From 772d4a49b5aa405b53802cf99e69e2496c05f5cb Mon Sep 17 00:00:00 2001 From: cat-master21 <96554164+cat-master21@users.noreply.github.com> Date: Thu, 16 Mar 2023 21:18:48 -0700 Subject: [PATCH] feat: add apparmor (#282) * feat: add apparmor * fix(apparmor): add anda.hcl --- ...ions-of-RHEL-and-Fedora-that-are-not.patch | 48 +++ ...i-daemon-authselect-denial-in-fedora.patch | 27 ++ anda/lib/apparmor/anda.hcl | 5 + anda/lib/apparmor/apparmor.preset | 1 + anda/lib/apparmor/apparmor.spec | 340 ++++++++++++++++++ 5 files changed, 421 insertions(+) create mode 100644 anda/lib/apparmor/0001-All-current-versions-of-RHEL-and-Fedora-that-are-not.patch create mode 100644 anda/lib/apparmor/0001-fix-avahi-daemon-authselect-denial-in-fedora.patch create mode 100644 anda/lib/apparmor/anda.hcl create mode 100644 anda/lib/apparmor/apparmor.preset create mode 100644 anda/lib/apparmor/apparmor.spec diff --git a/anda/lib/apparmor/0001-All-current-versions-of-RHEL-and-Fedora-that-are-not.patch b/anda/lib/apparmor/0001-All-current-versions-of-RHEL-and-Fedora-that-are-not.patch new file mode 100644 index 0000000000..0041761b76 --- /dev/null +++ b/anda/lib/apparmor/0001-All-current-versions-of-RHEL-and-Fedora-that-are-not.patch @@ -0,0 +1,48 @@ +From 092ccc544c66f2a233bb074a5b3f9d9edcad2716 Mon Sep 17 00:00:00 2001 +From: Thomas Crider +Date: Thu, 17 Nov 2022 23:46:54 -0500 +Subject: [PATCH] All current versions of RHEL and Fedora that are not EOL (End + of Life) or ELS (Extended Lifecycle Support) currently only support systemd. + Legacy init scripts are not supported. Standard systemd installation should + be used. + +--- + parser/Makefile | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/parser/Makefile b/parser/Makefile +index 15f9d97..64f5db6 100644 +--- a/parser/Makefile ++++ b/parser/Makefile +@@ -352,13 +352,10 @@ tests: apparmor_parser ${TESTS} + $(AAREOBJECT): FORCE + $(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)" + +-.PHONY: install-rhel4 +-install-rhel4: install-redhat +- + .PHONY: install-redhat +-install-redhat: +- install -m 755 -d $(DESTDIR)/etc/init.d +- install -m 755 rc.apparmor.$(subst install-,,$@) $(DESTDIR)/etc/init.d/apparmor ++install-redhat: install-systemd ++ install -m 755 -d $(SBINDIR) ++ ln -sf service $(SBINDIR)/rcapparmor + + .PHONY: install-suse + install-suse: install-systemd +@@ -389,9 +386,9 @@ DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \ + if [ "$$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \ + echo suse ;\ + elif [ "$$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \ +- echo rhel4 ;\ ++ echo redhat ;\ + elif [ "$$(rpm --eval '0%{?fedora}')" != "0" ] ; then \ +- echo rhel4 ;\ ++ echo redhat ;\ + else \ + echo unknown ;\ + fi ;\ +-- +2.38.1 + diff --git a/anda/lib/apparmor/0001-fix-avahi-daemon-authselect-denial-in-fedora.patch b/anda/lib/apparmor/0001-fix-avahi-daemon-authselect-denial-in-fedora.patch new file mode 100644 index 0000000000..282e2e66c8 --- /dev/null +++ b/anda/lib/apparmor/0001-fix-avahi-daemon-authselect-denial-in-fedora.patch @@ -0,0 +1,27 @@ +From 334e335909b8faab63bf9289e63f9dc1a3c82a83 Mon Sep 17 00:00:00 2001 +From: Thomas Crider +Date: Thu, 17 Nov 2022 22:46:54 -0500 +Subject: [PATCH] fix avahi-daemon authselect denial in fedora + +Fixes this denial: + +type=AVC msg=audit(1668734812.755:243): apparmor="DENIED" operation="open" profile="avahi-daemon" name="/etc/authselect/nsswitch.conf" pid=1418 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" +--- + profiles/apparmor.d/usr.sbin.avahi-daemon | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/profiles/apparmor.d/usr.sbin.avahi-daemon b/profiles/apparmor.d/usr.sbin.avahi-daemon +index 010b385..da69072 100644 +--- a/profiles/apparmor.d/usr.sbin.avahi-daemon ++++ b/profiles/apparmor.d/usr.sbin.avahi-daemon +@@ -21,6 +21,7 