apparmor: various fixes

* add missing python3 dependencies for aa-notify * do not rewrite logfiles option in logprof.conf aggressively * remove an old patch * fix segfault on musl (was also an issue on glibc, just empty output instead of segfault) * depend on explicit libapparmor version Closes #28127 Closes: #28448 [via git-merge-pr]
2021-02-03 20:13:56 +01:00 · 2021-02-03 20:13:56 +01:00 · 5251fe6d9b
parent f89bba4625
commit 5251fe6d9b
4 changed files with 60 additions and 57 deletions
--- a/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
+++ b/srcpkgs/apparmor/patches/add-missing-typedef-definitions.patch
@ -1,49 +0,0 @@
-Source: Alpine Linux
-Upstream: Unknown
-Reason: Fixes compilation with musl libc
---
-
-diff --git a/parser/missingdefs.h b/parser/missingdefs.h
-new file mode 100644
-index 0000000..8097aef
--- /dev/null
-+++ b/parser/missingdefs.h
-@@ -0,0 +1,8 @@
-+#ifndef PARSER_MISSINGDEFS_H
-+#define PARSER_MISSINGDEFS_H
-+
-+typedef int (*__compar_fn_t) (const void *, const void *);
-+typedef __compar_fn_t comparison_fn_t;
-+typedef void (*__free_fn_t) (void *__nodep);
-+
-+#endif
-diff --git a/parser/parser_alias.c b/parser/parser_alias.c
-index f5b6da4..d57f580 100644
--- a/parser/parser_alias.c
-+++ b/parser/parser_alias.c
-@@ -25,6 +25,10 @@
- #include "parser.h"
- #include "profile.h"
- 
-+#ifndef __GLIBC__
-+#include "missingdefs.h"
-+#endif
-+
- struct alias_rule {
- 	char *from;
- 	char *to;
-diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
-index 3e667d8..e109f4d 100644
--- a/parser/parser_symtab.c
-+++ b/parser/parser_symtab.c
-@@ -25,6 +25,10 @@
- #include "immunix.h"
- #include "parser.h"
- 
-+#ifndef __GLIBC__
-+#include "missingdefs.h"
-+#endif
-+
- enum var_type {
- 	sd_boolean,
- 	sd_set,
--- a/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
+++ b/srcpkgs/apparmor/patches/correct_paths_logprofconf.patch
@ -11,15 +11,18 @@ diff --git a/utils/logprof.conf b/utils/logprof.conf
 index a778792..a9f7b79 100644
 --- a/utils/logprof.conf
 +++ b/utils/logprof.conf
-@@ -14,7 +14,7 @@
+@@ -12,9 +12,9 @@
+ [settings]
+   profiledir = /etc/apparmor.d /etc/subdomain.d
   inactive_profiledir = /usr/share/apparmor/extra-profiles 
-   logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
+-  logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
+  logfiles = /var/log/audit/audit.log /var/log/socklog/kernel/current /var/log/syslog /var/log/messages
 
 -  parser = /sbin/apparmor_parser /sbin/subdomain_parser
 +  parser = /usr/bin/apparmor_parser /usr/bin/subdomain_parser
   ldd = /usr/bin/ldd
   logger = /bin/logger /usr/bin/logger
- 
+
@@ -51,12 +51,10 @@
   /bin/mount    = u
   /usr/bin/mount = u
--- a/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
+++ b/srcpkgs/apparmor/patches/fix-setting-proc_attr_base.patch
@ -0,0 +1,52 @@
+upstream: yes
+From cc113f4820721808c9efec8b075a5482e6f9a3ad Mon Sep 17 00:00:00 2001
+From: Aaron U'Ren <aauren@users.noreply.gitlab.com>
+Date: Wed, 20 Jan 2021 17:26:37 -0600
+Subject: [PATCH] fix setting proc_attr_base
+
+There is currently a case in which proc_attr_base won't get set when
+asprintf is able to generate the path, but the file doesn't exist, it
+will exit proc_attr_base_init_once() without proc_attr_base having been
+set as the fall-through if/else logic will get bypassed when asprintf is
+successful.
+---
+ libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
+index 0fa77b014..6ba028614 100644
+--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
+@@ -239,18 +239,21 @@ static void proc_attr_base_init_once(void)
+ 	/* if we fail we just fall back to the default value */
+ 	if (asprintf(&tmp, "/proc/%d/attr/apparmor/current", aa_gettid())) {
+ 		autoclose int fd = open(tmp, O_RDONLY);
+-		if (fd != -1)
+		if (fd != -1) {
+ 			proc_attr_base = proc_attr_base_stacking;
+-	} else if (!is_enabled() && is_private_enabled()) {
+			return;
+		}
+	}
+	if (!is_enabled() && is_private_enabled()) {
+ 		/* new stacking interfaces aren't available and apparmor
+-		 * is disabled, but available. do not use the
+-		 * /proc/<pid>/attr/ * interfaces as they could be
+-		 * in use by another LSM
+-		 */
+		* is disabled, but available. do not use the
+		* /proc/<pid>/attr/ * interfaces as they could be
+		* in use by another LSM
+		*/
+ 		proc_attr_base = proc_attr_base_unavailable;
+-	} else {
+-		proc_attr_base = proc_attr_base_old;
+		return;
+ 	}
+	proc_attr_base = proc_attr_base_old;
+ }
+ 
+ static char *procattr_path(pid_t pid, const char *attr)
+-- 
+GitLab
+
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
@ -1,7 +1,7 @@
 # Template file for 'apparmor'
 pkgname=apparmor
 version=3.0.1
-revision=1
+revision=2
 wrksrc="${pkgname}-v${version}"
 build_wrksrc=libraries/libapparmor
 build_style=gnu-configure
@ -9,7 +9,7 @@ conf_files="/etc/apparmor.d/local/* /etc/apparmor/*"
 make_dirs="/etc/apparmor.d/disable 0755 root root"
 hostmakedepends="bison flex autoconf automake libtool gettext swig python3 which"
 makedepends="perl python3-devel"
-depends="runit-void-apparmor python3 libapparmor"
+depends="runit-void-apparmor libapparmor-${version}_${revision} python3-notify2 python3-psutil"
 checkdepends="dejagnu"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras <olivier@mauras.ch>"
@ -32,9 +32,6 @@ pre_build() {
 	# Replace release profiles with our own
 	cd ${wrksrc}
 	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
-
-	# use the correct syslog path
-	vsed -i utils/logprof.conf -e 's,logfiles = .*,logfiles = /var/log/socklog/kernel/current,'
 }

 post_build() {