authorAurélien DESBRIÈRES <aurelien@hackers.camp>2014-06-13 19:33:59 +0200
committerAurélien DESBRIÈRES <aurelien@hackers.camp>2014-06-13 19:33:59 +0200
commitf18d2cb483f7df99671bcb598b21f6cbb58ce9fa (patch)
treeb81a6a8011063727566ff29847594734053cefea /pcr/apparmor
parent13f0aed75a398179842df0c95475309b85e77268 (diff)
apparmor Linux application security framework - mandatory access control for programs 'metapackage'
Diffstat (limited to 'pcr/apparmor')
-rw-r--r--pcr/apparmor/PKGBUILD156
-rw-r--r--pcr/apparmor/apparmor-utils.install15
-rw-r--r--pcr/apparmor/apparmor.install20
-rw-r--r--pcr/apparmor/apparmor.service11
-rw-r--r--pcr/apparmor/apparmor_load.sh5
-rw-r--r--pcr/apparmor/apparmor_unload.sh8
6 files changed, 215 insertions, 0 deletions
diff --git a/pcr/apparmor/PKGBUILD b/pcr/apparmor/PKGBUILD
new file mode 100644
index 000000000..6a60e5f0b
--- /dev/null
+++ b/pcr/apparmor/PKGBUILD
@@ -0,0 +1,156 @@
+# Contributor (Arch) : Thomas Kuther <archlinux@kuther.net>
+# Contributor (Arch) : Gianni Vialetto <gianni at rootcube dot net>
+# Contributor (Arch) : Paul N. Maxwell <msg dot maxwel at gmail dot com>
+# Contributor (Arch) : Thomas Mudrunka <harvie@@email..cz>
+# Contributor (Arch) : Max Fierke <max@maxfierke.com>
+# Maintainer (Parabola) : Aurélien DESBRIÈRES <aurelien@hackers.camp>
+
+pkgbase=apparmor
+pkgname=($pkgbase apparmor-parser apparmor-libapparmor apparmor-utils apparmor-profiles apparmor-pam apparmor-vim)
+pkgver=2.8.3
+#_majorver=${pkgver%.*} # bleh, AUR...
+_majorver=2.8
+pkgrel=1
+pkgdesc='Linux application security framework - mandatory access control for programs'
+arch=('i686' 'x86_64')
+license=('GPL')
+url='http://wiki.apparmor.net/index.php/Main_Page'
+makedepends=('bzr' 'flex' 'swig' 'perl' 'python' 'perl-locale-gettext' 'perl-rpc-xml' 'audit')
+
+source=("https://launchpad.net/$pkgname/${_majorver}/$pkgver/+download/$pkgname-$pkgver.tar.gz"
+ "apparmor_load.sh"
+ "apparmor_unload.sh"
+ "apparmor.service")
+
+
+#Configuration
+core_perl_dir='/usr/bin/core_perl'
+export MAKEFLAGS+=" POD2MAN=${core_perl_dir}/pod2man"
+export MAKEFLAGS+=" POD2HTML=${core_perl_dir}/pod2html"
+export MAKEFLAGS+=" PROVE=${core_perl_dir}/prove"
+
+
+prepare() {
+ cd "${srcdir}/${pkgbase}-${pkgver}/parser"
+ # avoid depend on texlive-latex
+ sed -i -e 's/pdflatex/true/g' Makefile
+
+ cd "${srcdir}/${pkgbase}-${pkgver}/utils"
+ # Set Arch paths
+ sed -e '/logfiles/ s/syslog /syslog.log /g' \
+ -e '/logfiles/ s/messages/messages.log/g' \
+ -e '/parser/ s# /sbin/# /usr/bin/#g' \
+ -i logprof.conf
+ # do not build/install vim file with utils package (causes ref to $srcdir and wrong location)
+ sed -i '/vim/d' Makefile
+
+ cd "${srcdir}/${pkgbase}-${pkgver}/profiles/apparmor.d"
+ # /usr merge vs. profiles
+ for i in `find . -name "*sbin*"`; do sed -i -e 's@sbin@bin@g' ${i} && mv ${i} ${i/sbin/bin}; done
+ for i in klogd ping syslog-ng syslogd; do
+ sed -e "s@/bin/${i}@/usr/bin/${i}@g" \
+ -e "s@bin\.${i}@usr\.bin\.${i}@g" \
+ -i bin.${i} && \
+ mv bin.${i} usr.bin.${i}
+ done
+}
+
+build() {
+ msg2 "Building: apparmor-libapparmor"
+ cd "${srcdir}/${pkgbase}-${pkgver}/libraries/libapparmor"
+ unset PERL_MM_OPT
+ NOCONFIGURE=1 ./autogen.sh
+ ./configure --prefix=/usr --sbindir=/usr/bin --with-perl --with-python
+ make
+
+ cd "${srcdir}/${pkgbase}-${pkgver}"
+ msg2 "Building: apparmor-parser"
+ make -C parser
+
+ msg2 "Building: apparmor-utils"
+ make -C utils
+
+ msg2 "Building: apparmor-profiles"
+ make -C profiles
+
+ msg2 "Building: apparmor-pam"
+ make -C changehat/pam_apparmor
+
+ msg2 "Building: apparmor-vim"
+ make -C utils/vim -j1
+}
+
+package_apparmor() {
+ pkgdesc='Linux application security framework - mandatory access control for programs (metapackage)'
+ depends=(apparmor-parser apparmor-libapparmor apparmor-utils apparmor-profiles apparmor-pam apparmor-vim)
+ optdepends=('linux-apparmor: an arch kernel with AppArmor patches')
+ install='apparmor.install'
+}
+
+package_apparmor-parser() {
+ pkgdesc='AppArmor parser - loads AA profiles to kernel module'
+ depends=('apparmor-libapparmor' 'bash')
+
+ cd "${srcdir}/${pkgbase}-${pkgver}"
+ make -C parser install DESTDIR=${pkgdir}
+ mv "${pkgdir}/lib" "${pkgdir}/usr/lib"
+ mv "${pkgdir}/sbin" "${pkgdir}/usr/bin"
+}
+
+package_apparmor-libapparmor() {
+ pkgdesc='AppArmor library'
+ makedepends=('swig' 'perl' 'python')
+ depends=('python')
+
+ cd "${srcdir}/${pkgbase}-${pkgver}"
+ make -C libraries/libapparmor install DESTDIR=${pkgdir}
+ install -D -m644 "libraries/libapparmor/swig/perl/LibAppArmor.pm" "${pkgdir}/usr/lib/perl5/vendor_perl/"
+}
+
+package_apparmor-utils() {
+ pkgdesc='AppArmor userspace utilities'
+ arch=('any')
+ depends=('perl' 'perl-locale-gettext' 'perl-term-readkey'
+ 'perl-file-tail' 'perl-rpc-xml' 'python' 'bash')
+ install='apparmor-utils.install'
+
+ cd "${srcdir}/${pkgbase}-${pkgver}"
+ make -C utils install DESTDIR=${pkgdir} BINDIR=${pkgdir}/usr/bin
+ install -D -m755 "${srcdir}/apparmor_load.sh" "${pkgdir}/usr/bin/apparmor_load.sh"
+ install -D -m755 "${srcdir}/apparmor_unload.sh" "${pkgdir}/usr/bin/apparmor_unload.sh"
+ install -D -m644 "${srcdir}/apparmor.service" "${pkgdir}/usr/lib/systemd/system/apparmor.service"
+}
+
+package_apparmor-profiles() {
+ pkgdesc='AppArmor sample pre-made profiles'
+ depends=(apparmor-parser)
+ arch=('any')
+
+ # backup /etc/apparmor.d/* so using logprof is safe
+ cd "${srcdir}/${pkgbase}-${pkgver}/profiles/apparmor.d"
+ declare -a _profiles=(`find -type f|sed 's@./@etc/apparmor.d/@'`)
+ backup=(`echo ${_profiles[@]}`)
+
+ cd "${srcdir}/${pkgbase}-${pkgver}"
+ make -C profiles install DESTDIR=${pkgdir}
+}
+
+package_apparmor-pam() {
+ pkgdesc='AppArmor PAM library'
+ depends=('apparmor-libapparmor' 'pam')
+
+ cd "${srcdir}/${pkgbase}-${pkgver}"
+ make -C changehat/pam_apparmor install DESTDIR=${pkgdir}/usr
+ install -D -m644 changehat/pam_apparmor/README "${pkgdir}/usr/share/doc/apparmor/README.pam_apparmor"
+}
+package_apparmor-vim() {
+ pkgdesc='AppArmor VIM support'
+ arch=('any')
+ depends=('vim')
+
+ cd "${srcdir}/${pkgbase}-${pkgver}/utils/vim"
+ install -D -m644 apparmor.vim \
+ "${pkgdir}/usr/share/vim/vimfiles/syntax/apparmor.vim"
+}
+
+# vim:set ts=2 sw=2 et:
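Review bot: The `source` array (lines 46-49) has no matching checksum array, so makepkg never verifies the downloaded `apparmor-2.8.3.tar.gz` or the three local files against a known digest; add `sha256sums=('<sha256 of apparmor-2.8.3.tar.gz>' '<sha256 of apparmor_load.sh>' '<sha256 of apparmor_unload.sh>' '<sha256 of apparmor.service>')`, generating the values once with `makepkg -g` and comparing the tarball digest with the one upstream publishes before committing. Separately, `${pkgdir}` is unquoted in every `make … install DESTDIR=${pkgdir}` line (package_apparmor-parser, -libapparmor, -utils, -profiles, -pam), and the `backup=(…)` construction in package_apparmor-profiles rebuilds the array through an unquoted `echo`, so a profile path containing whitespace would be split into bogus entries; `backup=("${_profiles[@]}")` keeps the elements intact, and `_profiles` itself should be filled with a `while IFS= read -r` loop rather than an unquoted command substitution. The `for i in` loop over `find . -name "*sbin*"` in prepare() has the same word-splitting weakness and also leaves `${i}` unquoted in the `sed -i` and `mv` arguments.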
diff --git a/pcr/apparmor/apparmor-utils.install b/pcr/apparmor/apparmor-utils.install
new file mode 100644
index 000000000..85f69d3a3
--- /dev/null
+++ b/pcr/apparmor/apparmor-utils.install
@@ -0,0 +1,15 @@
+post_install() {
+# echo 'Creating /var/log/messages symlink to improve compatibility...'
+# ln -sf messages.log /var/log/messages
+cat << EOF
+
+==> Use /etc/apparmor/logprof.conf to change system log file
+==> configuration if you have a not-standard syslog-ng.conf.
+
+EOF
+}
+
+post_upgrade() {
+ post_install $1
+}
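Review bot: `post_upgrade` forwards `$1` unquoted, but `post_install` reads no parameters, so the argument is dead; either call `post_install` with no argument or quote it as `post_install "$1"`. The commented-out `ln -sf messages.log /var/log/messages` lines should be removed or given a one-line comment explaining why they are kept, since a later maintainer cannot tell whether the symlink is still intended.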
+
diff --git a/pcr/apparmor/apparmor.install b/pcr/apparmor/apparmor.install
new file mode 100644
index 000000000..dc25ea832
--- /dev/null
+++ b/pcr/apparmor/apparmor.install
@@ -0,0 +1,20 @@
+post_install() {
+ cat << EOF
+==> To enable apparmor, add this to kernel boot line:
+
+ apparmor=1 security=apparmor
+
+==> Warning: To full functionality you must have kernel
+==> with apparmor patchset.
+EOF
+}
+
+post_remove() {
+ cat << EOF
+==> To completely remove, delete this from kernel boot line:
+
+ apparmor=1 security=apparmor
+
+EOF
+}
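Review bot: The user-facing warning in `post_install` is ungrammatical (`To full functionality you must have kernel`); suggest `==> Warning: for full functionality you need a kernel` followed by `==> built with the AppArmor patchset.` so the message reads cleanly on install.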
+
diff --git a/pcr/apparmor/apparmor.service b/pcr/apparmor/apparmor.service
new file mode 100644
index 000000000..7cee03ad9
--- /dev/null
+++ b/pcr/apparmor/apparmor.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=AppArmor profiles
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/apparmor_load.sh
+ExecStop=/usr/bin/apparmor_unload.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=basic.target
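Review bot: The unit has no ordering or condition directives, so with only `WantedBy=basic.target` and no `Before=`, confined services can be started before their profiles are loaded, and the unit still runs and logs parser errors on kernels where AppArmor is disabled. Adding `DefaultDependencies=no` and `Before=sysinit.target` to `[Unit]`, together with `ConditionSecurity=apparmor`, loads profiles early and skips the unit cleanly when the LSM is not active (this is, as far as I recall, how the upstream unit is arranged — verify against the apparmor tree). An `ExecReload=/usr/bin/apparmor_load.sh` line would also let `systemctl reload` re-read edited profiles without an unload/load cycle, since `apparmor_parser -r` replaces profiles in place.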
diff --git a/pcr/apparmor/apparmor_load.sh b/pcr/apparmor/apparmor_load.sh
new file mode 100644
index 000000000..30ce04086
--- /dev/null
+++ b/pcr/apparmor/apparmor_load.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+aa_profiles='/etc/apparmor.d/'
+aa_log='/var/log/apparmor.init.log'
+/usr/bin/apparmor_parser -r $(find "$aa_profiles" -maxdepth 1 -type f) 2>> "$aa_log"
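Review bot: The command substitution on the last line is unquoted, so the profile list handed to `apparmor_parser` is word-split on whitespace and a path containing a space is passed as two non-existent files; `apparmor_unload.sh` builds `$PROFILES` the same way. Let `find` supply the argument list instead: `find "$aa_profiles" -maxdepth 1 -type f -exec /usr/bin/apparmor_parser -r {} + 2>> "$aa_log"`. The script's exit status is whatever the single parser invocation returns, which is what systemd will report for the unit, so a failure here is at least visible; note that this file calls the parser by absolute path while `apparmor_unload.sh` uses the bare name — the two should agree.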
diff --git a/pcr/apparmor/apparmor_unload.sh b/pcr/apparmor/apparmor_unload.sh
new file mode 100644
index 000000000..de13938ab
--- /dev/null
+++ b/pcr/apparmor/apparmor_unload.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+aa_profiles='/etc/apparmor.d/'
+aa_log='/var/log/apparmor.init.log'
+PROFILES=`find "$aa_profiles" -maxdepth 1 -type f`
+for profile in $PROFILES; do
+ apparmor_parser -R "$profile" 2>> "$aa_log"
+done
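Review bot: The script's exit status is that of the last `apparmor_parser -R` only, so a failure to unload an earlier profile is never reported to systemd; set `rc=0` before the loop, change the body to `apparmor_parser -R "$profile" 2>> "$aa_log" || rc=1`, and end with `exit "$rc"`. Continuing past a failed unload is the right behaviour, but the aggregate result should still surface. The unquoted `$PROFILES` expansion shares the word-splitting problem described on `apparmor_load.sh`.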