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon { + /etc/avahi/hosts r, + /etc/avahi/services/ r, + /etc/avahi/services/*.service r, ++ /etc/authselect/nsswitch.conf r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, +-- +2.38.1 + diff --git a/anda/lib/apparmor/anda.hcl b/anda/lib/apparmor/anda.hcl new file mode 100644 index 0000000000..9ea400dfb8 --- /dev/null +++ b/anda/lib/apparmor/anda.hcl @@ -0,0 +1,5 @@ +project "pkg" { + rpm { + spec = "apparmor.spec" + } +} diff --git a/anda/lib/apparmor/apparmor.preset b/anda/lib/apparmor/apparmor.preset new file mode 100644 index 0000000000..510175f40e --- /dev/null +++ b/anda/lib/apparmor/apparmor.preset @@ -0,0 +1 @@ +enable apparmor.service diff --git a/anda/lib/apparmor/apparmor.spec b/anda/lib/apparmor/apparmor.spec new file mode 100644 index 0000000000..b488e75b69 --- /dev/null +++ b/anda/lib/apparmor/apparmor.spec @@ -0,0 +1,340 @@ +%{?python_enable_dependency_generator} + +%bcond_with tests + +Name: apparmor +Version: 3.1.3 +Release: %autorelease +Summary: AppArmor userspace components + +%define baseversion %(echo %{version} | cut -d. -f-2) + +License: GPL-2.0 +URL: https://launchpad.net/apparmor +Source0: %{url}/%{baseversion}/%{version}/+download/%{name}-%{version}.tar.gz +Source1: apparmor.preset +Patch01: 0001-fix-avahi-daemon-authselect-denial-in-fedora.patch +Patch02: 0001-All-current-versions-of-RHEL-and-Fedora-that-are-not.patch + +BuildRequires: gcc +BuildRequires: automake +BuildRequires: libtool +BuildRequires: gcc-c++ +BuildRequires: libstdc++-static +BuildRequires: flex +BuildRequires: bison +BuildRequires: swig +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: %{_bindir}/podchecker +BuildRequires: %{_bindir}/pod2html +BuildRequires: gettext +BuildRequires: pam-devel +BuildRequires: httpd-devel +BuildRequires: systemd-rpm-macros +BuildRequires: gawk +BuildRequires: which +%if %{with tests} +BuildRequires: %{_bindir}/runtest +BuildRequires: %{_bindir}/prove +BuildRequires: perl(Locale::gettext) +BuildRequires: perl(Test::More) +%endif + +Provides: %{name}-profiles = %{version}-%{release} +Requires: %{name}-parser +Recommends: %{name}-utils +%{?systemd_requires} + +%description +AppArmor protects systems from insecure or untrusted processes by running +them in restricted confinement, while still allowing processes to share files, +exercise privilege and communicate with other processes. AppArmor is a Mandatory +Access Control (MAC) mechanism which uses the Linux Security Module (LSM) +framework. The confinement's restrictions are mandatory and are not bound to +identity, group membership, or object ownership. The protections provided are in +addition to the kernel's regular access control mechanisms (including DAC) and +can be used to restrict the superuser. + +%package libs +Summary: AppArmor library + +%description libs +This package contains the shared library used for making use of the AppArmor +profile and changehat functionality, as well as common log parsing routines. + +%package devel +Summary: AppArmor development libraries and header files +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +This package contains AppArmor development libraries and header files. + +%package -n python3-apparmor +Summary: AppArmor Python3 utility library +Requires: python3-LibAppArmor = %{version}-%{release} +BuildArch: noarch + +%description -n python3-apparmor +This package provides the python interface to AppArmor. It is used for python +applications interfacing with AppArmor. + +%package -n python3-LibAppArmor +Summary: AppArmor library Python3 bindings +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description -n python3-LibAppArmor +This package contains Python3 module that contains the language bindings for +the AppArmor library, libapparmor, which were autogenerated via SWIG. + +%package profiles +Summary: AppArmor profiles +Provides: apparmor-profiles = %{version}-%{release} +BuildArch: noarch + +%description profiles +This package contains default AppArmor profiles. + +%package parser +Summary: AppArmor userlevel parser utility +Requires: python3-apparmor = %{version} +# Let it be the AppArmor metapackage +Provides: %{name} = %{version}-%{release} +Requires: %{name}-profiles = %{version}-%{release} +Recommends: %{name}-utils + +%description parser +The AppArmor Parser is a userlevel program that is used to load in +program profiles to the AppArmor Security kernel module. + +%package utils +Summary: AppArmor User-Level Utilities +Requires: python3-apparmor = %{version} +Requires: python3-notify2 + +%description utils +This package provides the aa-logprof, aa-genprof, aa-autodep, +aa-enforce, and aa-complain tools to assist with profile authoring. +Besides it provides the aa-unconfined server information tool. + +%package -n pam_apparmor +Summary: PAM module for AppArmor change_hat +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: pam%{?_isa} + +%description -n pam_apparmor +This package provides the PAM module needed to declare various differing +confinement policies when starting PAM sessions by using the changehat +abilities exposed through libapparmor. + +%package -n mod_apparmor +Summary: AppArmor module for apache2 +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: httpd%{?_isa} + +%description -n mod_apparmor +This package provides the Apache module needed to declare various differing +confinement policies when running virtual hosts in the webserver by using the +changehat abilities exposed through libapparmor. + +%prep +%autosetup -p1 + +%build +export PYTHON=%{__python3} +export PYTHON_VERSION=3 +export PYTHON_VERSIONS=python3 + +pushd libraries/libapparmor +./autogen.sh +%configure \ + --with-python \ + +%make_build +popd + +%make_build -C binutils +%make_build -C parser +%make_build -C profiles +%make_build -C utils +%make_build -C changehat/pam_apparmor +%make_build -C changehat/mod_apparmor +%make_build -C utils/vim + +%install +%make_install -C libraries/libapparmor +%make_install -C binutils +%make_install -C parser \ + APPARMOR_BIN_PREFIX=%{buildroot}%{_prefix}/lib/apparmor \ + SBINDIR=%{buildroot}%{_sbindir} +%make_install -C profiles +%make_install -C utils +%make_install -C changehat/pam_apparmor \ + SECDIR=%{buildroot}%{_libdir}/security +%make_install -C changehat/mod_apparmor +%make_install -C utils/vim + +install -Dm644 %{SOURCE1} %{buildroot}%{_presetdir}/70-apparmor.preset + +find %{buildroot} \( -name "*.a" -o -name "*.la" \) -delete + +%find_lang aa-binutils +%find_lang apparmor-parser +%find_lang apparmor-utils + +%if %{with tests} +%check +make -C libraries/libapparmor check +make -C binutils check +make -C parser check +# only running check-parser, as check-logprof (included in check) fails: +# https://gitlab.com/apparmor/apparmor/issues/36 +make -C profiles check-parser +make -C profiles check +# shutil.copytree has a regression +# https://gitlab.com/apparmor/apparmor/issues/62 +make -C utils check +%endif + +%post parser +%systemd_post %{name}.service + +%preun parser +%systemd_preun %{name}.service + +%postun parser +%systemd_postun_with_restart %{name}.service + +%files libs +%license LICENSE +%{_libdir}/libapparmor.so.