feat: add apparmor (#282)

* feat: add apparmor * fix(apparmor): add anda.hcl
2026-05-31 09:01:55 +00:00 · 2023-03-16 21:18:48 -07:00
parent 29d6987964
commit 772d4a49b5
5 changed files with 421 additions and 0 deletions
@@ -0,0 +1,48 @@
+From 092ccc544c66f2a233bb074a5b3f9d9edcad2716 Mon Sep 17 00:00:00 2001
+From: Thomas Crider <gloriouseggroll@gmail.com>
+Date: Thu, 17 Nov 2022 23:46:54 -0500
+Subject: [PATCH] All current versions of RHEL and Fedora that are not EOL (End
+ of Life) or ELS (Extended Lifecycle Support) currently only support systemd.
+ Legacy init scripts are not supported. Standard systemd installation should
+ be used.
+
+---
+ parser/Makefile | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/parser/Makefile b/parser/Makefile
+index 15f9d97..64f5db6 100644
+--- a/parser/Makefile
+++ b/parser/Makefile
+@@ -352,13 +352,10 @@ tests: apparmor_parser ${TESTS}
+ $(AAREOBJECT): FORCE
+ 	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+ 
+-.PHONY: install-rhel4
+-install-rhel4: install-redhat
+-
+ .PHONY: install-redhat
+-install-redhat:
+-	install -m 755 -d $(DESTDIR)/etc/init.d
+-	install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor
+install-redhat: install-systemd
+	install -m 755 -d $(SBINDIR)
+	ln -sf service $(SBINDIR)/rcapparmor
+ 
+ .PHONY: install-suse
+ install-suse: install-systemd
+@@ -389,9 +386,9 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
+ 	         if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
+ 	             echo suse ;\
+ 	         elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
+-	            echo rhel4 ;\
+	            echo redhat ;\
+ 	         elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
+-	            echo rhel4 ;\
+	            echo redhat ;\
+ 	         else \
+ 	            echo unknown ;\
+ 	         fi ;\
+-- 
+2.38.1
+
@@ -0,0 +1,27 @@
+From 334e335909b8faab63bf9289e63f9dc1a3c82a83 Mon Sep 17 00:00:00 2001
+From: Thomas Crider <gloriouseggroll@gmail.com>
+Date: Thu, 17 Nov 2022 22:46:54 -0500
+Subject: [PATCH] fix avahi-daemon authselect denial in fedora
+
+Fixes this denial:
+
+type=AVC msg=audit(1668734812.755:243): apparmor="DENIED" operation="open" profile="avahi-daemon" name="/etc/authselect/nsswitch.conf" pid=1418 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
+---
+ profiles/apparmor.d/usr.sbin.avahi-daemon | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/profiles/apparmor.d/usr.sbin.avahi-daemon b/profiles/apparmor.d/usr.sbin.avahi-daemon
+index 010b385..da69072 100644
+--- a/profiles/apparmor.d/usr.sbin.avahi-daemon
+++ b/profiles/apparmor.d/usr.sbin.avahi-daemon
+@@ -21,6 +21,7 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
+   /etc/avahi/hosts r,
+   /etc/avahi/services/ r,
+   /etc/avahi/services/*.service r,
+  /etc/authselect/nsswitch.conf r,
+   @{PROC}/@{pid}/fd/ r,
+   @{PROC}/1/environ r,
+   @{PROC}/cmdline r,
+-- 
+2.38.1
+
@@ -0,0 +1,5 @@
+project "pkg" {
+    rpm {
+        spec = "apparmor.spec"
+    }
+}
@@ -0,0 +1 @@
+enable apparmor.service
@@ -0,0 +1,340 @@
+%{?python_enable_dependency_generator}
+
+%bcond_with tests
+
+Name:           apparmor
+Version:        3.1.3
+Release:        %autorelease
+Summary:        AppArmor userspace components
+
+%define baseversion %(echo %{version} | cut -d. -f-2)
+
+License:        GPL-2.0
+URL:            https://launchpad.net/apparmor
+Source0:        %{url}/%{baseversion}/%{version}/+download/%{name}-%{version}.tar.gz
+Source1:        apparmor.preset
+Patch01:        0001-fix-avahi-daemon-authselect-denial-in-fedora.patch
+Patch02:        0001-All-current-versions-of-RHEL-and-Fedora-that-are-not.patch
+
+BuildRequires:  gcc
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  gcc-c++
+BuildRequires:  libstdc++-static
+BuildRequires:  flex
+BuildRequires:  bison
