diff --git a/elements/components/apache.yml b/elements/components/apache.yml
index ff5371dc..379d55bc 100644
--- a/elements/components/apache.yml
+++ b/elements/components/apache.yml
@@ -1,5 +1,5 @@
 id: apache
-version: 2.4.57
+version: 2.4.62
 about: Apache HTTP server version 2.4.x
 configure: >
@@ -8,8 +8,8 @@ configure: >
  --enable-mods-shared="all cgi"
  --enable-mpms-shared=all
  --enable-suexec=shared
- --with-apr=/usr/bin/apr-1-config
- --with-apr-util=/usr/bin/apu-1-config
+ --with-apr=%{bindir}/apr-1-config
+ --with-apr-util=%{bindir}/apu-1-config
  --with-suexec-bin=/usr/lib/httpd/suexec
  --with-suexec-caller=apache
  --with-suexec-docroot=/srv/www
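Review bot: `--with-suexec-bin=/usr/lib/httpd/suexec` on the line after the changed ones still hard-codes the library path while `--with-apr` and `--with-apr-util` now use `%{bindir}`; since this commit already uses `%{libdir}` in apparmor.yml, the consistent form is `--with-suexec-bin=%{libdir}/httpd/suexec`. suexec's caller, docroot and binary path are compile-time trust settings, so whichever path is chosen has to match where the install step actually places the setuid binary; that step is in a later hunk of this file and the `mv` there is commented out on both sides, so the path should be double-checked against the real install location. The `configure: >` scalar begins before this hunk.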
@@ -19,20 +19,29 @@ configure: > post-script: | install -v -d -m 0755 %{install-root}/run/httpd - # mv -v %{install-root}/usr/bin/suexec %{install-root}/usr/lib/httpd/suexec + # mv -v %{install-root}%{bindir}/suexec %{install-root}/usr/lib/httpd/suexec # chgrp 25 %{install-root}/usr/lib/httpd/suexec # chmod 4754 %{install-root}/usr/lib/httpd/suexec - install -v -d -m 0755 -o 25 -g 25 %{install-root}/srv/www + # install -v -d -m 0755 -o 25 -g 25 %{install-root}/srv/www #install -v -D -m 0644 /files/apache/service %{install-root}/usr/lib/systemd/system/httpd.service depends: - components/apr.yml - # - components/apr-utils.yml + - components/apr-util.yml - components/pcre.yml - components/openssl.yml - components/libxml2.yml sources: - - https://downloads.apache.org/httpd/httpd-%{version}.tar.gz + - https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 + - patches/apache/httpd-%{version}-RLXOS_layout-1.patch pre-script: | - patch -Np1 -i /files/apache/layout-%{version}.patch + patch -Np1 -i httpd-%{version}-RLXOS_layout-1.patch sed '/dir.*CFG_PREFIX/s@^@#@' -i support/apxs.in + + sed -e '/HTTPD_ROOT/s:${ap_prefix}:/etc/httpd:' \ + -e '/SERVER_CONFIG_FILE/s:${rel_sysconfdir}/::' \ + -e '/AP_TYPES_CONFIG_FILE/s:${rel_sysconfdir}/::' \ + -i configure + + sed -e '/encoding.h/a # include ' \ + -i modules/filters/mod_xml2enc.c diff --git a/elements/components/apparmor.yml b/elements/components/apparmor.yml new file mode 100644 index 00000000..8e1f36af --- /dev/null +++ b/elements/components/apparmor.yml 
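Review bot: The new `sed -e '/encoding.h/a # include ' -i modules/filters/mod_xml2enc.c` line has no header name after `# include` as rendered here; if the file really reads that way the appended line is an incomplete preprocessor directive and mod_xml2enc will not compile, so the intended libxml2 header should be spelled out explicitly, e.g. `sed -e '/encoding.h/a # include <HEADER_PLACEHOLDER>' \` with the real header name (this may also be angle brackets lost in rendering, which is worth confirming). The tarball source now comes from `https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2` plus an in-tree patch, but no checksum or signature is pinned next to the URL; if the element format has a hash field, set it here, since Apache publishes a `.sha512` and `.asc` beside every release. Commenting out `install -v -d -m 0755 -o 25 -g 25 %{install-root}/srv/www` means this element no longer creates the docroot owned by uid/gid 25; a root-owned, read-only docroot is the safer default for httpd, but a comment stating that this is intentional (and that the layout patch now creates `/srv/www`) would stop it from being re-enabled by the next maintainer. The `post-script: |` and `pre-script: |` scalars both start inside this hunk.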
@@ -0,0 +1,39 @@
+id: apparmor
+version: 3.1.7
+about: Mandatory Access Control (MAC) using Linux Security Module (LSM)
+
+script: |-
+ (
+ cd libraries/libapparmor
+ ./configure --prefix=%{prefix} --sbindir=%{bindir} --with-python
+ make $MAKEFLAGS
+ )
+
+ for target in binutils parser profiles utils changehat/pam_apparmor changehat/mod_apparmor utils/vim ; do
+ make -C $target
+ done
+
+ make -C libraries/libapparmor DESTDIR="%{install-root}" install
+ make -C changehat/pam_apparmor DESTDIR="%{install-root}%{prefix}" install
+ make -C changehat/mod_apparmor DESTDIR="%{install-root}" install
+ make -C binutils DESTDIR="%{install-root}" SBINDIR="%{install-root}%{bindir}" USR_SBINDIR="%{install-root}%{bindir}" install
+ make -C parser -j1 DESTDIR="%{install-root}" SBINDIR="%{install-root}%{bindir}" USR_SBINDIR="%{install-root}%{bindir}" APPARMOR_BIN_PREFIX="%{install-root}%{libdir}/apparmor" install install-systemd
+ make -C profiles DESTDIR="%{install-root}" install
+ make -C utils DESTDIR="%{install-root}" SBINDIR="%{install-root}%{bindir}" USR_SBINDIR="%{install-root}%{bindir}" BINDIR="%{install-root}%{bindir}" VIM_INSTALL_PATH="%{install-root}%{datadir}/vim/vimfiles/syntax" install
+
+
+depends:
+ - components/audit.yml
+ - components/bash.yml
+ - components/libgcc.yml
+ - components/pam.yml
+ - components/python.yml
+ - components/py/py-notify2.yml
+ - components/py/py-psutil.yml
+
+build-depends:
+ - components/apache.yml
+ - components/py/py-setuptools.yml
+
+sources:
+ - https://launchpad.net/apparmor/%{version:2}/%{version}/+download/apparmor-%{version}.tar.gz
diff --git a/elements/components/apr.yml b/elements/components/apr.yml
index aad1347d..8a891e03 100644
--- a/elements/components/apr.yml
+++ b/elements/components/apr.yml
@@ -13,4 +13,4 @@ depends:
  - components/gdbm.yml
  - components/sqlite.yml
 sources:
- - http://www.apache.org/dist/apr/apr-%{version}.tar.bz2
+ - https://archive.apache.org/dist/apr/apr-%{version}.tar.bz2
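Review bot: The `sources:` entry for the AppArmor tarball carries no checksum or signature reference, so the build trusts whatever Launchpad serves for `%{version}`; for a component that ships the MAC parser and the system's policy profiles, a pinned hash (if the element format has such a field) is what makes the later `parser` and `profiles` install steps trustworthy, and the same applies to the py-notify2 hunk in this commit. `make -C changehat/pam_apparmor DESTDIR="%{install-root}%{prefix}" install` is the only install step whose DESTDIR includes `%{prefix}` while every other step uses `DESTDIR="%{install-root}"`; if that is deliberate because pam_apparmor's Makefile installs under an absolute `/lib/security`, a comment on that line saying so would keep the next reader from "fixing" it. `$MAKEFLAGS` is passed only to the libapparmor build and not to the `for target` loop, which looks like an oversight rather than intent.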
diff --git a/elements/components/py/py-notify2.yml b/elements/components/py/py-notify2.yml new file mode 100644 index 00000000..97323753 --- /dev/null +++ b/elements/components/py/py-notify2.yml @@ -0,0 +1,13 @@ +id: py-notify2 +version: 0.3.1 +about: Python interface to DBus notifications + +depends: + - components/python.yml + - components/py/py-dbus.yml + +build-depends: + - components/py/py-setuptools.yml + +sources: + - https://files.pythonhosted.org/packages/source/n/notify2/notify2-%{version}.tar.gz diff --git a/elements/kernel/linux.yml b/elements/kernel/linux.yml index 8122ee6a..62702bab 100644 --- a/elements/kernel/linux.yml +++ b/elements/kernel/linux.yml @@ -834,10 +834,11 @@ script: |- enable MODULES enable MODULE_UNLOAD - enable MODULE_SIG_FORMAT + enable MODULE_SIG remove MODULE_SIG_ALL enable MODULE_SIG_SHA512 + enable MODULE_SIG_FORMAT value_str MODULE_SIG_HASH "sha512" enable MODULE_COMPRESS_NONE value_str MODPROBE_PATH "/usr/sbin/modprobe" @@ -7788,6 +7789,8 @@ script: |- value SECURITY_SELINUX_SIDTAB_HASH_BITS 9 value SECURITY_SELINUX_SID2STR_CACHE_SIZE 256 enable SECURITY_YAMA + enable SECURITY_APPARMOR + enable SECURITY_LOCKDOWN_LSM enable SECURITY_LOCKDOWN_LSM_EARLY enable LOCK_DOWN_KERNEL_FORCE_NONE @@ -7819,7 +7822,7 @@ script: |- enable EVM enable EVM_ATTR_FSUUID enable DEFAULT_SECURITY_SELINUX - value_str LSM "lockdown,yama,integrity,selinux,bpf,landlock" + value_str LSM "lockdown,lockdown,yama,integrity,apparmor,bpf" # # Kernel hardening options @@ -8078,7 +8081,8 @@ script: |- # # Certificates for signature checking # - value_str MODULE_SIG_KEY "" + value_str MODULE_SIG_KEY "/files/sign-keys/linux-module-cert.key" + enable MODULE_SIG_KEY_TYPE_ECDSA enable SYSTEM_TRUSTED_KEYRING value_str SYSTEM_TRUSTED_KEYS "/files/sign-keys/linux-module-cert.crt" enable SYSTEM_EXTRA_CERTIFICATE diff --git a/patches/apache/httpd-2.4.62-RLXOS_layout-1.patch b/patches/apache/httpd-2.4.62-RLXOS_layout-1.patch new file mode 100644 index 00000000..3798aeae 
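Review bot: In the `@@ -834,10 +834,11 @@` hunk, `enable MODULE_SIG` is added next to the existing `remove MODULE_SIG_ALL`, so signature support is compiled in but modules are not signed at `modules_install` unless the build signs them separately, and nothing in the hunk sets `MODULE_SIG_FORCE`, so unsigned modules still load (tainting the kernel) unless lockdown is active. If the intent is enforced module signing with the key configured later in this file, the lines should be `enable MODULE_SIG_ALL` and `enable MODULE_SIG_FORCE`, otherwise a comment should state why signing is left optional. `MODULE_SIG_FORMAT` is normally selected automatically by `MODULE_SIG`, so the added `enable MODULE_SIG_FORMAT` is likely redundant. The `script: |-` block these lines belong to starts and ends outside the hunk.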
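Review bot: In the `@@ -7788,6 +7789,8 @@` hunk, `enable SECURITY_LOCKDOWN_LSM` is added two lines above the existing `enable LOCK_DOWN_KERNEL_FORCE_NONE`, so lockdown is built but not enforced at boot unless selected with the `lockdown=` kernel parameter; since lockdown is what would make the module-signing changes in this commit binding, a comment saying whether non-forced lockdown is intended would help. `enable SECURITY_APPARMOR` is added while the SELinux tunables above it stay enabled; that is harmless on its own, but the `LSM` ordering in the next hunk is what decides which of them actually runs, and that hunk currently drops selinux.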
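Review bot: In the `@@ -7819,7 +7822,7 @@` hunk, the new `value_str LSM "lockdown,lockdown,yama,integrity,apparmor,bpf"` lists `lockdown` twice and drops `landlock`, which looks like a typo for the previous trailing `landlock` entry; it also drops `selinux` while `enable DEFAULT_SECURITY_SELINUX` on the line above is kept, so the default-LSM symbol and the explicit order now disagree. Suggest `value_str LSM "lockdown,yama,integrity,apparmor,bpf,landlock"` and, if AppArmor is meant to be the primary LSM, replacing `enable DEFAULT_SECURITY_SELINUX` with `enable DEFAULT_SECURITY_APPARMOR` so the two stay consistent. Whether selinux should stay in the list cannot be decided from this hunk, because its options are still enabled elsewhere in the file.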
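Review bot: In the `@@ -8078,7 +8081,8 @@` hunk, `value_str MODULE_SIG_KEY "/files/sign-keys/linux-module-cert.key"` points the kernel build at a private signing key stored beside the certificate under `/files/sign-keys`; if that path is part of this repository or the published build image, the key vouched for by `SYSTEM_TRUSTED_KEYS` on the next line is effectively public and anyone holding it can produce modules the kernel accepts. The key should be kept out of version control (generated per build or injected from a secret store) with only the `.crt` committed, and a comment next to this line should say where the key comes from. `enable MODULE_SIG_KEY_TYPE_ECDSA` also requires the key file to actually be an ECDSA key, which is worth a build-time check, and with `remove MODULE_SIG_ALL` earlier in this file the key is not used for automatic signing at all.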
--- /dev/null
+++ b/patches/apache/httpd-2.4.62-RLXOS_layout-1.patch
@@ -0,0 +1,259 @@ +diff -Naur a/config.layout b/config.layout +--- a/config.layout 2020-02-21 01:39:22.000000000 +0100 ++++ b/config.layout 2022-03-19 10:58:09.199098421 +0100 +@@ -9,6 +9,30 @@ + ## (This may become a configurable parameter at some point.) + ## + ++ ++ prefix: ++ exec_prefix: ${prefix}/usr ++ bindir: ${exec_prefix}/bin ++ sbindir: ${exec_prefix}/sbin ++ libdir: ${exec_prefix}/lib ++ libexecdir: ${exec_prefix}/lib/httpd/modules ++ mandir: ${exec_prefix}/share/man ++ sysconfdir: ${prefix}/etc/httpd ++ datadir: ${exec_prefix}/share/httpd ++ iconsdir: ${datadir}/icons ++ htdocsdir: ${prefix}/srv/www ++ manualdir: ${datadir}/manual ++ cgidir: ${exec_prefix}/lib/httpd/cgi-bin ++ includedir: ${exec_prefix}/include/httpd ++ localstatedir: ${prefix}/var/lock/httpd ++ runtimedir: ${prefix}/run/httpd ++ logfiledir: ${prefix}/var/log/httpd ++ proxycachedir: ${prefix}/var/cache/httpd/proxy ++ infodir: ${exec_prefix}/share/info ++ installbuilddir: ${datadir}/build ++ errordir: ${datadir}/error ++ ++ + # Classical Apache path layout. 
+ + prefix: /usr/local/apache2 + +diff -Naur a/configure.in b/configure.in +--- a/configure.in 2022-02-24 23:18:42.000000000 +0100 ++++ b/configure.in 2022-03-19 10:58:09.202098385 +0100 +@@ -901,11 +901,11 @@ + echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c + + APR_EXPAND_VAR(ap_prefix, $prefix) +-AC_DEFINE_UNQUOTED(HTTPD_ROOT, "${ap_prefix}", ++AC_DEFINE_UNQUOTED(HTTPD_ROOT, "/etc/httpd", + [Root directory of the Apache install area]) +-AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf", ++AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${progname}.conf", + [Location of the config file, relative to the Apache root directory]) +-AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types", ++AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "mime.types", + [Location of the MIME types config file, relative to the Apache root directory]) + + perlbin=`$ac_aux_dir/PrintPath perl` + +diff -Naur a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in +--- a/docs/conf/httpd.conf.in 2016-08-17 01:12:07.000000000 +0200 ++++ b/docs/conf/httpd.conf.in 2022-03-19 10:58:09.203098373 +0100 +@@ -28,7 +28,7 @@ + # same ServerRoot for multiple httpd daemons, you will need to change at + # least PidFile. + # +-ServerRoot "@@ServerRoot@@" ++#ServerRoot "@@ServerRoot@@" + + # + # Mutex: Allows you to set the mutex mechanism and mutex file directory +@@ -74,8 +74,8 @@ + # It is usually good practice to create a dedicated user and group for + # running httpd, as with most system services. + # +-User daemon +-Group daemon ++User apache ++Group apache + + + +@@ -96,7 +96,7 @@ + # e-mailed. This address appears on some server-generated pages, such + # as error documents. e.g. admin@your-domain.com + # +-ServerAdmin you@example.com ++ServerAdmin admin@localhost + + # + # ServerName gives the name and port that the server uses to identify itself. +@@ -105,7 +105,7 @@ + # + # If your host doesn't have a registered DNS name, enter its IP address here. 
+ # +-#ServerName www.example.com:@@Port@@ ++#ServerName localhost:@@Port@@ + + # + # Deny access to the entirety of your server's filesystem. You must +@@ -181,7 +181,7 @@ + # logged here. If you *do* define an error logfile for a + # container, that host's errors will be logged there and not here. + # +-ErrorLog "@rel_logfiledir@/error_log" ++ErrorLog "@rel_logfiledir@/error.log" + + # + # LogLevel: Control the number of messages logged to the error_log. +@@ -210,13 +210,13 @@ + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # +- CustomLog "@rel_logfiledir@/access_log" common ++ CustomLog "@rel_logfiledir@/access.log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # +- #CustomLog "@rel_logfiledir@/access_log" combined ++ #CustomLog "@rel_logfiledir@/access.log" combined + + + +diff -Naur a/include/ap_config_layout.h.in b/include/ap_config_layout.h.in +--- a/include/ap_config_layout.h.in 2006-07-11 22:55:32.000000000 +0200 ++++ b/include/ap_config_layout.h.in 2022-03-19 10:58:09.203098373 +0100 +@@ -60,5 +60,6 @@ + #define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@" + #define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@" + #define DEFAULT_REL_PROXYCACHEDIR "@rel_proxycachedir@" ++#define DEFAULT_PIDLOG "/run/httpd/httpd.pid" + + #endif /* AP_CONFIG_LAYOUT_H */ +diff -Naur a/include/httpd.h b/include/httpd.h +--- a/include/httpd.h 2022-03-09 15:04:15.000000000 +0100 ++++ b/include/httpd.h 2022-03-19 10:58:09.203098373 +0100 +@@ -110,7 +110,7 @@ + #define DOCUMENT_LOCATION HTTPD_ROOT "/docs" + #else + /* Set default for non OS/2 file system */ +-#define DOCUMENT_LOCATION HTTPD_ROOT "/htdocs" ++#define DOCUMENT_LOCATION "/srv/www" + #endif + #endif /* DOCUMENT_LOCATION */ + +diff -Naur a/Makefile.in b/Makefile.in +--- a/Makefile.in 2021-06-02 09:11:47.000000000 +0200 ++++ b/Makefile.in 2022-03-19 
11:07:06.441588175 +0100 +@@ -121,9 +121,9 @@ + done ; \ + done ; \ + if test -f "$(builddir)/envvars-std"; then \ +- cp -p envvars-std $(DESTDIR)$(sbindir); \ +- if test ! -f $(DESTDIR)$(sbindir)/envvars; then \ +- cp -p envvars-std $(DESTDIR)$(sbindir)/envvars ; \ ++ install -m644 envvars-std $(DESTDIR)$(installbuilddir); \ ++ if test ! -f $(DESTDIR)$(sysconfdir)/envvars; then \ ++ install -m644 envvars-std $(DESTDIR)$(sysconfdir)/envvars; \ + fi ; \ + fi + +@@ -195,7 +195,7 @@ + if test -d $(htdocs-srcdir) && test "x$(RSYNC)" != "x" && test -x $(RSYNC) ; then \ + $(RSYNC) --exclude .svn -rlpt --numeric-ids $(htdocs-srcdir)/ $(DESTDIR)$(htdocsdir)/; \ + else \ +- test -d $(htdocs-srcdir) && (cd $(htdocs-srcdir) && cp -rp * $(DESTDIR)$(htdocsdir)) ; \ ++ test -d $(htdocs-srcdir) && (cd $(htdocs-srcdir) && cp -r * $(DESTDIR)$(htdocsdir)) ; \ + cd $(DESTDIR)$(htdocsdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi; \ + fi +@@ -206,7 +206,7 @@ + else \ + echo Installing error documents ; \ + $(MKINSTALLDIRS) $(DESTDIR)$(errordir) ; \ +- cd $(top_srcdir)/docs/error && cp -rp * $(DESTDIR)$(errordir) ; \ ++ cd $(top_srcdir)/docs/error && cp -r * $(DESTDIR)$(errordir) ; \ + test "x$(errordir)" != "x" && cd $(DESTDIR)$(errordir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi + +@@ -216,7 +216,7 @@ + else \ + echo Installing icons ; \ + $(MKINSTALLDIRS) $(DESTDIR)$(iconsdir) ; \ +- cd $(top_srcdir)/docs/icons && cp -rp * $(DESTDIR)$(iconsdir) ; \ ++ cd $(top_srcdir)/docs/icons && cp -r * $(DESTDIR)$(iconsdir) ; \ + test "x$(iconsdir)" != "x" && cd $(DESTDIR)$(iconsdir) && find . 
-name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi + +@@ -226,7 +226,7 @@ + else \ + echo Installing CGIs ; \ + $(MKINSTALLDIRS) $(DESTDIR)$(cgidir) ; \ +- cd $(top_srcdir)/docs/cgi-examples && cp -rp * $(DESTDIR)$(cgidir) ; \ ++ cd $(top_srcdir)/docs/cgi-examples && cp -r * $(DESTDIR)$(cgidir) ; \ + test "x$(cgidir)" != "x" && cd $(DESTDIR)$(cgidir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi + +@@ -280,12 +280,12 @@ + @test -d $(DESTDIR)$(mandir)/man1 || $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/man1 + @test -d $(DESTDIR)$(mandir)/man8 || $(MKINSTALLDIRS) $(DESTDIR)$(mandir)/man8 + @test -d $(DESTDIR)$(manualdir) || $(MKINSTALLDIRS) $(DESTDIR)$(manualdir) +- @cp -p $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1 +- @cp -p $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8 ++ @cp $(top_srcdir)/docs/man/*.1 $(DESTDIR)$(mandir)/man1 ++ @cp $(top_srcdir)/docs/man/*.8 $(DESTDIR)$(mandir)/man8 + @if test "x$(RSYNC)" != "x" && test -x $(RSYNC) ; then \ + $(RSYNC) --exclude .svn -rlpt --numeric-ids $(top_srcdir)/docs/manual/ $(DESTDIR)$(manualdir)/; \ + else \ +- cd $(top_srcdir)/docs/manual && cp -rp * $(DESTDIR)$(manualdir); \ ++ cd $(top_srcdir)/docs/manual && cp -r * $(DESTDIR)$(manualdir); \ + cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ + fi + +diff -Naur a/support/apachectl.in b/support/apachectl.in +--- a/support/apachectl.in 2012-02-01 04:47:28.000000000 +0100 ++++ b/support/apachectl.in 2022-03-19 10:58:09.204098361 +0100 +@@ -45,8 +45,8 @@ + HTTPD='@exp_sbindir@/@progname@' + # + # pick up any necessary environment variables +-if test -f @exp_sbindir@/envvars; then +- . @exp_sbindir@/envvars ++if test -f @exp_sysconfdir@/envvars; then ++ . 
@exp_sysconfdir@/envvars + fi + # + # a command that outputs a formatted text version of the HTML at the +diff -Naur a/support/Makefile.in b/support/Makefile.in +--- a/support/Makefile.in 2018-02-09 11:17:30.000000000 +0100 ++++ b/support/Makefile.in 2022-03-19 11:10:11.799345130 +0100 +@@ -16,23 +16,23 @@ + @test -d $(DESTDIR)$(bindir) || $(MKINSTALLDIRS) $(DESTDIR)$(bindir) + @test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir) + @test -d $(DESTDIR)$(libexecdir) || $(MKINSTALLDIRS) $(DESTDIR)$(libexecdir) +- @cp -p $(top_builddir)/server/httpd.exp $(DESTDIR)$(libexecdir) ++ @test -d $(DESTDIR)$(sysconfdir) || $(MKINSTALLDIRS) $(DESTDIR)$(sysconfdir) ++ @test -d $(DESTDIR)$(installbuilddir) || $(MKINSTALLDIRS) $(DESTDIR)$(installbuilddir) ++ @install -m644 $(top_builddir)/server/httpd.exp $(DESTDIR)$(libexecdir) + @for i in apxs dbmmanage; do \ + if test -f "$(builddir)/$$i"; then \ +- cp -p $$i $(DESTDIR)$(bindir); \ +- chmod 755 $(DESTDIR)$(bindir)/$$i; \ ++ install -m755 $$i $(DESTDIR)$(bindir);\ + fi ; \ + done + @for i in apachectl; do \ + if test -f "$(builddir)/$$i"; then \ +- cp -p $$i $(DESTDIR)$(sbindir); \ +- chmod 755 $(DESTDIR)$(sbindir)/$$i; \ ++ install -m755 $$i $(DESTDIR)$(sbindir);\ + fi ; \ + done + @if test -f "$(builddir)/envvars-std"; then \ +- cp -p envvars-std $(DESTDIR)$(sbindir); \ +- if test ! -f $(DESTDIR)$(sbindir)/envvars; then \ +- cp -p envvars-std $(DESTDIR)$(sbindir)/envvars ; \ ++ install -m644 envvars-std $(DESTDIR)$(installbuilddir); \ ++ if test ! -f $(DESTDIR)$(sysconfdir)/envvars; then \ ++ install -m644 envvars-std $(DESTDIR)$(sysconfdir)/envvars; \ + fi ; \ + fi +