apparmor: Bump to 2.13 and include custom profiles directly on top of defaults
parent
7785ff628f
commit
5390642a48
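--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-dhcpcd-profile
@@ -0,0 +1,89 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+profile dhcpcd /{usr/,}bin/dhcpcd {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+
+capability chown,
+capability net_admin,
+capability net_raw,
+capability sys_admin,
+
+network packet dgram,
+network inet raw,
+network inet6 raw,
+
+/dev/pts/* rw,
+
+/etc/dhcpcd.{conf,duid,secret} r,
+/etc/ld.so.cache r,
+/etc/udev/udev.conf r,
+
+/proc/*/net/if_inet6 r,
+/proc/sys/net/ipv{4,6}/conf/*/* rw,
+
+/{var/,}run/dhcpcd{-*,}.pid rwk,
+/{var/,}run/dhcpcd.sock rw,
+/{var/,}run/dhcpcd.unpriv.sock rw,
+/{var/,}run/udev/data/* r,
+
+/sys/devices/*/*/{*/,}net/*/uevent r,
+/sys/devices/virtual/net/*/uevent r,
+
+/{usr/,}bin/dash ix,
+/{usr/,}bin/dash mrix,
+
+/usr/lib/dhcpcd/dev/udev.so m,
+/usr/lib/ld-*.so m,
+/usr/lib/libc-*.so m,
+
+# Transition to a child profile for hooks
+/usr/libexec/dhcpcd-run-hooks Cx -> dhcpcd_run_hooks,
+
+/var/db/dhcpcd-*.lease rw,
+/var/db/dhcpcd/** rw,
+/{usr/,}bin/dhcpcd mrix,
+
+# Child profile for hooks
+profile dhcpcd_run_hooks {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+
+capability sys_admin,
+capability sys_tty_config,
+
+/etc/chrony.conf rw,
+/etc/ntpd.conf rw,
+/etc/resolv.conf rw,
+/etc/wpa_supplicant/wpa_supplicant*.conf r,
+
+/{var/,}run/dhcpcd/ rw,
+/{var/,}run/dhcpcd/{ntp,resolv}.conf.** rw,
+/{var/,}run/dhcpcd/{ntp,resolv}.conf/ rw,
+/{var/,}run/dhcpcd/{ntp,resolv}.conf/*.dhcp rw,
+
+/usr/bin/cat mrix,
+/usr/bin/chmod mrix,
+/usr/bin/cmp mrix,
+/usr/bin/dash mr,
+/usr/bin/hostname-coreutils mrix,
+/usr/bin/mkdir mrix,
+/usr/bin/rm mrix,
+/usr/bin/sed mrix,
+/usr/bin/util-linux-logger mrix,
+/usr/bin/wpa_supplicant CUx,
+/usr/bin/wpa_cli CUx,
+/usr/bin/resolvconf CUx,
+
+/usr/libexec/dhcpcd-hooks/ r,
+/usr/libexec/dhcpcd-hooks/* r,
+/usr/libexec/dhcpcd-run-hooks r,
+
+/usr/share/dhcpcd/hooks/* r,
+}
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.bin.dhcpcd>
+}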
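Review bot: In the `dhcpcd_run_hooks` child profile, `/usr/bin/wpa_supplicant CUx,`, `/usr/bin/wpa_cli CUx,` and `/usr/bin/resolvconf CUx,` fall back to unconfined execution, because no local child profile for those binaries is defined anywhere in the section; the hook scripts presumably hand them DHCP-supplied values (hostnames, DNS and NTP servers), so these helpers would process network-controlled input with no confinement at all. Prefer `Px` with dedicated profiles for the three binaries, or add a comment documenting why unconfined is accepted. In the parent profile `/{usr/,}bin/dash ix,` is subsumed by `/{usr/,}bin/dash mrix,` two lines below, and with `ix` any shell started this way inherits `capability sys_admin,`; the first line should be dropped. `#include <local/usr.bin.dhcpcd>` is unconditional, so the package must ship that local file or the profile fails to parse.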
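--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-iputils-ping-profile
@@ -0,0 +1,19 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+profile ping /{usr/,}bin/iputils-ping {
+#include <abstractions/base>
+#include <abstractions/consoles>
+#include <abstractions/nameservice>
+
+capability net_raw,
+capability setuid,
+network inet raw,
+network inet6 raw,
+
+/{usr/,}bin/iputils-ping mixr,
+/etc/modules.conf r,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.bin.iputils-ping>
+}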
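Review bot: `capability setuid,` is granted, but nothing else in the profile shows why; if `/{usr/,}bin/iputils-ping` is installed with the cap_net_raw file capability rather than setuid root, the grant is unneeded and should be dropped to keep the profile at least privilege. If the binary is setuid root, a comment such as `# setuid root: ping drops privileges after opening its raw socket` would record the reason for the next reviewer. The template's `mv profiles/apparmor.d/bin.ping profiles/apparmor/profiles/extras/` moves this file to extras, so it is not enforced by default either way.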
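--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-nginx-profile
@@ -0,0 +1,34 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile will by default work with pfp-fpm on TCP sockets.
+# If you need to make use of php-fpm unix socket, add the following to local/usr.bin.nginx
+# /path/to/your/unix/socket rw,
+
+#include <tunables/global>
+
+/usr/bin/nginx {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/nis>
+#include <abstractions/openssl>
+
+capability setgid,
+capability setuid,
+
+# XXX: Maybe switch to "/etc/nginx/** r," ?
+/etc/nginx/*.conf r,
+/etc/nginx/*_params r,
+/etc/nginx/conf.d/* r,
+/etc/nginx/mime.types r,
+
+/run/nginx.pid rw,
+
+/usr/bin/nginx mr,
+
+/usr/share/nginx/html/* r,
+
+/var/log/nginx/* w,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.bin.nginx>
+}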
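Review bot: No `capability net_bind_service,` appears in the profile, so an nginx that binds port 80 or 443 is denied the bind as soon as the profile is enforced, even when the master runs as root; unless the shipped configuration only listens on unprivileged ports, add `capability net_bind_service,` next to `capability setuid,`. `/usr/share/nginx/html/* r,` matches only files directly in the document root, so anything in a subdirectory is unreadable; `/usr/share/nginx/html/** r,` is probably what is meant. The `# XXX: Maybe switch to "/etc/nginx/** r," ?` question should be decided before the profile ships, and the comment typo `pfp-fpm` should read `php-fpm`.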
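--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-php-fpm-profile
@@ -0,0 +1,44 @@
+# vim:syntax=apparmor
+
+# NOTE: This profile uses TCP sockets by default
+# If you wish for php-fpm to listen to unix socket,
+# add the following permission to local/usr.bin.php-fpm
+# /path/to/your/unix/socket w,
+
+#include <tunables/global>
+
+# This is PHP open_basedir where script can only be executed from.
+# /home, /tmp have been removed to not open permissions too widely
+# /usr/share/pear have been removed to have its own permission
+@{PHP_BASEDIRS} = /srv/www/ /var/www/ /usr/share/webapps/
+
+/usr/bin/php-fpm {
+#include <abstractions/base>
+#include <abstractions/nameservice>
+#include <abstractions/openssl>
+#include <abstractions/php>
+
+capability setgid,
+capability setuid,
+capability kill,
+
+/etc/php/php-fpm.conf r,
+/etc/php/php-fpm.d/* r,
+
+# This is set to make php-fpm work by default, but if you don't use these paths
+# add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights
+# to where your PHP app is located
+@{PHP_BASEDIRS}/** r,
+
+/usr/bin/php-fpm mr,
+
+/usr/share/pear/** r,
+/usr/share/php/fpm/status.html r,
+
+/var/log/php-fpm.log w,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.bin.php-fpm>
+
+}
+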
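Review bot: The comment `# add "deny @{PHP_BASEDIRS}/** r," to local.usr.bin.php-fpm and add read rights` names the override file with a dot, while the include actually parsed is `#include <local/usr.bin.php-fpm>`; change the comment to `local/usr.bin.php-fpm` so operators edit the file that is really read. `@{PHP_BASEDIRS}/** r,` lets the workers read every file beneath all three web roots, which on a multi-site host includes other sites' configuration and uploads; the comment already suggests narrowing this, and it would help to state there that a `deny` rule in the local file is the only way to do so, since later allow rules cannot retract it. `capability kill,` has no why-comment; a line such as `# master signals its worker pool` (confirm against php-fpm's process model) would tell the next reviewer why it is kept.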
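--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-uuidd-profile
@@ -0,0 +1,17 @@
+# vim:syntax=apparmor
+
+#include <tunables/global>
+
+/usr/bin/uuidd {
+#include <abstractions/base>
+#include <abstractions/consoles>
+
+network inet dgram,
+
+/usr/bin/uuidd mr,
+
+/run/uuidd/request rw,
+
+# Site-specific additions and overrides. See local/README for details.
+#include <local/usr.bin.uuidd>
+}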
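Review bot: `network inet dgram,` is the only network grant, yet nothing else in the profile refers to IPv4 use; the daemon's request socket is the unix path `/run/uuidd/request rw,`, so the reason for an inet rule is not visible here. If there is one (for instance a syslog path not covered by `abstractions/base`), a one-line comment above the rule naming it keeps reviewers from removing the grant; otherwise drop it. `#include <local/usr.bin.uuidd>` is unconditional, so the package must ship that local file or profile loading fails.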
@ -1,10 +1,9 @@
# Template file for 'apparmor'
pkgname=apparmor
version=2.12.0
version=2.13.0
revision=1
_short_ver=${version%\.*}
_profilesversion=0.6
wrksrc="${pkgname}-${_short_ver}"
wrksrc="${pkgname}-v${_short_ver}"
configure_args="--prefix=/usr --with-perl --with-python"
patch_args="-Np1"
hostmakedepends="bison flex autoconf automake libtool"
@ -14,19 +13,17 @@ only_for_archs="x86_64 i686"
short_desc="Mandatory access control to restrict programs"
maintainer="Olivier Mauras <olivier@mauras.ch>"
license="GPL-3"
homepage="https://launchpad.net/apparmor/"
distfiles="
https://launchpad.net/apparmor/${_short_ver}/${version}/+download/${pkgname}-${_short_ver}.tar.gz
https://github.com/coredumb/void-apparmor-profiles/archive/v${_profilesversion}.tar.gz"
checksum="
8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056
00d1e005561e72376604fb1fe69a42062773759646b4fb5e998eaeaf172807e7"
homepage="https://gitlab.com/apparmor/apparmor"
distfiles="https://gitlab.com/apparmor/apparmor/-/archive/v${_short_ver}/apparmor-v${_short_ver}.tar.gz"
checksum="fdafa0b71cbf574cce76a1ea1542b4540fa1c1040f80d0f0866fc0056ec37747"
pre_build() {
# Replace release profiles by our owns
cd ${wrksrc}
rm -rf profiles/
cp -r ../void-apparmor-profiles-${_profilesversion}/profiles/ ./
# Put in place our own profiles
cp ${FILESDIR}/profiles/* profiles/apparmor.d/
mv profiles/apparmor.d/bin.ping profiles/apparmor/profiles/extras/
}
do_build() {
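Review bot: `cp -r ../void-apparmor-profiles-${_profilesversion}/profiles/ ./` in `pre_build()` depends on `_profilesversion` and on the second distfile, both of which this commit appears to remove (only the gitlab tarball remains in `distfiles=`); if that line and `rm -rf profiles/` survive on the new side, the copy fails and the later `cp ${FILESDIR}/profiles/* profiles/apparmor.d/` has no target directory, so both lines should go together with the variable. The rendered page prints these lines without +/- markers, so this is inferred from the dropped `_profilesversion=0.6` and `https://github.com/coredumb/void-apparmor-profiles/archive/v${_profilesversion}.tar.gz` lines. On the supply-chain side, `https://gitlab.com/apparmor/apparmor/-/archive/v${_short_ver}/apparmor-v${_short_ver}.tar.gz` is a forge-generated archive rather than a published release tarball, so the pinned `checksum=` is only as stable as the archive generator; a release asset or a verified signed tag would be a firmer anchor. `do_build()` continues past the hunk.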