* [PR PATCH] apparmor: update to 3.0.3.
@ 2021-08-10 22:50 paper42
2021-08-11 1:06 ` ericonr
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: paper42 @ 2021-08-10 22:50 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1317 bytes --]
There is a new pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451
apparmor: update to 3.0.3.
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
I still need to test this PR.
- [ ] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187 or do we want to wait if there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default, disabled doesn't make sense, when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL
* adopt
* fix licenses
A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached
[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
[-- Type: text/x-diff, Size: 9835 bytes --]
From 4f50c710336a980aa8bb3a25dfdcb7e8c416a23c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.
* adopt
* fix licenses
---
.../patches/fix-dnsmasq-libvirt.patch | 13 ----
.../patches/fix-setting-proc_attr_base.patch | 52 --------------
...ogprofconf.patch => fix_logprofconf.patch} | 67 ++++++++++++-------
srcpkgs/apparmor/template | 12 ++--
4 files changed, 51 insertions(+), 93 deletions(-)
delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
rename srcpkgs/apparmor/patches/{correct_paths_logprofconf.patch => fix_logprofconf.patch} (50%)
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-- /usr/libexec/libvirt_leaseshelper m,
-+ /usr/libexec/libvirt_leaseshelper mr,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
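Review bot: the commit message gives no reason for dropping this patch, and unlike the proc_attr_base one it carries no `upstream: yes` marker. Confirm that the 3.0.3 `usr.sbin.dnsmasq` profile already has `/usr/libexec/libvirt_leaseshelper mr,`; if it still reads `m,`, dnsmasq on Void loses read access to the lease helper again, which in complain mode only shows up as an ALLOWED audit record and in enforce mode breaks libvirt leases. A `patches merged upstream in 3.0.3` line in the commit message would settle it for the next reader.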
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- /* if we fail we just fall back to the default value */
- if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- autoclose int fd = open(tmp, O_RDONLY);
-- if (fd != -1)
-+ if (fd != -1) {
- proc_attr_base = proc_attr_base_stacking;
-- } else if (!is_enabled() && is_private_enabled()) {
-+ return;
-+ }
-+ }
-+ if (!is_enabled() && is_private_enabled()) {
- /* new stacking interfaces aren't available and apparmor
-- * is disabled, but available. do not use the
-- * /proc/<pid>/attr/ * interfaces as they could be
-- * in use by another LSM
-- */
-+ * is disabled, but available. do not use the
-+ * /proc/<pid>/attr/ * interfaces as they could be
-+ * in use by another LSM
-+ */
- proc_attr_base = proc_attr_base_unavailable;
-- } else {
-- proc_attr_base = proc_attr_base_old;
-+ return;
- }
-+ proc_attr_base = proc_attr_base_old;
- }
-
- static char *procattr_path(pid_t pid, const char *attr)
---
-GitLab
-
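Review bot: removal is consistent with the patch's own `upstream: yes` marker, but check that the 3.0.3 `libraries/libapparmor/src/kernel.c` really contains the early-return form; without it `proc_attr_base` stays unset whenever `asprintf` succeeds but `/proc/<tid>/attr/apparmor/current` cannot be opened, which is the normal case on a kernel without the stacking interface. One upstream detail visible here and worth knowing when tracing this code: `asprintf` returns -1 on failure, so `if (asprintf(&tmp, ...))` is also true when allocation fails and `tmp` is then handed to `open()` uninitialised; that is upstream's problem, not this PR's.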
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
similarity index 50%
rename from srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
rename to srcpkgs/apparmor/patches/fix_logprofconf.patch
index e34e69af8bfb..c8607cf4ce5b 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -1,17 +1,8 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
+modify logprof.conf for Void Linux
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
---- a/utils/logprof.conf
-+++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
+--- a/logprof.conf
++++ b/logprof.conf
+@@ -12,11 +12,11 @@
[settings]
profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /usr/share/apparmor/extra-profiles
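Review bot: the new header targets `--- a/logprof.conf` while the patch it replaces targeted `utils/logprof.conf`; applied with the usual `-p1` from the source root that file does not exist, so either keep `utils/` in the path or document that the patch is applied from inside `utils/`. Replacing the git mail headers with the one-line `modify logprof.conf for Void Linux` is fine, but the line should say why (`/sbin` and `/bin` are merged into `/usr/bin` on Void) so the patch explains itself.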
@@ -21,9 +12,39 @@ index a778792..a9f7b79 100644
- parser = /sbin/apparmor_parser /sbin/subdomain_parser
+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
ldd = /usr/bin/ldd
- logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
+- logger = /bin/logger /usr/bin/logger
++ logger = /usr/bin/logger
+
+ # customize how file ownership permissions are presented
+ # 0 - off
+@@ -38,27 +38,29 @@
+
+ [qualifiers]
+ # things will be painfully broken if bash has a profile
+- /bin/bash = icnu
+- /usr/bin/bash = icnu
+- /bin/ksh = icnu
+- /usr/bin/ksh = icnu
+- /bin/dash = icnu
+- /usr/bin/dash = icnu
+- /bin/zsh = icnu
+- /usr/bin/zsh = icnu
++ /bin/bash = icnu
++ /usr/bin/bash = icnu
++ /bin/ksh = icnu
++ /usr/bin/ksh = icnu
++ /bin/dash = icnu
++ /usr/bin/dash = icnu
++ /bin/zsh = icnu
++ /usr/bin/zsh = icnu
++ /bin/fish = icnu
++ /usr/bin/fish = icnu
++ /bin/ash = icnu
++ /usr/bin/ash = icnu
++ /bin/rc = icnu
++ /usr/bin/rc = icnu
+
+ # these programs can't function if they're confined
/bin/mount = u
/usr/bin/mount = u
/etc/init.d/subdomain = u
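Review bot: the `[qualifiers]` block removes eight lines (`/bin/bash = icnu` through `/usr/bin/zsh = icnu`) and re-adds what look like the same eight, which points to a whitespace-only change (tabs versus spaces) swept in with the real addition; either say so or trim the hunk to the six new `fish`, `ash` and `rc` entries so the diff shows only what changed. Keeping the `u` qualifier on the new shells means aa-logprof may propose running them unconfined, as it already does for bash and friends, and the `painfully broken` comment gives the reason; `rc` is uncommon enough that a word in the commit message about why it is included would help. The `logger = /usr/bin/logger` collapse is right on a merged-`/usr` system.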
@@ -33,14 +54,16 @@ index a778792..a9f7b79 100644
- /usr/sbin/subdomain_parser = u
- /usr/sbin/genprof = u
- /usr/sbin/logprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
+ /usr/bin/cardmgr = u
+ /usr/bin/subdomain_parser = u
+ /usr/bin/genprof = u
+ /usr/bin/logprof = u
- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
-@@ -97,8 +95,7 @@
+ # these ones shouln't have their own profiles
+ /bin/awk = icn
+@@ -97,8 +99,7 @@
/usr/bin/sed = icn
/bin/touch = icn
/usr/bin/touch = icn
@@ -50,15 +73,13 @@ index a778792..a9f7b79 100644
/usr/bin/find = icn
/usr/bin/killall = icn
/usr/bin/nice = icn
-@@ -112,6 +109,8 @@
+@@ -112,6 +113,9 @@
/usr/bin/python3.5 = icn
/usr/bin/python3.6 = icn
/usr/bin/python3.7 = icn
+ /usr/bin/python3.8 = icn
+ /usr/bin/python3.9 = icn
++ /usr/bin/python3.10 = icn
/usr/bin/tr = icn
[required_hats]
---
-2.29.0
-
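Review bot: `/usr/bin/python3.10 = icn` only changes which exec modes aa-logprof offers for that interpreter path; it does not address the Python 3.10 item (gitlab issue 187) that is still unchecked in the PR description, so the two should not be confused. Since Void ships a single `python3`, check whether `/usr/bin/python3` itself is in the list: the versioned entries only matter for scripts that exec `python3.X` directly.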
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..e94e05e5625b 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
# Template file for 'apparmor'
pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
@@ -13,12 +13,12 @@ depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
python3-psutil python3-dbus iproute2"
checkdepends="dejagnu"
short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
homepage="https://gitlab.com/apparmor/apparmor"
changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
replaces="apparmor-vim>=0"
if [ -z "$CROSS_BUILD" ]; then
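Review bot: the `checksum` line is the one part of this hunk a reviewer cannot check from the diff; it should be reproduced with `sha256sum` on the tarball fetched from `distfiles` and, where upstream publishes one, compared with the release's own checksum, since a value copied from the submitter's download only proves the reviewer got the same bytes as the submitter. The license change is right: the main package drops `LGPL-2.1-only` and the library subpackages set it themselves, so each binary package carries only the license of what it ships, and `revision=1` on a version bump is correct.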
@@ -68,6 +68,7 @@ post_install() {
libapparmor_package() {
short_desc+=" - Library"
+ license="LGPL-2.1-only"
pkg_install() {
vmove "usr/lib/libapparmor.so*"
if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
libapparmor-devel_package() {
short_desc+=" - Library development files"
+ license="LGPL-2.1-only"
depends="lib${sourcepkg}-${version}_${revision}"
pkg_install() {
vmove usr/include
From 788a819f9ed5ac6492a599c2189d76576763d627 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default
---
srcpkgs/runit-void/files/apparmor | 2 +-
srcpkgs/runit-void/template | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
# - disable
# - complain
# - enforce
-#APPARMOR=disable
+APPARMOR=complain
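Review bot: uncommenting `APPARMOR=complain` changes behaviour on every install that has AppArmor enabled on the kernel command line: profiles are now loaded and violations logged as `ALLOWED` audit records, but nothing is blocked. Two things belong with it: the header comment still lists the three values without saying which is the default, so a note that `complain` is the default and that only `enforce` actually confines would avoid surprises; and if this file is installed as a conf file, existing installs that edited it keep their value, so the new default reaches fresh installs and untouched copies only. The reasoning in the PR description (the user opted in on the cmdline, so at least log) holds, and the resulting records are what `aa-logprof` consumes before a profile is moved to enforce.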
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
# Template file for 'runit-void'
pkgname=runit-void
version=20210314
-revision=1
+revision=2
wrksrc="void-runit-${version}"
build_style=gnu-makefile
short_desc="Void Linux runit scripts"
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: apparmor: update to 3.0.3.
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
@ 2021-08-11 1:06 ` ericonr
2021-08-14 20:44 ` [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain paper42
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: ericonr @ 2021-08-11 1:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 356 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/pull/32451#issuecomment-896416260
Comment:
Logging can be really spammy, but I'd say having it enabled by default makes more sense than not.
Can you change the PR title to reflect this? I think it'd be nice to draw attention to it (maybe add `[RFC]` too).
^ permalink raw reply [flat|nested] 7+ messages in thread
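What complain mode actually produces, and how a practitioner turns it into profile changes, as an added example that is not part of this thread and not code from the AppArmor project: the script below parses the kernel's AppArmor audit records (the field layout is the real one; the sample lines, profile names, paths and pids are constructed), keeps the complain-mode `ALLOWED` records apart from enforce-mode `DENIED` ones, and lists the file rules a profile would need before being switched to enforce. It is a stripped-down version of what `aa-logprof` does with the same log; the exec-transition choice (`ix`) is an assumption of the example, not something the log determines.

```python
"""Triage AppArmor complain-mode audit records (added example, not PR code)."""
import re
from collections import Counter, defaultdict

# Constructed sample input: the field layout follows the kernel's AppArmor
# audit format as seen in dmesg; paths, pids and timestamps are made up.
SAMPLE_LOG = """\
audit: type=1400 audit(1628635200.101:201): apparmor="ALLOWED" operation="open" profile="dnsmasq" name="/etc/hosts" pid=1201 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1628635200.102:202): apparmor="ALLOWED" operation="open" profile="dnsmasq" name="/etc/hosts" pid=1201 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1628635200.103:203): apparmor="ALLOWED" operation="exec" profile="dnsmasq" name="/usr/libexec/libvirt_leaseshelper" pid=1202 comm="dnsmasq" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
audit: type=1400 audit(1628635200.104:204): apparmor="DENIED" operation="open" profile="/usr/bin/foo" name="/root/.ssh/id_ed25519" pid=1300 comm="foo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1628635200.105:205): apparmor="STATUS" operation="profile_load" profile="unconfined" name="dnsmasq" pid=900 comm="apparmor_parser"
"""

# One key=value pair; the value is either double-quoted or a bare token.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _PAIR.findall(line)}


def summarize(log_text):
    """Count access decisions per (verdict, profile, path, denied_mask).

    ALLOWED is what complain mode emits: the access happened and was logged.
    DENIED comes from a profile in enforce mode: the access was blocked.
    STATUS records (profile loads and the like) carry no decision and are
    skipped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get('apparmor') not in ('ALLOWED', 'DENIED'):
            continue
        key = (ev['apparmor'], ev.get('profile', ''), ev.get('name', ''),
               ev.get('denied_mask', ''))
        counts[key] += 1
    return counts


def candidate_rules(log_text):
    """Per profile, the file rules that complain mode shows to be missing.

    Only ALLOWED records become rules: they are exactly the accesses the
    profile does not cover yet. DENIED records come from profiles that are
    already enforcing and need a human decision, not an automatic rule.
    """
    masks = defaultdict(set)
    for (verdict, profile, path, mask), _ in summarize(log_text).items():
        if verdict == 'ALLOWED' and path:
            masks[(profile, path)].update(mask)
    rules = defaultdict(list)
    for (profile, path), letters in masks.items():
        perms = ''.join(sorted(letters))
        # A bare 'x' is not a valid AppArmor file permission; an exec rule
        # needs a transition qualifier. 'ix' (run under the current profile)
        # is this example's conservative placeholder, not something the log
        # can tell you; 'Px' or 'Cx' may be the right answer for a helper.
        perms = perms.replace('x', 'ix')
        rules[profile].append(f'{path} {perms},')
    return {profile: sorted(lines) for profile, lines in rules.items()}


if __name__ == '__main__':
    for (verdict, profile, path, mask), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f'{verdict:8} {n:3}x {profile} {path} ({mask})')
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f'\nprofile {profile} is missing:')
        for rule in lines:
            print('  ' + rule)
```

Feed it `dmesg` output instead of `SAMPLE_LOG` to see the real volume behind the spam remark; a profile that produces no `ALLOWED` records over a representative workload is the one that is safe to move to `enforce`, and the `DENIED` line against `/root/.ssh/id_ed25519` is the kind of record that should be investigated rather than turned into a rule.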
* Re: [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
2021-08-11 1:06 ` ericonr
@ 2021-08-14 20:44 ` paper42
2021-08-15 3:52 ` ericonr
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-08-14 20:44 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1330 bytes --]
There is an updated pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451
[RFC]: apparmor: change default mode to complain
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
I still need to test this PR.
- [x] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187 or do we want to wait if there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default, disabled doesn't make sense, when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL
* adopt
A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached
[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
[-- Type: text/x-diff, Size: 10012 bytes --]
From 3ea19283556061881d28ee4e9fda12614f821a23 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.
* adopt
* fix licenses
---
.../patches/fix-dnsmasq-libvirt.patch | 13 ----
.../patches/fix-setting-proc_attr_base.patch | 52 ---------------
...ogprofconf.patch => fix_logprofconf.patch} | 63 ++++++++++++-------
srcpkgs/apparmor/template | 14 +++--
4 files changed, 50 insertions(+), 92 deletions(-)
delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
rename srcpkgs/apparmor/patches/{correct_paths_logprofconf.patch => fix_logprofconf.patch} (52%)
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-- /usr/libexec/libvirt_leaseshelper m,
-+ /usr/libexec/libvirt_leaseshelper mr,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- /* if we fail we just fall back to the default value */
- if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- autoclose int fd = open(tmp, O_RDONLY);
-- if (fd != -1)
-+ if (fd != -1) {
- proc_attr_base = proc_attr_base_stacking;
-- } else if (!is_enabled() && is_private_enabled()) {
-+ return;
-+ }
-+ }
-+ if (!is_enabled() && is_private_enabled()) {
- /* new stacking interfaces aren't available and apparmor
-- * is disabled, but available. do not use the
-- * /proc/<pid>/attr/ * interfaces as they could be
-- * in use by another LSM
-- */
-+ * is disabled, but available. do not use the
-+ * /proc/<pid>/attr/ * interfaces as they could be
-+ * in use by another LSM
-+ */
- proc_attr_base = proc_attr_base_unavailable;
-- } else {
-- proc_attr_base = proc_attr_base_old;
-+ return;
- }
-+ proc_attr_base = proc_attr_base_old;
- }
-
- static char *procattr_path(pid_t pid, const char *attr)
---
-GitLab
-
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
similarity index 52%
rename from srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
rename to srcpkgs/apparmor/patches/fix_logprofconf.patch
index e34e69af8bfb..a702cce454f0 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -1,17 +1,8 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
+modify logprof.conf for Void Linux
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
+@@ -12,11 +12,11 @@
[settings]
profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /usr/share/apparmor/extra-profiles
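Review bot: this revision keeps `utils/logprof.conf` as the target path (the `---`/`+++` headers are now unchanged context lines), so the patch applies with the default `-p1` from the source root; the earlier `a/logprof.conf` header would not have. The one-line description `modify logprof.conf for Void Linux` would still benefit from saying why (`/sbin` merged into `/usr/bin`, a single `logger` path) so the patch explains itself.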
@@ -21,9 +12,39 @@ index a778792..a9f7b79 100644
- parser = /sbin/apparmor_parser /sbin/subdomain_parser
+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
ldd = /usr/bin/ldd
- logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
+- logger = /bin/logger /usr/bin/logger
++ logger = /usr/bin/logger
+
+ # customize how file ownership permissions are presented
+ # 0 - off
+@@ -38,27 +38,29 @@
+
+ [qualifiers]
+ # things will be painfully broken if bash has a profile
+- /bin/bash = icnu
+- /usr/bin/bash = icnu
+- /bin/ksh = icnu
+- /usr/bin/ksh = icnu
+- /bin/dash = icnu
+- /usr/bin/dash = icnu
+- /bin/zsh = icnu
+- /usr/bin/zsh = icnu
++ /bin/bash = icnu
++ /usr/bin/bash = icnu
++ /bin/ksh = icnu
++ /usr/bin/ksh = icnu
++ /bin/dash = icnu
++ /usr/bin/dash = icnu
++ /bin/zsh = icnu
++ /usr/bin/zsh = icnu
++ /bin/fish = icnu
++ /usr/bin/fish = icnu
++ /bin/ash = icnu
++ /usr/bin/ash = icnu
++ /bin/rc = icnu
++ /usr/bin/rc = icnu
+
+ # these programs can't function if they're confined
/bin/mount = u
/usr/bin/mount = u
/etc/init.d/subdomain = u
@@ -33,14 +54,16 @@ index a778792..a9f7b79 100644
- /usr/sbin/subdomain_parser = u
- /usr/sbin/genprof = u
- /usr/sbin/logprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
+ /usr/bin/cardmgr = u
+ /usr/bin/subdomain_parser = u
+ /usr/bin/genprof = u
+ /usr/bin/logprof = u
- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
-@@ -97,8 +95,7 @@
+ # these ones shouln't have their own profiles
+ /bin/awk = icn
+@@ -97,8 +99,7 @@
/usr/bin/sed = icn
/bin/touch = icn
/usr/bin/touch = icn
@@ -50,15 +73,13 @@ index a778792..a9f7b79 100644
/usr/bin/find = icn
/usr/bin/killall = icn
/usr/bin/nice = icn
-@@ -112,6 +109,8 @@
+@@ -112,6 +113,9 @@
/usr/bin/python3.5 = icn
/usr/bin/python3.6 = icn
/usr/bin/python3.7 = icn
+ /usr/bin/python3.8 = icn
+ /usr/bin/python3.9 = icn
++ /usr/bin/python3.10 = icn
/usr/bin/tr = icn
[required_hats]
---
-2.29.0
-
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..2a9e373447b6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
# Template file for 'apparmor'
pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
@@ -10,15 +10,15 @@ make_dirs="/etc/apparmor.d/disable 0755 root root"
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
makedepends="perl python3-devel"
depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
- python3-psutil python3-dbus iproute2"
+ python3-psutil python3-dbus iproute2 which"
checkdepends="dejagnu"
short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
homepage="https://gitlab.com/apparmor/apparmor"
changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
replaces="apparmor-vim>=0"
if [ -z "$CROSS_BUILD" ]; then
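Review bot: `which` is added to the runtime `depends` with no mention in the commit message or the PR checklist. It was already in `hostmakedepends`, so this looks like an installed script calling `which` at run time; name the script in the commit message and consider `command -v`, which needs no extra package. The `checksum` should be reproduced from the fetched tarball with `sha256sum` rather than taken on trust, and the license split (main package `GPL-2.0-only`, library subpackages `LGPL-2.1-only`) is right.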
@@ -68,6 +68,7 @@ post_install() {
libapparmor_package() {
short_desc+=" - Library"
+ license="LGPL-2.1-only"
pkg_install() {
vmove "usr/lib/libapparmor.so*"
if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
libapparmor-devel_package() {
short_desc+=" - Library development files"
+ license="LGPL-2.1-only"
depends="lib${sourcepkg}-${version}_${revision}"
pkg_install() {
vmove usr/include
From 478d8a1a500883316df953db68c224ea1b81c871 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default
---
srcpkgs/runit-void/files/apparmor | 2 +-
srcpkgs/runit-void/template | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
# - disable
# - complain
# - enforce
-#APPARMOR=disable
+APPARMOR=complain
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
# Template file for 'runit-void'
pkgname=runit-void
version=20210314
-revision=1
+revision=2
wrksrc="void-runit-${version}"
build_style=gnu-makefile
short_desc="Void Linux runit scripts"
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [RFC]: apparmor: change default mode to complain
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
2021-08-11 1:06 ` ericonr
2021-08-14 20:44 ` [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain paper42
@ 2021-08-15 3:52 ` ericonr
2021-09-18 11:36 ` [PR PATCH] [Updated] " paper42
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: ericonr @ 2021-08-15 3:52 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 192 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/pull/32451#issuecomment-898991326
Comment:
Also note, I think we'd have to update docs for it.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
` (2 preceding siblings ...)
2021-08-15 3:52 ` ericonr
@ 2021-09-18 11:36 ` paper42
2021-09-26 21:51 ` paper42
2021-09-28 9:46 ` [PR PATCH] [Merged]: " paper42
5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-09-18 11:36 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1323 bytes --]
There is an updated pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451
[RFC]: apparmor: change default mode to complain
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
I still need to test this PR.
- [x] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187 or do we want to wait if there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default, disabled doesn't make sense, when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL
A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached
[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
[-- Type: text/x-diff, Size: 10012 bytes --]
From 2cce9a8b67b6fe31ee843b6501cb940790085d2e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.
* adopt
* fix licenses
---
.../patches/fix-dnsmasq-libvirt.patch | 13 ----
.../patches/fix-setting-proc_attr_base.patch | 52 ---------------
...ogprofconf.patch => fix_logprofconf.patch} | 63 ++++++++++++-------
srcpkgs/apparmor/template | 14 +++--
4 files changed, 50 insertions(+), 92 deletions(-)
delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
rename srcpkgs/apparmor/patches/{correct_paths_logprofconf.patch => fix_logprofconf.patch} (52%)
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-- /usr/libexec/libvirt_leaseshelper m,
-+ /usr/libexec/libvirt_leaseshelper mr,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- /* if we fail we just fall back to the default value */
- if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- autoclose int fd = open(tmp, O_RDONLY);
-- if (fd != -1)
-+ if (fd != -1) {
- proc_attr_base = proc_attr_base_stacking;
-- } else if (!is_enabled() && is_private_enabled()) {
-+ return;
-+ }
-+ }
-+ if (!is_enabled() && is_private_enabled()) {
- /* new stacking interfaces aren't available and apparmor
-- * is disabled, but available. do not use the
-- * /proc/<pid>/attr/ * interfaces as they could be
-- * in use by another LSM
-- */
-+ * is disabled, but available. do not use the
-+ * /proc/<pid>/attr/ * interfaces as they could be
-+ * in use by another LSM
-+ */
- proc_attr_base = proc_attr_base_unavailable;
-- } else {
-- proc_attr_base = proc_attr_base_old;
-+ return;
- }
-+ proc_attr_base = proc_attr_base_old;
- }
-
- static char *procattr_path(pid_t pid, const char *attr)
---
-GitLab
-
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
similarity index 52%
rename from srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
rename to srcpkgs/apparmor/patches/fix_logprofconf.patch
index e34e69af8bfb..a702cce454f0 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -1,17 +1,8 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
+modify logprof.conf for Void Linux
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
--- a/utils/logprof.conf
+++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
+@@ -12,11 +12,11 @@
[settings]
profiledir = /etc/apparmor.d /etc/subdomain.d
inactive_profiledir = /usr/share/apparmor/extra-profiles
@@ -21,9 +12,39 @@ index a778792..a9f7b79 100644
- parser = /sbin/apparmor_parser /sbin/subdomain_parser
+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
ldd = /usr/bin/ldd
- logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
+- logger = /bin/logger /usr/bin/logger
++ logger = /usr/bin/logger
+
+ # customize how file ownership permissions are presented
+ # 0 - off
+@@ -38,27 +38,29 @@
+
+ [qualifiers]
+ # things will be painfully broken if bash has a profile
+- /bin/bash = icnu
+- /usr/bin/bash = icnu
+- /bin/ksh = icnu
+- /usr/bin/ksh = icnu
+- /bin/dash = icnu
+- /usr/bin/dash = icnu
+- /bin/zsh = icnu
+- /usr/bin/zsh = icnu
++ /bin/bash = icnu
++ /usr/bin/bash = icnu
++ /bin/ksh = icnu
++ /usr/bin/ksh = icnu
++ /bin/dash = icnu
++ /usr/bin/dash = icnu
++ /bin/zsh = icnu
++ /usr/bin/zsh = icnu
++ /bin/fish = icnu
++ /usr/bin/fish = icnu
++ /bin/ash = icnu
++ /usr/bin/ash = icnu
++ /bin/rc = icnu
++ /usr/bin/rc = icnu
+
+ # these programs can't function if they're confined
/bin/mount = u
/usr/bin/mount = u
/etc/init.d/subdomain = u
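Review bot: the eight existing shell entries (`/bin/bash = icnu` through `/usr/bin/zsh = icnu`) are removed and re-added with identical visible content, which reads as a whitespace-only change; unless the indentation really differs on purpose, drop those pairs and keep only the six new fish/ash/rc lines so the hunk stays minimal and rebases cleanly. Note also the inconsistency with the settings hunk, which drops `/bin/logger` in favour of `/usr/bin/logger` alone while the qualifiers keep both the `/bin/` and `/usr/bin/` spellings; pick one convention. Giving the new shells `icnu` follows the existing comment that a confined shell breaks things, so the qualifier choice itself is right.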
@@ -33,14 +54,16 @@ index a778792..a9f7b79 100644
- /usr/sbin/subdomain_parser = u
- /usr/sbin/genprof = u
- /usr/sbin/logprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
+ /usr/bin/cardmgr = u
+ /usr/bin/subdomain_parser = u
+ /usr/bin/genprof = u
+ /usr/bin/logprof = u
- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
-@@ -97,8 +95,7 @@
+ # these ones shouln't have their own profiles
+ /bin/awk = icn
+@@ -97,8 +99,7 @@
/usr/bin/sed = icn
/bin/touch = icn
/usr/bin/touch = icn
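Review bot: the two `/usr/lib/YaST2/servers_non_y2/ag_*` qualifiers are now deleted where the previous version of this patch kept them as context; the paths do not exist on Void, so removing them changes nothing at runtime, but it widens the delta from upstream for no gain. Keep them as unchanged context unless there is a reason to drop them.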
@@ -50,15 +73,13 @@ index a778792..a9f7b79 100644
/usr/bin/find = icn
/usr/bin/killall = icn
/usr/bin/nice = icn
-@@ -112,6 +109,8 @@
+@@ -112,6 +113,9 @@
/usr/bin/python3.5 = icn
/usr/bin/python3.6 = icn
/usr/bin/python3.7 = icn
+ /usr/bin/python3.8 = icn
+ /usr/bin/python3.9 = icn
++ /usr/bin/python3.10 = icn
/usr/bin/tr = icn
[required_hats]
---
-2.29.0
-
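Review bot: `/usr/bin/python3.10 = icn` extends a per-minor-version list, so every future Python bump in void-packages needs this patch refreshed alongside the python3 package or the entry goes silently stale; a one-line reminder in the patch description (or a comment in the template) would help the next maintainer. Dropping the `2.29.0` git trailer is consistent with removing the rest of the git-format-patch envelope.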
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..2a9e373447b6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
# Template file for 'apparmor'
pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
@@ -10,15 +10,15 @@ make_dirs="/etc/apparmor.d/disable 0755 root root"
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
makedepends="perl python3-devel"
depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
- python3-psutil python3-dbus iproute2"
+ python3-psutil python3-dbus iproute2 which"
checkdepends="dejagnu"
short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
homepage="https://gitlab.com/apparmor/apparmor"
changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
replaces="apparmor-vim>=0"
if [ -z "$CROSS_BUILD" ]; then
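Review bot: `which` is added to runtime `depends` without saying which installed script calls it (it was already present in `hostmakedepends`); a short comment would justify the new dependency. The checksum line is the only integrity anchor for the new distfile, so please confirm `51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e` was computed from a fresh download of the `v3.0.3` archive URL rather than copied from elsewhere. Narrowing `license` to `GPL-2.0-only` here, with `LGPL-2.1-only` set on the library subpackages, matches the PR's 'fix licenses' item.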
@@ -68,6 +68,7 @@ post_install() {
libapparmor_package() {
short_desc+=" - Library"
+ license="LGPL-2.1-only"
pkg_install() {
vmove "usr/lib/libapparmor.so*"
if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
libapparmor-devel_package() {
short_desc+=" - Library development files"
+ license="LGPL-2.1-only"
depends="lib${sourcepkg}-${version}_${revision}"
pkg_install() {
vmove usr/include
From 91f20e08e2486da8fb83bbe9d76299d59663a455 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default
---
srcpkgs/runit-void/files/apparmor | 2 +-
srcpkgs/runit-void/template | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
# - disable
# - complain
# - enforce
-#APPARMOR=disable
+APPARMOR=complain
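Review bot: flipping the shipped default from the commented-out `#APPARMOR=disable` to `APPARMOR=complain` is a behaviour change for every runit-void user who has AppArmor enabled on the kernel command line: profiles are now loaded in complain mode, so policy violations are logged but still permitted. That matches the PR's stated intent of at least getting logs, but the comment block above the setting lists the three values without explaining them; spell out that `complain` does not enforce, so nobody reads a loaded profile as protection.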
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
# Template file for 'runit-void'
pkgname=runit-void
version=20210314
-revision=1
+revision=2
wrksrc="void-runit-${version}"
build_style=gnu-makefile
short_desc="Void Linux runit scripts"
* Re: [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
` (3 preceding siblings ...)
2021-09-18 11:36 ` [PR PATCH] [Updated] " paper42
@ 2021-09-26 21:51 ` paper42
2021-09-28 9:46 ` [PR PATCH] [Merged]: " paper42
5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-09-26 21:51 UTC (permalink / raw)
To: ml
There is an updated pull request by paper42 against master on the void-packages repository
https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451
[RFC]: apparmor: change default mode to complain
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
I still need to test this PR.
- [x] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187 or do we want to wait to see if there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses: libapparmor is LGPL
A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached
[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
From aa5cbfa999ee27be37449c041c8748e60232131c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.
* adopt
* fix licenses
* add a patch to support Python 3.10
---
.../patches/correct_paths_logprofconf.patch | 64 --------------
.../patches/fix-dnsmasq-libvirt.patch | 13 ---
.../patches/fix-setting-proc_attr_base.patch | 52 ------------
.../apparmor/patches/fix_logprofconf.patch | 75 +++++++++++++++++
srcpkgs/apparmor/patches/python-3.10.patch | 84 +++++++++++++++++++
srcpkgs/apparmor/template | 14 ++--
6 files changed, 167 insertions(+), 135 deletions(-)
delete mode 100644 srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
create mode 100644 srcpkgs/apparmor/patches/fix_logprofconf.patch
create mode 100644 srcpkgs/apparmor/patches/python-3.10.patch
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
deleted file mode 100644
index e34e69af8bfb..000000000000
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
-
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
---- a/utils/logprof.conf
-+++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
- [settings]
- profiledir = /etc/apparmor.d /etc/subdomain.d
- inactive_profiledir = /usr/share/apparmor/extra-profiles
-- logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
-+ logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages
-
-- parser = /sbin/apparmor_parser /sbin/subdomain_parser
-+ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
- ldd = /usr/bin/ldd
- logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
- /bin/mount = u
- /usr/bin/mount = u
- /etc/init.d/subdomain = u
-- /sbin/cardmgr = u
-- /usr/sbin/cardmgr = u
-- /sbin/subdomain_parser = u
-- /usr/sbin/subdomain_parser = u
-- /usr/sbin/genprof = u
-- /usr/sbin/logprof = u
-+ /usr/bin/cardmgr = u
-+ /usr/bin/subdomain_parser = u
-+ /usr/bin/genprof = u
-+ /usr/bin/logprof = u
- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
-
-@@ -97,8 +95,7 @@
- /usr/bin/sed = icn
- /bin/touch = icn
- /usr/bin/touch = icn
-- /sbin/killall5 = icn
-- /usr/sbin/killall5 = icn
-+ /usr/bin/killall5 = icn
- /usr/bin/find = icn
- /usr/bin/killall = icn
- /usr/bin/nice = icn
-@@ -112,6 +109,8 @@
- /usr/bin/python3.5 = icn
- /usr/bin/python3.6 = icn
- /usr/bin/python3.7 = icn
-+ /usr/bin/python3.8 = icn
-+ /usr/bin/python3.9 = icn
- /usr/bin/tr = icn
-
- [required_hats]
---
-2.29.0
-
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
- /etc/libnl-3/classid r,
-
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
-- /usr/libexec/libvirt_leaseshelper m,
-+ /usr/libexec/libvirt_leaseshelper mr,
-
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
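Review bot: fix-dnsmasq-libvirt.patch (the `m` to `mr` change for `/usr/libexec/libvirt_leaseshelper`) is dropped with no statement in the commit message that 3.0.3 carries the equivalent fix, and unlike fix-setting-proc_attr_base.patch it has no `upstream:` marker to rely on. Please check the dnsmasq profile in the 3.0.3 tarball for that rule before merging; otherwise the libvirt lease helper regresses to the mmap-only rule under the dnsmasq profile.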
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- /* if we fail we just fall back to the default value */
- if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- autoclose int fd = open(tmp, O_RDONLY);
-- if (fd != -1)
-+ if (fd != -1) {
- proc_attr_base = proc_attr_base_stacking;
-- } else if (!is_enabled() && is_private_enabled()) {
-+ return;
-+ }
-+ }
-+ if (!is_enabled() && is_private_enabled()) {
- /* new stacking interfaces aren't available and apparmor
-- * is disabled, but available. do not use the
-- * /proc/<pid>/attr/ * interfaces as they could be
-- * in use by another LSM
-- */
-+ * is disabled, but available. do not use the
-+ * /proc/<pid>/attr/ * interfaces as they could be
-+ * in use by another LSM
-+ */
- proc_attr_base = proc_attr_base_unavailable;
-- } else {
-- proc_attr_base = proc_attr_base_old;
-+ return;
- }
-+ proc_attr_base = proc_attr_base_old;
- }
-
- static char *procattr_path(pid_t pid, const char *attr)
---
-GitLab
-
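Review bot: this one is marked `upstream: yes` (commit cc113f4820721808c9efec8b075a5482e6f9a3ad), so dropping it on the 3.0.3 bump is expected; a mention in the commit message that the fix is included in 3.0.3 would still help anyone later bisecting a libapparmor `proc_attr_base` regression.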
diff --git a/srcpkgs/apparmor/patches/fix_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
new file mode 100644
index 000000000000..62de9909717e
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -0,0 +1,75 @@
+modify logprof.conf for Void Linux
+
+--- a/utils/logprof.conf
++++ b/utils/logprof.conf
+@@ -12,11 +12,11 @@
+ [settings]
+ profiledir = /etc/apparmor.d /etc/subdomain.d
+ inactive_profiledir = /usr/share/apparmor/extra-profiles
+- logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
++ logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages
+
+- parser = /sbin/apparmor_parser /sbin/subdomain_parser
++ parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
+ ldd = /usr/bin/ldd
+- logger = /bin/logger /usr/bin/logger
++ logger = /usr/bin/logger
+
+ # customize how file ownership permissions are presented
+ # 0 - off
+@@ -38,27 +38,29 @@
+
+ [qualifiers]
+ # things will be painfully broken if bash has a profile
+- /bin/bash = icnu
+- /usr/bin/bash = icnu
+- /bin/ksh = icnu
+- /usr/bin/ksh = icnu
+- /bin/dash = icnu
+- /usr/bin/dash = icnu
+- /bin/zsh = icnu
+- /usr/bin/zsh = icnu
++ /bin/bash = icnu
++ /usr/bin/bash = icnu
++ /bin/ksh = icnu
++ /usr/bin/ksh = icnu
++ /bin/dash = icnu
++ /usr/bin/dash = icnu
++ /bin/zsh = icnu
++ /usr/bin/zsh = icnu
++ /bin/fish = icnu
++ /usr/bin/fish = icnu
++ /bin/ash = icnu
++ /usr/bin/ash = icnu
++ /bin/rc = icnu
++ /usr/bin/rc = icnu
+
+ # these programs can't function if they're confined
+ /bin/mount = u
+ /usr/bin/mount = u
+ /etc/init.d/subdomain = u
+- /sbin/cardmgr = u
+- /usr/sbin/cardmgr = u
+- /sbin/subdomain_parser = u
+- /usr/sbin/subdomain_parser = u
+- /usr/sbin/genprof = u
+- /usr/sbin/logprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+- /usr/lib/YaST2/servers_non_y2/ag_logprof = u
++ /usr/bin/cardmgr = u
++ /usr/bin/subdomain_parser = u
++ /usr/bin/genprof = u
++ /usr/bin/logprof = u
+
+ # these ones shouln't have their own profiles
+ /bin/awk = icn
+@@ -112,6 +113,9 @@
+ /usr/bin/python3.5 = icn
+ /usr/bin/python3.6 = icn
+ /usr/bin/python3.7 = icn
++ /usr/bin/python3.8 = icn
++ /usr/bin/python3.9 = icn
++ /usr/bin/python3.10 = icn
+ /usr/bin/tr = icn
+
+ [required_hats]
diff --git a/srcpkgs/apparmor/patches/python-3.10.patch b/srcpkgs/apparmor/patches/python-3.10.patch
new file mode 100644
index 000000000000..90d176d3b8c2
--- /dev/null
+++ b/srcpkgs/apparmor/patches/python-3.10.patch
@@ -0,0 +1,84 @@
+From ea7b201ba48b87469297d58751c57b03ceb82320 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Wed, 11 Aug 2021 21:37:40 +0200
+Subject: [PATCH] Update abstractions/python and profiles for python 3.10
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/187
+---
+ profiles/apparmor.d/abstractions/python | 18 +++++++++---------
+ profiles/apparmor.d/lsb_release | 2 +-
+ .../profiles/extras/usr.bin.chromium-browser | 4 ++--
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
+index 1b5cc9d0d..727030bdf 100644
+--- a/profiles/apparmor.d/abstractions/python
++++ b/profiles/apparmor.d/abstractions/python
+@@ -12,18 +12,18 @@
+
+ abi <abi/3.0>,
+
+- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
+- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
+- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
++ /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
++ /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
++ /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
+ /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+
+- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
+- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
+- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
+- /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
++ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr,
++ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
++ /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
++ /usr/local/lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
+
+ # Site-wide configuration
+- /etc/python{2.[4-7],3.[0-9]}/** r,
++ /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
+
+ # shared python paths
+ /usr/share/{pyshared,pycentral,python-support}/** r,
+@@ -36,7 +36,7 @@
+ /usr/lib/wx/python/*.pth r,
+
+ # python build configuration and headers
+- /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
++ /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/python.d>
+diff --git a/profiles/apparmor.d/lsb_release b/profiles/apparmor.d/lsb_release
+index 33a1c71db..ad8b998fc 100644
+--- a/profiles/apparmor.d/lsb_release
++++ b/profiles/apparmor.d/lsb_release
+@@ -18,7 +18,7 @@ profile lsb_release {
+ /dev/tty rw,
+
+ /usr/bin/lsb_release r,
+- /usr/bin/python3.[0-9] mr,
++ /usr/bin/python3.{1,}[0-9] mr,
+
+ /etc/debian_version r,
+ /etc/default/apport r,
+diff --git a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
+index 2df5338db..b47b6f721 100644
+--- a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
++++ b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
+@@ -267,9 +267,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
+ /usr/share/distro-info/** r,
+ /var/lib/dpkg/** r,
+
+- /usr/local/lib/python3.[0-9]/dist-packages/ r,
++ /usr/local/lib/python3.{1,}[0-9]/dist-packages/ r,
+ /usr/bin/ r,
+- /usr/bin/python3.[0-9] mr,
++ /usr/bin/python3.{1,}[0-9] mr,
+ }
+
+ profile sandbox {
+--
+GitLab
+
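Review bot: the `/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,` line is left as unchanged context while its `/usr/local` counterpart becomes `python3.{1,}[0-9]`; functionally the preceding `**.{pyc,so} mr` rule already covers `lib-dynload/*.so` for the `3.1[0-9]` directories, so nothing is denied, but the asymmetry is confusing and worth noting in the patch header. This file also lacks the `upstream:` marker used elsewhere in this directory even though it is a backport of ea7b201ba48b87469297d58751c57b03ceb82320 fixing issue 187; add `upstream: yes` so it gets removed when the next release that carries it lands.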
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..2a9e373447b6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
# Template file for 'apparmor'
pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
wrksrc="${pkgname}-v${version}"
build_wrksrc=libraries/libapparmor
build_style=gnu-configure
@@ -10,15 +10,15 @@ make_dirs="/etc/apparmor.d/disable 0755 root root"
hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
makedepends="perl python3-devel"
depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
- python3-psutil python3-dbus iproute2"
+ python3-psutil python3-dbus iproute2 which"
checkdepends="dejagnu"
short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
homepage="https://gitlab.com/apparmor/apparmor"
changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
replaces="apparmor-vim>=0"
if [ -z "$CROSS_BUILD" ]; then
@@ -68,6 +68,7 @@ post_install() {
libapparmor_package() {
short_desc+=" - Library"
+ license="LGPL-2.1-only"
pkg_install() {
vmove "usr/lib/libapparmor.so*"
if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
libapparmor-devel_package() {
short_desc+=" - Library development files"
+ license="LGPL-2.1-only"
depends="lib${sourcepkg}-${version}_${revision}"
pkg_install() {
vmove usr/include
From b8e983861f22c960d7a8bbd16451fccfbc00e1c2 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default
---
srcpkgs/runit-void/files/apparmor | 2 +-
srcpkgs/runit-void/template | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
# - disable
# - complain
# - enforce
-#APPARMOR=disable
+APPARMOR=complain
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
# Template file for 'runit-void'
pkgname=runit-void
version=20210314
-revision=1
+revision=2
wrksrc="void-runit-${version}"
build_style=gnu-makefile
short_desc="Void Linux runit scripts"
* Re: [PR PATCH] [Merged]: [RFC]: apparmor: change default mode to complain
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
` (4 preceding siblings ...)
2021-09-26 21:51 ` paper42
@ 2021-09-28 9:46 ` paper42
5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-09-28 9:46 UTC (permalink / raw)
To: ml
There's a merged pull request on the void-packages repository
[RFC]: apparmor: change default mode to complain
https://github.com/void-linux/void-packages/pull/32451
Description:
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)
#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR
#### Tasks
- [x] adopt, @olivier-mauras are you ok with this?
- [x] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187 or do we want to wait to see if there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses: libapparmor is LGPL
Thread overview: 7+ messages
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
2021-08-11 1:06 ` ericonr
2021-08-14 20:44 ` [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain paper42
2021-08-15 3:52 ` ericonr
2021-09-18 11:36 ` [PR PATCH] [Updated] " paper42
2021-09-26 21:51 ` paper42
2021-09-28 9:46 ` [PR PATCH] [Merged]: " paper42