[packages/pure-ftpd.git] / pure-ftpd-apparmor.patch

diff -urN pure-ftpd-1.0.36.org/config.h.in pure-ftpd-1.0.36/config.h.in
--- pure-ftpd-1.0.36.org/config.h.in	2012-03-21 21:18:18.000000000 +0100
+++ pure-ftpd-1.0.36/config.h.in	2013-11-04 13:58:22.321640365 +0100
@@ -3,6 +3,9 @@
 /* Define if building universal (internal helper macro) */
 #undef AC_APPLE_UNIVERSAL_BUILD
 
+/* with apparmor */
+#undef APPARMOR
+
 /* display only boring messages */
 #undef BORING_MODE
 
diff -urN pure-ftpd-1.0.36.org/configure.ac pure-ftpd-1.0.36/configure.ac
--- pure-ftpd-1.0.36.org/configure.ac	2012-03-16 06:28:21.000000000 +0100
+++ pure-ftpd-1.0.36/configure.ac	2013-11-04 13:58:22.321640365 +0100
@@ -770,6 +770,13 @@
     AC_DEFINE(QUOTAS,,[with quotas])
   fi ])
 
+AC_ARG_WITH(apparmor,
+[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
+[ if test "x$withval" = "xyes" ; then
+    AC_DEFINE(APPARMOR,,[with apparmor])
+    LIBS="$LIBS -lapparmor"
+  fi ])
+
 AC_ARG_WITH(ftpwho,
 [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
 [ if test "x$withval" = "xyes" ; then
diff -urN pure-ftpd-1.0.36.org/pureftpd-mysql.conf pure-ftpd-1.0.36/pureftpd-mysql.conf
--- pure-ftpd-1.0.36.org/pureftpd-mysql.conf	2013-11-04 12:08:09.315380763 +0100
+++ pure-ftpd-1.0.36/pureftpd-mysql.conf	2013-11-04 13:58:22.324973813 +0100
@@ -114,6 +114,9 @@
 # MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User='\L'
 # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
 
+# Optional : Apparmor Hat to use.
+# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
+
 # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
 # 1) You know what you are doing.
 # 2) Real and virtual users match.
diff -urN pure-ftpd-1.0.36.org/src/ftpd.c pure-ftpd-1.0.36/src/ftpd.c
--- pure-ftpd-1.0.36.org/src/ftpd.c	2013-11-04 12:08:09.322047659 +0100
+++ pure-ftpd-1.0.36/src/ftpd.c	2013-11-04 15:40:16.000000000 +0100
@@ -18,6 +18,9 @@
 #ifdef QUOTAS
 # include "quotas.h"
 #endif
+#ifdef APPARMOR
+# include <sys/apparmor.h>
+#endif
 #ifdef WITH_DIRALIASES
 # include "diraliases.h"
 #endif
@@ -1541,6 +1544,9 @@
         result.ratio_download = ratio_download;
         result.ratio_ul_changed = result.ratio_dl_changed = 0;
 #endif
+#ifdef APPARMOR
+        result.apparmor_hat = NULL;
+#endif
 #ifdef PER_USER_LIMITS
         result.per_user_max = per_user_max;
 #endif
@@ -1986,6 +1992,16 @@
 # endif
     enablesignals();
 #endif
+
+#ifdef APPARMOR
+    if (authresult.apparmor_hat != NULL) {
+        if (change_hat(authresult.apparmor_hat, zrand()) < 0)
+            die(421, LOG_ERR, MSG_CHROOT_FAILED);
+        logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
+        free(authresult.apparmor_hat);
+    }
+#endif
+
     logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
 #ifdef FTPWHO
     if (shm_data_cur != NULL) {
diff -urN pure-ftpd-1.0.36.org/src/ftpd.h pure-ftpd-1.0.36/src/ftpd.h
--- pure-ftpd-1.0.36.org/src/ftpd.h	2012-03-16 02:01:37.000000000 +0100
+++ pure-ftpd-1.0.36/src/ftpd.h	2013-11-04 15:05:10.000000000 +0100
@@ -294,6 +294,9 @@
 #ifdef PER_USER_LIMITS
     unsigned int per_user_max;
 #endif
+#ifdef APPARMOR
+    const char *apparmor_hat;
+#endif
 } AuthResult;
 
