Github messages for voidlinux
* [PR PATCH] apparmor: update to 3.0.3.
@ 2021-08-10 22:50 paper42
  2021-08-11  1:06 ` ericonr
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: paper42 @ 2021-08-10 22:50 UTC (permalink / raw)
  To: ml


There is a new pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451

apparmor: update to 3.0.3.
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

I still need to test this PR.

- [ ] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187, or do we want to wait to see whether there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL

* adopt
* fix licenses

A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached

[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
[-- Type: text/x-diff, Size: 9835 bytes --]

From 4f50c710336a980aa8bb3a25dfdcb7e8c416a23c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.

* adopt
* fix licenses
---
 .../patches/fix-dnsmasq-libvirt.patch         | 13 ----
 .../patches/fix-setting-proc_attr_base.patch  | 52 --------------
 ...ogprofconf.patch => fix_logprofconf.patch} | 67 ++++++++++++-------
 srcpkgs/apparmor/template                     | 12 ++--
 4 files changed, 51 insertions(+), 93 deletions(-)
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
 delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
 rename srcpkgs/apparmor/patches/{correct_paths_logprofconf.patch => fix_logprofconf.patch} (50%)

diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
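Review bot: dropping fix-dnsmasq-libvirt.patch is only safe if the `/usr/libexec/libvirt_leaseshelper mr,` rule it carried is in the upstream 3.0.3 dnsmasq profile; unlike the other removed patch this one has no `upstream: yes` marker, and the commit message does not say why it is no longer needed. Please confirm the rule is present in `profiles/apparmor.d/usr.sbin.dnsmasq` of the 3.0.3 tarball (or name the upstream commit), otherwise the rule regresses from `mr` to `m` and read access to the helper is denied again once the profile is in enforce mode.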
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- 	/* if we fail we just fall back to the default value */
- 	if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- 		autoclose int fd = open(tmp, O_RDONLY);
--		if (fd != -1)
-+		if (fd != -1) {
- 			proc_attr_base = proc_attr_base_stacking;
--	} else if (!is_enabled() && is_private_enabled()) {
-+			return;
-+		}
-+	}
-+	if (!is_enabled() && is_private_enabled()) {
- 		/* new stacking interfaces aren't available and apparmor
--		 * is disabled, but available. do not use the
--		 * /proc/<pid>/attr/ * interfaces as they could be
--		 * in use by another LSM
--		 */
-+		* is disabled, but available. do not use the
-+		* /proc/<pid>/attr/ * interfaces as they could be
-+		* in use by another LSM
-+		*/
- 		proc_attr_base = proc_attr_base_unavailable;
--	} else {
--		proc_attr_base = proc_attr_base_old;
-+		return;
- 	}
-+	proc_attr_base = proc_attr_base_old;
- }
- 
- static char *procattr_path(pid_t pid, const char *attr)
--- 
-GitLab
-
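Review bot: this deletion looks correct, since the removed header already records `upstream: yes` for commit cc113f4820721808c9efec8b075a5482e6f9a3ad, but the commit message should state that the fix is part of 3.0.3 so nobody has to re-check. Before dropping it, confirm in the 3.0.3 `libraries/libapparmor/src/kernel.c` that `proc_attr_base_init_once()` has the early-`return` structure from this patch; without it, `proc_attr_base` is left unset whenever `/proc/<tid>/attr/apparmor/current` does not exist, as the patch description explains.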
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
similarity index 50%
rename from srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
rename to srcpkgs/apparmor/patches/fix_logprofconf.patch
index e34e69af8bfb..c8607cf4ce5b 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -1,17 +1,8 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
+modify logprof.conf for Void Linux
 
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
---- a/utils/logprof.conf
-+++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
+--- a/logprof.conf
++++ b/logprof.conf
+@@ -12,11 +12,11 @@
  [settings]
    profiledir = /etc/apparmor.d /etc/subdomain.d
    inactive_profiledir = /usr/share/apparmor/extra-profiles 
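Review bot: the rewritten header drops the directory from the paths (`+--- a/logprof.conf` / `++++ b/logprof.conf`), while the original patch targeted `utils/logprof.conf` in the source tree. With the strip level xbps-src applies to files in `srcpkgs/apparmor/patches/`, this changes which file `patch` looks for, so either keep `a/utils/logprof.conf` or confirm the patch still applies from `wrksrc`; the updated revision posted later in this thread keeps the `utils/` prefix. The free-form first line `modify logprof.conf for Void Linux` is a good replacement for the stale git header and could also mention the shells added further down.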
@@ -21,9 +12,39 @@ index a778792..a9f7b79 100644
 -  parser = /sbin/apparmor_parser /sbin/subdomain_parser
 +  parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
    ldd = /usr/bin/ldd
-   logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
+-  logger = /bin/logger /usr/bin/logger
++  logger = /usr/bin/logger
+ 
+   # customize how file ownership permissions are presented
+   # 0 - off
+@@ -38,27 +38,29 @@
+ 
+ [qualifiers]
+   # things will be painfully broken if bash has a profile
+-  /bin/bash     = icnu
+-  /usr/bin/bash = icnu
+-  /bin/ksh	    = icnu
+-  /usr/bin/ksh	= icnu
+-  /bin/dash	    = icnu
+-  /usr/bin/dash	= icnu
+-  /bin/zsh      = icnu
+-  /usr/bin/zsh  = icnu
++  /bin/bash      = icnu
++  /usr/bin/bash  = icnu
++  /bin/ksh	     = icnu
++  /usr/bin/ksh	 = icnu
++  /bin/dash	     = icnu
++  /usr/bin/dash	 = icnu
++  /bin/zsh       = icnu
++  /usr/bin/zsh   = icnu
++  /bin/fish      = icnu
++  /usr/bin/fish  = icnu
++  /bin/ash       = icnu
++  /usr/bin/ash   = icnu
++  /bin/rc        = icnu
++  /usr/bin/rc    = icnu
+ 
+   # these programs can't function if they're confined
    /bin/mount    = u
    /usr/bin/mount = u
    /etc/init.d/subdomain = u
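Review bot: the `/bin/ksh`, `/usr/bin/ksh`, `/bin/dash` and `/usr/bin/dash` entries in the new block still contain a tab before the padding spaces, inherited from the lines they replace; since the whole shell block is rewritten here, align every entry with spaces only. The additions themselves (fish, ash, rc with `icnu`) follow the existing comment: leaving out the `p` qualifier means aa-genprof/aa-logprof will not offer to create a standalone profile for an interactive shell, which is the "painfully broken if bash has a profile" case. Dropping `/bin/logger` from `logger =` is correct on Void, where /bin is a symlink to /usr/bin; for the same reason the paired `/bin/...` shell entries are redundant, though harmless.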
@@ -33,14 +54,16 @@ index a778792..a9f7b79 100644
 -  /usr/sbin/subdomain_parser = u
 -  /usr/sbin/genprof = u
 -  /usr/sbin/logprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_logprof = u
 +  /usr/bin/cardmgr = u
 +  /usr/bin/subdomain_parser = u
 +  /usr/bin/genprof = u
 +  /usr/bin/logprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
-@@ -97,8 +95,7 @@
+   # these ones shouln't have their own profiles
+   /bin/awk      = icn
+@@ -97,8 +99,7 @@
    /usr/bin/sed  = icn
    /bin/touch    = icn
    /usr/bin/touch = icn
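Review bot: this hunk now removes the two `/usr/lib/YaST2/servers_non_y2/ag_*` entries (previously kept as context), which is reasonable on Void but is not a path correction and is not covered by the new one-line description `modify logprof.conf for Void Linux`; add a sentence there so the extra divergence from upstream is documented.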
@@ -50,15 +73,13 @@ index a778792..a9f7b79 100644
    /usr/bin/find = icn
    /usr/bin/killall = icn
    /usr/bin/nice = icn
-@@ -112,6 +109,8 @@
+@@ -112,6 +113,9 @@
    /usr/bin/python3.5    = icn
    /usr/bin/python3.6    = icn
    /usr/bin/python3.7    = icn
 +  /usr/bin/python3.8    = icn
 +  /usr/bin/python3.9    = icn
++  /usr/bin/python3.10    = icn
    /usr/bin/tr   = icn
  
  [required_hats]
--- 
-2.29.0
-
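Review bot: `/usr/bin/python3.10    = icn` keeps the same number of spaces as the python3.8/3.9 lines above despite the longer name, so the `=` column is off by one; drop a space. Also be clear about what this entry does: it only tells aa-logprof to offer `icn` for the 3.10 interpreter and is not a fix for the Python 3.10 problem tracked in apparmor issue 187, which the PR checklist still lists as open. Removing the trailing `-- ` / `2.29.0` git signature from the stored patch is fine.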
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..e94e05e5625b 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -13,12 +13,12 @@ depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
  python3-psutil python3-dbus iproute2"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
 replaces="apparmor-vim>=0"
 
 if [ -z "$CROSS_BUILD" ]; then
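Review bot: the `maintainer=` change lands here while the PR description still has "adopt, @olivier-mauras are you ok with this?" unchecked; either wait for the current maintainer's answer or put the adoption in a separate commit so the version bump is not blocked on it. The license split is consistent with the description (GPL-2.0-only for the main package, LGPL-2.1-only moved to the libapparmor subpackages below). The new `checksum=` should be regenerated locally with `xgensum` from the `distfiles` URL rather than taken from the PR.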
@@ -68,6 +68,7 @@ post_install() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include
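Review bot: the same `license="LGPL-2.1-only"` override is added to both libapparmor subpackages, which is the right place for it, but check what the main package is left with: the template builds from `libraries/libapparmor` with `swig` and `python3` in `hostmakedepends`, so if the Python binding generated there ends up in the main `apparmor` package, that package still contains LGPL code and the previous combined `GPL-2.0-only, LGPL-2.1-only` string was the accurate one for it.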

From 788a819f9ed5ac6492a599c2189d76576763d627 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default

---
 srcpkgs/runit-void/files/apparmor | 2 +-
 srcpkgs/runit-void/template       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
 # - disable
 # - complain
 # - enforce
-#APPARMOR=disable
+APPARMOR=complain
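Review bot: flipping the shipped default from the commented-out `#APPARMOR=disable` to `APPARMOR=complain` only has an effect on systems that already enable AppArmor on the kernel command line, which is the PR description's argument for it; put that reasoning in the commit message, which is currently empty. Two things to check before merging: that `srcpkgs/runit-void/template` lists this file in `conf_files`, so the revision bump does not overwrite a user's `APPARMOR=enforce` or `APPARMOR=disable`, and that the Void documentation describing the default is updated, as noted later in this thread. Complain mode loads profiles but only logs would-be denials, so the change is low-risk but can be noisy.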
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
 # Template file for 'runit-void'
 pkgname=runit-void
 version=20210314
-revision=1
+revision=2
 wrksrc="void-runit-${version}"
 build_style=gnu-makefile
 short_desc="Void Linux runit scripts"


* Re: apparmor: update to 3.0.3.
  2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
@ 2021-08-11  1:06 ` ericonr
  2021-08-14 20:44 ` [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain paper42
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ericonr @ 2021-08-11  1:06 UTC (permalink / raw)
  To: ml


New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/32451#issuecomment-896416260

Comment:
Logging can be really spammy, but I'd say having it enabled by default makes more sense than not.

Can you change the PR title to reflect this? I think it'd be nice to draw attention to it (maybe add `[RFC]` too).


* Re: [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain
  2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
  2021-08-11  1:06 ` ericonr
@ 2021-08-14 20:44 ` paper42
  2021-08-15  3:52 ` ericonr
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-08-14 20:44 UTC (permalink / raw)
  To: ml


There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451

[RFC]: apparmor: change default mode to complain
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

I still need to test this PR.

- [x] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187, or do we want to wait to see whether there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL

* adopt

A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached

[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
[-- Type: text/x-diff, Size: 10012 bytes --]

From 3ea19283556061881d28ee4e9fda12614f821a23 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.

* adopt
* fix licenses
---
 .../patches/fix-dnsmasq-libvirt.patch         | 13 ----
 .../patches/fix-setting-proc_attr_base.patch  | 52 ---------------
 ...ogprofconf.patch => fix_logprofconf.patch} | 63 ++++++++++++-------
 srcpkgs/apparmor/template                     | 14 +++--
 4 files changed, 50 insertions(+), 92 deletions(-)
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
 delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
 rename srcpkgs/apparmor/patches/{correct_paths_logprofconf.patch => fix_logprofconf.patch} (52%)

diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- 	/* if we fail we just fall back to the default value */
- 	if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- 		autoclose int fd = open(tmp, O_RDONLY);
--		if (fd != -1)
-+		if (fd != -1) {
- 			proc_attr_base = proc_attr_base_stacking;
--	} else if (!is_enabled() && is_private_enabled()) {
-+			return;
-+		}
-+	}
-+	if (!is_enabled() && is_private_enabled()) {
- 		/* new stacking interfaces aren't available and apparmor
--		 * is disabled, but available. do not use the
--		 * /proc/<pid>/attr/ * interfaces as they could be
--		 * in use by another LSM
--		 */
-+		* is disabled, but available. do not use the
-+		* /proc/<pid>/attr/ * interfaces as they could be
-+		* in use by another LSM
-+		*/
- 		proc_attr_base = proc_attr_base_unavailable;
--	} else {
--		proc_attr_base = proc_attr_base_old;
-+		return;
- 	}
-+	proc_attr_base = proc_attr_base_old;
- }
- 
- static char *procattr_path(pid_t pid, const char *attr)
--- 
-GitLab
-
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
similarity index 52%
rename from srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
rename to srcpkgs/apparmor/patches/fix_logprofconf.patch
index e34e69af8bfb..a702cce454f0 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -1,17 +1,8 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
+modify logprof.conf for Void Linux
 
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
+@@ -12,11 +12,11 @@
  [settings]
    profiledir = /etc/apparmor.d /etc/subdomain.d
    inactive_profiledir = /usr/share/apparmor/extra-profiles 
@@ -21,9 +12,39 @@ index a778792..a9f7b79 100644
 -  parser = /sbin/apparmor_parser /sbin/subdomain_parser
 +  parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
    ldd = /usr/bin/ldd
-   logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
+-  logger = /bin/logger /usr/bin/logger
++  logger = /usr/bin/logger
+ 
+   # customize how file ownership permissions are presented
+   # 0 - off
+@@ -38,27 +38,29 @@
+ 
+ [qualifiers]
+   # things will be painfully broken if bash has a profile
+-  /bin/bash     = icnu
+-  /usr/bin/bash = icnu
+-  /bin/ksh	    = icnu
+-  /usr/bin/ksh	= icnu
+-  /bin/dash	    = icnu
+-  /usr/bin/dash	= icnu
+-  /bin/zsh      = icnu
+-  /usr/bin/zsh  = icnu
++  /bin/bash      = icnu
++  /usr/bin/bash  = icnu
++  /bin/ksh	     = icnu
++  /usr/bin/ksh	 = icnu
++  /bin/dash	     = icnu
++  /usr/bin/dash	 = icnu
++  /bin/zsh       = icnu
++  /usr/bin/zsh   = icnu
++  /bin/fish      = icnu
++  /usr/bin/fish  = icnu
++  /bin/ash       = icnu
++  /usr/bin/ash   = icnu
++  /bin/rc        = icnu
++  /usr/bin/rc    = icnu
+ 
+   # these programs can't function if they're confined
    /bin/mount    = u
    /usr/bin/mount = u
    /etc/init.d/subdomain = u
@@ -33,14 +54,16 @@ index a778792..a9f7b79 100644
 -  /usr/sbin/subdomain_parser = u
 -  /usr/sbin/genprof = u
 -  /usr/sbin/logprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_logprof = u
 +  /usr/bin/cardmgr = u
 +  /usr/bin/subdomain_parser = u
 +  /usr/bin/genprof = u
 +  /usr/bin/logprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
-@@ -97,8 +95,7 @@
+   # these ones shouln't have their own profiles
+   /bin/awk      = icn
+@@ -97,8 +99,7 @@
    /usr/bin/sed  = icn
    /bin/touch    = icn
    /usr/bin/touch = icn
@@ -50,15 +73,13 @@ index a778792..a9f7b79 100644
    /usr/bin/find = icn
    /usr/bin/killall = icn
    /usr/bin/nice = icn
-@@ -112,6 +109,8 @@
+@@ -112,6 +113,9 @@
    /usr/bin/python3.5    = icn
    /usr/bin/python3.6    = icn
    /usr/bin/python3.7    = icn
 +  /usr/bin/python3.8    = icn
 +  /usr/bin/python3.9    = icn
++  /usr/bin/python3.10    = icn
    /usr/bin/tr   = icn
  
  [required_hats]
--- 
-2.29.0
-
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..2a9e373447b6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -10,15 +10,15 @@ make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
 depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
- python3-psutil python3-dbus iproute2"
+ python3-psutil python3-dbus iproute2 which"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
 replaces="apparmor-vim>=0"
 
 if [ -z "$CROSS_BUILD" ]; then
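Review bot: `which` is added to the runtime `depends` in this revision with no explanation in the commit message; state which installed script calls it at runtime (it was already in `hostmakedepends`, visible as context above, so the build itself did not need the change). The adoption question is now answered in the updated description, so the `maintainer=` change is fine here; the new `checksum=` should still be regenerated locally with `xgensum` from the `distfiles` URL rather than taken from the PR.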
@@ -68,6 +68,7 @@ post_install() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include

From 478d8a1a500883316df953db68c224ea1b81c871 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default

---
 srcpkgs/runit-void/files/apparmor | 2 +-
 srcpkgs/runit-void/template       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
 # - disable
 # - complain
 # - enforce
-#APPARMOR=disable
+APPARMOR=complain
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
 # Template file for 'runit-void'
 pkgname=runit-void
 version=20210314
-revision=1
+revision=2
 wrksrc="void-runit-${version}"
 build_style=gnu-makefile
 short_desc="Void Linux runit scripts"


* Re: [RFC]: apparmor: change default mode to complain
  2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
  2021-08-11  1:06 ` ericonr
  2021-08-14 20:44 ` [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain paper42
@ 2021-08-15  3:52 ` ericonr
  2021-09-18 11:36 ` [PR PATCH] [Updated] " paper42
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 7+ messages in thread
From: ericonr @ 2021-08-15  3:52 UTC (permalink / raw)
  To: ml


New comment by ericonr on void-packages repository

https://github.com/void-linux/void-packages/pull/32451#issuecomment-898991326

Comment:
Also note, I think we'd have to update docs for it.


* Re: [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain
  2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
                   ` (2 preceding siblings ...)
  2021-08-15  3:52 ` ericonr
@ 2021-09-18 11:36 ` paper42
  2021-09-26 21:51 ` paper42
  2021-09-28  9:46 ` [PR PATCH] [Merged]: " paper42
  5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-09-18 11:36 UTC (permalink / raw)
  To: ml


There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451

[RFC]: apparmor: change default mode to complain
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

I still need to test this PR.

- [x] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187, or do we want to wait to see whether there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL

A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached

[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
[-- Type: text/x-diff, Size: 10012 bytes --]

From 2cce9a8b67b6fe31ee843b6501cb940790085d2e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.

* adopt
* fix licenses
---
 .../patches/fix-dnsmasq-libvirt.patch         | 13 ----
 .../patches/fix-setting-proc_attr_base.patch  | 52 ---------------
 ...ogprofconf.patch => fix_logprofconf.patch} | 63 ++++++++++++-------
 srcpkgs/apparmor/template                     | 14 +++--
 4 files changed, 50 insertions(+), 92 deletions(-)
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
 delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
 rename srcpkgs/apparmor/patches/{correct_paths_logprofconf.patch => fix_logprofconf.patch} (52%)

diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- 	/* if we fail we just fall back to the default value */
- 	if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- 		autoclose int fd = open(tmp, O_RDONLY);
--		if (fd != -1)
-+		if (fd != -1) {
- 			proc_attr_base = proc_attr_base_stacking;
--	} else if (!is_enabled() && is_private_enabled()) {
-+			return;
-+		}
-+	}
-+	if (!is_enabled() && is_private_enabled()) {
- 		/* new stacking interfaces aren't available and apparmor
--		 * is disabled, but available. do not use the
--		 * /proc/<pid>/attr/ * interfaces as they could be
--		 * in use by another LSM
--		 */
-+		* is disabled, but available. do not use the
-+		* /proc/<pid>/attr/ * interfaces as they could be
-+		* in use by another LSM
-+		*/
- 		proc_attr_base = proc_attr_base_unavailable;
--	} else {
--		proc_attr_base = proc_attr_base_old;
-+		return;
- 	}
-+	proc_attr_base = proc_attr_base_old;
- }
- 
- static char *procattr_path(pid_t pid, const char *attr)
--- 
-GitLab
-
diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
similarity index 52%
rename from srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
rename to srcpkgs/apparmor/patches/fix_logprofconf.patch
index e34e69af8bfb..a702cce454f0 100644
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -1,17 +1,8 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
+modify logprof.conf for Void Linux
 
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
+@@ -12,11 +12,11 @@
  [settings]
    profiledir = /etc/apparmor.d /etc/subdomain.d
    inactive_profiledir = /usr/share/apparmor/extra-profiles 
@@ -21,9 +12,39 @@ index a778792..a9f7b79 100644
 -  parser = /sbin/apparmor_parser /sbin/subdomain_parser
 +  parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
    ldd = /usr/bin/ldd
-   logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
+-  logger = /bin/logger /usr/bin/logger
++  logger = /usr/bin/logger
+ 
+   # customize how file ownership permissions are presented
+   # 0 - off
+@@ -38,27 +38,29 @@
+ 
+ [qualifiers]
+   # things will be painfully broken if bash has a profile
+-  /bin/bash     = icnu
+-  /usr/bin/bash = icnu
+-  /bin/ksh	    = icnu
+-  /usr/bin/ksh	= icnu
+-  /bin/dash	    = icnu
+-  /usr/bin/dash	= icnu
+-  /bin/zsh      = icnu
+-  /usr/bin/zsh  = icnu
++  /bin/bash      = icnu
++  /usr/bin/bash  = icnu
++  /bin/ksh	     = icnu
++  /usr/bin/ksh	 = icnu
++  /bin/dash	     = icnu
++  /usr/bin/dash	 = icnu
++  /bin/zsh       = icnu
++  /usr/bin/zsh   = icnu
++  /bin/fish      = icnu
++  /usr/bin/fish  = icnu
++  /bin/ash       = icnu
++  /usr/bin/ash   = icnu
++  /bin/rc        = icnu
++  /usr/bin/rc    = icnu
+ 
+   # these programs can't function if they're confined
    /bin/mount    = u
    /usr/bin/mount = u
    /etc/init.d/subdomain = u
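Review bot: this hunk deletes and re-adds all eight existing shell entries (`/bin/bash`, `/usr/bin/bash`, ... down to `/usr/bin/zsh`) with one extra column of padding, and the ksh/dash lines keep their original tab/space mix, only so that fish, ash and rc can be appended; add the six new `= icnu` lines at the existing column width instead, so the diff shows just the real change and later rebases of this patch on upstream logprof.conf stay trivial.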
@@ -33,14 +54,16 @@ index a778792..a9f7b79 100644
 -  /usr/sbin/subdomain_parser = u
 -  /usr/sbin/genprof = u
 -  /usr/sbin/logprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_logprof = u
 +  /usr/bin/cardmgr = u
 +  /usr/bin/subdomain_parser = u
 +  /usr/bin/genprof = u
 +  /usr/bin/logprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
  
-@@ -97,8 +95,7 @@
+   # these ones shouln't have their own profiles
+   /bin/awk      = icn
+@@ -97,8 +99,7 @@
    /usr/bin/sed  = icn
    /bin/touch    = icn
    /usr/bin/touch = icn
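Review bot: the two `/usr/lib/YaST2/servers_non_y2/ag_genprof = u` and `ag_logprof = u` entries are now removed as well, which the patch's one-line description ("modify logprof.conf for Void Linux") does not cover; dropping them is reasonable, since those paths exist only on YaST-based systems, but say so in the description, because `= u` marks programs that logprof must never confine and a reader should not have to guess why entries left that list.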
@@ -50,15 +73,13 @@ index a778792..a9f7b79 100644
    /usr/bin/find = icn
    /usr/bin/killall = icn
    /usr/bin/nice = icn
-@@ -112,6 +109,8 @@
+@@ -112,6 +113,9 @@
    /usr/bin/python3.5    = icn
    /usr/bin/python3.6    = icn
    /usr/bin/python3.7    = icn
 +  /usr/bin/python3.8    = icn
 +  /usr/bin/python3.9    = icn
++  /usr/bin/python3.10    = icn
    /usr/bin/tr   = icn
  
  [required_hats]
--- 
-2.29.0
-
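Review bot: the added `/usr/bin/python3.10    = icn` line is one column off from the 3.8/3.9 entries above it; more importantly, these qualifiers are matched as literal paths, not globs, so every future interpreter minor (3.11 and on) needs its own entry or aa-logprof will silently stop offering the inherit/child/named choice for scripts run under it; a short comment saying the list must be extended on each python3 version bump would save the next maintainer the search.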
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..2a9e373447b6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -10,15 +10,15 @@ make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
 depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
- python3-psutil python3-dbus iproute2"
+ python3-psutil python3-dbus iproute2 which"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
 replaces="apparmor-vim>=0"
 
 if [ -z "$CROSS_BUILD" ]; then
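Review bot: the new runtime dependency `which` on the depends line is not explained anywhere, and `which` is already in hostmakedepends for the build; state which installed script calls it at runtime (or drop it again if the build-time entry was the only need), otherwise the next maintainer has no way of knowing whether it can be removed.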
@@ -68,6 +68,7 @@ post_install() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
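Review bot: setting `license="LGPL-2.1-only"` per subpackage is the right split for the shared library, but check where the swig-generated python and perl bindings built from the same libraries/libapparmor tree end up (the `if [ -z "$CROSS_BUILD" ]` branch is cut off here) and make sure their license field follows them rather than defaulting to the main package's `GPL-2.0-only`; the commit message currently says only "fix licenses", so record the decision there.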
@@ -81,6 +82,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include

From 91f20e08e2486da8fb83bbe9d76299d59663a455 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default

---
 srcpkgs/runit-void/files/apparmor | 2 +-
 srcpkgs/runit-void/template       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
 # - disable
 # - complain
 # - enforce
-#APPARMOR=disable
+APPARMOR=complain
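Review bot: the comment block above the setting lists the three values but nowhere says that complain mode only logs denials and blocks nothing, and this hunk makes complain the shipped default; add a line such as "complain logs policy violations without enforcing them; switch to enforce once your profiles are verified", so that a user who sees apparmor loaded and profiles listed does not mistake the new default for protection. The reasoning in the PR description (someone who put apparmor on the kernel cmdline wants at least logging) is sound; the comment just needs to match it.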
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
 # Template file for 'runit-void'
 pkgname=runit-void
 version=20210314
-revision=1
+revision=2
 wrksrc="void-runit-${version}"
 build_style=gnu-makefile
 short_desc="Void Linux runit scripts"


* Re: [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain
  2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
                   ` (3 preceding siblings ...)
  2021-09-18 11:36 ` [PR PATCH] [Updated] " paper42
@ 2021-09-26 21:51 ` paper42
  2021-09-28  9:46 ` [PR PATCH] [Merged]: " paper42
  5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-09-26 21:51 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1323 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages apparmor-3.0.3
https://github.com/void-linux/void-packages/pull/32451

[RFC]: apparmor: change default mode to complain
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [ ] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

I still need to test this PR.

- [x] adopt, @olivier-mauras are you ok with this?
- [ ] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187 or do we want to wait if there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL

A patch file from https://github.com/void-linux/void-packages/pull/32451.patch is attached

[-- Attachment #2: github-pr-apparmor-3.0.3-32451.patch --]
[-- Type: text/x-diff, Size: 15472 bytes --]

From aa5cbfa999ee27be37449c041c8748e60232131c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Tue, 10 Aug 2021 23:13:46 +0200
Subject: [PATCH 1/2] apparmor: update to 3.0.3.

* adopt
* fix licenses
* add a patch to support Python 3.10
---
 .../patches/correct_paths_logprofconf.patch   | 64 --------------
 .../patches/fix-dnsmasq-libvirt.patch         | 13 ---
 .../patches/fix-setting-proc_attr_base.patch  | 52 ------------
 .../apparmor/patches/fix_logprofconf.patch    | 75 +++++++++++++++++
 srcpkgs/apparmor/patches/python-3.10.patch    | 84 +++++++++++++++++++
 srcpkgs/apparmor/template                     | 14 ++--
 6 files changed, 167 insertions(+), 135 deletions(-)
 delete mode 100644 srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
 delete mode 100644 srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
 delete mode 100644 srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
 create mode 100644 srcpkgs/apparmor/patches/fix_logprofconf.patch
 create mode 100644 srcpkgs/apparmor/patches/python-3.10.patch

diff --git a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
deleted file mode 100644
index e34e69af8bfb..000000000000
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 6f2649203d6bfc26b79f624b5b4625603923bccd Mon Sep 17 00:00:00 2001
-From: Paper <paper@tilde.institute>
-Date: Wed, 21 Oct 2020 10:20:47 +0200
-Subject: [PATCH] correct paths in logprof.conf
-
----
- utils/logprof.conf | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/utils/logprof.conf b/utils/logprof.conf
-index a778792..a9f7b79 100644
---- a/utils/logprof.conf
-+++ b/utils/logprof.conf
-@@ -12,9 +12,9 @@
- [settings]
-   profiledir = /etc/apparmor.d /etc/subdomain.d
-   inactive_profiledir = /usr/share/apparmor/extra-profiles 
--  logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
-+  logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages
- 
--  parser = /sbin/apparmor_parser /sbin/subdomain_parser
-+  parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
-   ldd = /usr/bin/ldd
-   logger = /bin/logger /usr/bin/logger
-
-@@ -51,12 +51,10 @@
-   /bin/mount    = u
-   /usr/bin/mount = u
-   /etc/init.d/subdomain = u
--  /sbin/cardmgr = u
--  /usr/sbin/cardmgr = u
--  /sbin/subdomain_parser = u
--  /usr/sbin/subdomain_parser = u
--  /usr/sbin/genprof = u
--  /usr/sbin/logprof = u
-+  /usr/bin/cardmgr = u
-+  /usr/bin/subdomain_parser = u
-+  /usr/bin/genprof = u
-+  /usr/bin/logprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_genprof = u
-   /usr/lib/YaST2/servers_non_y2/ag_logprof = u
- 
-@@ -97,8 +95,7 @@
-   /usr/bin/sed  = icn
-   /bin/touch    = icn
-   /usr/bin/touch = icn
--  /sbin/killall5 = icn
--  /usr/sbin/killall5 = icn
-+  /usr/bin/killall5 = icn
-   /usr/bin/find = icn
-   /usr/bin/killall = icn
-   /usr/bin/nice = icn
-@@ -112,6 +109,8 @@
-   /usr/bin/python3.5    = icn
-   /usr/bin/python3.6    = icn
-   /usr/bin/python3.7    = icn
-+  /usr/bin/python3.8    = icn
-+  /usr/bin/python3.9    = icn
-   /usr/bin/tr   = icn
- 
- [required_hats]
--- 
-2.29.0
-
diff --git a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch b/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
deleted file mode 100644
index 99ba9d3b5ab9..000000000000
--- a/srcpkgs/apparmor/patches/fix-dnsmasq-libvirt.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq
-index 7ae9a148..a32d24ca 100644
---- a/profiles/apparmor.d/usr.sbin.dnsmasq
-+++ b/profiles/apparmor.d/usr.sbin.dnsmasq
-@@ -113,7 +113,7 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
-     /etc/libnl-3/classid r,
- 
-     /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
--    /usr/libexec/libvirt_leaseshelper m,
-+    /usr/libexec/libvirt_leaseshelper mr,
- 
-     owner @{PROC}/@{pid}/net/psched r,
-     owner @{PROC}/@{pid}/status r,
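Review bot: deleting fix-dnsmasq-libvirt.patch silently drops the `/usr/libexec/libvirt_leaseshelper mr,` rule from usr.sbin.dnsmasq; unless the 3.0.3 profile already carries `mr` for that path, libvirt-managed dnsmasq on an enforce-mode host will again be denied reading its lease helper, which is exactly the regression this patch fixed. Confirm against the 3.0.3 profile and, either way, list the removal in the commit message, which currently mentions only adopt, licenses and the Python 3.10 patch.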
diff --git a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
deleted file mode 100644
index 35e9101f81b9..000000000000
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-upstream: yes
-From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
-From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
-Date: Wed, 20 Jan 2021 17:26:37 -0600
-Subject: [PATCH] fix setting proc_attr_base
-
-There is currently a case in which proc_attr_base won't get set when
-asprintf is able to generate the path, but the file doesn't exist, it
-will exit proc_attr_base_init_once() without proc_attr_base having been
-set as the fall-through if/else logic will get bypassed when asprintf is
-successful.
----
- libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
-index 0fa77b014..6ba028614 100644
---- a/libraries/libapparmor/src/kernel.c
-+++ b/libraries/libapparmor/src/kernel.c
-@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
- 	/* if we fail we just fall back to the default value */
- 	if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
- 		autoclose int fd = open(tmp, O_RDONLY);
--		if (fd != -1)
-+		if (fd != -1) {
- 			proc_attr_base = proc_attr_base_stacking;
--	} else if (!is_enabled() && is_private_enabled()) {
-+			return;
-+		}
-+	}
-+	if (!is_enabled() && is_private_enabled()) {
- 		/* new stacking interfaces aren't available and apparmor
--		 * is disabled, but available. do not use the
--		 * /proc/<pid>/attr/ * interfaces as they could be
--		 * in use by another LSM
--		 */
-+		* is disabled, but available. do not use the
-+		* /proc/<pid>/attr/ * interfaces as they could be
-+		* in use by another LSM
-+		*/
- 		proc_attr_base = proc_attr_base_unavailable;
--	} else {
--		proc_attr_base = proc_attr_base_old;
-+		return;
- 	}
-+	proc_attr_base = proc_attr_base_old;
- }
- 
- static char *procattr_path(pid_t pid, const char *attr)
--- 
-GitLab
-
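Review bot: the removed patch carried `upstream: yes` in its header, so dropping it on the 3.0.3 update is expected; to make that self-evident, verify once that the 3.0.3 kernel.c contains the `return;` after `proc_attr_base = proc_attr_base_stacking;` (without it proc_attr_base stays unset when asprintf succeeds but the stacking file is missing, as the patch description explains) and note "merged upstream" next to the removal in the commit message.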
diff --git a/srcpkgs/apparmor/patches/fix_logprofconf.patch b/srcpkgs/apparmor/patches/fix_logprofconf.patch
new file mode 100644
index 000000000000..62de9909717e
--- /dev/null
+++ b/srcpkgs/apparmor/patches/fix_logprofconf.patch
@@ -0,0 +1,75 @@
+modify logprof.conf for Void Linux
+
+--- a/utils/logprof.conf
++++ b/utils/logprof.conf
+@@ -12,11 +12,11 @@
+ [settings]
+   profiledir = /etc/apparmor.d /etc/subdomain.d
+   inactive_profiledir = /usr/share/apparmor/extra-profiles 
+-  logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
++  logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages
+ 
+-  parser = /sbin/apparmor_parser /sbin/subdomain_parser
++  parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
+   ldd = /usr/bin/ldd
+-  logger = /bin/logger /usr/bin/logger
++  logger = /usr/bin/logger
+ 
+   # customize how file ownership permissions are presented
+   # 0 - off
+@@ -38,27 +38,29 @@
+ 
+ [qualifiers]
+   # things will be painfully broken if bash has a profile
+-  /bin/bash     = icnu
+-  /usr/bin/bash = icnu
+-  /bin/ksh	    = icnu
+-  /usr/bin/ksh	= icnu
+-  /bin/dash	    = icnu
+-  /usr/bin/dash	= icnu
+-  /bin/zsh      = icnu
+-  /usr/bin/zsh  = icnu
++  /bin/bash      = icnu
++  /usr/bin/bash  = icnu
++  /bin/ksh	     = icnu
++  /usr/bin/ksh	 = icnu
++  /bin/dash	     = icnu
++  /usr/bin/dash	 = icnu
++  /bin/zsh       = icnu
++  /usr/bin/zsh   = icnu
++  /bin/fish      = icnu
++  /usr/bin/fish  = icnu
++  /bin/ash       = icnu
++  /usr/bin/ash   = icnu
++  /bin/rc        = icnu
++  /usr/bin/rc    = icnu
+ 
+   # these programs can't function if they're confined
+   /bin/mount    = u
+   /usr/bin/mount = u
+   /etc/init.d/subdomain = u
+-  /sbin/cardmgr = u
+-  /usr/sbin/cardmgr = u
+-  /sbin/subdomain_parser = u
+-  /usr/sbin/subdomain_parser = u
+-  /usr/sbin/genprof = u
+-  /usr/sbin/logprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_genprof = u
+-  /usr/lib/YaST2/servers_non_y2/ag_logprof = u
++  /usr/bin/cardmgr = u
++  /usr/bin/subdomain_parser = u
++  /usr/bin/genprof = u
++  /usr/bin/logprof = u
+ 
+   # these ones shouln't have their own profiles
+   /bin/awk      = icn
+@@ -112,6 +113,9 @@
+   /usr/bin/python3.5    = icn
+   /usr/bin/python3.6    = icn
+   /usr/bin/python3.7    = icn
++  /usr/bin/python3.8    = icn
++  /usr/bin/python3.9    = icn
++  /usr/bin/python3.10    = icn
+   /usr/bin/tr   = icn
+ 
+ [required_hats]
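Review bot: the patch drops every `/sbin/...` and `/usr/sbin/...` entry but keeps both `/bin/<shell>` and `/usr/bin/<shell>` for all eight shells, while `logger` is reduced to `/usr/bin/logger` alone; pick one rule (either both spellings are listed because logs may contain either, or only the canonical /usr/bin path is listed, as done for logger, cardmgr and genprof) and apply it throughout, otherwise a shell logged under a /bin path gets the icnu treatment while a tool logged under /bin does not. The header line would also benefit from saying that `/var/log/socklog/kernel/current` is Void's socklog path, which is the reason this patch is distribution-specific rather than a candidate for upstream.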
diff --git a/srcpkgs/apparmor/patches/python-3.10.patch b/srcpkgs/apparmor/patches/python-3.10.patch
new file mode 100644
index 000000000000..90d176d3b8c2
--- /dev/null
+++ b/srcpkgs/apparmor/patches/python-3.10.patch
@@ -0,0 +1,84 @@
+From ea7b201ba48b87469297d58751c57b03ceb82320 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor@cboltz.de>
+Date: Wed, 11 Aug 2021 21:37:40 +0200
+Subject: [PATCH] Update abstractions/python and profiles for python 3.10
+
+Fixes: https://gitlab.com/apparmor/apparmor/-/issues/187
+---
+ profiles/apparmor.d/abstractions/python        | 18 +++++++++---------
+ profiles/apparmor.d/lsb_release                |  2 +-
+ .../profiles/extras/usr.bin.chromium-browser   |  4 ++--
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/profiles/apparmor.d/abstractions/python b/profiles/apparmor.d/abstractions/python
+index 1b5cc9d0d..727030bdf 100644
+--- a/profiles/apparmor.d/abstractions/python
++++ b/profiles/apparmor.d/abstractions/python
+@@ -12,18 +12,18 @@
+ 
+   abi <abi/3.0>,
+ 
+-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so}           mr,
+-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth}       r,
+-  /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
++  /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{pyc,so}           mr,
++  /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/**.{egg,py,pth}       r,
++  /usr/lib{,32,64}/python{2.[4-7],3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
+   /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
+ 
+-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so}           mr,
+-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth}       r,
+-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
+-  /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,
++  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so}           mr,
++  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}       r,
++  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
++  /usr/local/lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so            mr,
+ 
+   # Site-wide configuration
+-  /etc/python{2.[4-7],3.[0-9]}/** r,
++  /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
+ 
+   # shared python paths
+   /usr/share/{pyshared,pycentral,python-support}/**      r,
+@@ -36,7 +36,7 @@
+   /usr/lib/wx/python/*.pth r,
+ 
+   # python build configuration and headers
+-  /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
++  /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
+ 
+   # Include additions to the abstraction
+   include if exists <abstractions/python.d>
+diff --git a/profiles/apparmor.d/lsb_release b/profiles/apparmor.d/lsb_release
+index 33a1c71db..ad8b998fc 100644
+--- a/profiles/apparmor.d/lsb_release
++++ b/profiles/apparmor.d/lsb_release
+@@ -18,7 +18,7 @@ profile lsb_release {
+   /dev/tty rw,
+ 
+   /usr/bin/lsb_release r,
+-  /usr/bin/python3.[0-9] mr,
++  /usr/bin/python3.{1,}[0-9] mr,
+ 
+   /etc/debian_version r,
+   /etc/default/apport r,
+diff --git a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
+index 2df5338db..b47b6f721 100644
+--- a/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
++++ b/profiles/apparmor/profiles/extras/usr.bin.chromium-browser
+@@ -267,9 +267,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
+     /usr/share/distro-info/** r,
+     /var/lib/dpkg/** r,
+ 
+-    /usr/local/lib/python3.[0-9]/dist-packages/ r,
++    /usr/local/lib/python3.{1,}[0-9]/dist-packages/ r,
+     /usr/bin/ r,
+-    /usr/bin/python3.[0-9] mr,
++    /usr/bin/python3.{1,}[0-9] mr,
+   }
+ 
+   profile sandbox {
+-- 
+GitLab
+
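Review bot: inside the abstractions/python hunk, `/usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so            mr,` is left unchanged while its `/usr/local` counterpart further down is widened to `python3.{1,}[0-9]`; the `**.{pyc,so} mr` rule just above already matches lib-dynload for 3.1[0-9], so nothing is actually denied for Python 3.10, but the asymmetry reads as an oversight and will puzzle whoever regenerates this patch. Since this is Christian Boltz's upstream commit with the GitLab trailer intact, add an `upstream: yes` header line like the one the removed fix-setting-proc_attr_base.patch carried, so it is obviously droppable on the first release that contains it.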
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index 4b45ad3ee18d..2a9e373447b6 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=3.0.1
-revision=7
+version=3.0.3
+revision=1
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@@ -10,15 +10,15 @@ make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
 depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2
- python3-psutil python3-dbus iproute2"
+ python3-psutil python3-dbus iproute2 which"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
-maintainer="Olivier Mauras <olivier@mauras.ch>"
-license="GPL-2.0-only, LGPL-2.1-only"
+maintainer="Michal Vasilek <michal@vasilek.cz>"
+license="GPL-2.0-only"
 homepage="https://gitlab.com/apparmor/apparmor"
 changelog="https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_${version}"
 distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${version}/apparmor-v${version}.tar.gz"
-checksum=5f9afc157c5e2610737186a31fc9bd6a1d339a2ee85ac4f2667dce59cf60f1c7
+checksum=51b1db60e962dd01856a1ec6a9d43b11ed4350dcc5738ef901097c999bcbf50e
 replaces="apparmor-vim>=0"
 
 if [ -z "$CROSS_BUILD" ]; then
@@ -68,6 +68,7 @@ post_install() {
 
 libapparmor_package() {
 	short_desc+=" - Library"
+	license="LGPL-2.1-only"
 	pkg_install() {
 		vmove "usr/lib/libapparmor.so*"
 		if [ -z "$CROSS_BUILD" ]; then
@@ -81,6 +82,7 @@ libapparmor_package() {
 
 libapparmor-devel_package() {
 	short_desc+=" - Library development files"
+	license="LGPL-2.1-only"
 	depends="lib${sourcepkg}-${version}_${revision}"
 	pkg_install() {
 		vmove usr/include

From b8e983861f22c960d7a8bbd16451fccfbc00e1c2 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 11 Aug 2021 00:30:17 +0200
Subject: [PATCH 2/2] runit-void: set apparmor to complain mode by default

---
 srcpkgs/runit-void/files/apparmor | 2 +-
 srcpkgs/runit-void/template       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/runit-void/files/apparmor b/srcpkgs/runit-void/files/apparmor
index 980b5b3eecc7..b32ce11a11ef 100644
--- a/srcpkgs/runit-void/files/apparmor
+++ b/srcpkgs/runit-void/files/apparmor
@@ -4,4 +4,4 @@
 # - disable
 # - complain
 # - enforce
-#APPARMOR=disable
+APPARMOR=complain
diff --git a/srcpkgs/runit-void/template b/srcpkgs/runit-void/template
index 2ac215c253f1..0c98cadc9e18 100644
--- a/srcpkgs/runit-void/template
+++ b/srcpkgs/runit-void/template
@@ -1,7 +1,7 @@
 # Template file for 'runit-void'
 pkgname=runit-void
 version=20210314
-revision=1
+revision=2
 wrksrc="void-runit-${version}"
 build_style=gnu-makefile
 short_desc="Void Linux runit scripts"


* Re: [PR PATCH] [Merged]: [RFC]: apparmor: change default mode to complain
  2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
                   ` (4 preceding siblings ...)
  2021-09-26 21:51 ` paper42
@ 2021-09-28  9:46 ` paper42
  5 siblings, 0 replies; 7+ messages in thread
From: paper42 @ 2021-09-28  9:46 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1139 bytes --]

There's a merged pull request on the void-packages repository

[RFC]: apparmor: change default mode to complain
https://github.com/void-linux/void-packages/pull/32451

Description:
#### General
- [ ] This is a new package and it conforms to the [quality requirements](https://github.com/void-linux/void-packages/blob/master/Manual.md#quality-requirements)

#### Have the results of the proposed changes been tested?
- [x] I use the packages affected by the proposed changes on a regular basis and confirm this PR works for me
- [ ] I generally don't use the affected packages but briefly tested this PR

#### Tasks
- [x] adopt, @olivier-mauras are you ok with this?
- [x] support python 3.10 - fix https://gitlab.com/apparmor/apparmor/-/issues/187 or do we want to wait if there will be an apparmor release with a fix before Void switches to Python 3.10?
- [x] switch to complain mode by default; disabled doesn't make sense: when a user modifies the kernel cmdline to load apparmor, they probably want to use apparmor, so enable at least logging
- [x] add common shells to logprof.conf
- [x] fix licenses, libapparmor is LGPL


end of thread, other threads:[~2021-09-28  9:46 UTC | newest]

Thread overview: 7+ messages
2021-08-10 22:50 [PR PATCH] apparmor: update to 3.0.3 paper42
2021-08-11  1:06 ` ericonr
2021-08-14 20:44 ` [PR PATCH] [Updated] [RFC]: apparmor: change default mode to complain paper42
2021-08-15  3:52 ` ericonr
2021-09-18 11:36 ` [PR PATCH] [Updated] " paper42
2021-09-26 21:51 ` paper42
2021-09-28  9:46 ` [PR PATCH] [Merged]: " paper42
