From 5390642a48b75077d23591af071c85728d66e1c8 Mon Sep 17 00:00:00 2001
From: Olivier Mauras
Date: Wed, 9 May 2018 04:54:15 +0000
Subject: [PATCH] apparmor: Bump to 2.13 and include custom profiles directly on top of defaults
---
 .../apparmor/files/profiles/usr.bin.dhcpcd | 89 +++++++++++++++++++
 .../files/profiles/usr.bin.iputils-ping | 19 ++++
 srcpkgs/apparmor/files/profiles/usr.bin.nginx | 34 +++++++
 .../apparmor/files/profiles/usr.bin.php-fpm | 44 +++++++++
 srcpkgs/apparmor/files/profiles/usr.bin.uuidd | 17 ++++
 srcpkgs/apparmor/template | 21 ++---
 6 files changed, 212 insertions(+), 12 deletions(-)
 create mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
 create mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping
 create mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.nginx
 create mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
 create mode 100644 srcpkgs/apparmor/files/profiles/usr.bin.uuidd
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
new file mode 100644
index 00000000000..adfed209b6e
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.dhcpcd
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+
+#include
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+ #include
+ #include
+
+ capability chown,
+ capability net_admin,
+ capability net_raw,
+ capability sys_admin,
+
+ network packet dgram,
+ network inet raw,
+ network inet6 raw,
+
+ /dev/pts/* rw,
+
+ /etc/dhcpcd.{conf,duid,secret} r,
+ /etc/ld.so.cache r,
+ /etc/udev/udev.conf r,
+
+ /proc/*/net/if_inet6 r,
+ /proc/sys/net/ipv{4,6}/conf/*/* rw,
+
+ /{var/,}run/dhcpcd{-*,}.pid rwk,
+ /{var/,}run/dhcpcd.sock rw,
+ /{var/,}run/dhcpcd.unpriv.sock rw,
+ /{var/,}run/udev/data/* r,
+
+ /sys/devices/*/*/{*/,}net/*/uevent r,
+ /sys/devices/virtual/net/*/uevent r,
+
+ /{usr/,}bin/dash ix,
+ /{usr/,}bin/dash mrix,
+
+ /usr/lib/dhcpcd/dev/udev.so m,
+ /usr/lib/ld-*.so m,
+ /usr/lib/libc-*.so m,
+
+ # Transition to a child profile for hooks
+ /usr/libexec/dhcpcd-run-hooks Cx -> dhcpcd_run_hooks,
+
+ /var/db/dhcpcd-*.lease rw,
+ /var/db/dhcpcd/** rw,
+ /{usr/,}bin/dhcpcd mrix,
+
+ # Child profile for hooks
+ profile dhcpcd_run_hooks {
+ #include
+ #include
+
+ capability sys_admin,
+ capability sys_tty_config,
+
+ /etc/chrony.conf rw,
+ /etc/ntpd.conf rw,
+ /etc/resolv.conf rw,
+ /etc/wpa_supplicant/wpa_supplicant*.conf r,
+
+ /{var/,}run/dhcpcd/ rw,
+ /{var/,}run/dhcpcd/{ntp,resolv}.conf.** rw,
+ /{var/,}run/dhcpcd/{ntp,resolv}.conf/ rw,
+ /{var/,}run/dhcpcd/{ntp,resolv}.conf/*.dhcp rw,
+
+ /usr/bin/cat mrix,
+ /usr/bin/chmod mrix,
+ /usr/bin/cmp mrix,
+ /usr/bin/dash mr,
+ /usr/bin/hostname-coreutils mrix,
+ /usr/bin/mkdir mrix,
+ /usr/bin/rm mrix,
+ /usr/bin/sed mrix,
+ /usr/bin/util-linux-logger mrix,
+ /usr/bin/wpa_supplicant CUx,
+ /usr/bin/wpa_cli CUx,
+ /usr/bin/resolvconf CUx,
+
+ /usr/libexec/dhcpcd-hooks/ r,
+ /usr/libexec/dhcpcd-hooks/* r,
+ /usr/libexec/dhcpcd-run-hooks r,
+
+ /usr/share/dhcpcd/hooks/* r,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
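Review bot: The three `CUx` rules near the end of the dhcpcd_run_hooks child profile (`/usr/bin/wpa_supplicant CUx,`, `/usr/bin/wpa_cli CUx,`, `/usr/bin/resolvconf CUx,`) fall back to unconfined execution, because `CUx` looks for a child profile of that name inside dhcpcd_run_hooks and none is defined here, so those three programs are launched by a confined hook but then run as root with no AppArmor restriction at all. If the intent is to confine them, `PUx` (or `Px` once a profile exists) would attach a system-wide profile for the binary when one is present while keeping the unconfined fallback; if the intent is to leave them unconfined, a comment such as `# no child profiles defined: wpa_supplicant/wpa_cli/resolvconf run unconfined from hooks` would make that visible to whoever audits the profile. Both the main profile and the child grant `capability sys_admin`, which is close to root-equivalent; a one-line comment naming the operation (or the denial) that required it would let a reviewer judge whether it can be dropped. The `/{usr/,}bin/dash ix,` line is fully subsumed by `/{usr/,}bin/dash mrix,` directly below it and can be removed.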
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping b/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping
new file mode 100644
index 00000000000..3508789e9b2
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.iputils-ping
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+#include
+profile ping /{usr/,}bin/iputils-ping {
+ #include
+ #include
+ #include
+
+ capability net_raw,
+ capability setuid,
+ network inet raw,
+ network inet6 raw,
+
+ /{usr/,}bin/iputils-ping mixr,
+ /etc/modules.conf r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.nginx b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
new file mode 100644
index 00000000000..5e4854d9032
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.nginx
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+#include
+
+/usr/bin/nginx {
+ #include
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ # XXX: Maybe switch to "/etc/nginx/** r," ?
+ /etc/nginx/*.conf r,
+ /etc/nginx/*_params r,
+ /etc/nginx/conf.d/* r,
+ /etc/nginx/mime.types r,
+
+ /run/nginx.pid rw,
+
+ /usr/bin/nginx mr,
+
+ /usr/share/nginx/html/* r,
+
+ /var/log/nginx/* w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
new file mode 100644
index 00000000000..98366dcaabf
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.php-fpm
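Review bot: `capability setuid,` in the ping profile is only required if Void installs iputils-ping setuid root so that it can drop back to the calling user after opening the raw socket; if the package instead ships the binary with a `cap_net_raw` file capability (already covered by `capability net_raw,` above it), the line grants a privilege the program never uses and should be removed to keep the profile minimal. I cannot tell from this hunk how the iputils package installs the binary, so this is worth checking there before changing anything. If it stays, a comment like `# setuid: binary is setuid root and drops privileges after opening the raw socket` would record why.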
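Review bot: The nginx profile permits writes only to `/var/log/nginx/* w,` and `/run/nginx.pid rw,`, yet nginx spools request bodies and proxied/FastCGI responses that exceed its in-memory buffers into compile-time temp directories, so with this profile enforced larger uploads and proxied responses will be denied rather than buffered to disk; the exact paths depend on how Void configures nginx (`--http-client-body-temp-path`, `--http-proxy-temp-path`, `--http-fastcgi-temp-path`), so they should be checked and either added (e.g. `/var/lib/nginx/** rw,` if that is the prefix) or called out in the NOTE at the top so users know to add them in local/usr.bin.nginx. Separately, `/usr/share/nginx/html/* r,` and `/etc/nginx/conf.d/* r,` match a single directory level only, so any file in a subdirectory of the docroot or of conf.d is unreadable; `/usr/share/nginx/html/** r,` is the usual form for a docroot. The NOTE comment also misspells the daemon as `pfp-fpm`.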
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+#include
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+/usr/bin/php-fpm {
+ #include
+ #include
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+ capability kill,
+
+ /etc/php/php-fpm.conf r,
+ /etc/php/php-fpm.d/* r,
+
+ # This is set to make php-fpm work by default, but if you don't use these paths
+ # add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+ # to where your PHP app is located
+ @{PHP_BASEDIRS}/** r,
+
+ /usr/bin/php-fpm mr,
+
+ /usr/share/pear/** r,
+ /usr/share/php/fpm/status.html r,
+
+ /var/log/php-fpm.log w,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+
+}
+
diff --git a/srcpkgs/apparmor/files/profiles/usr.bin.uuidd b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
new file mode 100644
index 00000000000..8c00a903611
--- /dev/null
+++ b/srcpkgs/apparmor/files/profiles/usr.bin.uuidd
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+
+#include
+
+/usr/bin/uuidd {
+ #include
+ #include
+
+ network inet dgram,
+
+ /usr/bin/uuidd mr,
+
+ /run/uuidd/request rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/srcpkgs/apparmor/template b/srcpkgs/apparmor/template
index e51f7b79869..ffe94cadc53 100644
--- a/srcpkgs/apparmor/template
+++ b/srcpkgs/apparmor/template
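Review bot: The comment `# This is PHP open_basedir where script can only be executed from.` above `@{PHP_BASEDIRS}` is misleading: an AppArmor read rule bounds which files the php-fpm process may open, but it does not set PHP's `open_basedir`, so scripts from one application under these directories can still read another's files unless `open_basedir` is also configured in php.ini or the pool; I would reword it to `# Directories php-fpm may read PHP applications from (AppArmor only; configure open_basedir in php.ini/pool config separately).` The later comment tells users to put the `deny` rule in `local.usr.bin.php-fpm`, but the drop-in this profile includes is `local/usr.bin.php-fpm`, as the NOTE at the top correctly says. Apart from `/var/log/php-fpm.log w,` the profile grants no write access at all, so if php.ini leaves `session.save_path` and `upload_tmp_dir` at their defaults (a temp directory) file-based sessions and uploads will be denied; either add the matching rule or mention it in the NOTE so users add it locally.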
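Review bot: The only filesystem write the uuidd profile allows is `/run/uuidd/request rw,`, but util-linux's uuidd by default also writes a pid file next to the socket (`/run/uuidd/uuidd.pid`, unless started with `--no-pid`), so unless Void's service runs it without a pid file that open will be denied and the daemon may refuse to start under enforce mode; `/run/uuidd/uuidd.pid rw,` (or `/run/uuidd/ rw,` if the daemon has to create the directory itself) would cover it. I cannot see the runit service from this hunk, so this should be confirmed by running the daemon with the profile enforced rather than in complain mode.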
@@ -1,10 +1,9 @@
 # Template file for 'apparmor'
 pkgname=apparmor
-version=2.12.0
+version=2.13.0
 revision=1
 _short_ver=${version%\.*}
-_profilesversion=0.6
-wrksrc="${pkgname}-${_short_ver}"
+wrksrc="${pkgname}-v${_short_ver}"
 configure_args="--prefix=/usr --with-perl --with-python"
 patch_args="-Np1"
 hostmakedepends="bison flex autoconf automake libtool"
@@ -14,19 +13,17 @@ only_for_archs="x86_64 i686"
 short_desc="Mandatory access control to restrict programs"
 maintainer="Olivier Mauras "
 license="GPL-3"
-homepage="https://launchpad.net/apparmor/"
-distfiles="
- https://launchpad.net/apparmor/${_short_ver}/${version}/+download/${pkgname}-${_short_ver}.tar.gz
- https://github.com/coredumb/void-apparmor-profiles/archive/v${_profilesversion}.tar.gz"
-checksum="
- 8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056
- 00d1e005561e72376604fb1fe69a42062773759646b4fb5e998eaeaf172807e7"
+homepage="https://gitlab.com/apparmor/apparmor"
+distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${_short_ver}/apparmor-v${_short_ver}.tar.gz"
+checksum="fdafa0b71cbf574cce76a1ea1542b4540fa1c1040f80d0f0866fc0056ec37747"
 
 pre_build() {
 	# Replace release profiles by our owns
 	cd ${wrksrc}
-	rm -rf profiles/
-	cp -r ../void-apparmor-profiles-${_profilesversion}/profiles/ ./
+
+	# Put in place our own profiles
+	cp ${FILESDIR}/profiles/* profiles/apparmor.d/
+	mv profiles/apparmor.d/bin.ping profiles/apparmor/profiles/extras/
 }
 
 do_build() {
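Review bot: The new `distfiles` line fetches an on-demand GitLab `/-/archive/` tarball of the `v2.13` tag rather than a published release artifact; forge-generated archives have in the past changed bytes when the forge's git or compression stack was upgraded, which would make `checksum` fail with no upstream change, and the download is no longer tied to a maintainer-signed release file. If upstream publishes signed release tarballs for 2.13, those are the safer pin; otherwise a comment such as `# distfiles is a tag archive generated by GitLab, not a signed release tarball` would warn the next person bumping the version. In pre_build, `mv profiles/apparmor.d/bin.ping profiles/apparmor/profiles/extras/` will abort the build if a later release renames or drops that profile, and the reason for moving it is not stated; a comment like `# upstream's bin.ping targets /bin/ping; Void ships ping as iputils-ping, see files/profiles/usr.bin.iputils-ping` would make the intent explicit.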