From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: [PR PATCH] apparmor: move rules to a separate package
Date: Mon, 17 May 2021 11:41:31 +0200
Message-ID: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-30946@inbox.vuxu.org>
There is a new pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages apparmor-split-rules
https://github.com/void-linux/void-packages/pull/30946
apparmor: move rules to a separate package
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
@noarchwastaken, I noticed the patch you added for dnsmasq is not in the master branch of apparmor; would you like to make a PR there?
A patch file from https://github.com/void-linux/void-packages/pull/30946.patch is attached
From c9eb2bb47080bb718a52e3f818d802d5c96ef700 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:24 +0200
Subject: [PATCH 1/3] New package: apparmor-rules-upstream-2021.04.21
---
srcpkgs/apparmor-rules-upstream/template | 35 ++++++++++++++++++++++++
srcpkgs/apparmor-rules-upstream/update | 2 ++
2 files changed, 37 insertions(+)
create mode 100644 srcpkgs/apparmor-rules-upstream/template
create mode 100644 srcpkgs/apparmor-rules-upstream/update
diff --git a/srcpkgs/apparmor-rules-upstream/template b/srcpkgs/apparmor-rules-upstream/template
new file mode 100644
index 000000000000..82947777d152
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/template
@@ -0,0 +1,35 @@
+# Template file for 'apparmor-rules-upstream'
+pkgname=apparmor-rules-upstream
+version=2021.04.21
+revision=1
+_commit=92e27f5566eb5d6e0cd0c54c3bd4b656a3310dba
+wrksrc="apparmor-${_commit}"
+build_wrksrc="profiles"
+build_style=gnu-makefile
+conf_files="/etc/apparmor.d/local/*"
+hostmakedepends="which"
+short_desc="AppArmor upstream rules"
+maintainer="Paper <paper@tilde.institute>"
+license="LGPL-2.1-only"
+homepage="https://gitlab.com/apparmor/apparmor"
+changelog="https://gitlab.com/apparmor/apparmor/-/commits/master/profiles"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/${_commit}/apparmor-${_commit}.tar.gz"
+checksum=2a3d7fd711ec01509027638b87584094e4f974ad7db2304adcc3494c7d11d06d
+make_check=no # circular dependency on apparmor_parser from the apparmor package
+
+post_patch() {
+ cd apparmor.d
+
+ for old_filename in sbin.* usr.sbin.*; do
+ new_filename="usr.bin.${old_filename/*sbin.}"
+ vsed -e "s,local/$old_filename,local/$new_filename," -i "$old_filename"
+ mv "$old_filename" "$new_filename"
+ done
+
+ vsed -e 's|/usr/libexec/libvirt_leaseshelper m,|/usr/libexec/libvirt_leaseshelper mr,|' -i usr.bin.dnsmasq
+}
+
+pre_build() {
+ # apparmor-rules-void contains conflicting rules
+ rm -f apparmor.d/php-fpm apparmor/profiles/extra/sbin.dhcpcd
+}
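Review bot: `rm -f` in `pre_build` succeeds silently if either path is wrong, so a typo here would leave a second dhcpcd profile in the package without failing the build; since `post_patch` only renames `apparmor.d/sbin.*` and the second path `apparmor/profiles/extra/sbin.dhcpcd` is relative to `build_wrksrc="profiles"`, please confirm that path exists in the upstream tree as spelled (upstream keeps its unloaded profiles under an `extras` directory, plural) and consider dropping `-f` so a mismatch is caught.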
diff --git a/srcpkgs/apparmor-rules-upstream/update b/srcpkgs/apparmor-rules-upstream/update
new file mode 100644
index 000000000000..ec619829d3b4
--- /dev/null
+++ b/srcpkgs/apparmor-rules-upstream/update
@@ -0,0 +1,2 @@
+site=https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d
+pattern='<li class="commits-row" data-day="\K.*(?=">)'
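Review bot: the `pattern` captures the raw `data-day` attribute from GitLab's commit-list HTML; if that value is a dashed date (`2021-04-21`) it will not compare equal to the dotted `version=2021.04.21` in the template unless the update checker normalizes separators, so run the update check once against this template and confirm it does not report a spurious new version. Scraping a commits page also breaks silently whenever GitLab changes its markup, which is worth a comment in the file.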
From c3955c5f4306987ee07424c75c566c4004c94731 Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:26:35 +0200
Subject: [PATCH 2/3] New package: apparmor-rules-void-2021.05.17
---
.../files/profiles/usr.bin.dhcpcd | 66 +++++++++
.../files/profiles/usr.bin.nginx | 32 +++++
.../files/profiles/usr.bin.php-fpm | 45 ++++++
.../files/profiles/usr.bin.pulseaudio | 132 ++++++++++++++++++
.../files/profiles/usr.bin.uuidd | 19 +++
.../files/profiles/usr.bin.wpa_supplicant | 53 +++++++
srcpkgs/apparmor-rules-void/template | 15 ++
7 files changed, 362 insertions(+)
create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
create mode 100644 srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
create mode 100644 srcpkgs/apparmor-rules-void/template
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
new file mode 100644
index 000000000000..1d6e1b95d62a
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd
@@ -0,0 +1,66 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ capability chown,
+ capability fowner,
+ capability fsetid,
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability sys_admin,
+ capability sys_chroot,
+ capability bpf,
+
+ network packet dgram,
+ network packet raw,
+ network inet raw,
+ network inet6 raw,
+
+ /dev/pts/* rw,
+
+ /etc/dhcpcd.{conf,duid,secret} r,
+ /etc/ld.so.cache r,
+ /etc/udev/udev.conf r,
+
+ /proc/*/net/if_inet6 r,
+ /proc/sys/net/ipv{4,6}/conf/*/* rw,
+ /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
+ /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
+
+ /{var/,}run/dhcpcd/ w,
+ /{var/,}run/dhcpcd/{,*.}pid rwk,
+ /{var/,}run/dhcpcd/{,*.}sock rw,
+ /{var/,}run/dhcpcd/unpriv.sock rw,
+ /{var/,}run/udev/data/* r,
+
+ /sys/devices/**/net/*/uevent r,
+
+ /{usr/,}bin/dash ix,
+ /{usr/,}bin/dash mrix,
+
+ /usr/lib/dhcpcd/dev/udev.so m,
+ /usr/lib/ld-*.so m,
+ /usr/lib/libc-*.so m,
+
+ # Trust hooks and run the wrapper unconfined
+ /usr/libexec/dhcpcd-run-hooks CUx,
+
+ /var/db/dhcpcd-*.lease rw,
+ /var/db/dhcpcd/** rw,
+ /{usr/,}bin/dhcpcd mrix,
+
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.bin.dhcpcd>
+}
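Review bot: `/usr/libexec/dhcpcd-run-hooks CUx,` transitions every hook script to unconfined, so whatever dhcpcd hands to the hooks (lease-derived environment, resolver updates) runs outside policy; a child profile (`Cx` into a named `profile dhcpcd-run-hooks` block, the way the pulseaudio profile in this PR confines its gsettings helper) would keep the hooks covered, or the comment should say why unconfined is required. Separately, `/{usr/,}bin/dash ix,` is subsumed by the `/{usr/,}bin/dash mrix,` line directly below it and can be dropped, and a one-line justification next to `capability sys_admin,` and `capability bpf,` would help the next reviewer, since those two cover far more than the rest of the list.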
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
new file mode 100644
index 000000000000..be769703f5df
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.nginx
@@ -0,0 +1,32 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+include <tunables/global>
+
+profile nginx /usr/bin/nginx {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/nis>
+ include <abstractions/openssl>
+
+ capability setgid,
+ capability setuid,
+
+ /etc/nginx/** r,
+
+ /run/nginx.pid rw,
+
+ /usr/bin/nginx mr,
+
+ /usr/share/nginx/html/* r,
+
+ /var/log/nginx/* w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.bin.nginx>
+}
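Review bot: typo in the header comment, `pfp-fpm` should read `php-fpm`. The NOTE only mentions the php-fpm socket, but the profile grants read access to `/usr/share/nginx/html/*` alone (a single level, no subdirectories), so any other document root or nested directory also needs an entry in `local/usr.bin.nginx`; adding that to the NOTE would save users a denial on first deploy.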
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
new file mode 100644
index 000000000000..0b036965da1d
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.php-fpm
@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+include <tunables/global>
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+profile php-fpm /usr/bin/php-fpm {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/php>
+
+ capability setgid,
+ capability setuid,
+ capability kill,
+
+ /etc/php/php-fpm.conf r,
+ /etc/php/php-fpm.d/* r,
+
+ # This is set to make php-fpm work by default, but if you don't use these paths
+ # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+ # to where your PHP app is located
+ @{PHP_BASEDIRS}/** r,
+
+ /usr/bin/php-fpm mr,
+
+ /usr/share/pear/** r,
+ /usr/share/php/fpm/status.html r,
+
+ /var/log/php-fpm.log w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.bin.php-fpm>
+
+}
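Review bot: the comment `add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm` names the wrong file; the include at the bottom reads `<local/usr.bin.php-fpm>`, so it should say `local/usr.bin.php-fpm`. The advice itself is sound, since `deny` rules take precedence over allow rules in AppArmor. The stray blank line before the closing brace can go.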
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
new file mode 100644
index 000000000000..f8ceb4c23343
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.pulseaudio
@@ -0,0 +1,132 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile pulseaudio /usr/bin/pulseaudio {
+ include <abstractions/base>
+ include <abstractions/audio>
+ include <abstractions/dbus-session>
+ include <abstractions/dbus-strict>
+ include <abstractions/nameservice>
+ include <abstractions/X>
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.RealtimeKit1
+ member={MakeThreadRealtime,MakeThreadHighPriority}
+ peer=(name=org.freedesktop.RealtimeKit1),
+
+ dbus send
+ bus=system
+ path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.DBus.Properties
+ member=Get,
+
+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+ ptrace (read,trace) peer=@{profile_name},
+ signal (send) peer=pulseaudio//pulse-gsettings-helper,
+
+ /usr/bin/pulseaudio mixr,
+
+ /etc/pulse/ r,
+ /etc/pulse/* r,
+ /etc/udev/udev.conf r,
+ /etc/timidity/.pulse_cookie w,
+
+ /etc/asound.conf r,
+
+ owner @{HOME}/.esd_auth rwk,
+ owner @{HOME}/.pulse-cookie rwk,
+ owner @{HOME}/.config/pulse/cookie rwk,
+ owner @{HOME}/{.config/pulse,.pulse}/ rw,
+ owner @{HOME}/{.config/pulse,.pulse}/* rw,
+
+ owner /run/pulse/ rw,
+ owner /run/pulse/.pulse-cookie rwk,
+ owner /run/pulse/dbus-socket rwk,
+ owner /run/pulse/native rwk,
+ owner /run/pulse/pid rwk,
+ owner /run/user/[0-9]*/pulse/ rw,
+ owner /run/user/[0-9]*/pulse/* rwk,
+ /run/udev/data/+sound:card* r,
+ /run/udev/data/c116:[0-9]* r,
+ /run/udev/data/c14:[0-9]* r,
+
+ # logind
+ /run/user/[0-9]*/dconf/user k,
+
+ /sys/bus/ r,
+ /sys/class/ r,
+ /sys/class/sound/ r,
+ /sys/devices/pci[0-9]*/**/*class r,
+ /sys/devices/pci[0-9]*/**/uevent r,
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/online r,
+ /sys/devices/virtual/dmi/id/bios_vendor r,
+ /sys/devices/virtual/dmi/id/board_vendor r,
+ /sys/devices/virtual/dmi/id/sys_vendor r,
+ /sys/devices/virtual/sound/**/uevent r,
+
+ /usr/share/alsa/** r,
+ /usr/share/pulseaudio/** r,
+ /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
+ /usr/libexec/pulse/gsettings-helper Cx,
+
+ /usr/{,local/}share/applications/ r,
+ /usr/{,local/}share/applications/* r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
+ owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
+ /var/lib/flatpak/exports/share/applications/ r,
+ /var/lib/flatpak/exports/share/applications/* r,
+
+ owner /var/lib/gdm3/.config/pulse/ rw,
+ owner /var/lib/gdm3/.config/pulse/* rw,
+ owner /var/lib/gdm3/.config/pulse/cookie rwk,
+
+ owner /var/lib/lightdm/.Xauthority r,
+ owner /var/lib/lightdm/.esd_auth rwk,
+ owner /var/lib/lightdm/.config/pulse/cookie rwk,
+ owner /var/lib/lightdm/.config/pulse/ rw,
+ owner /var/lib/lightdm/.config/pulse/* rw,
+
+ # are these needed?
+ /var/lib/pulse/ rw,
+ /var/lib/pulse/*-default-sink rw,
+ /var/lib/pulse/*-default-source rw,
+ /var/lib/pulse/*.tdb rw,
+
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
+
+ owner /tmp/pulse-*/pid rwk,
+ owner /tmp/pulse-*/native rwk,
+ owner /tmp/pulse-*/autospawn.lock rwk,
+ owner /run/user/*/pulse/autospawn.lock rwk,
+
+ owner /tmp/orcexec.* mrw,
+ owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
+ # needed if /tmp is mounted noexec:
+ owner @{HOME}/orcexec.* mrw,
+
+ owner /tmp/.esd-@{pid}*/ rw,
+ owner /tmp/.esd-@{pid}*/socket rw,
+
+ profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
+ include <abstractions/base>
+ include <abstractions/gnome>
+ include <abstractions/dconf>
+
+ /usr/libexec/pulse/gsettings-helper mr,
+ owner /{,var/}run/user/*/dconf/user rw,
+ owner @{HOME}/.config/dconf/user rw,
+ owner @{PROC}/@{pid}/fd/ r,
+ signal (receive) peer=pulseaudio,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.bin.pulseaudio>
+}
+
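Review bot: `# are these needed?` is an open question checked into the shipped profile; resolve it before merging or move it to the PR description. The `mrw` rules for `/tmp/orcexec.*`, `/{,var/}run/user/[0-9]*/orcexec.*` and `@{HOME}/orcexec.*` grant write plus mmap-exec on the same files, which is the one place this profile relaxes W^X (the noexec comment hints at the reason, orc's JIT, but a comment saying so explicitly would help). The file also ends with an extra blank line.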
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
new file mode 100644
index 000000000000..b365c927b656
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.uuidd
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile uuid /usr/bin/uuidd {
+ include <abstractions/base>
+ include <abstractions/consoles>
+
+ network inet dgram,
+
+ /usr/bin/uuidd mr,
+
+ /run/uuidd/request rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.bin.uuidd>
+}
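Review bot: the profile is named `uuid` while the binary is `/usr/bin/uuidd`; every other profile in this PR uses the binary name, and `aa-status` and audit logs report the profile name, so `profile uuidd /usr/bin/uuidd {` would be consistent and avoid confusion when reading denials.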
diff --git a/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
new file mode 100644
index 000000000000..c5bb67d562fa
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/files/profiles/usr.bin.wpa_supplicant
@@ -0,0 +1,53 @@
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile wpa_supplicant /usr/bin/wpa_supplicant {
+ include <abstractions/base>
+ include <abstractions/dbus-strict>
+
+ capability net_admin,
+ capability net_raw,
+ capability chown,
+ capability dac_override,
+ capability fsetid,
+ network inet dgram,
+ network inet raw,
+ network packet dgram,
+ network netlink,
+
+ /usr/bin/wpa_supplicant mr,
+
+ /run/wpa_supplicant/ rw,
+ /run/wpa_supplicant/** rw,
+
+ /run/dbus/system_bus_socket rw,
+ /run/sendsigs.omit.d/wpasupplicant.pid rw,
+
+ /etc/wpa_supplicant/ rw,
+ /etc/wpa_supplicant/** rw,
+
+ /etc/nsswitch.conf r,
+ /etc/group r,
+
+ @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
+ @{PROC}/@{pid}/psched r,
+
+ /dev/rfkill r,
+
+ dbus (send, receive)
+ bus=system
+ path=/fi/w1/wpa_supplicant1,
+
+ dbus (send, receive)
+ bus=system
+ path=/fi/w1/wpa_supplicant1/**,
+
+ dbus (send,receive)
+ bus=system
+ path=/fi/epitest/hostap/WPASupplicant/**,
+
+ include if exists <local/usr.bin.wpa_supplicant>
+}
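Review bot: `capability dac_override,` lets wpa_supplicant bypass permission checks on every path the profile allows; if it is only needed for one file, a comment naming it would justify the grant. `/run/sendsigs.omit.d/wpasupplicant.pid` is a Debian initscript convention and is unlikely to exist on a runit system, so it can probably be dropped. The three `dbus (send, receive)` rules restrict only `path`, not `interface` or `member`, and this file lacks the `# Site-specific additions and overrides` comment the other profiles carry above their `include if exists` line.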
diff --git a/srcpkgs/apparmor-rules-void/template b/srcpkgs/apparmor-rules-void/template
new file mode 100644
index 000000000000..70be42a614c0
--- /dev/null
+++ b/srcpkgs/apparmor-rules-void/template
@@ -0,0 +1,15 @@
+# Template file for 'apparmor-rules-void'
+pkgname=apparmor-rules-void
+version=2021.05.17
+revision=1
+build_style=meta
+conf_files="/etc/apparmor.d/local/*"
+short_desc="AppArmor Void Linux rules"
+maintainer="Paper <paper@tilde.institute>"
+license="GPL-2.0-only"
+homepage="https://github.com/void-linux/void-packages/"
+
+do_install() {
+ vmkdir etc/apparmor.d/
+ cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/
+}
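Review bot: `cp ${FILESDIR}/profiles/* ${DESTDIR}/etc/apparmor.d/` leaves both variables unquoted and installs the files with whatever mode they have in the repository; the template idiom is a `for f in ${FILESDIR}/profiles/*` loop calling `vinstall "$f" 644 etc/apparmor.d`, which fixes the mode (profiles under `/etc/apparmor.d` should not be executable) and fails loudly if the glob matches nothing. `build_style=meta` together with a `do_install` is also unusual for a package that does install files; either leave `build_style` unset or confirm meta is intended. `conf_files="/etc/apparmor.d/local/*"` is declared here although this package installs nothing under `local/`.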
From 827cb45a4b84b035e53cbb2573302f585d63930b Mon Sep 17 00:00:00 2001
From: Paper <paper@tilde.institute>
Date: Mon, 17 May 2021 11:27:04 +0200
Subject: [PATCH 3/3] apparmor: move rules to a separate package
also fix license - libapparmor is LGPL-2.1-only, everything else is
GPL-2.0-only
---
.../apparmor/files/profiles/usr.bin.dhcpcd | 66 ---------
srcpkgs/apparmor/files/profiles/usr.bin.nginx | 32 -----
.../apparmor/files/profiles/usr.bin.php-fpm | 45 ------
.../files/profiles/usr.bin.pulseaudio | 132 ------------------
srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 19 ---
.../files/profiles/usr.bin.wpa_supplicant | 53 -------
.../patches/fix-dnsmasq-libvirt.patch | 13 --
srcpkgs/apparmor/template | 27 ++--
8 files changed, 9 insertions(+), 378 deletions(-)
delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.nginx
delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.uuidd
delete mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
deleted file mode 100644
index 1d6e1b95d62a..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
+++ /dev/null
@@ -1,66 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile dhcpcd /{usr/,}bin/dhcpcd {
- include <abstractions/base>
- include <abstractions/nameservice>
-
- capability chown,
- capability fowner,
- capability fsetid,
- capability kill,
- capability net_admin,
- capability net_raw,
- capability setuid,
- capability setgid,
- capability sys_admin,
- capability sys_chroot,
- capability bpf,
-
- network packet dgram,
- network packet raw,
- network inet raw,
- network inet6 raw,
-
- /dev/pts/* rw,
-
- /etc/dhcpcd.{conf,duid,secret} r,
- /etc/ld.so.cache r,
- /etc/udev/udev.conf r,
-
- /proc/*/net/if_inet6 r,
- /proc/sys/net/ipv{4,6}/conf/*/* rw,
- /proc/sys/net/ipv{4,6}/neigh/*/retrans_time_ms w,
- /proc/sys/net/ipv{4,6}/neigh/*/base_reachable_time_ms w,
-
- /{var/,}run/dhcpcd/ w,
- /{var/,}run/dhcpcd/{,*.}pid rwk,
- /{var/,}run/dhcpcd/{,*.}sock rw,
- /{var/,}run/dhcpcd/unpriv.sock rw,
- /{var/,}run/udev/data/* r,
-
- /sys/devices/**/net/*/uevent r,
-
- /{usr/,}bin/dash ix,
- /{usr/,}bin/dash mrix,
-
- /usr/lib/dhcpcd/dev/udev.so m,
- /usr/lib/ld-*.so m,
- /usr/lib/libc-*.so m,
-
- # Trust hooks and run the wrapper unconfined
- /usr/libexec/dhcpcd-run-hooks CUx,
-
- /var/db/dhcpcd-*.lease rw,
- /var/db/dhcpcd/** rw,
- /{usr/,}bin/dhcpcd mrix,
-
- owner @{PROC}/@{pid}/mountinfo r,
- owner @{PROC}/@{pid}/stat r,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.bin.dhcpcd>
-}
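Review bot: the index line `1d6e1b95d62a..000000000000` matches the blob added as `srcpkgs/apparmor-rules-void/files/profiles/usr.bin.dhcpcd` in 2/3, so this is a byte-identical move, and the same holds for the other five profile deletions below. Squashing the add and the delete into one commit would let git record them as renames and would avoid the intermediate state after 2/3, where `apparmor` (via its `pre_build` copy) and `apparmor-rules-void` both ship the same `/etc/apparmor.d/usr.bin.*` paths.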
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
deleted file mode 100644
index be769703f5df..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.nginx
+++ /dev/null
@@ -1,32 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
-# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
-# /path/to/your/unix/socket rw,
-
-include <tunables/global>
-
-profile nginx /usr/bin/nginx {
- include <abstractions/base>
- include <abstractions/nameservice>
- include <abstractions/nis>
- include <abstractions/openssl>
-
- capability setgid,
- capability setuid,
-
- /etc/nginx/** r,
-
- /run/nginx.pid rw,
-
- /usr/bin/nginx mr,
-
- /usr/share/nginx/html/* r,
-
- /var/log/nginx/* w,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.bin.nginx>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
deleted file mode 100644
index 0b036965da1d..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
+++ /dev/null
@@ -1,45 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-# NOTE: This profile uses TCP sockets by default
-# If you wish for php-fpm to listen to unix socket,
-# add the following permission to local/usr.bin.php-fpm
-# /path/to/your/unix/socket w,
-
-include <tunables/global>
-
-# This is PHP open_basedir where script can only be executed from.
-# /home, /tmp have been removed to not open permissions too widely
-# /usr/share/pear have been removed to have its own permission
-@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
-
-profile php-fpm /usr/bin/php-fpm {
- include <abstractions/base>
- include <abstractions/nameservice>
- include <abstractions/openssl>
- include <abstractions/php>
-
- capability setgid,
- capability setuid,
- capability kill,
-
- /etc/php/php-fpm.conf r,
- /etc/php/php-fpm.d/* r,
-
- # This is set to make php-fpm work by default, but if you don't use these paths
- # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
- # to where your PHP app is located
- @{PHP_BASEDIRS}/** r,
-
- /usr/bin/php-fpm mr,
-
- /usr/share/pear/** r,
- /usr/share/php/fpm/status.html r,
-
- /var/log/php-fpm.log w,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.bin.php-fpm>
-
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio b/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
deleted file mode 100644
index f8ceb4c23343..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.pulseaudio
+++ /dev/null
@@ -1,132 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile pulseaudio /usr/bin/pulseaudio {
- include <abstractions/base>
- include <abstractions/audio>
- include <abstractions/dbus-session>
- include <abstractions/dbus-strict>
- include <abstractions/nameservice>
- include <abstractions/X>
-
- dbus send
- bus=system
- path=/org/freedesktop/RealtimeKit1
- interface=org.freedesktop.RealtimeKit1
- member={MakeThreadRealtime,MakeThreadHighPriority}
- peer=(name=org.freedesktop.RealtimeKit1),
-
- dbus send
- bus=system
- path=/org/freedesktop/RealtimeKit1
- interface=org.freedesktop.DBus.Properties
- member=Get,
-
- unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
- ptrace (read,trace) peer=@{profile_name},
- signal (send) peer=pulseaudio//pulse-gsettings-helper,
-
- /usr/bin/pulseaudio mixr,
-
- /etc/pulse/ r,
- /etc/pulse/* r,
- /etc/udev/udev.conf r,
- /etc/timidity/.pulse_cookie w,
-
- /etc/asound.conf r,
-
- owner @{HOME}/.esd_auth rwk,
- owner @{HOME}/.pulse-cookie rwk,
- owner @{HOME}/.config/pulse/cookie rwk,
- owner @{HOME}/{.config/pulse,.pulse}/ rw,
- owner @{HOME}/{.config/pulse,.pulse}/* rw,
-
- owner /run/pulse/ rw,
- owner /run/pulse/.pulse-cookie rwk,
- owner /run/pulse/dbus-socket rwk,
- owner /run/pulse/native rwk,
- owner /run/pulse/pid rwk,
- owner /run/user/[0-9]*/pulse/ rw,
- owner /run/user/[0-9]*/pulse/* rwk,
- /run/udev/data/+sound:card* r,
- /run/udev/data/c116:[0-9]* r,
- /run/udev/data/c14:[0-9]* r,
-
- # logind
- /run/user/[0-9]*/dconf/user k,
-
- /sys/bus/ r,
- /sys/class/ r,
- /sys/class/sound/ r,
- /sys/devices/pci[0-9]*/**/*class r,
- /sys/devices/pci[0-9]*/**/uevent r,
- /sys/devices/system/cpu/ r,
- /sys/devices/system/cpu/online r,
- /sys/devices/virtual/dmi/id/bios_vendor r,
- /sys/devices/virtual/dmi/id/board_vendor r,
- /sys/devices/virtual/dmi/id/sys_vendor r,
- /sys/devices/virtual/sound/**/uevent r,
-
- /usr/share/alsa/** r,
- /usr/share/pulseaudio/** r,
- /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr,
- /usr/libexec/pulse/gsettings-helper Cx,
-
- /usr/{,local/}share/applications/ r,
- /usr/{,local/}share/applications/* r,
- owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r,
- owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/* r,
- /var/lib/flatpak/exports/share/applications/ r,
- /var/lib/flatpak/exports/share/applications/* r,
-
- owner /var/lib/gdm3/.config/pulse/ rw,
- owner /var/lib/gdm3/.config/pulse/* rw,
- owner /var/lib/gdm3/.config/pulse/cookie rwk,
-
- owner /var/lib/lightdm/.Xauthority r,
- owner /var/lib/lightdm/.esd_auth rwk,
- owner /var/lib/lightdm/.config/pulse/cookie rwk,
- owner /var/lib/lightdm/.config/pulse/ rw,
- owner /var/lib/lightdm/.config/pulse/* rw,
-
- # are these needed?
- /var/lib/pulse/ rw,
- /var/lib/pulse/*-default-sink rw,
- /var/lib/pulse/*-default-source rw,
- /var/lib/pulse/*.tdb rw,
-
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/{maps,mountinfo,stat} r,
-
- owner /tmp/pulse-*/pid rwk,
- owner /tmp/pulse-*/native rwk,
- owner /tmp/pulse-*/autospawn.lock rwk,
- owner /run/user/*/pulse/autospawn.lock rwk,
-
- owner /tmp/orcexec.* mrw,
- owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
- # needed if /tmp is mounted noexec:
- owner @{HOME}/orcexec.* mrw,
-
- owner /tmp/.esd-@{pid}*/ rw,
- owner /tmp/.esd-@{pid}*/socket rw,
-
- profile pulse-gsettings-helper /usr/libexec/pulse/gsettings-helper {
- include <abstractions/base>
- include <abstractions/gnome>
- include <abstractions/dconf>
-
- /usr/libexec/pulse/gsettings-helper mr,
- owner /{,var/}run/user/*/dconf/user rw,
- owner @{HOME}/.config/dconf/user rw,
- owner @{PROC}/@{pid}/fd/ r,
- signal (receive) peer=pulseaudio,
- }
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.bin.pulseaudio>
-}
-
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
deleted file mode 100644
index b365c927b656..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
+++ /dev/null
@@ -1,19 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile uuid /usr/bin/uuidd {
- include <abstractions/base>
- include <abstractions/consoles>
-
- network inet dgram,
-
- /usr/bin/uuidd mr,
-
- /run/uuidd/request rw,
-
- # Site-specific additions and overrides. See local/README for details.
- include if exists <local/usr.bin.uuidd>
-}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant b/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
deleted file mode 100644
index c5bb67d562fa..000000000000
--- a/srcpkgs/apparmor/files/profiles/usr.bin.wpa_supplicant
+++ /dev/null
@@ -1,53 +0,0 @@
-# vim:syntax=apparmor
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-profile wpa_supplicant /usr/bin/wpa_supplicant {
- include <abstractions/base>
- include <abstractions/dbus-strict>
-
- capability net_admin,
- capability net_raw,
- capability chown,
- capability dac_override,
- capability fsetid,
- network inet dgram,
- network inet raw,
- network packet dgram,
- network netlink,
-
- /usr/bin/wpa_supplicant mr,
-
- /run/wpa_supplicant/ rw,
- /run/wpa_supplicant/** rw,
-
- /run/dbus/system_bus_socket rw,
- /run/sendsigs.omit.d/wpasupplicant.pid rw,
-
- /etc/wpa_supplicant/ rw,
- /etc/wpa_supplicant/** rw,
-
- /etc/nsswitch.conf r,
- /etc/group r,
-
- @{PROC}/sys/net/ipv{4,6}/conf/*/* rw,
- @{PROC}/@{pid}/psched r,
-
- /dev/rfkill r,
-
- dbus (send, receive)
- bus=system
- path=/fi/w1/wpa_supplicant1,
-
- dbus (send, receive)
- bus=system
- path=/fi/w1/wpa_supplicant1/**,
-
- dbus (send,receive)
- bus=system
- path=/fi/epitest/hostap/WPASupplicant/**,
-
- include if exists <local/usr.bin.wpa_supplicant>
-}
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-- /usr/libexec/libvirt_leaseshelper m,
-+ /usr/libexec/libvirt_leaseshelper mr,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
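Review bot: dropping this patch in favour of the `vsed` in `srcpkgs/apparmor-rules-upstream/template` is behaviourally equivalent today (both turn `/usr/libexec/libvirt_leaseshelper m,` into `mr,`), but a `vsed` does nothing, silently, once the upstream line changes, whereas a patch fails to apply and surfaces the drift. Since the PR description already asks for this fix to be sent upstream, carrying it as a patch file in the new package until it lands would be the safer form.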
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 0d8c1ec7087e..45a39b8d97c6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,19 +1,20 @@
# Template file for 'apparmor'
pkgname=apparmor
version=3.0.1
-revision=4
+revision=5
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
-conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
+conf_files="/etc/apparmor/*"
make_dirs="/etc/apparmor.d/disable 0755 root root"
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
makedepends="perl python3-devel"
-depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
+depends="runit-void-apparmor apparmor-rules-upstream apparmor-rules-void
+ libapparmor-${version}_${revision} python3-notify2 python3-psutil"
checkdepends="dejagnu"
short_desc="Mandatory access control to restrict programs"
maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+license="GPL-2.0-only"
homepage="https://gitlab.com/apparmor/apparmor"
changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
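Review bot: `apparmor` now hard-depends on both `apparmor-rules-upstream` and `apparmor-rules-void`, so the split does not let a user install the parser without the Void profiles; if making the rules optional is part of the intent, `apparmor-rules-void` could be left out of `depends` and pulled in by `runit-void-apparmor` or documented instead. Dropping `/etc/apparmor.d/local/*` from `conf_files` is consistent with both new packages declaring it, but please confirm on an upgrade from `revision=4` that xbps hands the existing `local/` files over to the new packages rather than reporting a conflict.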
@@ -28,23 +29,15 @@ pre_configure() {
autoreconf -if
}
-pre_build() {
- # Replace release profiles with our own
- cd ${wrksrc}
- cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-}
-
post_build() {
- cd ${wrksrc}
-
+ cd "${wrksrc}"
make ${makejobs} -C binutils
make ${makejobs} -C utils
make ${makejobs} -C parser
- make ${makejobs} -C profiles
}
post_install() {
- cd ${wrksrc}
+ cd "${wrksrc}"
commonflags="DESTDIR=\"${DESTDIR}\" SBINDIR=\"${DESTDIR}/usr/bin\" USR_SBINDIR=\"${DESTDIR}/usr/bin\""
make $commonflags install -C binutils
make $commonflags \
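Review bot: the `cd "${wrksrc}"` quoting changes in `post_build` and `post_install` are unrelated to the profile split; fine to keep, but they would be easier to review in their own commit or at least mentioned in the commit message.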
@@ -54,15 +47,11 @@ post_install() {
make $commonflags \
APPARMOR_BIN_PREFIX="${DESTDIR}/usr/lib/apparmor" \
install -C parser
- make DESTDIR="${DESTDIR}" install -C profiles
# requires perl bindings not generated when cross-compiling
if [ "$CROSS_BUILD" ]; then
rm -f ${DESTDIR}/usr/bin/aa-notify
fi
-
- # we installed a custom conflicting profile
- rm ${DESTDIR}/etc/apparmor.d/{,local/}php-fpm
}
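Review bot: the removed line deleted both `apparmor.d/php-fpm` and `local/php-fpm`, while the replacement in `apparmor-rules-upstream` removes only `apparmor.d/php-fpm` in `pre_build`; that is sufficient if the `local/` stubs are generated from the profiles present at install time, so please confirm the new package does not still ship a `local/php-fpm` that would conflict with `apparmor-rules-void`.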
apparmor-vim_package() {
@@ -76,6 +65,7 @@ apparmor-vim_package() {
libapparmor_package() {
short_desc+=" - Library"
+ license="LGPL-2.1-only"
pkg_install() {
vmove "usr/lib/libapparmor.so*"
if [ -z "$CROSS_BUILD" ]; then
@@ -89,6 +79,7 @@ libapparmor_package() {
libapparmor-devel_package() {
short_desc+=" - Library development files"
+ license="LGPL-2.1-only"
depends="lib${sourcepkg}-${version}_${revision}"
pkg_install() {
vmove usr/include