Github messages for voidlinux
* [PR PATCH] apparmor: move rules to a separate package
@ 2021-05-17  9:41 paper42
  2021-05-17  9:58 ` [PR PATCH] [Updated] " paper42
                   ` (15 more replies)
  0 siblings, 16 replies; 17+ messages in thread
From: paper42 @ 2021-05-17  9:41 UTC (permalink / raw)
  To: ml


There is a new pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-split-rules
https://github.com/void-linux/void-packages/pull/30946

apparmor: move rules to a separate package
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

@noarchwastaken, I noticed the patch you added for dnsmasq is not in the master branch of apparmor; would you like to make a PR there?

A patch file from https://github.com/void-linux/void-packages/pull/30946.patch is attached

[-- Attachment #2: github-pr-apparmor-split-rules-30946.patch --]
[-- Type: text/x-diff, Size: 30382 bytes --]

From c9eb2bb47080bb718a52e3f818d802d5c96ef700 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:24 +0200
Subject: [PATCH 1/3] New package: apparmor-rules-upstream-2021.04.21

---
 srcpkgs/apparmor-rules-upstream/template | 35 ++++++++++++++++++++++++
 srcpkgs/apparmor-rules-upstream/update   |  2 ++
 2 files changed, 37 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-upstream/template
 create mode 100644 srcpkgs/apparmor-rules-upstream/update

diff --git a/srcpkgs/apparmor-rules-upstream/template b/srcpkgs/apparmor-rules-upstream/template
new file mode 100644
index 000000000000..82947777d152
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/template
@@ -0,0 +1,35 @@
+# Template file for 'apparmor-rules-upstream'
+pkgname=apparmor-rules-upstream
+version=2021.04.21
+revision=1
+_commit=92e27f5566eb5d6e0cd0c54c3bd4b656a3310dba
+wrksrc="apparmor-${_commit}"
+build_wrksrc="profiles"
+build_style=gnu-makefile
+conf_files="/etc/apparmor.d/local/*"
+hostmakedepends="which"
+short_desc="AppArmor upstream rules"
+maintainer="Paper <paper@tilde.institute>"
+license="LGPL-2.1-only"
+homepage="https://gitlab.com/apparmor/apparmor"
+changelog="https://gitlab.com/apparmor/apparmor/-/commits/master/profiles"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/${_commit}/apparmor-${_commit}.tar.gz"
+checksum=2a3d7fd711ec01509027638b87584094e4f974ad7db2304adcc3494c7d11d06d
+make_check=no # circular dependency on apparmor_parser from the apparmor package
+
+post_patch() {
+	cd apparmor.d
+
+	for old_filename in sbin.* usr.sbin.*; do
+		new_filename="usr.bin.${old_filename/*sbin.}"
+		vsed -e "s,local/$old_filename,local/$new_filename," -i "$old_filename"
+		mv "$old_filename" "$new_filename"
+	done
+
+	vsed -e 's|/usr/libexec/libvirt_leaseshelper m,|/usr/libexec/libvirt_leaseshelper mr,|' -i usr.bin.dnsmasq
+}
+
+pre_build() {
+	# apparmor-rules-void contains conflicting rules
+	rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd
+}
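Review bot: the `rm -f` in pre_build succeeds silently even if `apparmor/profiles/extra/sbin.dhcpcd` is not the real path (pre_build runs under `build_wrksrc=profiles`, so that resolves to `profiles/apparmor/profiles/extra/...` inside wrksrc); drop `-f`, or test for the file first, so a typo or an upstream rename fails the build instead of leaving a dhcpcd profile that conflicts with the one in apparmor-rules-void. The same applies to the dnsmasq `vsed` in post_patch: it replaces `fix-dnsmasq-libvirt.patch`, which 3/3 deletes, but a sed expression that stops matching after an upstream change does not stop the build the way a patch that fails to apply does; keeping the fix as a file under `patches/` is safer until it is upstreamed. A short comment on the rename loop saying that `/usr/sbin` is merged into `/usr/bin` on Void would also tell the next reader why `sbin.*` and `usr.sbin.*` are renamed at all.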
diff --git a/srcpkgs/apparmor-rules-upstream/update b/srcpkgs/apparmor-rules-upstream/update
new file mode 100644
index 000000000000..ec619829d3b4
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/update
@@ -0,0 +1,2 @@
+site=https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d
+pattern='<li class="commits-row" data-day="\K.*(?=">)'
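Review bot: this update check scrapes a `data-day` attribute out of GitLab's commits-page HTML, so it only ever reports a date; a bump still needs `_commit` and `checksum` resolved by hand, and the pattern breaks silently whenever GitLab changes its markup. A comment in the template next to `_commit` explaining that `version` is the date of the newest commit under profiles/apparmor.d (which is what `site` points at) would spare the next maintainer from guessing the convention.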

From c3955c5f4306987ee07424c75c566c4004c94731 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:35 +0200
Subject: [PATCH 2/3] New package: apparmor-rules-void-2021.05.17

---
 .../files/profiles/usr.bin.dhcpcd             |  66 +++++++++
 .../files/profiles/usr.bin.nginx              |  32 +++++
 .../files/profiles/usr.bin.php-fpm            |  45 ++++++
 .../files/profiles/usr.bin.pulseaudio         | 132 ++++++++++++++++++
 .../files/profiles/usr.bin.uuidd              |  19 +++
 .../files/profiles/usr.bin.wpa_supplicant     |  53 +++++++
 srcpkgs/apparmor-rules-void/template          |  15 ++
 7 files changed, 362 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
 create mode 100644 srcpkgs/apparmor-rules-void/template

diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
new file mode 100644
index 000000000000..1d6e1b95d62a
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setuid,
+  capability setgid,
+  capability sys_admin,
+  capability sys_chroot,
+  capability bpf,
+
+  network packet dgram,
+  network packet raw,
+  network inet raw,
+  network inet6 raw,
+
+  /dev/pts/* rw,
+
+  /etc/dhcpcd.{conf,duid,secret} r,
+  /etc/ld.so.cache r,
+  /etc/udev/udev.conf r,
+
+  /proc/*/net/if_inet6 r,
+  /proc/sys/net/ipv{4,6}/conf/*/* rw,
+  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
+  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
+
+  /{var/,}run/dhcpcd/ w,
+  /{var/,}run/dhcpcd/{,*.}pid rwk,
+  /{var/,}run/dhcpcd/{,*.}sock rw,
+  /{var/,}run/dhcpcd/unpriv.sock rw,
+  /{var/,}run/udev/data/* r,
+
+  /sys/devices/**/net/*/uevent r,
+
+  /{usr/,}bin/dash ix,
+  /{usr/,}bin/dash mrix,
+
+  /usr/lib/dhcpcd/dev/udev.so m,
+  /usr/lib/ld-*.so m,
+  /usr/lib/libc-*.so m,
+
+  # Trust hooks and run the wrapper unconfined
+  /usr/libexec/dhcpcd-run-hooks CUx,
+
+  /var/db/dhcpcd-*.lease rw,
+  /var/db/dhcpcd/** rw,
+  /{usr/,}bin/dhcpcd mrix,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.dhcpcd>
+}
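Review bot: `/{usr/,}bin/dash ix,` is redundant with the `/{usr/,}bin/dash mrix,` line directly below it; drop the first. The trust boundary also deserves a fuller comment: the profile grants `capability sys_admin` and `capability bpf`, and `/usr/libexec/dhcpcd-run-hooks CUx,` runs the hook wrapper unconfined, so any site hook script it executes inherits full root with no AppArmor mediation; "Trust hooks" should say that explicitly. Finally, check whether `/etc/dhcpcd.{conf,duid,secret} r,` is enough on first boot, when dhcpcd may have to create the duid/secret files; if the audit log shows a denied write there, the rule needs `rw` or the files need to be generated outside the profile.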
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
new file mode 100644
index 000000000000..be769703f5df
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+include <tunables/global>
+
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/nginx/** r,
+
+  /run/nginx.pid rw,
+
+  /usr/bin/nginx mr,
+
+  /usr/share/nginx/html/* r,
+
+  /var/log/nginx/* w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.nginx>
+}
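Review bot: nothing in this profile grants `network` access explicitly; nginx can bind its listening sockets only because `abstractions/nameservice` pulls in inet/inet6 stream and dgram rules. Add `network inet stream,` and `network inet6 stream,` so the intent is visible and removing that abstraction (or `abstractions/nis`, which nginx has no obvious use for) does not silently break the server. Also `pfp-fpm` in the header comment should read `php-fpm`, and `/usr/share/nginx/html/* r,` covers only one level of the default document root; use `**` if subdirectories are expected.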
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
new file mode 100644
index 000000000000..0b036965da1d
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+include <tunables/global>
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
+
+  capability setgid,
+  capability setuid,
+  capability kill,
+
+  /etc/php/php-fpm.conf r,
+  /etc/php/php-fpm.d/* r,
+
+  # This is set to make php-fpm work by default, but if you don't use these paths
+  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+  # to where your PHP app is located
+  @{PHP_BASEDIRS}/** r,
+
+  /usr/bin/php-fpm mr,
+
+  /usr/share/pear/** r,
+  /usr/share/php/fpm/status.html r,
+
+  /var/log/php-fpm.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.php-fpm>
+
+}
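Review bot: the comment `add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm` names the override file as `local.usr.bin.php-fpm`, but the include at the bottom is `<local/usr.bin.php-fpm>`; fix the comment so admins edit the file that is actually read. The header comment also calls `@{PHP_BASEDIRS}` "PHP open_basedir", which it is not: this is an AppArmor read rule and does nothing to PHP's `open_basedir` setting, so say that the two are independent and both should be configured. The `deny` advice itself is sound, since deny rules take precedence over allow rules.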
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
new file mode 100644
index 000000000000..f8ceb4c23343
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
@@ -0,0 +1,132 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile pulseaudio /usr/bin/pulseaudio {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.RealtimeKit1
+       member={MakeThreadRealtime,MakeThreadHighPriority}
+       peer=(name=org.freedesktop.RealtimeKit1),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+  ptrace (read,trace) peer=@{profile_name},
+  signal (send) peer=pulseaudio//pulse-gsettings-helper,
+
+  /usr/bin/pulseaudio mixr,
+
+  /etc/pulse/ r,
+  /etc/pulse/* r,
+  /etc/udev/udev.conf r,
+  /etc/timidity/.pulse_cookie w,
+
+  /etc/asound.conf r,
+
+  owner @{HOME}/.esd_auth rwk,
+  owner @{HOME}/.pulse-cookie rwk,
+  owner @{HOME}/.config/pulse/cookie rwk,
+  owner @{HOME}/{.config/pulse,.pulse}/ rw,
+  owner @{HOME}/{.config/pulse,.pulse}/* rw,
+
+  owner /run/pulse/ rw,
+  owner /run/pulse/.pulse-cookie rwk,
+  owner /run/pulse/dbus-socket rwk,
+  owner /run/pulse/native rwk,
+  owner /run/pulse/pid rwk,
+  owner /run/user/[0-9]*/pulse/  rw,
+  owner /run/user/[0-9]*/pulse/* rwk,
+  /run/udev/data/+sound:card* r,
+  /run/udev/data/c116:[0-9]* r,
+  /run/udev/data/c14:[0-9]* r,
+
+  # logind
+  /run/user/[0-9]*/dconf/user k,
+
+  /sys/bus/ r,
+  /sys/class/ r,
+  /sys/class/sound/ r,
+  /sys/devices/pci[0-9]*/**/*class r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/online r,
+  /sys/devices/virtual/dmi/id/bios_vendor r,
+  /sys/devices/virtual/dmi/id/board_vendor r,
+  /sys/devices/virtual/dmi/id/sys_vendor r,
+  /sys/devices/virtual/sound/**/uevent r,
+
+  /usr/share/alsa/** r,
+  /usr/share/pulseaudio/** r,
+  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
+  /usr/libexec/pulse/gsettings-helper Cx,
+
+  /usr/{,local/}share/applications/ r,
+  /usr/{,local/}share/applications/* r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+  /var/lib/flatpak/exports/share/applications/ r,
+  /var/lib/flatpak/exports/share/applications/* r,
+
+  owner /var/lib/gdm3/.config/pulse/ rw,
+  owner /var/lib/gdm3/.config/pulse/* rw,
+  owner /var/lib/gdm3/.config/pulse/cookie rwk,
+
+  owner /var/lib/lightdm/.Xauthority r,
+  owner /var/lib/lightdm/.esd_auth rwk,
+  owner /var/lib/lightdm/.config/pulse/cookie rwk,
+  owner /var/lib/lightdm/.config/pulse/ rw,
+  owner /var/lib/lightdm/.config/pulse/* rw,
+
+  # are these needed?
+  /var/lib/pulse/ rw,
+  /var/lib/pulse/*-default-sink rw,
+  /var/lib/pulse/*-default-source rw,
+  /var/lib/pulse/*.tdb rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
+
+  owner /tmp/pulse-*/pid rwk,
+  owner /tmp/pulse-*/native rwk,
+  owner /tmp/pulse-*/autospawn.lock rwk,
+  owner /run/user/*/pulse/autospawn.lock rwk,
+
+  owner /tmp/orcexec.* mrw,
+  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
+  # needed if /tmp is mounted noexec:
+  owner @{HOME}/orcexec.* mrw,
+
+  owner /tmp/.esd-@{pid}*/ rw,
+  owner /tmp/.esd-@{pid}*/socket rw,
+
+  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
+
+    /usr/libexec/pulse/gsettings-helper mr,
+    owner /{,var/}run/user/*/dconf/user rw,
+    owner @{HOME}/.config/dconf/user rw,
+    owner @{PROC}/@{pid}/fd/ r,
+    signal (receive) peer=pulseaudio,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.pulseaudio>
+}
+
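Review bot: `# are these needed?` should not ship in a packaged profile; either confirm that the `/var/lib/pulse/` rules are for system-wide mode and say so, or drop them. The `# logind` comment above `/run/user/[0-9]*/dconf/user k,` is also wrong, that path belongs to dconf. Two deliberate relaxations deserve a comment of their own: the `owner /tmp/orcexec.* mrw,` family grants write and mmap-exec on the same file (needed by the ORC JIT, but it is a W^X exception), and `/etc/timidity/.pulse_cookie w,` lets the daemon write a cookie under /etc. The file also ends with an extra blank line.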
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
new file mode 100644
index 000000000000..b365c927b656
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  network inet dgram,
+
+  /usr/bin/uuidd mr,
+
+  /run/uuidd/request rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.uuidd>
+}
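Review bot: the profile is named `uuid` but confines `/usr/bin/uuidd` and its override is `local/usr.bin.uuidd`; name it `uuidd` so `peer=` references and `aa-status` output match the daemon. `network inet dgram,` is also unexplained for a daemon that serves requests over `/run/uuidd/request`; if it came from a denial in the audit log, note what triggers it, otherwise drop it.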
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
new file mode 100644
index 000000000000..c5bb67d562fa
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
+
+  capability net_admin,
+  capability net_raw,
+  capability chown,
+  capability dac_override,
+  capability fsetid,
+  network inet dgram,
+  network inet raw,
+  network packet dgram,
+  network netlink,
+
+  /usr/bin/wpa_supplicant mr,
+
+  /run/wpa_supplicant/ rw,
+  /run/wpa_supplicant/** rw,
+
+  /run/dbus/system_bus_socket rw,
+  /run/sendsigs.omit.d/wpasupplicant.pid rw,
+
+  /etc/wpa_supplicant/ rw,
+  /etc/wpa_supplicant/** rw,
+  
+  /etc/nsswitch.conf r,
+  /etc/group r,
+ 
+  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
+  @{PROC}/@{pid}/psched r,
+
+  /dev/rfkill r,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1/**,
+
+  dbus (send,receive)
+       bus=system
+       path=/fi/epitest/hostap/WPASupplicant/**,
+
+  include if exists <local/usr.bin.wpa_supplicant>
+}
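Review bot: `/etc/wpa_supplicant/** rw,` together with `capability chown`, `dac_override` and `fsetid` lets a compromised supplicant rewrite its own configuration, stored PSKs included; unless `update_config=1` / `save_config` is the expected setup, ship `r` here and put the `w` in `local/usr.bin.wpa_supplicant` with a comment. Two lines carry trailing whitespace (the blank lines after `/etc/wpa_supplicant/** rw,` and after `/etc/group r,`), and the `# Site-specific additions and overrides` comment the other profiles place before their `include if exists` is missing here.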
diff --git a/srcpkgs/apparmor-rules-void/template b/srcpkgs/apparmor-rules-void/template
new file mode 100644
index 000000000000..70be42a614c0
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/template
@@ -0,0 +1,15 @@
+# Template file for 'apparmor-rules-void'
+pkgname=apparmor-rules-void
+version=2021.05.17
+revision=1
+build_style=meta
+conf_files="/etc/apparmor.d/local/*"
+short_desc="AppArmor Void Linux rules"
+maintainer="Paper <paper@tilde.institute>"
+license="GPL-2.0-only"
+homepage="https://github.com/void-linux/void-packages/"
+
+do_install() {
+	vmkdir etc/apparmor.d/
+	cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/
+}
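Review bot: every profile in this package starts with `include <tunables/global>` and `include <abstractions/base>`, and those files are installed by the upstream profiles Makefile, i.e. by apparmor-rules-upstream once 3/3 removes `make install -C profiles` from apparmor, yet this template declares no `depends`; add `depends="apparmor-rules-upstream"` (or keep abstractions/tunables in apparmor) so the parser can load these profiles on a system that installs this package alone. `build_style=meta` is meant for packages with no files; a template with only a `do_install` can omit `build_style` entirely. And `cp ${FILESDIR}/profiles/*` inherits whatever mode the files have in the checkout; `vinstall "$f" 644 etc/apparmor.d` per file pins it.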

From 827cb45a4b84b035e53cbb2573302f585d63930b Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:27:04 +0200
Subject: [PATCH 3/3] apparmor: move rules to a separate package

also fix license - libapparmor is LGPL-2.1-only, everything else is
GPL-2.0-only
---
 .../apparmor/files/profiles/usr.bin.dhcpcd    |  66 ---------
 srcpkgs/apparmor/files/profiles/usr.bin.nginx |  32 -----
 .../apparmor/files/profiles/usr.bin.php-fpm   |  45 ------
 .../files/profiles/usr.bin.pulseaudio         | 132 ------------------
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd |  19 ---
 .../files/profiles/usr.bin.wpa_supplicant     |  53 -------
 .../patches/fix-dnsmasq-libvirt.patch         |  13 --
 srcpkgs/apparmor/template                     |  27 ++--
 8 files changed, 9 insertions(+), 378 deletions(-)
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.nginx
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.uuidd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
deleted file mode 100644
index 1d6e1b95d62a..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ /dev/null
@@ -1,66 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile dhcpcd /{usr/,}bin/dhcpcd {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-
-  capability chown,
-  capability fowner,
-  capability fsetid,
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setuid,
-  capability setgid,
-  capability sys_admin,
-  capability sys_chroot,
-  capability bpf,
-
-  network packet dgram,
-  network packet raw,
-  network inet raw,
-  network inet6 raw,
-
-  /dev/pts/* rw,
-
-  /etc/dhcpcd.{conf,duid,secret} r,
-  /etc/ld.so.cache r,
-  /etc/udev/udev.conf r,
-
-  /proc/*/net/if_inet6 r,
-  /proc/sys/net/ipv{4,6}/conf/*/* rw,
-  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
-  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
-
-  /{var/,}run/dhcpcd/ w,
-  /{var/,}run/dhcpcd/{,*.}pid rwk,
-  /{var/,}run/dhcpcd/{,*.}sock rw,
-  /{var/,}run/dhcpcd/unpriv.sock rw,
-  /{var/,}run/udev/data/* r,
-
-  /sys/devices/**/net/*/uevent r,
-
-  /{usr/,}bin/dash ix,
-  /{usr/,}bin/dash mrix,
-
-  /usr/lib/dhcpcd/dev/udev.so m,
-  /usr/lib/ld-*.so m,
-  /usr/lib/libc-*.so m,
-
-  # Trust hooks and run the wrapper unconfined
-  /usr/libexec/dhcpcd-run-hooks CUx,
-
-  /var/db/dhcpcd-*.lease rw,
-  /var/db/dhcpcd/** rw,
-  /{usr/,}bin/dhcpcd mrix,
-
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.dhcpcd>
-}
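Review bot: the six profile files deleted in this commit are byte-identical to the ones added under srcpkgs/apparmor-rules-void in 2/3 (same blob ids, e.g. `1d6e1b95d62a` on both sides), but because the add and the delete sit in different commits git cannot record them as renames; moving the deletion into 2/3 (or squashing 2/3 and 3/3) keeps `git log --follow` history on the profiles.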
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
deleted file mode 100644
index be769703f5df..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ /dev/null
@@ -1,32 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
-# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
-# /path/to/your/unix/socket rw,
-
-include <tunables/global>
-
-profile nginx /usr/bin/nginx {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/nis>
-  include <abstractions/openssl>
-
-  capability setgid,
-  capability setuid,
-
-  /etc/nginx/** r,
-
-  /run/nginx.pid rw,
-
-  /usr/bin/nginx mr,
-
-  /usr/share/nginx/html/* r,
-
-  /var/log/nginx/* w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.nginx>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
deleted file mode 100644
index 0b036965da1d..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ /dev/null
@@ -1,45 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile uses TCP sockets by default
-# If you wish for php-fpm to listen to unix socket,
-# add the following permission to local/usr.bin.php-fpm
-# /path/to/your/unix/socket w,
-
-include <tunables/global>
-
-# This is PHP open_basedir where script can only be executed from.
-# /home, /tmp have been removed to not open permissions too widely
-# /usr/share/pear have been removed to have its own permission
-@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
-
-profile php-fpm /usr/bin/php-fpm {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/openssl>
-  include <abstractions/php>
-
-  capability setgid,
-  capability setuid,
-  capability kill,
-
-  /etc/php/php-fpm.conf r,
-  /etc/php/php-fpm.d/* r,
-
-  # This is set to make php-fpm work by default, but if you don't use these paths
-  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
-  # to where your PHP app is located
-  @{PHP_BASEDIRS}/** r,
-
-  /usr/bin/php-fpm mr,
-
-  /usr/share/pear/** r,
-  /usr/share/php/fpm/status.html r,
-
-  /var/log/php-fpm.log w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.php-fpm>
-
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
deleted file mode 100644
index f8ceb4c23343..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ /dev/null
@@ -1,132 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile pulseaudio /usr/bin/pulseaudio {
-  include <abstractions/base>
-  include <abstractions/audio>
-  include <abstractions/dbus-session>
-  include <abstractions/dbus-strict>
-  include <abstractions/nameservice>
-  include <abstractions/X>
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
-       peer=(name=org.freedesktop.RealtimeKit1),
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.DBus.Properties
-       member=Get,
-
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
-  ptrace (read,trace) peer=@{profile_name},
-  signal (send) peer=pulseaudio//pulse-gsettings-helper,
-
-  /usr/bin/pulseaudio mixr,
-
-  /etc/pulse/ r,
-  /etc/pulse/* r,
-  /etc/udev/udev.conf r,
-  /etc/timidity/.pulse_cookie w,
-
-  /etc/asound.conf r,
-
-  owner @{HOME}/.esd_auth rwk,
-  owner @{HOME}/.pulse-cookie rwk,
-  owner @{HOME}/.config/pulse/cookie rwk,
-  owner @{HOME}/{.config/pulse,.pulse}/ rw,
-  owner @{HOME}/{.config/pulse,.pulse}/* rw,
-
-  owner /run/pulse/ rw,
-  owner /run/pulse/.pulse-cookie rwk,
-  owner /run/pulse/dbus-socket rwk,
-  owner /run/pulse/native rwk,
-  owner /run/pulse/pid rwk,
-  owner /run/user/[0-9]*/pulse/  rw,
-  owner /run/user/[0-9]*/pulse/* rwk,
-  /run/udev/data/+sound:card* r,
-  /run/udev/data/c116:[0-9]* r,
-  /run/udev/data/c14:[0-9]* r,
-
-  # logind
-  /run/user/[0-9]*/dconf/user k,
-
-  /sys/bus/ r,
-  /sys/class/ r,
-  /sys/class/sound/ r,
-  /sys/devices/pci[0-9]*/**/*class r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/online r,
-  /sys/devices/virtual/dmi/id/bios_vendor r,
-  /sys/devices/virtual/dmi/id/board_vendor r,
-  /sys/devices/virtual/dmi/id/sys_vendor r,
-  /sys/devices/virtual/sound/**/uevent r,
-
-  /usr/share/alsa/** r,
-  /usr/share/pulseaudio/** r,
-  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
-  /usr/libexec/pulse/gsettings-helper Cx,
-
-  /usr/{,local/}share/applications/ r,
-  /usr/{,local/}share/applications/* r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
-  /var/lib/flatpak/exports/share/applications/ r,
-  /var/lib/flatpak/exports/share/applications/* r,
-
-  owner /var/lib/gdm3/.config/pulse/ rw,
-  owner /var/lib/gdm3/.config/pulse/* rw,
-  owner /var/lib/gdm3/.config/pulse/cookie rwk,
-
-  owner /var/lib/lightdm/.Xauthority r,
-  owner /var/lib/lightdm/.esd_auth rwk,
-  owner /var/lib/lightdm/.config/pulse/cookie rwk,
-  owner /var/lib/lightdm/.config/pulse/ rw,
-  owner /var/lib/lightdm/.config/pulse/* rw,
-
-  # are these needed?
-  /var/lib/pulse/ rw,
-  /var/lib/pulse/*-default-sink rw,
-  /var/lib/pulse/*-default-source rw,
-  /var/lib/pulse/*.tdb rw,
-
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
-
-  owner /tmp/pulse-*/pid rwk,
-  owner /tmp/pulse-*/native rwk,
-  owner /tmp/pulse-*/autospawn.lock rwk,
-  owner /run/user/*/pulse/autospawn.lock rwk,
-
-  owner /tmp/orcexec.* mrw,
-  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
-  # needed if /tmp is mounted noexec:
-  owner @{HOME}/orcexec.* mrw,
-
-  owner /tmp/.esd-@{pid}*/ rw,
-  owner /tmp/.esd-@{pid}*/socket rw,
-
-  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    include <abstractions/base>
-    include <abstractions/gnome>
-    include <abstractions/dconf>
-
-    /usr/libexec/pulse/gsettings-helper mr,
-    owner /{,var/}run/user/*/dconf/user rw,
-    owner @{HOME}/.config/dconf/user rw,
-    owner @{PROC}/@{pid}/fd/ r,
-    signal (receive) peer=pulseaudio,
-  }
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.pulseaudio>
-}
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
deleted file mode 100644
index b365c927b656..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ /dev/null
@@ -1,19 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile uuid /usr/bin/uuidd {
-  include <abstractions/base>
-  include <abstractions/consoles>
-
-  network inet dgram,
-
-  /usr/bin/uuidd mr,
-
-  /run/uuidd/request rw,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.uuidd>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
deleted file mode 100644
index c5bb67d562fa..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ /dev/null
@@ -1,53 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile wpa_supplicant /usr/bin/wpa_supplicant {
-  include <abstractions/base>
-  include <abstractions/dbus-strict>
-
-  capability net_admin,
-  capability net_raw,
-  capability chown,
-  capability dac_override,
-  capability fsetid,
-  network inet dgram,
-  network inet raw,
-  network packet dgram,
-  network netlink,
-
-  /usr/bin/wpa_supplicant mr,
-
-  /run/wpa_supplicant/ rw,
-  /run/wpa_supplicant/** rw,
-
-  /run/dbus/system_bus_socket rw,
-  /run/sendsigs.omit.d/wpasupplicant.pid rw,
-
-  /etc/wpa_supplicant/ rw,
-  /etc/wpa_supplicant/** rw,
-  
-  /etc/nsswitch.conf r,
-  /etc/group r,
- 
-  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
-  @{PROC}/@{pid}/psched r,
-
-  /dev/rfkill r,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1/**,
-
-  dbus (send,receive)
-       bus=system
-       path=/fi/epitest/hostap/WPASupplicant/**,
-
-  include if exists <local/usr.bin.wpa_supplicant>
-}
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 0d8c1ec7087e..45a39b8d97c6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,19 +1,20 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=4
+revision=5
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
-conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
+conf_files="/etc/apparmor/*"
 make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
-depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
+depends="runit-void-apparmor apparmor-rules-upstream apparmor-rules-void
+ libapparmor-${version}_${revision} python3-notify2 python3-psutil"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
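Review bot: the dependency points the wrong way for a split whose purpose is to separate profile sets from tooling: `apparmor` now hard-depends on both `apparmor-rules-upstream` and `apparmor-rules-void`, so neither can be left out, while the rules packages, which need `apparmor_parser` to be of any use, do not depend on `apparmor`. Consider `depends="apparmor"` on the rules packages and leaving them out of this line, or state in the PR why they must be unconditional. This is also the cycle the `make_check=no # circular dependency on apparmor_parser` comment in apparmor-rules-upstream refers to; reversing the direction removes it. Dropping `/etc/apparmor.d/local/*` from `conf_files` is right once `make install -C profiles` goes, but note that `make_dirs="/etc/apparmor.d/disable ..."` now creates `/etc/apparmor.d/` in a package that puts nothing else there.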
@@ -28,23 +29,15 @@ pre_configure() {
 	autoreconf -if
 }
 
-pre_build() {
-	# Replace release profiles with our own
-	cd ${wrksrc}
-	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-}
-
 post_build() {
-	cd ${wrksrc}
-
+	cd "${wrksrc}"
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
-	make ${makejobs} -C profiles
 }
 
 post_install() {
-	cd ${wrksrc}
+	cd "${wrksrc}"
 	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
 	make $commonflags install -C binutils
 	make $commonflags \
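Review bot: the `cd "${wrksrc}"` quoting changes are unrelated to the split; keep them, but a separate one-line commit (or a mention in the commit message) makes the functional change, the removal of `make ${makejobs} -C profiles` and of the profile-copying `pre_build`, easier to review.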
@@ -54,15 +47,11 @@ post_install() {
 	make $commonflags \
 		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
 		install -C parser
-	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
-
-	# we installed a custom conflicting profile
-	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
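Review bot: with `make DESTDIR="${DESTDIR}" install -C profiles` removed, this package no longer installs `/etc/apparmor.d/abstractions`, `/etc/apparmor.d/tunables` or `/etc/apparmor.d/local/`, which every shipped profile includes; that is only safe if whatever ships profiles also pulls in apparmor-rules-upstream. Worth checking once with `xbps-query -f apparmor | grep apparmor.d` that only the `disable` directory remains. The removed `rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm` also cleaned `local/php-fpm`, whereas the `rm -f apparmor.d/php-fpm` now in apparmor-rules-upstream's pre_build does not; confirm the profiles Makefile no longer generates a `local/php-fpm` stub for a profile that was removed before the build.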
@@ -76,6 +65,7 @@ apparmor-vim_package() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
@@ -89,6 +79,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include


* Re: [PR PATCH] [Updated] apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
@ 2021-05-17  9:58 ` paper42
  2021-05-17 10:06 ` paper42
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: paper42 @ 2021-05-17  9:58 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 909 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-split-rules
https://github.com/void-linux/void-packages/pull/30946

apparmor: move rules to a separate package
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

@noarchwastaken, I noticed the patch you added for dnsmasq is not in the master branch of apparmor; would you like to make a PR there?

A patch file from https://github.com/void-linux/void-packages/pull/30946.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-split-rules-30946.patch --]
[-- Type: text/x-diff, Size: 30589 bytes --]

From c9eb2bb47080bb718a52e3f818d802d5c96ef700 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:24 +0200
Subject: [PATCH 1/3] New package: apparmor-rules-upstream-2021.04.21

---
 srcpkgs/apparmor-rules-upstream/template | 35 ++++++++++++++++++++++++
 srcpkgs/apparmor-rules-upstream/update   |  2 ++
 2 files changed, 37 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-upstream/template
 create mode 100644 srcpkgs/apparmor-rules-upstream/update

diff --git a/srcpkgs/apparmor-rules-upstream/template b/srcpkgs/apparmor-rules-upstream/template
new file mode 100644
index 000000000000..82947777d152
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/template
@@ -0,0 +1,35 @@
+# Template file for 'apparmor-rules-upstream'
+pkgname=apparmor-rules-upstream
+version=2021.04.21
+revision=1
+_commit=92e27f5566eb5d6e0cd0c54c3bd4b656a3310dba
+wrksrc="apparmor-${_commit}"
+build_wrksrc="profiles"
+build_style=gnu-makefile
+conf_files="/etc/apparmor.d/local/*"
+hostmakedepends="which"
+short_desc="AppArmor upstream rules"
+maintainer="Paper <paper@tilde.institute>"
+license="LGPL-2.1-only"
+homepage="https://gitlab.com/apparmor/apparmor"
+changelog="https://gitlab.com/apparmor/apparmor/-/commits/master/profiles"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/${_commit}/apparmor-${_commit}.tar.gz"
+checksum=2a3d7fd711ec01509027638b87584094e4f974ad7db2304adcc3494c7d11d06d
+make_check=no # circular dependency on apparmor_parser from the apparmor package
+
+post_patch() {
+	cd apparmor.d
+
+	for old_filename in sbin.* usr.sbin.*; do
+		new_filename="usr.bin.${old_filename/*sbin.}"
+		vsed -e "s,local/$old_filename,local/$new_filename," -i "$old_filename"
+		mv "$old_filename" "$new_filename"
+	done
+
+	vsed -e 's|/usr/libexec/libvirt_leaseshelper m,|/usr/libexec/libvirt_leaseshelper mr,|' -i usr.bin.dnsmasq
+}
+
+pre_build() {
+	# apparmor-rules-void contains conflicting rules
+	rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd
+}
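Review bot: `license="LGPL-2.1-only"` contradicts the third commit's own message, which says libapparmor is LGPL-2.1-only and everything else is GPL-2.0-only; the profiles come from the rest of the tree, so this should be `GPL-2.0-only` unless the profiles directory carries a separate licence. Two more points in this hunk. The rename loop only changes file names and the `local/` include, not the attachment path in each profile header; on Void, where /usr/sbin is a symlink into /usr/bin (this is why the apparmor template installs SBINDIR into /usr/bin), a profile that attaches solely to `/usr/sbin/foo` will still never attach after the rename, so each renamed profile needs checking that its header already uses a `/usr/{bin,sbin}/foo` style path (dnsmasq does, as the deleted patch in the third commit shows). And `rm -f` in pre_build hides a typo in either path, which is easy to make here because `apparmor.d/` and `apparmor/profiles/extra/` are two different trees; plain `rm` would fail the build instead of quietly leaving a conflicting profile in place.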
diff --git a/srcpkgs/apparmor-rules-upstream/update b/srcpkgs/apparmor-rules-upstream/update
new file mode 100644
index 000000000000..ec619829d3b4
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/update
@@ -0,0 +1,2 @@
+site=https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d
+pattern='<li class="commits-row" data-day="\K.*(?=">)'
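Review bot: this pattern scrapes the `data-day` attribute out of GitLab's rendered commit list, so any markup change stops it matching without an error, and the captured value is a date in GitLab's own format while `version=2021.04.21` above is dotted; make sure the update check compares the two in the same form, otherwise every run reports a new version. Also `site=` watches only `profiles/apparmor.d`, while the template's `changelog=` points at `profiles/`, so commits that touch only the profiles Makefile or `apparmor/profiles/extra/` (which pre_build deletes from) will not show up.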

From 2ad7ae67fdb4b4fdb7ef959d85b867eedba2c297 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:35 +0200
Subject: [PATCH 2/3] New package: apparmor-rules-void-2021.05.17

---
 .../files/profiles/usr.bin.dhcpcd             |  66 +++++++++
 .../files/profiles/usr.bin.nginx              |  32 +++++
 .../files/profiles/usr.bin.php-fpm            |  45 ++++++
 .../files/profiles/usr.bin.pulseaudio         | 132 ++++++++++++++++++
 .../files/profiles/usr.bin.uuidd              |  19 +++
 .../files/profiles/usr.bin.wpa_supplicant     |  53 +++++++
 srcpkgs/apparmor-rules-void/template          |  20 +++
 7 files changed, 367 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
 create mode 100644 srcpkgs/apparmor-rules-void/template

diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
new file mode 100644
index 000000000000..1d6e1b95d62a
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setuid,
+  capability setgid,
+  capability sys_admin,
+  capability sys_chroot,
+  capability bpf,
+
+  network packet dgram,
+  network packet raw,
+  network inet raw,
+  network inet6 raw,
+
+  /dev/pts/* rw,
+
+  /etc/dhcpcd.{conf,duid,secret} r,
+  /etc/ld.so.cache r,
+  /etc/udev/udev.conf r,
+
+  /proc/*/net/if_inet6 r,
+  /proc/sys/net/ipv{4,6}/conf/*/* rw,
+  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
+  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
+
+  /{var/,}run/dhcpcd/ w,
+  /{var/,}run/dhcpcd/{,*.}pid rwk,
+  /{var/,}run/dhcpcd/{,*.}sock rw,
+  /{var/,}run/dhcpcd/unpriv.sock rw,
+  /{var/,}run/udev/data/* r,
+
+  /sys/devices/**/net/*/uevent r,
+
+  /{usr/,}bin/dash ix,
+  /{usr/,}bin/dash mrix,
+
+  /usr/lib/dhcpcd/dev/udev.so m,
+  /usr/lib/ld-*.so m,
+  /usr/lib/libc-*.so m,
+
+  # Trust hooks and run the wrapper unconfined
+  /usr/libexec/dhcpcd-run-hooks CUx,
+
+  /var/db/dhcpcd-*.lease rw,
+  /var/db/dhcpcd/** rw,
+  /{usr/,}bin/dhcpcd mrix,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.dhcpcd>
+}
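Review bot: `/{usr/,}bin/dash ix,` immediately above `/{usr/,}bin/dash mrix,` is redundant, since `mrix` already contains `ix`; drop the first line. More important for anyone relying on this profile: no child profile is defined, so `/usr/libexec/dhcpcd-run-hooks CUx,` takes the `U` fallback and every hook script runs unconfined, and together with `capability sys_admin` that means the profile confines dhcpcd itself but nothing it spawns through hooks. The "Trust hooks" comment should say that this is deliberate and why a `Cx` child profile for the hooks was not attempted.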
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
new file mode 100644
index 000000000000..be769703f5df
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+include <tunables/global>
+
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/nginx/** r,
+
+  /run/nginx.pid rw,
+
+  /usr/bin/nginx mr,
+
+  /usr/share/nginx/html/* r,
+
+  /var/log/nginx/* w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.nginx>
+}
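Review bot: the header comment says "pfp-fpm"; it should read "php-fpm". Also `/usr/share/nginx/html/* r,` matches only files directly in that directory, because a single `*` does not cross `/`, so anything served from a subdirectory of the default root is denied; use `/usr/share/nginx/html/** r,` if subdirectories are meant to work.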
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
new file mode 100644
index 000000000000..0b036965da1d
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+include <tunables/global>
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
+
+  capability setgid,
+  capability setuid,
+  capability kill,
+
+  /etc/php/php-fpm.conf r,
+  /etc/php/php-fpm.d/* r,
+
+  # This is set to make php-fpm work by default, but if you don't use these paths
+  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+  # to where your PHP app is located
+  @{PHP_BASEDIRS}/** r,
+
+  /usr/bin/php-fpm mr,
+
+  /usr/share/pear/** r,
+  /usr/share/php/fpm/status.html r,
+
+  /var/log/php-fpm.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.php-fpm>
+
+}
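Review bot: the comment tells users to put the override in `local.usr.bin.php-fpm`, but the file this profile includes is `local/usr.bin.php-fpm`. While fixing that line it is worth stating why the suggested `deny @{PHP_BASEDIRS}/** r,` works from a local/ file at all: AppArmor gives explicit deny rules precedence over allow rules regardless of where they appear, so the deny in local/ overrides the `@{PHP_BASEDIRS}/** r,` granted here.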
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
new file mode 100644
index 000000000000..f8ceb4c23343
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
@@ -0,0 +1,132 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile pulseaudio /usr/bin/pulseaudio {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.RealtimeKit1
+       member={MakeThreadRealtime,MakeThreadHighPriority}
+       peer=(name=org.freedesktop.RealtimeKit1),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+  ptrace (read,trace) peer=@{profile_name},
+  signal (send) peer=pulseaudio//pulse-gsettings-helper,
+
+  /usr/bin/pulseaudio mixr,
+
+  /etc/pulse/ r,
+  /etc/pulse/* r,
+  /etc/udev/udev.conf r,
+  /etc/timidity/.pulse_cookie w,
+
+  /etc/asound.conf r,
+
+  owner @{HOME}/.esd_auth rwk,
+  owner @{HOME}/.pulse-cookie rwk,
+  owner @{HOME}/.config/pulse/cookie rwk,
+  owner @{HOME}/{.config/pulse,.pulse}/ rw,
+  owner @{HOME}/{.config/pulse,.pulse}/* rw,
+
+  owner /run/pulse/ rw,
+  owner /run/pulse/.pulse-cookie rwk,
+  owner /run/pulse/dbus-socket rwk,
+  owner /run/pulse/native rwk,
+  owner /run/pulse/pid rwk,
+  owner /run/user/[0-9]*/pulse/  rw,
+  owner /run/user/[0-9]*/pulse/* rwk,
+  /run/udev/data/+sound:card* r,
+  /run/udev/data/c116:[0-9]* r,
+  /run/udev/data/c14:[0-9]* r,
+
+  # logind
+  /run/user/[0-9]*/dconf/user k,
+
+  /sys/bus/ r,
+  /sys/class/ r,
+  /sys/class/sound/ r,
+  /sys/devices/pci[0-9]*/**/*class r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/online r,
+  /sys/devices/virtual/dmi/id/bios_vendor r,
+  /sys/devices/virtual/dmi/id/board_vendor r,
+  /sys/devices/virtual/dmi/id/sys_vendor r,
+  /sys/devices/virtual/sound/**/uevent r,
+
+  /usr/share/alsa/** r,
+  /usr/share/pulseaudio/** r,
+  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
+  /usr/libexec/pulse/gsettings-helper Cx,
+
+  /usr/{,local/}share/applications/ r,
+  /usr/{,local/}share/applications/* r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+  /var/lib/flatpak/exports/share/applications/ r,
+  /var/lib/flatpak/exports/share/applications/* r,
+
+  owner /var/lib/gdm3/.config/pulse/ rw,
+  owner /var/lib/gdm3/.config/pulse/* rw,
+  owner /var/lib/gdm3/.config/pulse/cookie rwk,
+
+  owner /var/lib/lightdm/.Xauthority r,
+  owner /var/lib/lightdm/.esd_auth rwk,
+  owner /var/lib/lightdm/.config/pulse/cookie rwk,
+  owner /var/lib/lightdm/.config/pulse/ rw,
+  owner /var/lib/lightdm/.config/pulse/* rw,
+
+  # are these needed?
+  /var/lib/pulse/ rw,
+  /var/lib/pulse/*-default-sink rw,
+  /var/lib/pulse/*-default-source rw,
+  /var/lib/pulse/*.tdb rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
+
+  owner /tmp/pulse-*/pid rwk,
+  owner /tmp/pulse-*/native rwk,
+  owner /tmp/pulse-*/autospawn.lock rwk,
+  owner /run/user/*/pulse/autospawn.lock rwk,
+
+  owner /tmp/orcexec.* mrw,
+  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
+  # needed if /tmp is mounted noexec:
+  owner @{HOME}/orcexec.* mrw,
+
+  owner /tmp/.esd-@{pid}*/ rw,
+  owner /tmp/.esd-@{pid}*/socket rw,
+
+  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
+
+    /usr/libexec/pulse/gsettings-helper mr,
+    owner /{,var/}run/user/*/dconf/user rw,
+    owner @{HOME}/.config/dconf/user rw,
+    owner @{PROC}/@{pid}/fd/ r,
+    signal (receive) peer=pulseaudio,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.pulseaudio>
+}
+
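Review bot: `# are these needed?` above the `/var/lib/pulse/` rules is an open question shipped inside the profile; resolve it (or note the answer) rather than moving it between packages as is. The `# logind` comment is attached to `/run/user/[0-9]*/dconf/user k,`, which is a dconf lock, not a logind path. Finally, the `owner /tmp/orcexec.* mrw,` rule and its @{HOME} and /run/user variants are the only places this profile grants write plus mmap-exec on the same file; that is what the ORC JIT needs, but a one-line comment saying so would stop the next reviewer from flagging it as an accidental W+X allowance.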
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
new file mode 100644
index 000000000000..b365c927b656
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  network inet dgram,
+
+  /usr/bin/uuidd mr,
+
+  /run/uuidd/request rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.uuidd>
+}
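Review bot: the profile is named `uuid` but confines `/usr/bin/uuidd`; the profile name is what appears in `aa-status` output and in audit log entries, so rename it to `uuidd` to match the binary, the file name and the `local/usr.bin.uuidd` include.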
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
new file mode 100644
index 000000000000..c5bb67d562fa
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
+
+  capability net_admin,
+  capability net_raw,
+  capability chown,
+  capability dac_override,
+  capability fsetid,
+  network inet dgram,
+  network inet raw,
+  network packet dgram,
+  network netlink,
+
+  /usr/bin/wpa_supplicant mr,
+
+  /run/wpa_supplicant/ rw,
+  /run/wpa_supplicant/** rw,
+
+  /run/dbus/system_bus_socket rw,
+  /run/sendsigs.omit.d/wpasupplicant.pid rw,
+
+  /etc/wpa_supplicant/ rw,
+  /etc/wpa_supplicant/** rw,
+  
+  /etc/nsswitch.conf r,
+  /etc/group r,
+ 
+  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
+  @{PROC}/@{pid}/psched r,
+
+  /dev/rfkill r,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1/**,
+
+  dbus (send,receive)
+       bus=system
+       path=/fi/epitest/hostap/WPASupplicant/**,
+
+  include if exists <local/usr.bin.wpa_supplicant>
+}
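Review bot: the two blank lines after `/etc/wpa_supplicant/** rw,` and after `/etc/group r,` contain only spaces; strip the trailing whitespace. `/run/sendsigs.omit.d/wpasupplicant.pid rw,` is a Debian initscript path with no counterpart under runit and can go. `/etc/wpa_supplicant/** rw,` grants write access to the configuration files that hold network PSKs; wpa_supplicant needs that only when `update_config=1` is set and a client issues `save_config`, so the rule deserves a comment explaining why `r` alone is not enough, or should be moved to local/ for users who need it. This profile is also the only one of the six without the "Site-specific additions and overrides" comment before its local/ include.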
diff --git a/srcpkgs/apparmor-rules-void/template b/srcpkgs/apparmor-rules-void/template
new file mode 100644
index 000000000000..73830b3279eb
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/template
@@ -0,0 +1,20 @@
+# Template file for 'apparmor-rules-void'
+pkgname=apparmor-rules-void
+version=2021.05.17
+revision=1
+build_style=meta
+conf_files="/etc/apparmor.d/local/*"
+short_desc="AppArmor Void Linux rules"
+maintainer="Paper <paper@tilde.institute>"
+license="GPL-2.0-only"
+homepage="https://github.com/void-linux/void-packages/"
+
+do_install() {
+	vmkdir etc/apparmor.d/local
+	cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/
+	cd ${DESTDIR}/etc/apparmor.d/
+	find . -maxdepth 1 -type f | while read -r rulepath; do
+		rule="${rulepath/.\/}"
+		echo "# Site-specific additions and overrides for '$rule'" > "local/$rule"
+	done
+}
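Review bot: the template declares no `depends`, yet every profile it installs begins with `abi <abi/3.0>,`, `include <tunables/global>` and `include <abstractions/...>`, all of which are installed by the profiles tree that apparmor-rules-upstream ships; add `depends="apparmor-rules-upstream"` so the package parses on its own and not only when pulled in through the apparmor package. Minor: `cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/` relies on the repository file modes and leaves both variables unquoted; `vcopy` or `vinstall` with an explicit mode is the usual xbps-src idiom and matches the `"${wrksrc}"` quoting introduced in the apparmor template.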

From ee56b6ff495962975029acf59b22b7754a39312b Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:27:04 +0200
Subject: [PATCH 3/3] apparmor: move rules to a separate package

also fix license - libapparmor is LGPL-2.1-only, everything else is
GPL-2.0-only
---
 .../apparmor/files/profiles/usr.bin.dhcpcd    |  66 ---------
 srcpkgs/apparmor/files/profiles/usr.bin.nginx |  32 -----
 .../apparmor/files/profiles/usr.bin.php-fpm   |  45 ------
 .../files/profiles/usr.bin.pulseaudio         | 132 ------------------
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd |  19 ---
 .../files/profiles/usr.bin.wpa_supplicant     |  53 -------
 .../patches/fix-dnsmasq-libvirt.patch         |  13 --
 srcpkgs/apparmor/template                     |  27 ++--
 8 files changed, 9 insertions(+), 378 deletions(-)
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.nginx
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.uuidd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
deleted file mode 100644
index 1d6e1b95d62a..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ /dev/null
@@ -1,66 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile dhcpcd /{usr/,}bin/dhcpcd {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-
-  capability chown,
-  capability fowner,
-  capability fsetid,
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setuid,
-  capability setgid,
-  capability sys_admin,
-  capability sys_chroot,
-  capability bpf,
-
-  network packet dgram,
-  network packet raw,
-  network inet raw,
-  network inet6 raw,
-
-  /dev/pts/* rw,
-
-  /etc/dhcpcd.{conf,duid,secret} r,
-  /etc/ld.so.cache r,
-  /etc/udev/udev.conf r,
-
-  /proc/*/net/if_inet6 r,
-  /proc/sys/net/ipv{4,6}/conf/*/* rw,
-  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
-  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
-
-  /{var/,}run/dhcpcd/ w,
-  /{var/,}run/dhcpcd/{,*.}pid rwk,
-  /{var/,}run/dhcpcd/{,*.}sock rw,
-  /{var/,}run/dhcpcd/unpriv.sock rw,
-  /{var/,}run/udev/data/* r,
-
-  /sys/devices/**/net/*/uevent r,
-
-  /{usr/,}bin/dash ix,
-  /{usr/,}bin/dash mrix,
-
-  /usr/lib/dhcpcd/dev/udev.so m,
-  /usr/lib/ld-*.so m,
-  /usr/lib/libc-*.so m,
-
-  # Trust hooks and run the wrapper unconfined
-  /usr/libexec/dhcpcd-run-hooks CUx,
-
-  /var/db/dhcpcd-*.lease rw,
-  /var/db/dhcpcd/** rw,
-  /{usr/,}bin/dhcpcd mrix,
-
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.dhcpcd>
-}
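Review bot: the index line (1d6e1b95d62a..000000000000) is the same blob that the second commit adds under srcpkgs/apparmor-rules-void, so these six profile deletions are pure moves. Because they are split across commits 2 and 3, the tree after commit 2 has both the apparmor package (which still copies `files/profiles/*` into /etc/apparmor.d/ at that point) and apparmor-rules-void shipping identical paths; either squash the move into one commit or generate the series with `git format-patch -M` so it reads as renames and no intermediate state conflicts.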
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
deleted file mode 100644
index be769703f5df..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ /dev/null
@@ -1,32 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
-# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
-# /path/to/your/unix/socket rw,
-
-include <tunables/global>
-
-profile nginx /usr/bin/nginx {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/nis>
-  include <abstractions/openssl>
-
-  capability setgid,
-  capability setuid,
-
-  /etc/nginx/** r,
-
-  /run/nginx.pid rw,
-
-  /usr/bin/nginx mr,
-
-  /usr/share/nginx/html/* r,
-
-  /var/log/nginx/* w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.nginx>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
deleted file mode 100644
index 0b036965da1d..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ /dev/null
@@ -1,45 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile uses TCP sockets by default
-# If you wish for php-fpm to listen to unix socket,
-# add the following permission to local/usr.bin.php-fpm
-# /path/to/your/unix/socket w,
-
-include <tunables/global>
-
-# This is PHP open_basedir where script can only be executed from.
-# /home, /tmp have been removed to not open permissions too widely
-# /usr/share/pear have been removed to have its own permission
-@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
-
-profile php-fpm /usr/bin/php-fpm {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/openssl>
-  include <abstractions/php>
-
-  capability setgid,
-  capability setuid,
-  capability kill,
-
-  /etc/php/php-fpm.conf r,
-  /etc/php/php-fpm.d/* r,
-
-  # This is set to make php-fpm work by default, but if you don't use these paths
-  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
-  # to where your PHP app is located
-  @{PHP_BASEDIRS}/** r,
-
-  /usr/bin/php-fpm mr,
-
-  /usr/share/pear/** r,
-  /usr/share/php/fpm/status.html r,
-
-  /var/log/php-fpm.log w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.php-fpm>
-
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
deleted file mode 100644
index f8ceb4c23343..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ /dev/null
@@ -1,132 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile pulseaudio /usr/bin/pulseaudio {
-  include <abstractions/base>
-  include <abstractions/audio>
-  include <abstractions/dbus-session>
-  include <abstractions/dbus-strict>
-  include <abstractions/nameservice>
-  include <abstractions/X>
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
-       peer=(name=org.freedesktop.RealtimeKit1),
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.DBus.Properties
-       member=Get,
-
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
-  ptrace (read,trace) peer=@{profile_name},
-  signal (send) peer=pulseaudio//pulse-gsettings-helper,
-
-  /usr/bin/pulseaudio mixr,
-
-  /etc/pulse/ r,
-  /etc/pulse/* r,
-  /etc/udev/udev.conf r,
-  /etc/timidity/.pulse_cookie w,
-
-  /etc/asound.conf r,
-
-  owner @{HOME}/.esd_auth rwk,
-  owner @{HOME}/.pulse-cookie rwk,
-  owner @{HOME}/.config/pulse/cookie rwk,
-  owner @{HOME}/{.config/pulse,.pulse}/ rw,
-  owner @{HOME}/{.config/pulse,.pulse}/* rw,
-
-  owner /run/pulse/ rw,
-  owner /run/pulse/.pulse-cookie rwk,
-  owner /run/pulse/dbus-socket rwk,
-  owner /run/pulse/native rwk,
-  owner /run/pulse/pid rwk,
-  owner /run/user/[0-9]*/pulse/  rw,
-  owner /run/user/[0-9]*/pulse/* rwk,
-  /run/udev/data/+sound:card* r,
-  /run/udev/data/c116:[0-9]* r,
-  /run/udev/data/c14:[0-9]* r,
-
-  # logind
-  /run/user/[0-9]*/dconf/user k,
-
-  /sys/bus/ r,
-  /sys/class/ r,
-  /sys/class/sound/ r,
-  /sys/devices/pci[0-9]*/**/*class r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/online r,
-  /sys/devices/virtual/dmi/id/bios_vendor r,
-  /sys/devices/virtual/dmi/id/board_vendor r,
-  /sys/devices/virtual/dmi/id/sys_vendor r,
-  /sys/devices/virtual/sound/**/uevent r,
-
-  /usr/share/alsa/** r,
-  /usr/share/pulseaudio/** r,
-  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
-  /usr/libexec/pulse/gsettings-helper Cx,
-
-  /usr/{,local/}share/applications/ r,
-  /usr/{,local/}share/applications/* r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
-  /var/lib/flatpak/exports/share/applications/ r,
-  /var/lib/flatpak/exports/share/applications/* r,
-
-  owner /var/lib/gdm3/.config/pulse/ rw,
-  owner /var/lib/gdm3/.config/pulse/* rw,
-  owner /var/lib/gdm3/.config/pulse/cookie rwk,
-
-  owner /var/lib/lightdm/.Xauthority r,
-  owner /var/lib/lightdm/.esd_auth rwk,
-  owner /var/lib/lightdm/.config/pulse/cookie rwk,
-  owner /var/lib/lightdm/.config/pulse/ rw,
-  owner /var/lib/lightdm/.config/pulse/* rw,
-
-  # are these needed?
-  /var/lib/pulse/ rw,
-  /var/lib/pulse/*-default-sink rw,
-  /var/lib/pulse/*-default-source rw,
-  /var/lib/pulse/*.tdb rw,
-
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
-
-  owner /tmp/pulse-*/pid rwk,
-  owner /tmp/pulse-*/native rwk,
-  owner /tmp/pulse-*/autospawn.lock rwk,
-  owner /run/user/*/pulse/autospawn.lock rwk,
-
-  owner /tmp/orcexec.* mrw,
-  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
-  # needed if /tmp is mounted noexec:
-  owner @{HOME}/orcexec.* mrw,
-
-  owner /tmp/.esd-@{pid}*/ rw,
-  owner /tmp/.esd-@{pid}*/socket rw,
-
-  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    include <abstractions/base>
-    include <abstractions/gnome>
-    include <abstractions/dconf>
-
-    /usr/libexec/pulse/gsettings-helper mr,
-    owner /{,var/}run/user/*/dconf/user rw,
-    owner @{HOME}/.config/dconf/user rw,
-    owner @{PROC}/@{pid}/fd/ r,
-    signal (receive) peer=pulseaudio,
-  }
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.pulseaudio>
-}
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
deleted file mode 100644
index b365c927b656..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ /dev/null
@@ -1,19 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile uuid /usr/bin/uuidd {
-  include <abstractions/base>
-  include <abstractions/consoles>
-
-  network inet dgram,
-
-  /usr/bin/uuidd mr,
-
-  /run/uuidd/request rw,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.uuidd>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
deleted file mode 100644
index c5bb67d562fa..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ /dev/null
@@ -1,53 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile wpa_supplicant /usr/bin/wpa_supplicant {
-  include <abstractions/base>
-  include <abstractions/dbus-strict>
-
-  capability net_admin,
-  capability net_raw,
-  capability chown,
-  capability dac_override,
-  capability fsetid,
-  network inet dgram,
-  network inet raw,
-  network packet dgram,
-  network netlink,
-
-  /usr/bin/wpa_supplicant mr,
-
-  /run/wpa_supplicant/ rw,
-  /run/wpa_supplicant/** rw,
-
-  /run/dbus/system_bus_socket rw,
-  /run/sendsigs.omit.d/wpasupplicant.pid rw,
-
-  /etc/wpa_supplicant/ rw,
-  /etc/wpa_supplicant/** rw,
-  
-  /etc/nsswitch.conf r,
-  /etc/group r,
- 
-  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
-  @{PROC}/@{pid}/psched r,
-
-  /dev/rfkill r,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1/**,
-
-  dbus (send,receive)
-       bus=system
-       path=/fi/epitest/hostap/WPASupplicant/**,
-
-  include if exists <local/usr.bin.wpa_supplicant>
-}
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
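Review bot: the fix this patch carried now lives as a `vsed` expression in apparmor-rules-upstream's post_patch. Unlike a patch, a sed expression whose target line moves or changes does not fail the build, it just leaves the file unchanged, so once the upstream MR the PR description asks for is opened, put its URL in a comment beside that vsed so the next updater knows when it can be dropped.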
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 0d8c1ec7087e..45a39b8d97c6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,19 +1,20 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=4
+revision=5
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
-conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
+conf_files="/etc/apparmor/*"
 make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
-depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
+depends="runit-void-apparmor apparmor-rules-upstream apparmor-rules-void
+ libapparmor-${version}_${revision} python3-notify2 python3-psutil"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
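Review bot: `depends` now hard-requires both apparmor-rules-upstream and apparmor-rules-void, so there is no way to install the parser and tools without also getting the Void profiles for pulseaudio, php-fpm, nginx and the rest; consider leaving apparmor-rules-void as an optional install. The two new dependencies are unversioned while `libapparmor-${version}_${revision}` is pinned; that is defensible because the profiles declare their own `abi`, but a comment saying so would prevent someone pinning them later. Dropping `/etc/apparmor.d/local/*` from `conf_files` is correct only because both new templates declare that same glob, so the files change owner rather than stop being tracked.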
@@ -28,23 +29,15 @@ pre_configure() {
 	autoreconf -if
 }
 
-pre_build() {
-	# Replace release profiles with our own
-	cd ${wrksrc}
-	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-}
-
 post_build() {
-	cd ${wrksrc}
-
+	cd "${wrksrc}"
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
-	make ${makejobs} -C profiles
 }
 
 post_install() {
-	cd ${wrksrc}
+	cd "${wrksrc}"
 	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
 	make $commonflags install -C binutils
 	make $commonflags \
@@ -54,15 +47,11 @@ post_install() {
 	make $commonflags \
 		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
 		install -C parser
-	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
-
-	# we installed a custom conflicting profile
-	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
 
 apparmor-vim_package() {
@@ -76,6 +65,7 @@ apparmor-vim_package() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
@@ -89,6 +79,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
  2021-05-17  9:58 ` [PR PATCH] [Updated] " paper42
@ 2021-05-17 10:06 ` paper42
  2021-05-17 10:07 ` paper42
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: paper42 @ 2021-05-17 10:06 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 855 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-842197023

Comment:
Before this PR, the apparmor package provided all rules on its own - Void-specific and upstream rules. This results in broken rules when packages are updated, so I created a package which tracks apparmor master (apparmor-rules-upstream) and a meta package which provides Void-specific rules (apparmor-rules-void). The rules have an ABI version specified inside, so there shouldn't be any problems with apparmor being older than the rules.

This update will probably create a lot of .new files in /etc/apparmor.d/local/ for users, but it shouldn't matter.

The upstream rule package has an update file which shows a new version when there are new commits in the profiles/ directory in the apparmor repository. 

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
  2021-05-17  9:58 ` [PR PATCH] [Updated] " paper42
  2021-05-17 10:06 ` paper42
@ 2021-05-17 10:07 ` paper42
  2021-05-17 12:30 ` Duncaen
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: paper42 @ 2021-05-17 10:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 857 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-842197023

Comment:
Before this PR, the apparmor package provided all rules on its own - Void-specific and upstream rules. This resulted in broken rules when packages were updated, so I created a package which tracks apparmor master (apparmor-rules-upstream) and a meta package which provides Void-specific rules (apparmor-rules-void). The rules have an ABI version specified inside, so there shouldn't be any problems with apparmor being older than the rules.

This update will probably create a lot of .new files in /etc/apparmor.d/local/ for users, but it shouldn't matter.

The upstream rule package has an update file which shows a new version when there are new commits in the profiles/ directory in the apparmor repository. 

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (2 preceding siblings ...)
  2021-05-17 10:07 ` paper42
@ 2021-05-17 12:30 ` Duncaen
  2021-05-17 12:32 ` [PR REVIEW] " Duncaen
                   ` (11 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Duncaen @ 2021-05-17 12:30 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 659 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-842285671

Comment:
Not sure if there is any value in renaming the file in upstream rules; they most likely also either hard-code the specific path in the profile or allow patterns.
Would also break existing `/etc/apparmor.d/local` configuration.

I'm not sure yet if I prefer a package with our profiles or just shipping the profiles we wrote with the package they are for.
If we plan to ship one big package then I think it would be better to create a new separate repository instead of maintaining them inside of void-packages.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PR REVIEW] apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (3 preceding siblings ...)
  2021-05-17 12:30 ` Duncaen
@ 2021-05-17 12:32 ` Duncaen
  2021-05-17 12:43 ` ericonr
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Duncaen @ 2021-05-17 12:32 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 319 bytes --]

New review comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#discussion_r633489008

Comment:
I don't think we should ship local files at all, IMHO better to just `include if exists`.
(They also need to be marked as configuration file in case we keep shipping them).

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (4 preceding siblings ...)
  2021-05-17 12:32 ` [PR REVIEW] " Duncaen
@ 2021-05-17 12:43 ` ericonr
  2021-05-17 13:24 ` [PR REVIEW] " paper42
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: ericonr @ 2021-05-17 12:43 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 211 bytes --]

New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-842293535

Comment:
@Duncaen https://github.com/void-linux/void-infrastructure/issues/82 ?

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PR REVIEW] apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (5 preceding siblings ...)
  2021-05-17 12:43 ` ericonr
@ 2021-05-17 13:24 ` paper42
  2021-05-17 13:47 ` paper42
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: paper42 @ 2021-05-17 13:24 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 252 bytes --]

New review comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#discussion_r633526713

Comment:
I wanted to match the behavior of the upstream rules, do you think I should remove it from there as well?

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (6 preceding siblings ...)
  2021-05-17 13:24 ` [PR REVIEW] " paper42
@ 2021-05-17 13:47 ` paper42
  2021-05-17 13:55 ` noarchwastaken
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: paper42 @ 2021-05-17 13:47 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1552 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-842338740

Comment:
> Not sure if there is any value in renaming the file in upstream rules; they most likely also either hard-code the specific path in the profile or allow patterns.
> Would also break existing `/etc/apparmor.d/local` configuration.

There is not, other than convenience, I will revert this change.

> I'm not sure yet if I prefer a package with our profiles or just shipping the profiles we wrote with the package they are for.
> If we plan to ship one big package then I think it would be better to create a new separate repository instead of maintaining them inside of void-packages.

I am interested in a better solution like what was mentioned in the void-infrastructure issue. I think a separate repository might be a slightly better idea, because we might want to modify or create new abstractions. Tracking compatible versions could be done with a simple comment with the version (similar to [krathalan's apparmor profiles for Arch](https://git.sr.ht/~krathalan/apparmor-profiles/tree/master/item/profiles/bluetoothd)) and some kind of a warning/notification/lint/CI which would warn when a PR or a commit for a new version is made. There should also be a distinction between well-tested profiles and ones that are a bit buggy or not tested enough (which would be a bit ugly with the profiles in packages). This will not be trivial, but I can offer my help when the Void maintainers decide on this.

^ permalink raw reply	[flat|nested] 17+ messages in thread
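
Duncaen's `include if exists` point and paper42's wish for a lint or CI step over the profile set both come down to mechanical checks that can run on the `files/profiles/` directory of a package. The checker below is an added example for this thread, not code from the PR, from void-packages or from the apparmor project. Its regexes cover only the subset of apparmor.d(5) syntax these profiles use (an assumption, it is not a parser), and the two embedded profiles are constructed samples: one clean, one carrying each mistake once, including the `uuid` versus `uuidd` name mismatch and the duplicated `dash` rules that appear in the attached patch.

```python
"""Lint AppArmor profile files for the packaging mistakes raised in this thread.

Added example for the thread, not code from the PR, void-packages or the apparmor
project. The regexes cover only the subset of apparmor.d(5) syntax these profiles
use (an assumption): this is a checker, not a parser.
"""
import re
from pathlib import Path
from typing import Dict, List

ABI_RE = re.compile(r"^\s*abi\s+<abi/[\d.]+>\s*,")
PROFILE_RE = re.compile(r"^\s*profile\s+(\S+)\s+(\S+)(?:\s+flags=\([^)]*\))?\s*\{")
LOCAL_INCLUDE_RE = re.compile(r"^\s*(#?include)(\s+if\s+exists)?\s+<local/([^>]+)>")
# optional "owner" qualifier; the path may start with a variable such as @{HOME}
PATH_RULE_RE = re.compile(r"^\s*(?:owner\s+)?([/@]\S+)\s+([A-Za-z]+)\s*,\s*$")


def lint_profile(filename: str, text: str) -> List[str]:
    """Return findings for one profile file; an empty list means clean."""
    findings: List[str] = []
    lines = text.splitlines()
    if not any(ABI_RE.match(line) for line in lines):
        findings.append(f"{filename}: no 'abi <abi/X.Y>,' line; the parser applies "
                        "its default feature ABI instead of a pinned one")
    seen_paths: Dict[str, int] = {}
    for lineno, line in enumerate(lines, 1):
        m = PROFILE_RE.match(line)
        if m:
            name, attachment = m.groups()
            # the attachment may be a glob like /{usr/,}bin/dhcpcd: compare basenames
            binary = attachment.rsplit("/", 1)[-1]
            if name != binary:
                findings.append(f"{filename}:{lineno}: profile name '{name}' differs from "
                                f"binary '{binary}'; aa-status and audit lines show '{name}'")
            seen_paths = {}  # path rules are scoped to the (child) profile they are in
            continue
        m = LOCAL_INCLUDE_RE.match(line)
        if m:
            keyword, if_exists, local = m.groups()
            if not if_exists:
                findings.append(f"{filename}:{lineno}: '{keyword} <local/{local}>' is "
                                "unconditional; use 'include if exists' so no local/ file "
                                "has to be shipped")
            if local != filename:
                findings.append(f"{filename}:{lineno}: local include '{local}' does not "
                                f"match the profile file name '{filename}'")
            continue
        m = PATH_RULE_RE.match(line)
        if m:
            path, perms = m.groups()
            if path in seen_paths:
                findings.append(f"{filename}:{lineno}: duplicate rule for {path} (also on "
                                f"line {seen_paths[path]}); merge the permissions")
            seen_paths.setdefault(path, lineno)
            if "ux" in perms.lower():  # ux, Ux, PUx, CUx ... all allow an unconfined exec
                findings.append(f"{filename}:{lineno}: '{perms}' lets {path} run unconfined "
                                "when no matching profile exists; confine it or document why")
    return findings


def lint_dir(directory: str) -> List[str]:
    """Lint every regular file in a profiles directory, e.g. files/profiles/."""
    findings: List[str] = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            findings.extend(lint_profile(path.name, path.read_text()))
    return findings


# Constructed samples (not from the PR): one clean profile, one with every mistake.
GOOD_PROFILE = """\
abi <abi/3.0>,

include <tunables/global>

profile nginx /usr/bin/nginx {
  include <abstractions/base>
  include <abstractions/nameservice>

  /etc/nginx/** r,
  /run/nginx.pid rw,
  /usr/bin/nginx mr,
  /var/log/nginx/* w,

  include if exists <local/usr.bin.nginx>
}
"""
BAD_PROFILE = """\
include <tunables/global>

profile uuid /usr/bin/uuidd {
  include <abstractions/base>

  /usr/bin/uuidd mr,
  /{usr/,}bin/dash ix,
  /{usr/,}bin/dash mrix,
  /usr/libexec/uuidd-hook CUx,

  include <local/usr.bin.uuid>
}
"""

if __name__ == "__main__":
    import sys
    report = lint_dir(sys.argv[1]) if len(sys.argv) > 1 else lint_profile("usr.bin.uuidd", BAD_PROFILE)
    print("\n".join(report) or "clean")
```

Run as `python3 lint_profiles.py srcpkgs/apparmor-rules-void/files/profiles` to check a package's profiles; without an argument it reports the findings for the constructed bad sample. Path rules are tracked per profile block so a child profile may legitimately repeat a path its parent also lists, and the `ux` check is deliberately coarse: it flags every exec mode that can end in an unconfined process and leaves the decision to the reviewer.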

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (7 preceding siblings ...)
  2021-05-17 13:47 ` paper42
@ 2021-05-17 13:55 ` noarchwastaken
  2021-05-17 13:57 ` [PR PATCH] [Updated] " paper42
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: noarchwastaken @ 2021-05-17 13:55 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 4623 bytes --]

New comment by noarchwastaken on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-842344930

Comment:
> @noarchwastaken <https://github.com/noarchwastaken>, I noticed the patch you added for dnsmasq is not in the master branch of apparmor, would you like to make a PR there?

TBH, I'm not sure if it's a Void-specific issue. I have other machines running Arch and Fedora 33 and they work fine. I guess I have to dig into the package for those distros...

If it is an upstream issue, sure I will make a PR there.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PR PATCH] [Updated] apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (8 preceding siblings ...)
  2021-05-17 13:55 ` noarchwastaken
@ 2021-05-17 13:57 ` paper42
  2021-05-17 14:04 ` noarchwastaken
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: paper42 @ 2021-05-17 13:57 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 909 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-split-rules
https://github.com/void-linux/void-packages/pull/30946

apparmor: move rules to a separate package
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

@noarchwastaken, I noticed the patch you added for dnsmasq is not in the master branch of apparmor, would you like to make a PR there?

A patch file from https://github.com/void-linux/void-packages/pull/30946.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-apparmor-split-rules-30946.patch --]
[-- Type: text/x-diff, Size: 30122 bytes --]

From 1f18efae05fc85059cc822837c7f129bd1b1e876 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:24 +0200
Subject: [PATCH 1/3] New package: apparmor-rules-upstream-2021.04.21

---
 srcpkgs/apparmor-rules-upstream/template | 27 ++++++++++++++++++++++++
 srcpkgs/apparmor-rules-upstream/update   |  2 ++
 2 files changed, 29 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-upstream/template
 create mode 100644 srcpkgs/apparmor-rules-upstream/update

diff --git a/srcpkgs/apparmor-rules-upstream/template b/srcpkgs/apparmor-rules-upstream/template
new file mode 100644
index 000000000000..c3fdb12818f3
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/template
@@ -0,0 +1,27 @@
+# Template file for 'apparmor-rules-upstream'
+pkgname=apparmor-rules-upstream
+version=2021.04.21
+revision=1
+_commit=92e27f5566eb5d6e0cd0c54c3bd4b656a3310dba
+wrksrc="apparmor-${_commit}"
+build_wrksrc="profiles"
+build_style=gnu-makefile
+conf_files="/etc/apparmor.d/local/*"
+hostmakedepends="which"
+short_desc="AppArmor upstream rules"
+maintainer="Paper <paper@tilde.institute>"
+license="LGPL-2.1-only"
+homepage="https://gitlab.com/apparmor/apparmor"
+changelog="https://gitlab.com/apparmor/apparmor/-/commits/master/profiles"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/${_commit}/apparmor-${_commit}.tar.gz"
+checksum=2a3d7fd711ec01509027638b87584094e4f974ad7db2304adcc3494c7d11d06d
+make_check=no # circular dependency on apparmor_parser from the apparmor package
+
+post_patch() {
+	vsed -e 's|/usr/libexec/libvirt_leaseshelper m,|/usr/libexec/libvirt_leaseshelper mr,|' -i apparmor.d/usr.sbin.dnsmasq
+}
+
+pre_build() {
+	# apparmor-rules-void contains conflicting rules
+	rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd
+}
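Review bot: `rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd` in `pre_build` masks a wrong or moved path: if upstream renames either file the build still succeeds, the upstream `php-fpm` profile silently returns, and two files in `/etc/apparmor.d/` then define the same `php-fpm` profile name as the one from `apparmor-rules-void`, with the loaded one depending on load order. Use plain `rm` so the build fails loudly instead. Also `conf_files="/etc/apparmor.d/local/*"` only covers `local/`; the profiles in `/etc/apparmor.d/` itself are unmarked and are overwritten on every update, which is the intended model only if users edit `local/` exclusively, so say that in a template comment.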
diff --git a/srcpkgs/apparmor-rules-upstream/update b/srcpkgs/apparmor-rules-upstream/update
new file mode 100644
index 000000000000..ec619829d3b4
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/update
@@ -0,0 +1,2 @@
+site=https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d
+pattern='<li class="commits-row" data-day="\K.*(?=">)'
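Review bot: `pattern` scrapes a `data-day` attribute out of GitLab's rendered commits page; it is tied to GitLab's HTML class names and will silently stop producing a version when the markup changes, so expect to revisit it. It also only watches `profiles/apparmor.d`, while the package appears to ship `profiles/apparmor/profiles/extra` as well (the `pre_build` removal of `apparmor/profiles/extra/sbin.dhcpcd` suggests it is installed), so changes to the extra profiles will not bump the version.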

From 3cc07e151115529931b0410e3dd2554e2fb5b7b8 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:35 +0200
Subject: [PATCH 2/3] New package: apparmor-rules-void-2021.05.17

---
 .../files/profiles/usr.bin.dhcpcd             |  66 +++++++++
 .../files/profiles/usr.bin.nginx              |  32 +++++
 .../files/profiles/usr.bin.php-fpm            |  45 ++++++
 .../files/profiles/usr.bin.pulseaudio         | 132 ++++++++++++++++++
 .../files/profiles/usr.bin.uuidd              |  19 +++
 .../files/profiles/usr.bin.wpa_supplicant     |  53 +++++++
 srcpkgs/apparmor-rules-void/template          |  14 ++
 7 files changed, 361 insertions(+)
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
 create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
 create mode 100644 srcpkgs/apparmor-rules-void/template

diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
new file mode 100644
index 000000000000..1d6e1b95d62a
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+
+  capability chown,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability net_admin,
+  capability net_raw,
+  capability setuid,
+  capability setgid,
+  capability sys_admin,
+  capability sys_chroot,
+  capability bpf,
+
+  network packet dgram,
+  network packet raw,
+  network inet raw,
+  network inet6 raw,
+
+  /dev/pts/* rw,
+
+  /etc/dhcpcd.{conf,duid,secret} r,
+  /etc/ld.so.cache r,
+  /etc/udev/udev.conf r,
+
+  /proc/*/net/if_inet6 r,
+  /proc/sys/net/ipv{4,6}/conf/*/* rw,
+  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
+  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
+
+  /{var/,}run/dhcpcd/ w,
+  /{var/,}run/dhcpcd/{,*.}pid rwk,
+  /{var/,}run/dhcpcd/{,*.}sock rw,
+  /{var/,}run/dhcpcd/unpriv.sock rw,
+  /{var/,}run/udev/data/* r,
+
+  /sys/devices/**/net/*/uevent r,
+
+  /{usr/,}bin/dash ix,
+  /{usr/,}bin/dash mrix,
+
+  /usr/lib/dhcpcd/dev/udev.so m,
+  /usr/lib/ld-*.so m,
+  /usr/lib/libc-*.so m,
+
+  # Trust hooks and run the wrapper unconfined
+  /usr/libexec/dhcpcd-run-hooks CUx,
+
+  /var/db/dhcpcd-*.lease rw,
+  /var/db/dhcpcd/** rw,
+  /{usr/,}bin/dhcpcd mrix,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.dhcpcd>
+}
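Review bot: `/usr/libexec/dhcpcd-run-hooks CUx,` falls back to an unconfined transition because no child profile for the hook runner is defined here (and the uppercase `U` skips environment scrubbing), so every hook script run as root on a lease event sits entirely outside confinement while the parent holds `sys_admin`, `net_admin`, `setuid` and `bpf`; the comment says this is deliberate, but a small child profile reached via `Cx` would keep the hooks working and still mediate what they may touch. Smaller points: `/{usr/,}bin/dash ix,` followed by `/{usr/,}bin/dash mrix,` is redundant (keep the second), and `/proc/*/net/if_inet6 r,` should use `@{PROC}` like the `owner @{PROC}/@{pid}/...` rules below it.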
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
new file mode 100644
index 000000000000..be769703f5df
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+include <tunables/global>
+
+profile nginx /usr/bin/nginx {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/nis>
+  include <abstractions/openssl>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/nginx/** r,
+
+  /run/nginx.pid rw,
+
+  /usr/bin/nginx mr,
+
+  /usr/share/nginx/html/* r,
+
+  /var/log/nginx/* w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.nginx>
+}
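Review bot: `/usr/share/nginx/html/* r,` matches only files directly in the docroot, since `*` does not cross `/`; any subdirectory of the default site is denied. Use `/usr/share/nginx/html/** r,` if that is the intent. The header comment also has a typo, `pfp-fpm` for `php-fpm`.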
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
new file mode 100644
index 000000000000..0b036965da1d
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+include <tunables/global>
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+profile php-fpm /usr/bin/php-fpm {
+  include <abstractions/base>
+  include <abstractions/nameservice>
+  include <abstractions/openssl>
+  include <abstractions/php>
+
+  capability setgid,
+  capability setuid,
+  capability kill,
+
+  /etc/php/php-fpm.conf r,
+  /etc/php/php-fpm.d/* r,
+
+  # This is set to make php-fpm work by default, but if you don't use these paths
+  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+  # to where your PHP app is located
+  @{PHP_BASEDIRS}/** r,
+
+  /usr/bin/php-fpm mr,
+
+  /usr/share/pear/** r,
+  /usr/share/php/fpm/status.html r,
+
+  /var/log/php-fpm.log w,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.php-fpm>
+
+}
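Review bot: the comment above `@{PHP_BASEDIRS}/** r,` tells users to add the deny rule to `local.usr.bin.php-fpm`, but the file the profile includes is `local/usr.bin.php-fpm`. The advice itself is sound, since a `deny` in the local file wins over this allow, so users who keep their apps elsewhere can close the default trees. The blank line before the closing `}` can go.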
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
new file mode 100644
index 000000000000..f8ceb4c23343
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
@@ -0,0 +1,132 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile pulseaudio /usr/bin/pulseaudio {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice>
+  include <abstractions/X>
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.RealtimeKit1
+       member={MakeThreadRealtime,MakeThreadHighPriority}
+       peer=(name=org.freedesktop.RealtimeKit1),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+  ptrace (read,trace) peer=@{profile_name},
+  signal (send) peer=pulseaudio//pulse-gsettings-helper,
+
+  /usr/bin/pulseaudio mixr,
+
+  /etc/pulse/ r,
+  /etc/pulse/* r,
+  /etc/udev/udev.conf r,
+  /etc/timidity/.pulse_cookie w,
+
+  /etc/asound.conf r,
+
+  owner @{HOME}/.esd_auth rwk,
+  owner @{HOME}/.pulse-cookie rwk,
+  owner @{HOME}/.config/pulse/cookie rwk,
+  owner @{HOME}/{.config/pulse,.pulse}/ rw,
+  owner @{HOME}/{.config/pulse,.pulse}/* rw,
+
+  owner /run/pulse/ rw,
+  owner /run/pulse/.pulse-cookie rwk,
+  owner /run/pulse/dbus-socket rwk,
+  owner /run/pulse/native rwk,
+  owner /run/pulse/pid rwk,
+  owner /run/user/[0-9]*/pulse/  rw,
+  owner /run/user/[0-9]*/pulse/* rwk,
+  /run/udev/data/+sound:card* r,
+  /run/udev/data/c116:[0-9]* r,
+  /run/udev/data/c14:[0-9]* r,
+
+  # logind
+  /run/user/[0-9]*/dconf/user k,
+
+  /sys/bus/ r,
+  /sys/class/ r,
+  /sys/class/sound/ r,
+  /sys/devices/pci[0-9]*/**/*class r,
+  /sys/devices/pci[0-9]*/**/uevent r,
+  /sys/devices/system/cpu/ r,
+  /sys/devices/system/cpu/online r,
+  /sys/devices/virtual/dmi/id/bios_vendor r,
+  /sys/devices/virtual/dmi/id/board_vendor r,
+  /sys/devices/virtual/dmi/id/sys_vendor r,
+  /sys/devices/virtual/sound/**/uevent r,
+
+  /usr/share/alsa/** r,
+  /usr/share/pulseaudio/** r,
+  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
+  /usr/libexec/pulse/gsettings-helper Cx,
+
+  /usr/{,local/}share/applications/ r,
+  /usr/{,local/}share/applications/* r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+  /var/lib/flatpak/exports/share/applications/ r,
+  /var/lib/flatpak/exports/share/applications/* r,
+
+  owner /var/lib/gdm3/.config/pulse/ rw,
+  owner /var/lib/gdm3/.config/pulse/* rw,
+  owner /var/lib/gdm3/.config/pulse/cookie rwk,
+
+  owner /var/lib/lightdm/.Xauthority r,
+  owner /var/lib/lightdm/.esd_auth rwk,
+  owner /var/lib/lightdm/.config/pulse/cookie rwk,
+  owner /var/lib/lightdm/.config/pulse/ rw,
+  owner /var/lib/lightdm/.config/pulse/* rw,
+
+  # are these needed?
+  /var/lib/pulse/ rw,
+  /var/lib/pulse/*-default-sink rw,
+  /var/lib/pulse/*-default-source rw,
+  /var/lib/pulse/*.tdb rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
+
+  owner /tmp/pulse-*/pid rwk,
+  owner /tmp/pulse-*/native rwk,
+  owner /tmp/pulse-*/autospawn.lock rwk,
+  owner /run/user/*/pulse/autospawn.lock rwk,
+
+  owner /tmp/orcexec.* mrw,
+  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
+  # needed if /tmp is mounted noexec:
+  owner @{HOME}/orcexec.* mrw,
+
+  owner /tmp/.esd-@{pid}*/ rw,
+  owner /tmp/.esd-@{pid}*/socket rw,
+
+  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
+    include <abstractions/base>
+    include <abstractions/gnome>
+    include <abstractions/dconf>
+
+    /usr/libexec/pulse/gsettings-helper mr,
+    owner /{,var/}run/user/*/dconf/user rw,
+    owner @{HOME}/.config/dconf/user rw,
+    owner @{PROC}/@{pid}/fd/ r,
+    signal (receive) peer=pulseaudio,
+  }
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.pulseaudio>
+}
+
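Review bot: `/var/lib/gdm3/...` and `/var/lib/lightdm/...` are the Debian/Ubuntu display-manager home directories carried over from the upstream profile (`gdm3` is Debian's package name); check they match where Void's gdm and lightdm keep their state before shipping, otherwise the rules are dead weight. The `# are these needed?` block above `/var/lib/pulse/` should be resolved rather than committed as an open question, `/etc/timidity/.pulse_cookie w,` looks like another distro-specific leftover, and the trailing blank line after the closing `}` can go.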
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
new file mode 100644
index 000000000000..b365c927b656
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  network inet dgram,
+
+  /usr/bin/uuidd mr,
+
+  /run/uuidd/request rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.uuidd>
+}
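Review bot: `profile uuid /usr/bin/uuidd {` names the profile `uuid` while the file, the binary and the `local/usr.bin.uuidd` include all say `uuidd`; the profile name is what `aa-status` and `DENIED` audit lines report, so rename it to `uuidd` for consistency with the other Void profiles.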
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
new file mode 100644
index 000000000000..c5bb67d562fa
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+  include <abstractions/base>
+  include <abstractions/dbus-strict>
+
+  capability net_admin,
+  capability net_raw,
+  capability chown,
+  capability dac_override,
+  capability fsetid,
+  network inet dgram,
+  network inet raw,
+  network packet dgram,
+  network netlink,
+
+  /usr/bin/wpa_supplicant mr,
+
+  /run/wpa_supplicant/ rw,
+  /run/wpa_supplicant/** rw,
+
+  /run/dbus/system_bus_socket rw,
+  /run/sendsigs.omit.d/wpasupplicant.pid rw,
+
+  /etc/wpa_supplicant/ rw,
+  /etc/wpa_supplicant/** rw,
+  
+  /etc/nsswitch.conf r,
+  /etc/group r,
+ 
+  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
+  @{PROC}/@{pid}/psched r,
+
+  /dev/rfkill r,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1,
+
+  dbus (send, receive)
+       bus=system
+       path=/fi/w1/wpa_supplicant1/**,
+
+  dbus (send,receive)
+       bus=system
+       path=/fi/epitest/hostap/WPASupplicant/**,
+
+  include if exists <local/usr.bin.wpa_supplicant>
+}
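Review bot: `/run/sendsigs.omit.d/wpasupplicant.pid rw,` is a Debian sysv-init path with no counterpart on a runit system and can be dropped. The three `dbus (send, receive) bus=system path=...` rules carry no `interface=` or `peer=` qualifier, so any process on the system bus may talk to those object paths and wpa_supplicant may talk to anyone about them; there is also no `dbus bind` rule for the `fi.w1.wpa_supplicant1` name, so if D-Bus mediation is active the daemon cannot claim its bus name, which is worth testing with the D-Bus interface enabled. Two lines, after `/etc/wpa_supplicant/** rw,` and after `/etc/group r,`, consist only of trailing whitespace, and this is the one profile missing the `# Site-specific additions and overrides` comment above its `include if exists`.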
diff --git a/srcpkgs/apparmor-rules-void/template b/srcpkgs/apparmor-rules-void/template
new file mode 100644
index 000000000000..8c9521b2b246
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/template
@@ -0,0 +1,14 @@
+# Template file for 'apparmor-rules-void'
+pkgname=apparmor-rules-void
+version=2021.05.17
+revision=1
+build_style=meta
+short_desc="AppArmor Void Linux rules"
+maintainer="Paper <paper@tilde.institute>"
+license="GPL-2.0-only"
+homepage="https://github.com/void-linux/void-packages/"
+
+do_install() {
+	vmkdir etc/apparmor.d
+	cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/
+}
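Review bot: `build_style=meta` together with a `do_install` that copies files is contradictory; a meta package has no contents, and xbps-src's meta style exists for dependency-only packages. Drop `build_style` and use the helpers, for example `vmkdir etc/apparmor.d` followed by `vcopy "${FILESDIR}/profiles/*" etc/apparmor.d`, instead of a raw `cp` into `${DESTDIR}`. The profiles also land in `/etc` without a `conf_files` entry, so local edits to them are overwritten on update; that is acceptable only because each profile ends with `include if exists <local/...>`, which is where users are meant to put changes, so say so in the template.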

From cf6b7b18303acf356e6479f342d5ab15b427ce7e Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:27:04 +0200
Subject: [PATCH 3/3] apparmor: move rules to a separate package

also fix license - libapparmor is LGPL-2.1-only, everything else is
GPL-2.0-only
---
 .../apparmor/files/profiles/usr.bin.dhcpcd    |  66 ---------
 srcpkgs/apparmor/files/profiles/usr.bin.nginx |  32 -----
 .../apparmor/files/profiles/usr.bin.php-fpm   |  45 ------
 .../files/profiles/usr.bin.pulseaudio         | 132 ------------------
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd |  19 ---
 .../files/profiles/usr.bin.wpa_supplicant     |  53 -------
 .../patches/fix-dnsmasq-libvirt.patch         |  13 --
 srcpkgs/apparmor/template                     |  27 ++--
 8 files changed, 9 insertions(+), 378 deletions(-)
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.nginx
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.uuidd
 delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch

diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
deleted file mode 100644
index 1d6e1b95d62a..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ /dev/null
@@ -1,66 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile dhcpcd /{usr/,}bin/dhcpcd {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-
-  capability chown,
-  capability fowner,
-  capability fsetid,
-  capability kill,
-  capability net_admin,
-  capability net_raw,
-  capability setuid,
-  capability setgid,
-  capability sys_admin,
-  capability sys_chroot,
-  capability bpf,
-
-  network packet dgram,
-  network packet raw,
-  network inet raw,
-  network inet6 raw,
-
-  /dev/pts/* rw,
-
-  /etc/dhcpcd.{conf,duid,secret} r,
-  /etc/ld.so.cache r,
-  /etc/udev/udev.conf r,
-
-  /proc/*/net/if_inet6 r,
-  /proc/sys/net/ipv{4,6}/conf/*/* rw,
-  /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
-  /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
-
-  /{var/,}run/dhcpcd/ w,
-  /{var/,}run/dhcpcd/{,*.}pid rwk,
-  /{var/,}run/dhcpcd/{,*.}sock rw,
-  /{var/,}run/dhcpcd/unpriv.sock rw,
-  /{var/,}run/udev/data/* r,
-
-  /sys/devices/**/net/*/uevent r,
-
-  /{usr/,}bin/dash ix,
-  /{usr/,}bin/dash mrix,
-
-  /usr/lib/dhcpcd/dev/udev.so m,
-  /usr/lib/ld-*.so m,
-  /usr/lib/libc-*.so m,
-
-  # Trust hooks and run the wrapper unconfined
-  /usr/libexec/dhcpcd-run-hooks CUx,
-
-  /var/db/dhcpcd-*.lease rw,
-  /var/db/dhcpcd/** rw,
-  /{usr/,}bin/dhcpcd mrix,
-
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/stat r,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.dhcpcd>
-}
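Review bot: the commit subject says the rules are moved, but this hunk and the five profile hunks after it record plain deletions, with the re-addition living in the preceding commit of the series; a single commit that renames srcpkgs/apparmor/files/profiles into the new package would let `git log --follow` keep each profile's history and would make the review diff show only what actually changed. While moving usr.bin.dhcpcd, `/{usr/,}bin/dash ix,` is redundant next to `/{usr/,}bin/dash mrix,` on the following line, and `/usr/libexec/dhcpcd-run-hooks CUx,` deserves a comment in the new copy: `CUx` runs the hook scripts unconfined, so anything in that hook directory executes outside the policy and needs the same review as the profile itself.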
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
deleted file mode 100644
index be769703f5df..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ /dev/null
@@ -1,32 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
-# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
-# /path/to/your/unix/socket rw,
-
-include <tunables/global>
-
-profile nginx /usr/bin/nginx {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/nis>
-  include <abstractions/openssl>
-
-  capability setgid,
-  capability setuid,
-
-  /etc/nginx/** r,
-
-  /run/nginx.pid rw,
-
-  /usr/bin/nginx mr,
-
-  /usr/share/nginx/html/* r,
-
-  /var/log/nginx/* w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.nginx>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
deleted file mode 100644
index 0b036965da1d..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ /dev/null
@@ -1,45 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile uses TCP sockets by default
-# If you wish for php-fpm to listen to unix socket,
-# add the following permission to local/usr.bin.php-fpm
-# /path/to/your/unix/socket w,
-
-include <tunables/global>
-
-# This is PHP open_basedir where script can only be executed from.
-# /home, /tmp have been removed to not open permissions too widely
-# /usr/share/pear have been removed to have its own permission
-@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
-
-profile php-fpm /usr/bin/php-fpm {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/openssl>
-  include <abstractions/php>
-
-  capability setgid,
-  capability setuid,
-  capability kill,
-
-  /etc/php/php-fpm.conf r,
-  /etc/php/php-fpm.d/* r,
-
-  # This is set to make php-fpm work by default, but if you don't use these paths
-  # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
-  # to where your PHP app is located
-  @{PHP_BASEDIRS}/** r,
-
-  /usr/bin/php-fpm mr,
-
-  /usr/share/pear/** r,
-  /usr/share/php/fpm/status.html r,
-
-  /var/log/php-fpm.log w,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.php-fpm>
-
-}
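Review bot: the comment above `@{PHP_BASEDIRS}/** r,` tells the admin to put the `deny` override into `local.usr.bin.php-fpm`, but the profile includes `<local/usr.bin.php-fpm>`; an override written to the file name in the comment is never loaded, so the path should be corrected in the copy that moves to the new package.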
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
deleted file mode 100644
index f8ceb4c23343..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ /dev/null
@@ -1,132 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile pulseaudio /usr/bin/pulseaudio {
-  include <abstractions/base>
-  include <abstractions/audio>
-  include <abstractions/dbus-session>
-  include <abstractions/dbus-strict>
-  include <abstractions/nameservice>
-  include <abstractions/X>
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.RealtimeKit1
-       member={MakeThreadRealtime,MakeThreadHighPriority}
-       peer=(name=org.freedesktop.RealtimeKit1),
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.DBus.Properties
-       member=Get,
-
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
-  ptrace (read,trace) peer=@{profile_name},
-  signal (send) peer=pulseaudio//pulse-gsettings-helper,
-
-  /usr/bin/pulseaudio mixr,
-
-  /etc/pulse/ r,
-  /etc/pulse/* r,
-  /etc/udev/udev.conf r,
-  /etc/timidity/.pulse_cookie w,
-
-  /etc/asound.conf r,
-
-  owner @{HOME}/.esd_auth rwk,
-  owner @{HOME}/.pulse-cookie rwk,
-  owner @{HOME}/.config/pulse/cookie rwk,
-  owner @{HOME}/{.config/pulse,.pulse}/ rw,
-  owner @{HOME}/{.config/pulse,.pulse}/* rw,
-
-  owner /run/pulse/ rw,
-  owner /run/pulse/.pulse-cookie rwk,
-  owner /run/pulse/dbus-socket rwk,
-  owner /run/pulse/native rwk,
-  owner /run/pulse/pid rwk,
-  owner /run/user/[0-9]*/pulse/  rw,
-  owner /run/user/[0-9]*/pulse/* rwk,
-  /run/udev/data/+sound:card* r,
-  /run/udev/data/c116:[0-9]* r,
-  /run/udev/data/c14:[0-9]* r,
-
-  # logind
-  /run/user/[0-9]*/dconf/user k,
-
-  /sys/bus/ r,
-  /sys/class/ r,
-  /sys/class/sound/ r,
-  /sys/devices/pci[0-9]*/**/*class r,
-  /sys/devices/pci[0-9]*/**/uevent r,
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/online r,
-  /sys/devices/virtual/dmi/id/bios_vendor r,
-  /sys/devices/virtual/dmi/id/board_vendor r,
-  /sys/devices/virtual/dmi/id/sys_vendor r,
-  /sys/devices/virtual/sound/**/uevent r,
-
-  /usr/share/alsa/** r,
-  /usr/share/pulseaudio/** r,
-  /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
-  /usr/libexec/pulse/gsettings-helper Cx,
-
-  /usr/{,local/}share/applications/ r,
-  /usr/{,local/}share/applications/* r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
-  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
-  /var/lib/flatpak/exports/share/applications/ r,
-  /var/lib/flatpak/exports/share/applications/* r,
-
-  owner /var/lib/gdm3/.config/pulse/ rw,
-  owner /var/lib/gdm3/.config/pulse/* rw,
-  owner /var/lib/gdm3/.config/pulse/cookie rwk,
-
-  owner /var/lib/lightdm/.Xauthority r,
-  owner /var/lib/lightdm/.esd_auth rwk,
-  owner /var/lib/lightdm/.config/pulse/cookie rwk,
-  owner /var/lib/lightdm/.config/pulse/ rw,
-  owner /var/lib/lightdm/.config/pulse/* rw,
-
-  # are these needed?
-  /var/lib/pulse/ rw,
-  /var/lib/pulse/*-default-sink rw,
-  /var/lib/pulse/*-default-source rw,
-  /var/lib/pulse/*.tdb rw,
-
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
-
-  owner /tmp/pulse-*/pid rwk,
-  owner /tmp/pulse-*/native rwk,
-  owner /tmp/pulse-*/autospawn.lock rwk,
-  owner /run/user/*/pulse/autospawn.lock rwk,
-
-  owner /tmp/orcexec.* mrw,
-  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
-  # needed if /tmp is mounted noexec:
-  owner @{HOME}/orcexec.* mrw,
-
-  owner /tmp/.esd-@{pid}*/ rw,
-  owner /tmp/.esd-@{pid}*/socket rw,
-
-  profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
-    include <abstractions/base>
-    include <abstractions/gnome>
-    include <abstractions/dconf>
-
-    /usr/libexec/pulse/gsettings-helper mr,
-    owner /{,var/}run/user/*/dconf/user rw,
-    owner @{HOME}/.config/dconf/user rw,
-    owner @{PROC}/@{pid}/fd/ r,
-    signal (receive) peer=pulseaudio,
-  }
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.pulseaudio>
-}
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
deleted file mode 100644
index b365c927b656..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ /dev/null
@@ -1,19 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile uuid /usr/bin/uuidd {
-  include <abstractions/base>
-  include <abstractions/consoles>
-
-  network inet dgram,
-
-  /usr/bin/uuidd mr,
-
-  /run/uuidd/request rw,
-
-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.uuidd>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
deleted file mode 100644
index c5bb67d562fa..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ /dev/null
@@ -1,53 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile wpa_supplicant /usr/bin/wpa_supplicant {
-  include <abstractions/base>
-  include <abstractions/dbus-strict>
-
-  capability net_admin,
-  capability net_raw,
-  capability chown,
-  capability dac_override,
-  capability fsetid,
-  network inet dgram,
-  network inet raw,
-  network packet dgram,
-  network netlink,
-
-  /usr/bin/wpa_supplicant mr,
-
-  /run/wpa_supplicant/ rw,
-  /run/wpa_supplicant/** rw,
-
-  /run/dbus/system_bus_socket rw,
-  /run/sendsigs.omit.d/wpasupplicant.pid rw,
-
-  /etc/wpa_supplicant/ rw,
-  /etc/wpa_supplicant/** rw,
-  
-  /etc/nsswitch.conf r,
-  /etc/group r,
- 
-  @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
-  @{PROC}/@{pid}/psched r,
-
-  /dev/rfkill r,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1,
-
-  dbus (send, receive)
-       bus=system
-       path=/fi/w1/wpa_supplicant1/**,
-
-  dbus (send,receive)
-       bus=system
-       path=/fi/epitest/hostap/WPASupplicant/**,
-
-  include if exists <local/usr.bin.wpa_supplicant>
-}
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
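Review bot: dropping fix-dnsmasq-libvirt.patch removes the `m` → `mr` change for `/usr/libexec/libvirt_leaseshelper` without carrying it anywhere else in the series, so the situation the patch was added to fix returns as soon as the unmodified upstream profile ships. Until the change is accepted upstream it belongs with whichever package now installs usr.sbin.dnsmasq (apparmor-rules-upstream, per the new `depends=`), either as a patch there or as a shipped `local/usr.sbin.dnsmasq` override that adds the Void-specific path.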
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 0d8c1ec7087e..45a39b8d97c6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,19 +1,20 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=4
+revision=5
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
-conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
+conf_files="/etc/apparmor/*"
 make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
-depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
+depends="runit-void-apparmor apparmor-rules-upstream apparmor-rules-void
+ libapparmor-${version}_${revision} python3-notify2 python3-psutil"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
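Review bot: `conf_files` loses `/etc/apparmor.d/local/*` here, yet the `local/` override files are exactly what admins are expected to edit (every profile ends in `include if exists <local/...>`), so whichever of the two new rules packages installs them must declare them as `conf_files` or updates will clobber site overrides. The hard `depends=` on both `apparmor-rules-upstream` and `apparmor-rules-void` also means an admin who wants only upstream policy can no longer leave the Void-specific profiles out; `apparmor-rules-void` reads more like an optional extra than a hard dependency of the parser package.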
@@ -28,23 +29,15 @@ pre_configure() {
 	autoreconf -if
 }
 
-pre_build() {
-	# Replace release profiles with our own
-	cd ${wrksrc}
-	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-}
-
 post_build() {
-	cd ${wrksrc}
-
+	cd "${wrksrc}"
 	make ${makejobs} -C binutils
 	make ${makejobs} -C utils
 	make ${makejobs} -C parser
-	make ${makejobs} -C profiles
 }
 
 post_install() {
-	cd ${wrksrc}
+	cd "${wrksrc}"
 	commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
 	make $commonflags install -C binutils
 	make $commonflags \
@@ -54,15 +47,11 @@ post_install() {
 	make $commonflags \
 		APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
 		install -C parser
-	make DESTDIR="${DESTDIR}" install -C profiles
 
 	# requires perl bindings not generated when cross-compiling
 	if [ "$CROSS_BUILD" ]; then
 		rm -f ${DESTDIR}/usr/bin/aa-notify
 	fi
-
-	# we installed a custom conflicting profile
-	rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
 }
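Review bot: removing `rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm` brings back the conflict its own comment describes: the upstream `php-fpm` profile and the Void `usr.bin.php-fpm` profile (which declares `profile php-fpm /usr/bin/php-fpm`) both confine the same binary, and once one ships via apparmor-rules-upstream and the other via apparmor-rules-void both land in /etc/apparmor.d and the parser rejects the duplicate profile; one of the two packages has to drop or rename its php-fpm profile. In the same hunk, `make DESTDIR="${DESTDIR}" install -C profiles` was also what installed `abstractions/` and `tunables/`; with it gone, apparmor-rules-upstream must provide them, otherwise `include <tunables/global>` fails for every profile on the system.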
 
 apparmor-vim_package() {
@@ -76,6 +65,7 @@ apparmor-vim_package() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
@@ -89,6 +79,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (9 preceding siblings ...)
  2021-05-17 13:57 ` [PR PATCH] [Updated] " paper42
@ 2021-05-17 14:04 ` noarchwastaken
  2021-05-17 14:04 ` noarchwastaken
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: noarchwastaken @ 2021-05-17 14:04 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 4205 bytes --]

New comment by noarchwastaken on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-842352140

Comment:
> @noarchwastaken <https://github.com/noarchwastaken>, I noticed the patch you added for dnsmasq is not in the master branch of apparmor, would you like to make a PR there?

TBH, I'm not sure if it's a Void-specific issue. I have other machines running Arch and Fedora 33 and they work fine. I guess I have to dig into the package for those distros... If it is an upstream issue, sure I will make a PR there.

Ah wait, FC33 is using SELinux. For Arch, I have to check the apparmor status on that...

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (12 preceding siblings ...)
  2021-05-17 14:04 ` noarchwastaken
@ 2021-05-23 19:01 ` noarchwastaken
  2021-05-23 19:05 ` noarchwastaken
  2021-07-05 21:09 ` [PR PATCH] [Closed]: " paper42
  15 siblings, 0 replies; 17+ messages in thread
From: noarchwastaken @ 2021-05-23 19:01 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 312 bytes --]

New comment by noarchwastaken on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-846609187

Comment:
I just tested apparmor, dnsmasq and libvirt on Arch, and they worked fine without changing any configs. So it seems like my patch was solving a Void-specific issue.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (13 preceding siblings ...)
  2021-05-23 19:01 ` noarchwastaken
@ 2021-05-23 19:05 ` noarchwastaken
  2021-07-05 21:09 ` [PR PATCH] [Closed]: " paper42
  15 siblings, 0 replies; 17+ messages in thread
From: noarchwastaken @ 2021-05-23 19:05 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 525 bytes --]

New comment by noarchwastaken on void-packages repository

https://github.com/void-linux/void-packages/pull/30946#issuecomment-846609187

Comment:
I just tested apparmor, dnsmasq and libvirt on Arch, and they worked fine without changing any configs. So it seems like my patch was solving a Void-specific issue.

Edit:

I also couldn't find a related issue elsewhere, and the dnsmasq profile on other distros does seem identical to upstream.

Overall, this PR could make dealing with apparmor rules a lot easier for sure.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PR PATCH] [Closed]: apparmor: move rules to a separate package
  2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
                   ` (14 preceding siblings ...)
  2021-05-23 19:05 ` noarchwastaken
@ 2021-07-05 21:09 ` paper42
  15 siblings, 0 replies; 17+ messages in thread
From: paper42 @ 2021-07-05 21:09 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 740 bytes --]

There's a closed pull request on the void-packages repository

apparmor: move rules to a separate package
https://github.com/void-linux/void-packages/pull/30946

Description:
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

@noarchwastaken, I noticed the patch you added for dnsmasq is not in the master branch of apparmor, would you like to make a PR there?

^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2021-07-05 21:09 UTC | newest]

Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-17  9:41 [PR PATCH] apparmor: move rules to a separate package paper42
2021-05-17  9:58 ` [PR PATCH] [Updated] " paper42
2021-05-17 10:06 ` paper42
2021-05-17 10:07 ` paper42
2021-05-17 12:30 ` Duncaen
2021-05-17 12:32 ` [PR REVIEW] " Duncaen
2021-05-17 12:43 ` ericonr
2021-05-17 13:24 ` [PR REVIEW] " paper42
2021-05-17 13:47 ` paper42
2021-05-17 13:55 ` noarchwastaken
2021-05-17 13:57 ` [PR PATCH] [Updated] " paper42
2021-05-17 14:04 ` noarchwastaken
2021-05-17 14:04 ` noarchwastaken
2021-05-17 14:04 ` noarchwastaken
2021-05-23 19:01 ` noarchwastaken
2021-05-23 19:05 ` noarchwastaken
2021-07-05 21:09 ` [PR PATCH] [Closed]: " paper42
