diff options
author | Aurélien DESBRIÈRES <aurelien@hackers.camp> | 2014-06-13 19:33:59 +0200 |
---|---|---|
committer | Aurélien DESBRIÈRES <aurelien@hackers.camp> | 2014-06-13 19:33:59 +0200 |
commit | f18d2cb483f7df99671bcb598b21f6cbb58ce9fa (patch) | |
tree | b81a6a8011063727566ff29847594734053cefea /pcr/apparmor | |
parent | 13f0aed75a398179842df0c95475309b85e77268 (diff) |
apparmor Linux application security framework - mandatory access control for programs 'metapackage'
Diffstat (limited to 'pcr/apparmor')
-rw-r--r-- | pcr/apparmor/PKGBUILD | 156 | ||||
-rw-r--r-- | pcr/apparmor/apparmor-utils.install | 15 | ||||
-rw-r--r-- | pcr/apparmor/apparmor.install | 20 | ||||
-rw-r--r-- | pcr/apparmor/apparmor.service | 11 | ||||
-rw-r--r-- | pcr/apparmor/apparmor_load.sh | 5 | ||||
-rw-r--r-- | pcr/apparmor/apparmor_unload.sh | 8 |
6 files changed, 215 insertions, 0 deletions
diff --git a/pcr/apparmor/PKGBUILD b/pcr/apparmor/PKGBUILD new file mode 100644 index 000000000..6a60e5f0b --- /dev/null +++ b/pcr/apparmor/PKGBUILD @@ -0,0 +1,156 @@ +# Contributor (Arch) : Thomas Kuther <archlinux@kuther.net> +# Contributor (Arch) : Gianni Vialetto <gianni at rootcube dot net> +# Contributor (Arch) : Paul N. Maxwell <msg dot maxwel at gmail dot com> +# Contributor (Arch) : Thomas Mudrunka <harvie@@email..cz> +# Contributor (Arch) : Max Fierke <max@maxfierke.com> +# Maintainer (Parabola) : Aurélien DESBRIÈRES <aurelien@hackers.camp> + +pkgbase=apparmor +pkgname=($pkgbase apparmor-parser apparmor-libapparmor apparmor-utils apparmor-profiles apparmor-pam apparmor-vim) +pkgver=2.8.3 +#_majorver=${pkgver%.*} # bleh, AUR... +_majorver=2.8 +pkgrel=1 +pkgdesc='Linux application security framework - mandatory access control for programs' +arch=('i686' 'x86_64') +license=('GPL') +url='http://wiki.apparmor.net/index.php/Main_Page' +makedepends=('bzr' 'flex' 'swig' 'perl' 'python' 'perl-locale-gettext' 'perl-rpc-xml' 'audit') + +source=("https://launchpad.net/$pkgname/${_majorver}/$pkgver/+download/$pkgname-$pkgver.tar.gz" + "apparmor_load.sh" + "apparmor_unload.sh" + "apparmor.service") + + +#Configuration +core_perl_dir='/usr/bin/core_perl' +export MAKEFLAGS+=" POD2MAN=${core_perl_dir}/pod2man" +export MAKEFLAGS+=" POD2HTML=${core_perl_dir}/pod2html" +export MAKEFLAGS+=" PROVE=${core_perl_dir}/prove" + + +prepare() { + cd "${srcdir}/${pkgbase}-${pkgver}/parser" + # avoid depend on texlive-latex + sed -i -e 's/pdflatex/true/g' Makefile + + cd "${srcdir}/${pkgbase}-${pkgver}/utils" + # Set Arch paths + sed -e '/logfiles/ s/syslog /syslog.log /g' \ + -e '/logfiles/ s/messages/messages.log/g' \ + -e '/parser/ s# /sbin/# /usr/bin/#g' \ + -i logprof.conf + # do not build/install vim file with utils package (causes ref to $srcdir and wrong location) + sed -i '/vim/d' Makefile + + cd "${srcdir}/${pkgbase}-${pkgver}/profiles/apparmor.d" + # /usr merge vs. profiles + for i in `find . -name "*sbin*"`; do sed -i -e 's@sbin@bin@g' ${i} && mv ${i} ${i/sbin/bin}; done + for i in klogd ping syslog-ng syslogd; do + sed -e "s@/bin/${i}@/usr/bin/${i}@g" \ + -e "s@bin\.${i}@usr\.bin\.${i}@g" \ + -i bin.${i} && \ + mv bin.${i} usr.bin.${i} + done +} + +build() { + msg2 "Building: apparmor-libapparmor" + cd "${srcdir}/${pkgbase}-${pkgver}/libraries/libapparmor" + unset PERL_MM_OPT + NOCONFIGURE=1 ./autogen.sh + ./configure --prefix=/usr --sbindir=/usr/bin --with-perl --with-python + make + + cd "${srcdir}/${pkgbase}-${pkgver}" + msg2 "Building: apparmor-parser" + make -C parser + + msg2 "Building: apparmor-utils" + make -C utils + + msg2 "Building: apparmor-profiles" + make -C profiles + + msg2 "Building: apparmor-pam" + make -C changehat/pam_apparmor + + msg2 "Building: apparmor-vim" + make -C utils/vim -j1 +} + +package_apparmor() { + pkgdesc='Linux application security framework - mandatory access control for programs (metapackage)' + depends=(apparmor-parser apparmor-libapparmor apparmor-utils apparmor-profiles apparmor-pam apparmor-vim) + optdepends=('linux-apparmor: an arch kernel with AppArmor patches') + install='apparmor.install' +} + +package_apparmor-parser() { + pkgdesc='AppArmor parser - loads AA profiles to kernel module' + depends=('apparmor-libapparmor' 'bash') + + cd "${srcdir}/${pkgbase}-${pkgver}" + make -C parser install DESTDIR=${pkgdir} + mv "${pkgdir}/lib" "${pkgdir}/usr/lib" + mv "${pkgdir}/sbin" "${pkgdir}/usr/bin" +} + +package_apparmor-libapparmor() { + pkgdesc='AppArmor library' + makedepends=('swig' 'perl' 'python') + depends=('python') + + cd "${srcdir}/${pkgbase}-${pkgver}" + make -C libraries/libapparmor install DESTDIR=${pkgdir} + install -D -m644 "libraries/libapparmor/swig/perl/LibAppArmor.pm" "${pkgdir}/usr/lib/perl5/vendor_perl/" +} + +package_apparmor-utils() { + pkgdesc='AppArmor userspace utilities' + arch=('any') + depends=('perl' 'perl-locale-gettext' 'perl-term-readkey' + 'perl-file-tail' 'perl-rpc-xml' 'python' 'bash') + install='apparmor-utils.install' + + cd "${srcdir}/${pkgbase}-${pkgver}" + make -C utils install DESTDIR=${pkgdir} BINDIR=${pkgdir}/usr/bin + install -D -m755 "${srcdir}/apparmor_load.sh" "${pkgdir}/usr/bin/apparmor_load.sh" + install -D -m755 "${srcdir}/apparmor_unload.sh" "${pkgdir}/usr/bin/apparmor_unload.sh" + install -D -m644 "${srcdir}/apparmor.service" "${pkgdir}/usr/lib/systemd/system/apparmor.service" +} + +package_apparmor-profiles() { + pkgdesc='AppArmor sample pre-made profiles' + depends=(apparmor-parser) + arch=('any') + + # backup /etc/apparmor.d/* so using logprof is safe + cd "${srcdir}/${pkgbase}-${pkgver}/profiles/apparmor.d" + declare -a _profiles=(`find -type f|sed 's@./@etc/apparmor.d/@'`) + backup=(`echo ${_profiles[@]}`) + + cd "${srcdir}/${pkgbase}-${pkgver}" + make -C profiles install DESTDIR=${pkgdir} +} + +package_apparmor-pam() { + pkgdesc='AppArmor PAM library' + depends=('apparmor-libapparmor' 'pam') + + cd "${srcdir}/${pkgbase}-${pkgver}" + make -C changehat/pam_apparmor install DESTDIR=${pkgdir}/usr + install -D -m644 changehat/pam_apparmor/README "${pkgdir}/usr/share/doc/apparmor/README.pam_apparmor" +} +package_apparmor-vim() { + pkgdesc='AppArmor VIM support' + arch=('any') + depends=('vim') + + cd "${srcdir}/${pkgbase}-${pkgver}/utils/vim" + install -D -m644 apparmor.vim \ + "${pkgdir}/usr/share/vim/vimfiles/syntax/apparmor.vim" +} + +# vim:set ts=2 sw=2 et: diff --git a/pcr/apparmor/apparmor-utils.install b/pcr/apparmor/apparmor-utils.install new file mode 100644 index 000000000..85f69d3a3 --- /dev/null +++ b/pcr/apparmor/apparmor-utils.install @@ -0,0 +1,15 @@ +post_install() { +# echo 'Creating /var/log/messages symlink to improve compatibility...' +# ln -sf messages.log /var/log/messages +cat << EOF + +==> Use /etc/apparmor/logprof.conf to change system log file +==> configuration if you have a not-standard syslog-ng.conf. + +EOF +} + +post_upgrade() { + post_install $1 +} + diff --git a/pcr/apparmor/apparmor.install b/pcr/apparmor/apparmor.install new file mode 100644 index 000000000..dc25ea832 --- /dev/null +++ b/pcr/apparmor/apparmor.install @@ -0,0 +1,20 @@ +post_install() { + cat << EOF +==> To enable apparmor, add this to kernel boot line: + + apparmor=1 security=apparmor + +==> Warning: To full functionality you must have kernel +==> with apparmor patchset. +EOF +} + +post_remove() { + cat << EOF +==> To completely remove, delete this from kernel boot line: + + apparmor=1 security=apparmor + +EOF +} + diff --git a/pcr/apparmor/apparmor.service b/pcr/apparmor/apparmor.service new file mode 100644 index 000000000..7cee03ad9 --- /dev/null +++ b/pcr/apparmor/apparmor.service @@ -0,0 +1,11 @@ +[Unit] +Description=AppArmor profiles + +[Service] +Type=oneshot +ExecStart=/usr/bin/apparmor_load.sh +ExecStop=/usr/bin/apparmor_unload.sh +RemainAfterExit=yes + +[Install] +WantedBy=basic.target diff --git a/pcr/apparmor/apparmor_load.sh b/pcr/apparmor/apparmor_load.sh new file mode 100644 index 000000000..30ce04086 --- /dev/null +++ b/pcr/apparmor/apparmor_load.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +aa_profiles='/etc/apparmor.d/' +aa_log='/var/log/apparmor.init.log' +/usr/bin/apparmor_parser -r $(find "$aa_profiles" -maxdepth 1 -type f) 2>> "$aa_log" diff --git a/pcr/apparmor/apparmor_unload.sh b/pcr/apparmor/apparmor_unload.sh new file mode 100644 index 000000000..de13938ab --- /dev/null +++ b/pcr/apparmor/apparmor_unload.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +aa_profiles='/etc/apparmor.d/' +aa_log='/var/log/apparmor.init.log' +PROFILES=`find "$aa_profiles" -maxdepth 1 -type f` +for profile in $PROFILES; do + apparmor_parser -R "$profile" 2>> "$aa_log" +done |