 typedef struct PureFileInfo_ {
diff -urN pure-ftpd-1.0.36.org/src/log_extauth.c pure-ftpd-1.0.36/src/log_extauth.c
--- pure-ftpd-1.0.36.org/src/log_extauth.c	2012-03-21 21:16:26.000000000 +0100
+++ pure-ftpd-1.0.36/src/log_extauth.c	2013-11-04 15:05:10.000000000 +0100
@@ -215,6 +215,9 @@
     result->uid = (uid_t) 0;
     result->gid = (gid_t) 0;
     result->dir = NULL;
+#ifdef APPARMOR_HAT
+    result->apparmor_hat = NULL;
+#endif
     result->slow_tilde_expansion = 1;    
     auth_finalized = 0;
     if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
diff -urN pure-ftpd-1.0.36.org/src/log_ldap.c pure-ftpd-1.0.36/src/log_ldap.c
--- pure-ftpd-1.0.36.org/src/log_ldap.c	2012-03-16 02:01:37.000000000 +0100
+++ pure-ftpd-1.0.36/src/log_ldap.c	2013-11-04 15:05:10.000000000 +0100
@@ -557,6 +557,9 @@
     if ((result->dir = strdup(pw->pw_dir)) == NULL) {
         return;
     }
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     result->slow_tilde_expansion = 1;
     result->auth_ok = 1;            /* User found, authentication ok */
 }
diff -urN pure-ftpd-1.0.36.org/src/log_mysql.c pure-ftpd-1.0.36/src/log_mysql.c
--- pure-ftpd-1.0.36.org/src/log_mysql.c	2013-11-04 12:08:09.315380763 +0100
+++ pure-ftpd-1.0.36/src/log_mysql.c	2013-11-04 15:05:10.000000000 +0100
@@ -317,6 +317,9 @@
     const char *bandwidth_ul = NULL;   /* stored bandwidth UL */
     const char *bandwidth_dl = NULL;   /* stored bandwidth DL */
 #endif
+#ifdef APPARMOR
+    const char *apparmor_hat = NULL;    /* Apparmor hat name */
+#endif
     char *escaped_account = NULL;
     char *escaped_ip = NULL;
     char *escaped_port = NULL;
@@ -595,6 +598,15 @@
         }
     }
 #endif
+#ifdef APPARMOR
+    if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
+                                          escaped_account, escaped_ip,
+                                          escaped_port, escaped_peer_ip,
+                                          escaped_decimal_ip)) != NULL) {
+        result->apparmor_hat = apparmor_hat;
+        apparmor_hat = NULL;
+    }
+#endif
     result->slow_tilde_expansion = !tildexp;
     result->auth_ok = -result->auth_ok;
     bye:
@@ -624,6 +636,9 @@
     free((void *) bandwidth_ul);
     free((void *) bandwidth_dl);
 #endif    
+#ifdef APPARMOR
+    free((void *) apparmor_hat);
+#endif
     free((void *) escaped_account);
     free((void *) escaped_ip);
     free((void *) escaped_port);
@@ -692,6 +707,9 @@
     ZFREE(sqlreq_getbandwidth_ul);
     ZFREE(sqlreq_getbandwidth_dl);    
 #endif
+#ifdef APPARMOR
+    ZFREE(sqlreq_getapparmor_hat);
+#endif
 }
 #else
 extern signed char v6ready;
diff -urN pure-ftpd-1.0.36.org/src/log_mysql_p.h pure-ftpd-1.0.36/src/log_mysql_p.h
--- pure-ftpd-1.0.36.org/src/log_mysql_p.h	2011-04-17 17:24:58.000000000 +0200
+++ pure-ftpd-1.0.36/src/log_mysql_p.h	2013-11-04 15:05:10.000000000 +0100
@@ -38,6 +38,9 @@
 static char *sqlreq_getbandwidth_ul;
 static char *sqlreq_getbandwidth_dl;
 #endif
+#ifdef APPARMOR
+static char *sqlreq_getapparmor_hat;
+#endif
 static signed char server_down;
 
 static ConfigKeywords mysql_config_keywords[] = {
@@ -68,6 +71,9 @@
     { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
     { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
 #endif
+#ifdef APPARMOR
+    { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
+#endif
     { NULL, NULL }
 };
 
diff -urN pure-ftpd-1.0.36.org/src/log_pam.c pure-ftpd-1.0.36/src/log_pam.c
--- pure-ftpd-1.0.36.org/src/log_pam.c	2011-04-17 17:05:54.000000000 +0200
+++ pure-ftpd-1.0.36/src/log_pam.c	2013-11-04 15:05:10.000000000 +0100
@@ -202,6 +202,9 @@
     (void) pam_close_session(pamh, PAM_SILENT);   /* It doesn't matter if it fails */
 #endif
     result->dir = dir;
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     dir = NULL;
     result->uid = pw.pw_uid;
     result->gid = pw.pw_gid;
diff -urN pure-ftpd-1.0.36.org/src/log_pgsql.c pure-ftpd-1.0.36/src/log_pgsql.c
--- pure-ftpd-1.0.36.org/src/log_pgsql.c	2013-11-04 12:08:09.318714211 +0100
+++ pure-ftpd-1.0.36/src/log_pgsql.c	2013-11-04 15:05:10.000000000 +0100
@@ -397,6 +397,9 @@
     const char *bandwidth_ul = NULL;   /* stored bandwidth UL */
     const char *bandwidth_dl = NULL;   /* stored bandwidth DL */
 #endif
+#ifdef APPARMOR
+    const char *apparmor_hat = NULL;   /* Apparmor hat name */
+#endif
     char *escaped_account = NULL;
     char *escaped_ip = NULL;
     char *escaped_port = NULL;
@@ -639,6 +642,16 @@
         }
     }
 #endif    
+#ifdef APPARMOR
+    if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
+                                          escaped_account, escaped_ip,
+                                          escaped_port, escaped_peer_ip,
+                                          escaped_decimal_ip)) != NULL) {
+        result->apparmor_hat = apparmor_hat;
+        apparmor_hat = NULL;
+    }
+#endif
+
     result->slow_tilde_expansion = 1;
     result->auth_ok = -result->auth_ok;
     bye:
@@ -668,7 +681,10 @@
 #ifdef THROTTLING
     free((void *) bandwidth_ul);
     free((void *) bandwidth_dl);
-#endif    
+#endif  
+#ifdef APPARMOR
+    free((void *) apparmor_hat);
+#endif  
     free((void *) escaped_account);
     free((void *) escaped_ip);
     free((void *) escaped_port);
@@ -723,6 +739,9 @@
     ZFREE(sqlreq_getbandwidth_ul);
     ZFREE(sqlreq_getbandwidth_dl);    
 #endif
+#ifdef APPARMOR
+    ZFREE(sqlreq_getapparmor_hat);
+#endif
 }
 #else
 extern signed char v6ready;
diff -urN pure-ftpd-1.0.36.org/src/log_pgsql_p.h pure-ftpd-1.0.36/src/log_pgsql_p.h
--- pure-ftpd-1.0.36.org/src/log_pgsql_p.h	2011-04-17 17:05:54.000000000 +0200
+++ pure-ftpd-1.0.36/src/log_pgsql_p.h	2013-11-04 15:05:10.000000000 +0100
@@ -28,6 +28,9 @@
 static char *sqlreq_getbandwidth_ul;
 static char *sqlreq_getbandwidth_dl;
 #endif
+#ifdef APPARMOR
+static char *sqlreq_getapparmor_hat;
+#endif
 static signed char server_down;
 
