From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain
Date: Sat, 14 Aug 2021 22:44:36 +0200 [thread overview]
Message-ID: <20210814204436.Q0XGCOA76GmzmFnQsBYWVwR3n1ICHVxGYCclxYqLDK0@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-32451@inbox.vuxu.org>
There is an updated pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451
[RFC]: apparmor: change default mode to complain
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
I still need to test this PR.
- [x] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187, or do we want to wait for an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL* adopt
A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached
[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
From 3ea19283556061881d28ee4e9fda12614f821a23 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.
* adopt
* fix licenses
---
.../patches/fix-dnsmasq-libvirt.patch | 13 ----
.../patches/fix-setting-proc_attr_base.patch | 52 ---------------
...ogprofconf.patch => fix_logprofconf.patch} | 63 ++++++++++++-------
srcpkgs/apparmor/template | 14 +++--
4 files changed, 50 insertions(+), 92 deletions(-)
delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
rename srcpkgs/apparmor/patches/{correct_paths_logprofconf.patch => fix_logprofconf.patch} (52%)
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-- /usr/libexec/libvirt_leaseshelper m,
-+ /usr/libexec/libvirt_leaseshelper mr,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
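Review bot: the removal of fix-dnsmasq-libvirt.patch is not justified anywhere in the series; unlike fix-setting-proc_attr_base.patch this file carried no "upstream: yes" marker, so the diff alone does not show whether the `mr` permission for /usr/libexec/libvirt_leaseshelper landed in 3.0.3 or whether the dnsmasq profile silently regresses to `m` only on Void. A one-line check of profiles/apparmor.d/usr.sbin.dnsmasq in the 3.0.3 tarball (grep for libvirt_leaseshelper) would settle it, and the result belongs in the commit message.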
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- /* if we fail we just fall back to the default value */
- if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- autoclose int fd = open(tmp, O_RDONLY);
-- if (fd != -1)
-+ if (fd != -1) {
- proc_attr_base = proc_attr_base_stacking;
-- } else if (!is_enabled() && is_private_enabled()) {
-+ return;
-+ }
-+ }
-+ if (!is_enabled() && is_private_enabled()) {
- /* new stacking interfaces aren't available and apparmor
-- * is disabled, but available. do not use the
-- * /proc/<pid>/attr/ * interfaces as they could be
-- * in use by another LSM
-- */
-+ * is disabled, but available. do not use the
-+ * /proc/<pid>/attr/ * interfaces as they could be
-+ * in use by another LSM
-+ */
- proc_attr_base = proc_attr_base_unavailable;
-- } else {
-- proc_attr_base = proc_attr_base_old;
-+ return;
- }
-+ proc_attr_base = proc_attr_base_old;
- }
-
- static char *procattr_path(pid_t pid, const char *attr)
---
-GitLab
-
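Review bot: dropping fix-setting-proc_attr_base.patch is consistent with its "upstream: yes" marker, and the quoted upstream change fixes a real fall-through defect (proc_attr_base left unset when asprintf succeeds but the stacking interface file does not exist), so nothing is lost as long as 3.0.3 contains it. It would still help to cite the upstream commit cc113f4820721808c9efec8b075a5482e6f9a3ad in the commit message so the reason for the removal is recorded, and to confirm that libraries/libapparmor/src/kernel.c in the 3.0.3 tarball has the return-based proc_attr_base_init_once(), since the diffstat alone does not prove it.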
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
similarity index 52%
rename from srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
rename to srcpkgs/apparmor/patches/fix_logprofconf.patch
index e34e69af8bfb..a702cce454f0 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -1,17 +1,8 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
+modify logprof.conf for Void Linux
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
+@@ -12,11 +12,11 @@
[settings]
profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /usr/share/apparmor/extra-profiles
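Review bot: the nested patch loses its git header and keeps only the bare line "modify logprof.conf for Void Linux"; that is fine for a Void-local change, but the other patch in this series used an "upstream: yes" line, so stating here that these path changes are Void-specific and not meant for upstream would make the status obvious to the next updater. The inner hunk header also moves from -12,9 to -12,11, so the patch was regenerated against the 3.0.3 utils/logprof.conf; mentioning that in the commit message saves the reviewer a rebase check.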
@@ -21,9 +12,39 @@ index a778792..a9f7b79 100644
- parser = /sbin/apparmor_parser /sbin/subdomain_parser
+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
ldd = /usr/bin/ldd
- logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
+- logger = /bin/logger /usr/bin/logger
++ logger = /usr/bin/logger
+
+ # customize how file ownership permissions are presented
+ # 0 - off
+@@ -38,27 +38,29 @@
+
+ [qualifiers]
+ # things will be painfully broken if bash has a profile
+- /bin/bash = icnu
+- /usr/bin/bash = icnu
+- /bin/ksh = icnu
+- /usr/bin/ksh = icnu
+- /bin/dash = icnu
+- /usr/bin/dash = icnu
+- /bin/zsh = icnu
+- /usr/bin/zsh = icnu
++ /bin/bash = icnu
++ /usr/bin/bash = icnu
++ /bin/ksh = icnu
++ /usr/bin/ksh = icnu
++ /bin/dash = icnu
++ /usr/bin/dash = icnu
++ /bin/zsh = icnu
++ /usr/bin/zsh = icnu
++ /bin/fish = icnu
++ /usr/bin/fish = icnu
++ /bin/ash = icnu
++ /usr/bin/ash = icnu
++ /bin/rc = icnu
++ /usr/bin/rc = icnu
+
+ # these programs can't function if they're confined
/bin/mount = u
/usr/bin/mount = u
/etc/init.d/subdomain = u
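Review bot: the inner hunk at @@ -38,27 +38,29 @@ removes and re-adds the eight existing shell entries (bash, ksh, dash and zsh under /bin and /usr/bin) with no visible difference, which reads as whitespace-only churn; if the intent is only to add fish, ash and rc, the inner change could be limited to those six added lines. Worth stating in the description that the [qualifiers] section only constrains which execute modes aa-logprof and aa-genprof propose for these binaries (the file's own comment: "things will be painfully broken if bash has a profile"); it does not confine anything by itself, so this is a profile-generation usability change, not a hardening one. The logger line now drops /bin/logger; harmless on Void's merged /usr, but a word on why it was narrowed would help.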
@@ -33,14 +54,16 @@ index a778792..a9f7b79 100644
- /usr/sbin/subdomain_parser = u
- /usr/sbin/genprof = u
- /usr/sbin/logprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
+ /usr/bin/cardmgr = u
+ /usr/bin/subdomain_parser = u
+ /usr/bin/genprof = u
+ /usr/bin/logprof = u
- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
-@@ -97,8 +95,7 @@
+ # these ones shouln't have their own profiles
+ /bin/awk = icn
+@@ -97,8 +99,7 @@
/usr/bin/sed = icn
/bin/touch = icn
/usr/bin/touch = icn
@@ -50,15 +73,13 @@ index a778792..a9f7b79 100644
/usr/bin/find = icn
/usr/bin/killall = icn
/usr/bin/nice = icn
-@@ -112,6 +109,8 @@
+@@ -112,6 +113,9 @@
/usr/bin/python3.5 = icn
/usr/bin/python3.6 = icn
/usr/bin/python3.7 = icn
+ /usr/bin/python3.8 = icn
+ /usr/bin/python3.9 = icn
++ /usr/bin/python3.10 = icn
/usr/bin/tr = icn
[required_hats]
---
-2.29.0
-
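Review bot: adding `/usr/bin/python3.10 = icn` is forward-looking while the PR description still lists Python 3.10 support as open (apparmor issue 187); it is harmless, since a qualifier for a path that never appears in an exec event is simply never matched, but the commit message should say the 3.10 line is preparatory. The inner hunk header moves from +109,8 to +113,9, so the whole nested patch was regenerated; confirm it still applies cleanly to the 3.0.3 utils/logprof.conf before merge.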
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..2a9e373447b6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
# Template file for 'apparmor'
pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
@@ -10,15 +10,15 @@ make_dirs="/etc/apparmor.d/disable 0755 root root"
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
makedepends="perl python3-devel"
depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
- python3-psutil python3-dbus iproute2"
+ python3-psutil python3-dbus iproute2 which"
checkdepends="dejagnu"
short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
homepage="https://gitlab.com/apparmor/apparmor"
changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
replaces="apparmor-vim>=0"
if [ -z "$CROSS_BUILD" ]; then
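Review bot: `which` is added to the runtime depends on top of hostmakedepends, and the diff does not show which installed script calls it; the commit message should name it so the dependency can be dropped when it stops being needed. The license split (main package GPL-2.0-only, libapparmor subpackages LGPL-2.1-only) matches the "fix licenses" item. The checksum cannot be verified from the diff and should be checked against the upstream 3.0.3 tarball at the distfiles URL before merge.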
@@ -68,6 +68,7 @@ post_install() {
libapparmor_package() {
short_desc+=" - Library"
+ license="LGPL-2.1-only"
pkg_install() {
vmove "usr/lib/libapparmor.so*"
if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
libapparmor-devel_package() {
short_desc+=" - Library development files"
+ license="LGPL-2.1-only"
depends="lib${sourcepkg}-${version}_${revision}"
pkg_install() {
vmove usr/include
From 478d8a1a500883316df953db68c224ea1b81c871 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default
---
srcpkgs/runit-void/files/apparmor | 2 +-
srcpkgs/runit-void/template | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
# - disable
# - complain
# - enforce
-#APPARMOR=disable
+APPARMOR=complain
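Review bot: the file previously shipped only the commented-out `#APPARMOR=disable` line, so this hunk turns the shipped default from "no setting" into an explicit complain mode; since this is the substantive RFC change, the commit message should spell out the semantics: complain mode loads the profiles but only logs would-be denials and enforces nothing, and it has no effect unless apparmor is enabled on the kernel command line, as the PR description already notes. If this file is installed as a configuration file, existing installs keep their local copy and only fresh installs get the new default; stating that avoids the expectation that upgrading will switch existing systems to complain mode.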
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
# Template file for 'runit-void'
pkgname=runit-void
version=20210314
-revision=1
+revision=2
wrksrc="void-runit-${version}"
build_style=gnu-makefile
short_desc="Void Linux runit scripts"
Thread overview: 7+ messages
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
2021-08-11 1:06 ` ericonr
2021-08-14 20:44 ` paper42 [this message]
2021-08-15 3:52 ` [RFC]: apparmor: change default mode to complain ericonr
2021-09-18 11:36 ` [PR PATCH] [Updated] " paper42
2021-09-26 21:51 ` paper42
2021-09-28 9:46 ` [PR PATCH] [Merged]: " paper42