apparmor: add new package #15481
Conversation
@oskarirauta I read in your description that you need auditd for AppArmor. The only problem is that, as far as I know, this service (auditd-userspace) is not supported for all architectures. If that is the case, then we need to limit its use in the DEPENDS field of AppArmor. With which architectures did you test it?
@feckert audit's Makefile does not mention anything about not working on some archs. Do you mean the kernel's audit support? AppArmor seems to be using Audit on both user-space and kernel. Might be possible. As default AppArmor is set to unconfined state, which would mean that it will log changes to files to the auditd log with information on the username that did or attempted this. Then with proper configuration you can opt-out parts of the system's paths to not get logged, and also you can set parts to not allowed for read/write/etc or a combination of these, without using ACLs. And also use a mode that makes a warning when something fishy is going on - this is most likely the option you are looking forward to. But I haven't so far tested this. So maybe you can give it a try if it works out for you?
Patches allow fewer dependencies, like bash and several python modules. Added functions script that suits nicely for OpenWRT, it's more clear than the original and a lot shorter. Also information that is put to the system log is more informative now. I also added an init script. Signed-off-by: Oskari Rauta <[email protected]>
Requirements
Since management of selinux isn't working at the moment and not anytime soon, I decided to investigate other similar solutions and came up with AppArmor. Whilst AppArmor and SELinux have differences, they have a very similar aim - so I started developing on how to integrate AppArmor on OpenWRT and whether that could be managed. Turns out I succeeded on this task. I have been testing it now for a month or so, and it works and can be managed. My build is patched. Most patches are changes to python and shell scripts to avoid too many dependencies and other minor changes. I also rebuilt the apparmor functions script basing it on the existing script, it's now less complicated, more informative (smarter log messages) and also a lot shorter than the originally provided script. Also there is an init script included. AppArmor does not work independently - It requires auditd as its companion and kernel support. Required kernel flags can be enabled in kernel configuration of menuconf after applying the patch from this PR
I don't think we need to change the DEPENDS field of AppArmor, as AppArmor already depends on audit; if audit's depends are updated and one is attempting to build AppArmor on an arch that does not support audit, AppArmor cannot be built. Recursive depends. @dangowrt - this is what I emailed you about, here they finally are, userland software for AppArmor.
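The comments above describe AppArmor's modes in prose (log-only versus denied access, and per-path read/write restrictions with audit logging). The following is an added example, not code from this PR or from the AppArmor project: a POSIX shell function that generates a minimal profile for a hypothetical daemon at `/usr/sbin/example-daemon` in either complain mode (violations only logged) or enforce mode (violations denied and logged), with a `deny` rule and an `audit` rule showing the per-path controls. The binary, its paths and the profile file-name helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from this PR or the AppArmor project: generate a
# minimal AppArmor profile for a daemon, in either complain mode (violations
# are only logged) or enforce mode (violations are denied and logged).
# The binary /usr/sbin/example-daemon and its paths are hypothetical.

# apparmor_profile BINARY MODE
#   MODE is "complain" or "enforce"; prints the profile text on stdout.
apparmor_profile() {
    bin="$1"; mode="$2"
    case "$mode" in
        complain) flags='flags=(complain) ' ;;
        enforce)  flags='' ;;
        *) echo "mode must be complain or enforce" >&2; return 1 ;;
    esac
    cat <<EOF
#include <tunables/global>

${bin} ${flags}{
  #include <abstractions/base>

  # the daemon may read and map its own executable
  ${bin} mr,

  # configuration is read-only, state directory is read/write
  /etc/example-daemon/** r,
  /var/lib/example-daemon/** rw,

  # explicitly denied even if a broader rule would allow it; the denial is logged
  deny /etc/shadow r,

  # allowed, but every access is written to the audit log
  audit /etc/config/** r,
}
EOF
}

# profile_path BINARY: conventional file name under /etc/apparmor.d/
# (/usr/sbin/foo -> /etc/apparmor.d/usr.sbin.foo)
profile_path() {
    printf '/etc/apparmor.d/%s\n' "$(printf '%s' "$1" | sed 's#^/##; s#/#.#g')"
}

# Stand-alone usage: write a complain-mode profile to its conventional path.
# Loading it afterwards needs a kernel built with AppArmor support, e.g.
#   apparmor_parser -r "$(profile_path /usr/sbin/example-daemon)"
# and aa-complain / aa-enforce switch an already loaded profile between modes.
# apparmor_profile /usr/sbin/example-daemon complain > "$(profile_path /usr/sbin/example-daemon)"
```

Starting in complain mode and reviewing the logged violations before switching to enforce is the usual way to build a profile without locking a service out; the `audit` qualifier is what makes allowed-but-sensitive reads visible in the audit log even in enforce mode.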
I broke this commit/PR and cannot fix it. Re-creating it, sorry.
Replaced by #15643
Major changes are: clean-up codes using checkpatch --strict option. fix several warnings and build failures from linux-next. change the minimum supported kernel version to v5.4. use xarray for tree connect list. fix reviews from lkml. Signed-off-by: Rosen Penev <[email protected]>
MacOS ignores Bonjour services for which TXT records are not returned. This change forces the umdns service to return a TXT record (`daemon=ksmbd`) for the ksmbd service. The exact content is unimportant and to the best of my knowledge nothing reads the `daemon` tag. Symptoms of the problem (which are also debugging steps):
* Finder refuses to open the OpenWRT "computer" in the Network list.
* Discovery.app (Bonjour Browser) lists the _ssh._tcp service, but the submenu for it doesn't unfold and no address is shown.
* `dns-sd -L OpenWrt _smb._tcp` doesn't return any address.
Signed-off-by: Kirill Nikolaev <[email protected]>
Major changes are: disable symlink by default. remove smack inherit leftovers. Enable guest access on IPC$ share by default. Signed-off-by: Rosen Penev <[email protected]>
Signed-off-by: Jan Pavlinec <[email protected]>
Adds modules for BLISS signature scheme, NTRU and New Hope key exchange algorithms, and dependencies ChaCha20-Poly1305 AEAD, ChaCha20 XOF, MGF1 mask generation function, SHA3 hasher SHAKE XOF, and the Number Theoretic Transform library. Signed-off-by: Derek Yerger <[email protected]>
Signed-off-by: Jianhui Zhao <[email protected]>
Instead of just appending the driver serial including the '0x' prefix, use '-' prefix instead to make it more readable. Signed-off-by: Daniel Golle <[email protected]>
Signed-off-by: Dirk Brenken <[email protected]>
This was probably a work-around for an issue with dependencies which was fixed by openwrt/openwrt@988ed00 Remove it as all other packages with `-selinux` variants do provide a non-SELinux-variant without any suffix and that works now, see procd vs. procd-selinux busybox vs. busybox-selinux Signed-off-by: Daniel Golle <[email protected]>
uvol is a wrapper-script which allows automated handling of storage volumes. uvol currently comes with backend support for LVM2 and UBI, covering practically all options for storage large enough to be managed (NAND, SPI-NAND, eMMC, SATA, NVME, virtio-blk, ...). Signed-off-by: Daniel Golle <[email protected]>
Fixes: 312594f ("uvol: add new package") Signed-off-by: Daniel Golle <[email protected]>
This patch prevents multiple cron jobs from being created to run the safe-search-maintenance script. To reproduce this bug, perform the following:
- Install safe-search
- Perform an OpenWRT firmware upgrade (choose to preserve user settings)
- Install safe-search again
Signed-off-by: Gregory L. Dietsche <[email protected]>
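The commit above fixes a job being added to the crontab once per install. As an added example, not the safe-search package's own code, the shell function below shows the idempotent pattern that avoids the bug: check for an identical line before appending. The job line is a constructed sample and the crontab file path is supplied by the caller; OpenWrt's real root crontab lives at /etc/crontabs/root.

```shell
#!/bin/sh
# Added example, not the safe-search package's own init code: add a cron
# line only when it is not already present, so installing the package a
# second time (for example after a sysupgrade that kept /etc/crontabs/root)
# cannot create a duplicate job.

JOB='0 3 * * * /usr/sbin/safe-search-maintenance'   # constructed sample entry

# count_cron_job FILE LINE: number of exact copies of LINE in FILE (0 if missing).
count_cron_job() {
    n=$(grep -cxF -- "$2" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# add_cron_job FILE LINE
#   Append LINE to FILE unless an identical line is already there.
#   Returns 0 when FILE holds exactly one copy afterwards, 1 otherwise.
add_cron_job() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    # -x: whole-line match, -F: fixed string (cron lines contain * and /)
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
    [ "$(count_cron_job "$file" "$line")" -eq 1 ]
}

# Stand-alone usage against a scratch file (never the live crontab here):
# add_cron_job /tmp/example-crontab "$JOB"; add_cron_job /tmp/example-crontab "$JOB"
# leaves exactly one copy of the job in /tmp/example-crontab.
```

Whole-line fixed-string matching matters: a substring match on the script name would also treat a commented-out or differently scheduled entry as "present" and silently skip the install.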
modbus-utils was not intended to be added at this stage. Remove it. Fixes: 312594f ("uvol: add new package") Signed-off-by: Daniel Golle <[email protected]>
Fix post-merge comments in #15316 and update source. Signed-off-by: Daniel Golle <[email protected]>
Signed-off-by: Rosen Penev <[email protected]>
Signed-off-by: Rosen Penev <[email protected]>
Signed-off-by: Rosen Penev <[email protected]>
Signed-off-by: Michael Heimpold <[email protected]>
Signed-off-by: Michael Heimpold <[email protected]>
Signed-off-by: Jan Pavlinec <[email protected]>
Fixes CVE-2021-29477 Signed-off-by: Jan Pavlinec <[email protected]>
gpgrt-config is trying to use the host's /usr/lib path when looking for libgpg-error. Therefore, disable it and gpg-error-config will be used as a fallback. Signed-off-by: Alexander Egorenkov <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Refreshed Python patches. Updated pip & setuptools version. For pip, patch '001-pep517-pyc-fix.patch' was reworked. Also, the current version of the bundled pip (21.1.1) no longer supports Python2, so the 'py2.py3' suffix gets replaced with just py3. For setuptools, there is no longer a script/module: pypa/setuptools#2544 Signed-off-by: Alexandru Ardelean <[email protected]>
Signed-off-by: Tianling Shen <[email protected]>
Signed-off-by: Jan Pavlinec <[email protected]>
* Full changelog available at:
* https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.106.2
Signed-off-by: Dobroslaw Kijowski <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: W. Michael Petullo <[email protected]>
Miscellaneous:
- Remove prompt to use docker compose in the up command
- Bump py to 1.10.0 in requirements-indirect.txt
Signed-off-by: Javier Marcet <[email protected]>
Paul Blazejowski discovered that the recent update to this package broke cross-compiling for some OpenWrt platforms. This backports commit 33593864 (March 26, 2021) from the upstream libgpg-error project to fix this problem. Signed-off-by: W. Michael Petullo <[email protected]>
Signed-off-by: Jan Hak <[email protected]>
Signed-off-by: Miroslav Lichvar <[email protected]>
Recreate symbolic link if it's missing after a sysupgrade with a private and public key present in /etc/atlas/ Signed-off-by: Ansuel Smith <[email protected]>
Signed-off-by: Igor Bezzubchenko <[email protected]>
Rrsync is a perl script that is supplied as an extra with the rsync program. It must be used in conjunction with openssh-server or openssh-server-pam as it requires ~/.ssh/authorized_keys which is not supported by dropbear. Rrsync allows selective access to subdirectories in either read-only, write-only or read-write, depending on settings in authorized_keys. This allows for safe, restrictive access. It's particularly useful for automated backup purposes. An example usage would be this entry:
command="/usr/bin/rrsync -ro /home" <public key here>
This would allow a system connecting with this public key to be able to rsync FROM the /home directory tree only. It could not write to this directory, nor read from any other directory.
Signed-off-by: Matt Reeve <[email protected]>
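The entry in the commit message above confines the key to rrsync but leaves the other SSH features of the key (pty, port and agent forwarding) enabled. The following is an added example, not part of the rsync project or this package: a shell function that emits an authorized_keys line combining the rrsync command with OpenSSH's `restrict` option, plus a check that reports rrsync entries in an existing file which lack that hardening. The key string and directories are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the rsync project or this package: build an
# authorized_keys entry that confines a key to rrsync AND switches off the
# other SSH features the key does not need, and audit a file for rrsync
# entries that omit that hardening. Key and paths are constructed samples.

# rrsync_key_entry MODE DIR PUBKEY
#   MODE: ro (read-only), wo (write-only) or rw; DIR must be absolute.
#   Prints one authorized_keys line on stdout; returns 1 on bad input.
rrsync_key_entry() {
    mode="$1"; dir="$2"; key="$3"
    case "$mode" in
        ro) opt='-ro ' ;;
        wo) opt='-wo ' ;;
        rw) opt='' ;;
        *) echo "mode must be ro, wo or rw" >&2; return 1 ;;
    esac
    case "$dir" in
        /*) ;;
        *) echo "directory must be an absolute path" >&2; return 1 ;;
    esac
    # "restrict" (OpenSSH 7.2+) disables pty, port/agent/X11 forwarding and
    # user rc; rrsync then limits what the forced command may touch.
    printf 'command="/usr/bin/rrsync %s%s",restrict %s\n' "$opt" "$dir" "$key"
}

# audit_rrsync_keys FILE
#   Print lines that force rrsync but carry neither "restrict" nor "no-pty",
#   i.e. keys that could still open a shell-like channel or forward ports.
audit_rrsync_keys() {
    grep -- 'command="[^"]*rrsync' "$1" 2>/dev/null | grep -v -e 'restrict' -e 'no-pty' || true
}

# Stand-alone usage: print a hardened read-only entry for a sample key.
# rrsync_key_entry ro /home 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY backup@example'
```

The `restrict` keyword is the shorter equivalent of the `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc` list; the audit function accepts either spelling so older, explicitly restricted entries are not flagged.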
Signed-off-by: Philip Prindeville <[email protected]>
Notable Changes:
- Diagnostics channel (experimental module)
- UUID support in the crypto module
- Experimental support for AbortController and AbortSignal
Signed-off-by: Hirokazu MORIKAWA <[email protected]>
…kages into feature_apparmor
This reverts commit 3c47003.
This reverts commit 8068b0a.
Signed-off-by: Oskari Rauta [email protected]
Maintainer: Oskari Rauta / @oskarirauta (find it by checking history of the package Makefile)
Compile tested: x86_64, server, recent snapshot
Run tested: x86_64, server, recent snapshot, tested, works
Description:
Contains AppArmor userland libraries and utilities.
Requires python3-readline #15369