+BuildRequires:  swig
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildRequires:  %{_bindir}/podchecker
+BuildRequires:  %{_bindir}/pod2html
+BuildRequires:  gettext
+BuildRequires:  pam-devel
+BuildRequires:  httpd-devel
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  gawk
+BuildRequires:  which
+%if %{with tests}
+BuildRequires:  %{_bindir}/runtest
+BuildRequires:  %{_bindir}/prove
+BuildRequires:  perl(Locale::gettext)
+BuildRequires:  perl(Test::More)
+%endif
+
+Provides:       %{name}-profiles = %{version}-%{release}
+Requires:       %{name}-parser
+Recommends:     %{name}-utils
+%{?systemd_requires}
+
+%description
+AppArmor protects systems from insecure or untrusted processes by running
+them in restricted confinement, while still allowing processes to share files,
+exercise privilege and communicate with other processes. AppArmor is a Mandatory
+Access Control (MAC) mechanism which uses the Linux Security Module (LSM)
+framework. The confinement's restrictions are mandatory and are not bound to
+identity, group membership, or object ownership. The protections provided are in
+addition to the kernel's regular access control mechanisms (including DAC) and
+can be used to restrict the superuser.
+
+%package      libs
+Summary:      AppArmor library
+
+%description  libs
+This package contains the shared library used for making use of the AppArmor
+profile and changehat functionality, as well as common log parsing routines.
+
+%package       devel
+Summary:       AppArmor development libraries and header files
+Requires:      %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description    devel
+This package contains AppArmor development libraries and header files.
+
+%package -n     python3-apparmor
+Summary:        AppArmor Python3 utility library
+Requires:       python3-LibAppArmor = %{version}-%{release}
+BuildArch:      noarch
+
+%description -n python3-apparmor
+This package provides the python interface to AppArmor. It is used for python
+applications interfacing with AppArmor.
+
+%package -n     python3-LibAppArmor
+Summary:        AppArmor library Python3 bindings
+Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description -n python3-LibAppArmor
+This package contains Python3 module that contains the language bindings for 
+the AppArmor library, libapparmor, which were autogenerated via SWIG.
+
+%package        profiles
+Summary:        AppArmor profiles
+Provides:       apparmor-profiles = %{version}-%{release}
+BuildArch:      noarch
+
+%description    profiles
+This package contains default AppArmor profiles.
+
+%package        parser
+Summary:        AppArmor userlevel parser utility
+Requires:       python3-apparmor = %{version}
+# Let it be the AppArmor metapackage
+Provides:       %{name} = %{version}-%{release}
+Requires:       %{name}-profiles = %{version}-%{release}
+Recommends:     %{name}-utils
+
+%description    parser
+The AppArmor Parser is a userlevel program that is used to load in
+program profiles to the AppArmor Security kernel module.
+
+%package        utils
+Summary:        AppArmor User-Level Utilities
+Requires:       python3-apparmor = %{version}
+Requires:       python3-notify2
+
+%description    utils
+This package provides the aa-logprof, aa-genprof, aa-autodep,
+aa-enforce, and aa-complain tools to assist with profile authoring.
+Besides it provides the aa-unconfined server information tool.
+
+%package -n     pam_apparmor
+Summary:        PAM module for AppArmor change_hat
+Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+Requires:       pam%{?_isa}
+ 
+%description -n pam_apparmor
+This package provides the PAM module needed to declare various differing
+confinement policies when starting PAM sessions by using the changehat 
+abilities exposed through libapparmor.