* + +%files devel +%{_libdir}/libapparmor.so +%{_includedir}/aalogparse +%{_includedir}/sys/apparmor* +%{_libdir}/pkgconfig/libapparmor.pc +%{_mandir}/man2/aa_*.2.gz +%{_mandir}/man3/aa_*.3.gz + +%files -n python3-apparmor +%{python3_sitelib}/apparmor +%{python3_sitelib}/apparmor-*.egg-info + +%files -n python3-LibAppArmor +%{python3_sitearch}/LibAppArmor +%{python3_sitearch}/LibAppArmor-*.egg-info + +%files profiles +%dir %{_sysconfdir}/apparmor.d/ +%dir %{_sysconfdir}/apparmor.d/abi +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/3.0 +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-outoftree-network +%config(noreplace) %{_sysconfdir}/apparmor.d/abi/kernel-5.4-vanilla +%config(noreplace) %{_sysconfdir}/apparmor.d/php-fpm +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-bgqd +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-dcerpcd +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-classic +%config(noreplace) %{_sysconfdir}/apparmor.d/samba-rpcd-spoolss +%config(noreplace) %{_sysconfdir}/apparmor.d/zgrep +%dir %{_sysconfdir}/apparmor.d/abstractions +%config(noreplace) %{_sysconfdir}/apparmor.d/abstractions/* +%dir %{_sysconfdir}/apparmor.d/disable +%dir %{_sysconfdir}/apparmor.d/local +%dir %{_sysconfdir}/apparmor.d/tunables +%config(noreplace) %{_sysconfdir}/apparmor.d/tunables/* +%dir %{_sysconfdir}/apparmor.d/apache2.d +%config(noreplace) %{_sysconfdir}/apparmor.d/apache2.d/phpsysinfo +%config(noreplace) %{_sysconfdir}/apparmor.d/bin.* +%config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* +%config(noreplace) %{_sysconfdir}/apparmor.d/usr.* +%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release +%config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe +%config(noreplace) %{_sysconfdir}/apparmor.d/local/* +%dir %{_datadir}/apparmor/ +%{_datadir}/apparmor/extra-profiles + +%files parser -f apparmor-parser.lang -f aa-binutils.lang +%license parser/COPYING.GPL +%doc parser/README +%doc parser/*.[1-9].html +%doc common/apparmor.css +%doc parser/techdoc.pdf +%{_sbindir}/apparmor_parser +%{_bindir}/aa-enabled +%{_bindir}/aa-exec +%{_bindir}/aa-features-abi +%{_sbindir}/aa-teardown +%{_sbindir}/rcapparmor +%{_unitdir}/apparmor.service +%{_presetdir}/70-apparmor.preset +%{_prefix}/lib/apparmor +%dir %{_sysconfdir}/apparmor +%config(noreplace) %{_sysconfdir}/apparmor/parser.conf +%{_sharedstatedir}/apparmor +%{_mandir}/man1/aa-enabled.1.gz +%{_mandir}/man1/aa-exec.1.gz +%{_mandir}/man1/aa-features-abi.1.gz +%{_mandir}/man5/apparmor.d.5.gz +%{_mandir}/man5/apparmor.vim.5.gz +%{_mandir}/man7/apparmor.7.gz +%{_mandir}/man7/apparmor_xattrs.7.gz +%{_mandir}/man8/aa-teardown.8.gz +%{_mandir}/man8/apparmor_parser.8.gz + +%files utils -f apparmor-utils.lang +%doc utils/*.[0-9].html +%doc utils/vim/apparmor.vim.5.html +%doc common/apparmor.css +%dir %{_sysconfdir}/apparmor +%config(noreplace) %{_sysconfdir}/apparmor/easyprof.conf +%config(noreplace) %{_sysconfdir}/apparmor/logprof.conf +%config(noreplace) %{_sysconfdir}/apparmor/notify.conf +%config(noreplace) %{_sysconfdir}/apparmor/severity.db +%{_sbindir}/aa-audit +%{_sbindir}/aa-autodep +%{_sbindir}/aa-cleanprof +%{_sbindir}/aa-complain +%{_sbindir}/aa-decode +%{_sbindir}/aa-disable +%{_sbindir}/aa-enforce +%{_sbindir}/aa-genprof +%{_sbindir}/aa-logprof +%{_sbindir}/aa-mergeprof +%{_sbindir}/aa-notify +%{_sbindir}/aa-remove-unknown +%{_sbindir}/aa-status +%{_sbindir}/aa-unconfined +%{_sbindir}/apparmor_status +%{_bindir}/aa-easyprof +%dir %{_datadir}/apparmor +%{_datadir}/apparmor/easyprof +%{_datadir}/apparmor/apparmor.vim +%{_mandir}/man5/logprof.conf.5.gz +%{_mandir}/man8/aa-audit.8.gz +%{_mandir}/man8/aa-autodep.8.gz +%{_mandir}/man8/aa-cleanprof.8.gz +%{_mandir}/man8/aa-complain.8.gz +%{_mandir}/man8/aa-decode.8.gz +%{_mandir}/man8/aa-disable.8.gz +%{_mandir}/man8/aa-easyprof.8.gz +%{_mandir}/man8/aa-enforce.8.gz +%{_mandir}/man8/aa-genprof.8.gz +%{_mandir}/man8/aa-logprof.8.gz +%{_mandir}/man8/aa-mergeprof.8.gz +%{_mandir}/man8/aa-notify.8.gz +%{_mandir}/man8/aa-remove-unknown.8.gz +%{_mandir}/man8/aa-status.8.gz +%{_mandir}/man8/aa-unconfined.8.gz +%{_mandir}/man8/apparmor_status.8.gz + +%files -n pam_apparmor +%{_libdir}/security/pam_apparmor.so + +%files -n mod_apparmor +%{_libdir}/httpd/modules/mod_apparmor.so +%{_mandir}/man8/mod_apparmor.8.gz + +%changelog +%autochangelog