ -28,23 +29,15 @@ pre_configure() {
 	autoreconf -if
 }
 
-pre_build() {
-	# Replace release profiles with our own
-	cd ${wrksrc}
-	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-}
-
 post_build() {
-	cd ${wrksrc}
-
+	cd "${wrksrc}"
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
-	make ${makejobs} -C profiles
 }
 
 post_install() {
-	cd ${wrksrc}
+	cd "${wrksrc}"
 	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
 	make $commonflags install -C binutils
 	make $commonflags \
@@ -54,15 +47,11 @@ post_install() {
 	make $commonflags \
 		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
 		install -C parser
-	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
-
-	# we installed a custom conflicting profile
-	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
@@ -76,6 +65,7 @@ apparmor-vim_package() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
@@ -89,6 +79,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include