+
+%package -n     mod_apparmor
+Summary:        AppArmor module for apache2
+Requires:       %{name}-libs%{?_isa} = %{version}-%{release}
+Requires:       httpd%{?_isa}
+
+%description -n mod_apparmor
+This package provides the Apache module needed to declare various differing
+confinement policies when running virtual hosts in the webserver by using the
+changehat abilities exposed through libapparmor.
+
+%prep
+%autosetup -p1
+
+%build
+export PYTHON=%{__python3}
+export PYTHON_VERSION=3
+export PYTHON_VERSIONS=python3
+
+pushd libraries/libapparmor
+./autogen.sh
+%configure \
+    --with-python \
+
+%make_build
+popd
+
+%make_build -C binutils
+%make_build -C parser
+%make_build -C profiles
+%make_build -C utils
+%make_build -C changehat/pam_apparmor
+%make_build -C changehat/mod_apparmor
+%make_build -C utils/vim
+
+%install
+%make_install -C libraries/libapparmor
+%make_install -C binutils
+%make_install -C parser \
+    APPARMOR_BIN_PREFIX=%{buildroot}%{_prefix}/lib/apparmor \
+    SBINDIR=%{buildroot}%{_sbindir}
+%make_install -C profiles
+%make_install -C utils
+%make_install -C changehat/pam_apparmor \
+    SECDIR=%{buildroot}%{_libdir}/security
+%make_install -C changehat/mod_apparmor
+%make_install -C utils/vim
+
+install -Dm644 %{SOURCE1} %{buildroot}%{_presetdir}/70-apparmor.preset
+
+find %{buildroot} \( -name "*.a" -o -name "*.la" \) -delete
+
+%find_lang aa-binutils
+%find_lang apparmor-parser
+%find_lang apparmor-utils
+
+%if %{with tests}
+%check
+make -C libraries/libapparmor check
+make -C binutils check
+make -C parser check
+# only running check-parser, as check-logprof (included in check) fails:
+# https://gitlab.com/apparmor/apparmor/issues/36
+make -C profiles check-parser
+make -C profiles check
+# shutil.copytree has a regression
+# https://gitlab.com/apparmor/apparmor/issues/62
+make -C utils check
+%endif
+
+%post parser
+%systemd_post %{name}.service
+
+%preun parser
+%systemd_preun %{name}.service
+
+%postun parser
+%systemd_postun_with_restart %{name}.service
+
+%files libs
+%license LICENSE
+%{_libdir}/libapparmor.so.*
+
+%files devel
+%{_libdir}/libapparmor.so
+%{_includedir}/aalogparse
+%{_includedir}/sys/apparmor*
+%{_libdir}/pkgconfig/libapparmor.pc
+%{_mandir}/man2/aa_*.2.gz
+%{_mandir}/man3/aa_*.3.gz
+
+%files -n python3-apparmor
+%{python3_sitelib}/apparmor
+%{python3_sitelib}/apparmor-*.egg-info
+
+%files -n python3-LibAppArmor
+%{python3_sitearch}/LibAppArmor
+%{python3_sitearch}/LibAppArmor-*.egg-info
+
+%files profiles
+%dir %{_sysconfdir}/apparmor.d/
+%dir %{_sysconfdir}/apparmor.d/abi
+%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0
+%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network
+%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla
+%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-classic
+%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-spoolss
+%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep
+%dir %{_sysconfdir}/apparmor.d/abstractions
+%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/*
+%dir %{_sysconfdir}/apparmor.d/disable
+%dir %{_sysconfdir}/apparmor.d/local
