author | V3n3RiX <venerix@redcorelinux.org> | 2020-12-02 00:37:51 +0000 |
committer | V3n3RiX <venerix@redcorelinux.org> | 2020-12-02 00:37:51 +0000 |
commit | c6cf800d47749adeb5bc320496c57889aca1dfec (patch) | |
tree | cd0a304482d4b76625883eede601b9c617ca16c9 /sys-apps/apparmor/files | |
parent | 2cca27e774050972882e8428e7626e592ec3615c (diff) |
sys-apps/apparmor : bugfix https://bugs.gentoo.org/750860
Diffstat (limited to 'sys-apps/apparmor/files')
-rw-r--r-- | sys-apps/apparmor/files/apparmor-2.11.1-dynamic-link.patch | 11 | ||||
-rw-r--r-- | sys-apps/apparmor/files/apparmor-3.0.0-makefile.patch | 18 | ||||
-rw-r--r-- | sys-apps/apparmor/files/apparmor-init | 91 | ||||
-rw-r--r-- | sys-apps/apparmor/files/apparmor-init-1 | 88 | ||||
-rw-r--r-- | sys-apps/apparmor/files/apparmor.service | 14 | ||||
-rw-r--r-- | sys-apps/apparmor/files/apparmor_load.sh | 2 | ||||
-rw-r--r-- | sys-apps/apparmor/files/apparmor_unload.sh | 2 | ||||
-rw-r--r-- | sys-apps/apparmor/files/fixcaps.patch | 12 |
8 files changed, 238 insertions, 0 deletions
diff --git a/sys-apps/apparmor/files/apparmor-2.11.1-dynamic-link.patch b/sys-apps/apparmor/files/apparmor-2.11.1-dynamic-link.patch
new file mode 100644
index 00000000..bde21c30
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor-2.11.1-dynamic-link.patch
@@ -0,0 +1,11 @@
+--- a/Makefile
++++ b/Makefile
+@@ -87,7 +87,7 @@
+ AAREOBJECT = ${AAREDIR}/libapparmor_re.a
+ AAREOBJECTS = $(AAREOBJECT)
+ AARE_LDFLAGS = -static-libgcc -static-libstdc++ -L. $(LDFLAGS)
+-AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
++AALIB = -Wl,-Bdynamic -lapparmor -Wl,-Bdynamic -lpthread
+
+ ifdef USE_SYSTEM
+ # Using the system libapparmor so Makefile dependencies can't be used
diff --git a/sys-apps/apparmor/files/apparmor-3.0.0-makefile.patch b/sys-apps/apparmor/files/apparmor-3.0.0-makefile.patch
new file mode 100644
index 00000000..9c03a446
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor-3.0.0-makefile.patch
@@ -0,0 +1,18 @@
+* Avoid installing empty /var/lib/apparmor
+* Install rc.apparmor.functions to Gentoo-appropriate location
+
+--- a/Makefile
++++ b/Makefile
+@@ -407,10 +407,10 @@
+ .PHONY: install-indep
+ install-indep: indep
+ install -m 755 -d $(INSTALL_CONFDIR)
++ install -m 755 -d ${DESTDIR}/usr/libexec
+ install -m 644 parser.conf $(INSTALL_CONFDIR)
+- install -m 755 -d ${DESTDIR}/var/lib/apparmor
+ install -m 755 -d $(APPARMOR_BIN_PREFIX)
+- install -m 755 rc.apparmor.functions $(APPARMOR_BIN_PREFIX)
++ install -m 755 rc.apparmor.functions ${DESTDIR}/usr/libexec
+ $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+ $(MAKE) install_manpages DESTDIR=${DESTDIR}
+
diff --git a/sys-apps/apparmor/files/apparmor-init b/sys-apps/apparmor/files/apparmor-init
new file mode 100644
index 00000000..48877e4b
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor-init
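Review bot: The new AALIB line keeps two `-Wl,-Bdynamic` switches even though the only thing between them, `-lapparmor`, is now dynamic as well, so the second switch is a no-op and the line would be clearer as `AALIB = -lapparmor -lpthread`. The static pin that is being removed presumably exists so apparmor_parser does not need libapparmor.so reachable when profiles are loaded early in boot; after this patch that library must be on a filesystem mounted before the parser runs, which looks true for the systemd unit in this commit (it orders after local-fs.target) but deserves a sentence in the patch header, the way the 3.0.0 makefile patch documents its intent. The `-static-libgcc -static-libstdc++` in AARE_LDFLAGS two lines above is untouched, so the binary ends up half static, half dynamic; if the goal is to follow the system toolchain, say so or drop those too.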
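Review bot: The hunk still creates `$(APPARMOR_BIN_PREFIX)` (the `install -m 755 -d $(APPARMOR_BIN_PREFIX)` context line) while removing the only install into it that is visible here, so unless a rule outside this hunk populates that directory the build now leaves behind exactly the kind of empty directory the header says it avoids for /var/lib/apparmor; drop that line as well. As far as the init scripts in this commit show, rc.apparmor.functions is only sourced, never executed, so `install -m 644 rc.apparmor.functions ${DESTDIR}/usr/libexec` is enough and keeps a non-executable script out of libexec. The destination is hard-coded twice as `${DESTDIR}/usr/libexec`; a single `LIBEXECDIR ?= /usr/libexec` used in both lines would let the ebuild override the path without re-patching.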
@@ -0,0 +1,91 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+description="Load all configured profiles for the AppArmor security module."
+description_reload="Reload all profiles"
+
+extra_started_commands="reload"
+
+aa_action() {
+ local arg=$1
+ local return
+
+ shift
+ $*
+ return=$?
+
+ if [ ${return} -eq 0 ]; then
+ aa_log_success_msg $arg
+ else
+ aa_log_failure_msg arg
+ fi
+
+ return $return
+}
+
+aa_log_action_start() {
+ ebegin $1
+}
+
+aa_log_action_end() {
+ eend $1
+}
+
+aa_log_success_msg() {
+ einfo $1
+}
+
+aa_log_warning_msg() {
+ ewarn $1
+}
+
+aa_log_failure_msg() {
+ eerror $1
+}
+
+aa_log_skipped_msg() {
+ einfo $1
+}
+
+aa_log_daemon_msg() {
+ einfo $1
+}
+
+aa_log_end_msg() {
+ eend $1
+}
+
+. /usr/libexec/rc.apparmor.functions
+
+start() {
+ ebegin "Starting AppArmor"
+ eindent
+
+ if ! is_apparmor_loaded ; then
+ load_module
+ if [ $? -ne 0 ]; then
+ eerror "AppArmor kernel support is not present"
+ eend 1
+ return 1
+ fi
+ fi
+
+ parse_profiles load
+
+ eoutdent
+}
+
+stop() {
+ ebegin "Stopping AppArmor"
+ eindent
+ apparmor_stop
+ eoutdent
+}
+
+reload() {
+ # todo: split out clean_profiles into its own function upstream
+ # so we can do parse_profiles reload && clean_profiles
+ # and do a proper reload instead of restart
+ apparmor_restart
+}
diff --git a/sys-apps/apparmor/files/apparmor-init-1 b/sys-apps/apparmor/files/apparmor-init-1
new file mode 100644
index 00000000..4addaee2
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor-init-1
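Review bot: start() discards the outcome of `parse_profiles load`: the call is followed only by `eoutdent`, so whatever status parse_profiles returns is lost, the `ebegin "Starting AppArmor"` never gets a matching `eend`, and OpenRC will mark the service started even if no profile was loaded and nothing is confined. Capture and propagate it by replacing the trailing `eoutdent` with `ret=$?; eoutdent` and `eend ${ret}; return ${ret}`; stop() has the same unmatched `ebegin` around `apparmor_stop`. In aa_action, `aa_log_failure_msg arg` logs the literal word arg instead of the action name and should be `aa_log_failure_msg "$arg"`, and `$*` should be `"$@"` so an argument containing whitespace is not re-split before the command runs. These aa_* functions are callbacks for rc.apparmor.functions, which is sourced from outside this file, so what it passes to them is not visible here.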
@@ -0,0 +1,88 @@
+#!/sbin/openrc-run
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+description="Load all configured profiles for the AppArmor security module."
+description_reload="Reload all profiles"
+
+extra_started_commands="reload"
+
+aa_action() {
+ local arg=$1
+ local return
+
+ shift
+ $*
+ return=$?
+
+ if [ ${return} -eq 0 ]; then
+ aa_log_success_msg $arg
+ else
+ aa_log_failure_msg arg
+ fi
+
+ return $return
+}
+
+aa_log_action_start() {
+ ebegin $1
+}
+
+aa_log_action_end() {
+ eend $1
+}
+
+aa_log_success_msg() {
+ einfo $1
+}
+
+aa_log_warning_msg() {
+ ewarn $1
+}
+
+aa_log_failure_msg() {
+ eerror $1
+}
+
+aa_log_skipped_msg() {
+ einfo $1
+}
+
+aa_log_daemon_msg() {
+ einfo $1
+}
+
+aa_log_end_msg() {
+ eend $1
+}
+
+. /usr/libexec/rc.apparmor.functions
+
+start() {
+ ebegin "Starting AppArmor"
+ eindent
+
+ if ! is_apparmor_loaded ; then
+ eerror "AppArmor kernel support is not present"
+ eend 1
+ return 1
+ fi
+
+ parse_profiles load
+
+ eoutdent
+}
+
+stop() {
+ ebegin "Stopping AppArmor"
+ eindent
+ apparmor_stop
+ eoutdent
+}
+
+reload() {
+ # todo: split out clean_profiles into its own function upstream
+ # so we can do parse_profiles reload && clean_profiles
+ # and do a proper reload instead of restart
+ apparmor_restart
+}
diff --git a/sys-apps/apparmor/files/apparmor.service b/sys-apps/apparmor/files/apparmor.service
new file mode 100644
index 00000000..89f14fed
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=AppArmor profiles
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/apparmor/apparmor_load.sh
+ExecStop=/usr/share/apparmor/apparmor_unload.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sys-apps/apparmor/files/apparmor_load.sh b/sys-apps/apparmor/files/apparmor_load.sh
new file mode 100644
index 00000000..e6fe6b68
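Review bot: This script carries the same aa_action defect as apparmor-init: `aa_log_failure_msg arg` passes the literal string arg, so a failing action is reported without naming it; it should be `aa_log_failure_msg "$arg"`, and `$*` should be `"$@"`. The file is otherwise a copy of apparmor-init whose only difference is that start() no longer calls `load_module` and just bails on `is_apparmor_loaded`, so every fix like this one now has to be made in two 90-line scripts; a header comment stating why this variant exists and which apparmor version the ebuild installs it for would at least make that deliberate. As in the sibling, start() and stop() open with `ebegin` and never reach an `eend`, and the status of `parse_profiles load` is dropped by the trailing `eoutdent`, so a failed profile load is reported as a successful start.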
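Review bot: The unit has no `ConditionSecurity=apparmor`, so on a kernel running without AppArmor it still executes apparmor_parser and fails on every boot, whereas the OpenRC scripts in this commit check `is_apparmor_loaded` first; adding `ConditionSecurity=apparmor` under [Unit] makes systemd skip it cleanly instead. ExecStart and ExecStop point at scripts under /usr/share/apparmor, which puts executables in a data directory; /usr/libexec, where this commit's makefile patch already installs rc.apparmor.functions, is the conventional place. There is also no `ExecReload=`, so `systemctl reload apparmor` is refused even though the OpenRC script exposes a reload command; `ExecReload=/usr/share/apparmor/apparmor_load.sh` would give the same replace semantics, since that script already runs `apparmor_parser -r`.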
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor_load.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+find "/etc/apparmor.d/" -maxdepth 1 -type f -exec apparmor_parser -r {} +
diff --git a/sys-apps/apparmor/files/apparmor_unload.sh b/sys-apps/apparmor/files/apparmor_unload.sh
new file mode 100644
index 00000000..19e598bb
--- /dev/null
+++ b/sys-apps/apparmor/files/apparmor_unload.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+find "/etc/apparmor.d/" -maxdepth 1 -type f -exec apparmor_parser -R {} \;
diff --git a/sys-apps/apparmor/files/fixcaps.patch b/sys-apps/apparmor/files/fixcaps.patch
new file mode 100644
index 00000000..6b830e3c
--- /dev/null
+++ b/sys-apps/apparmor/files/fixcaps.patch
@@ -0,0 +1,12 @@
+diff -Nur a/base_cap_names.h b/base_cap_names.h
+--- a/base_cap_names.h 2020-10-01 17:50:10.000000000 +0100
++++ b/base_cap_names.h 2020-12-02 00:33:25.268531744 +0000
+@@ -8,6 +8,8 @@
+
+ {"bpf", CAP_BPF, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},
+
++{"checkpoint_restore", CAP_CHECKPOINT_RESTORE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
++
+ {"chown", CAP_CHOWN, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE},
+
+ {"dac_override", CAP_DAC_OVERRIDE, NO_BACKMAP_CAP, CAPFLAG_BASE_FEATURE}, |
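Review bot: `find "/etc/apparmor.d/" -maxdepth 1 -type f` hands every regular file in that directory to apparmor_parser, so an editor backup (`foo~`, `.foo.swp`) or a package-manager leftover (`*.orig`, `*.rpmnew`) sitting next to a profile is parsed as a profile too, and a single malformed one fails the oneshot unit at boot (whether the remaining files in the same batch still load depends on apparmor_parser's handling, which I cannot confirm from here). Exclude the usual non-profile names, e.g. `! -name '.*' ! -name '*~' ! -name '*.orig' ! -name '*.rpmnew' ! -name '*.rpmsave' ! -name '*.dpkg-*'`, or mirror whatever skip list rc.apparmor.functions applies on the OpenRC path, which is not visible in this commit. `-type f` also silently skips a profile that is a symlink; if any are expected, use `find -L` or `\( -type f -o -type l \)`. A one-line comment saying the script is the systemd counterpart of `parse_profiles load` would tell the next reader why the two code paths must stay in sync.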
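Review bot: The unload script uses `-exec apparmor_parser -R {} \;` while apparmor_load.sh uses the batched `{} +` form, and the difference matters for ExecStop: with `\;` a non-zero exit from apparmor_parser only makes that find predicate false and find itself still exits 0, so a profile that fails to unload never surfaces as a stop failure. Either switch to `-exec apparmor_parser -R {} +`, which does propagate a failure into find's exit status and matches the load script, or keep `\;` on purpose with a comment stating that per-file unload is best-effort. Whichever file filter the load script ends up with (backups, dotfiles, symlinks) should be applied here as well so both scripts agree on what counts as a profile.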
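Review bot: The new `checkpoint_restore` row uses `NO_BACKMAP_CAP` while the adjacent `bpf` row maps back to `CAP_SYS_ADMIN`; both capabilities were split out of CAP_SYS_ADMIN by recent kernels, so if the third column is the capability the parser falls back to on a kernel that lacks the new one (which is what the bpf line suggests), this row should presumably read `{"checkpoint_restore", CAP_CHECKPOINT_RESTORE, CAP_SYS_ADMIN, CAPFLAG_BASE_FEATURE},` — compare it with upstream's own addition before carrying a divergent table. The entry also references `CAP_CHECKPOINT_RESTORE` unconditionally, a constant that only exists in Linux 5.9+ headers, so unless the ebuild pins a minimum linux-headers the build will now fail on older headers; an `#ifdef CAP_CHECKPOINT_RESTORE` guard (if this header is hand-maintained rather than generated) or a DEPEND would close that. Unlike the two other patches this one has neither a header explaining what it fixes nor a versioned filename, so a first line such as `Add CAP_CHECKPOINT_RESTORE (Linux 5.9) so the parser's capability table matches newer kernel headers` would spare the next version bump a search through the bug tracker.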