+%dir %{_sysconfdir}/apparmor.d/tunables
+%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/*
+%dir %{_sysconfdir}/apparmor.d/apache2.d
+%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo
+%config(noreplace) %{_sysconfdir}/apparmor.d/bin.*
+%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.*
+%config(noreplace) %{_sysconfdir}/apparmor.d/usr.*
+%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release
+%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe
+%config(noreplace) %{_sysconfdir}/apparmor.d/local/*
+%dir %{_datadir}/apparmor/
+%{_datadir}/apparmor/extra-profiles
+
+%files parser -f apparmor-parser.lang -f aa-binutils.lang
+%license parser/COPYING.GPL
+%doc parser/README
+%doc parser/*.[1-9].html
+%doc common/apparmor.css
+%doc parser/techdoc.pdf
+%{_sbindir}/apparmor_parser
+%{_bindir}/aa-enabled
+%{_bindir}/aa-exec
+%{_bindir}/aa-features-abi
+%{_sbindir}/aa-teardown
+%{_sbindir}/rcapparmor
+%{_unitdir}/apparmor.service
+%{_presetdir}/70-apparmor.preset
+%{_prefix}/lib/apparmor
+%dir %{_sysconfdir}/apparmor
+%config(noreplace) %{_sysconfdir}/apparmor/parser.conf
+%{_sharedstatedir}/apparmor
+%{_mandir}/man1/aa-enabled.1.gz
+%{_mandir}/man1/aa-exec.1.gz
+%{_mandir}/man1/aa-features-abi.1.gz
+%{_mandir}/man5/apparmor.d.5.gz
+%{_mandir}/man5/apparmor.vim.5.gz
+%{_mandir}/man7/apparmor.7.gz
+%{_mandir}/man7/apparmor_xattrs.7.gz
+%{_mandir}/man8/aa-teardown.8.gz
+%{_mandir}/man8/apparmor_parser.8.gz
+
+%files utils -f apparmor-utils.lang
+%doc utils/*.[0-9].html
+%doc utils/vim/apparmor.vim.5.html
+%doc common/apparmor.css
+%dir %{_sysconfdir}/apparmor
+%config(noreplace) %{_sysconfdir}/apparmor/easyprof.conf
+%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf
+%config(noreplace) %{_sysconfdir}/apparmor/notify.conf
+%config(noreplace) %{_sysconfdir}/apparmor/severity.db
+%{_sbindir}/aa-audit
+%{_sbindir}/aa-autodep
+%{_sbindir}/aa-cleanprof
+%{_sbindir}/aa-complain
+%{_sbindir}/aa-decode
+%{_sbindir}/aa-disable
+%{_sbindir}/aa-enforce
+%{_sbindir}/aa-genprof
+%{_sbindir}/aa-logprof
+%{_sbindir}/aa-mergeprof
+%{_sbindir}/aa-notify
+%{_sbindir}/aa-remove-unknown
+%{_sbindir}/aa-status
+%{_sbindir}/aa-unconfined
+%{_sbindir}/apparmor_status
+%{_bindir}/aa-easyprof
+%dir %{_datadir}/apparmor
+%{_datadir}/apparmor/easyprof
+%{_datadir}/apparmor/apparmor.vim
+%{_mandir}/man5/logprof.conf.5.gz
+%{_mandir}/man8/aa-audit.8.gz
+%{_mandir}/man8/aa-autodep.8.gz
+%{_mandir}/man8/aa-cleanprof.8.gz
+%{_mandir}/man8/aa-complain.8.gz
+%{_mandir}/man8/aa-decode.8.gz
+%{_mandir}/man8/aa-disable.8.gz
+%{_mandir}/man8/aa-easyprof.8.gz
+%{_mandir}/man8/aa-enforce.8.gz
+%{_mandir}/man8/aa-genprof.8.gz
+%{_mandir}/man8/aa-logprof.8.gz
+%{_mandir}/man8/aa-mergeprof.8.gz
+%{_mandir}/man8/aa-notify.8.gz
+%{_mandir}/man8/aa-remove-unknown.8.gz
+%{_mandir}/man8/aa-status.8.gz
+%{_mandir}/man8/aa-unconfined.8.gz
+%{_mandir}/man8/apparmor_status.8.gz
+
+%files -n pam_apparmor
+%{_libdir}/security/pam_apparmor.so
+
+%files -n mod_apparmor
+%{_libdir}/httpd/modules/mod_apparmor.so
+%{_mandir}/man8/mod_apparmor.8.gz
+
+%changelog
+%autochangelog