 static ConfigKeywords pgsql_config_keywords[] = {
@@ -55,6 +58,9 @@
     { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
     { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
 #endif
+#ifdef APPARMOR
+    { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
+#endif
     { NULL, NULL }
 };
 
diff -urN pure-ftpd-1.0.36.org/src/log_puredb.c pure-ftpd-1.0.36/src/log_puredb.c
--- pure-ftpd-1.0.36.org/src/log_puredb.c	2012-03-16 02:01:37.000000000 +0100
+++ pure-ftpd-1.0.36/src/log_puredb.c	2013-11-04 15:05:10.000000000 +0100
@@ -305,6 +305,9 @@
         result->user_quota_size = strtoull(line, NULL, 10);
     }
 #endif
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) {   /* allowed local ip */
         return 0;
     }
diff -urN pure-ftpd-1.0.36.org/src/log_unix.c pure-ftpd-1.0.36/src/log_unix.c
--- pure-ftpd-1.0.36.org/src/log_unix.c	2011-04-17 17:05:54.000000000 +0200
+++ pure-ftpd-1.0.36/src/log_unix.c	2013-11-04 15:05:10.000000000 +0100
@@ -80,6 +80,9 @@
     result->uid = pw.pw_uid;
     result->gid = pw.pw_gid;
     result->dir = dir;
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     result->slow_tilde_expansion = 0;
     result->auth_ok = -result->auth_ok;
     return;
diff -urN pure-ftpd-1.0.36.org/src/Makefile.am pure-ftpd-1.0.36/src/Makefile.am
--- pure-ftpd-1.0.36.org/src/Makefile.am	2012-03-16 02:01:37.000000000 +0100
+++ pure-ftpd-1.0.36/src/Makefile.am	2013-11-04 13:58:22.324973813 +0100
@@ -133,6 +133,7 @@
 pure_ftpd_LDADD = \
 	libpureftpd.a \
 	../puredb/src/libpuredb_read.a \
+	-lapparmor \
 	@LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
 
 pure_ftpd_SOURCES = \
diff -urN pure-ftpd-1.0.36.org/src/messages_en.h pure-ftpd-1.0.36/src/messages_en.h
--- pure-ftpd-1.0.36.org/src/messages_en.h	2012-03-16 02:01:37.000000000 +0100
+++ pure-ftpd-1.0.36/src/messages_en.h	2013-11-04 15:05:10.000000000 +0100
@@ -57,6 +57,7 @@
 #define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
 #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
 #define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
+#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
 #define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
 #define MSG_PATH_TOO_LONG "Path too long"
 #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."
Commit	Line	Data
4b1c459f AM	1	diff -urN pure-ftpd-1.0.36.org/config.h.in pure-ftpd-1.0.36/config.h.in
	2	--- pure-ftpd-1.0.36.org/config.h.in 2012-03-21 21:18:18.000000000 +0100
	3	+++ pure-ftpd-1.0.36/config.h.in 2013-11-04 13:58:22.321640365 +0100
	4	@@ -3,6 +3,9 @@
	5	/* Define if building universal (internal helper macro) */
	6	#undef AC_APPLE_UNIVERSAL_BUILD
	7
	8	+/* with apparmor */
	9	+#undef APPARMOR
	10	+
	11	/* display only boring messages */
	12	#undef BORING_MODE
	13
	14	diff -urN pure-ftpd-1.0.36.org/configure.ac pure-ftpd-1.0.36/configure.ac
	15	--- pure-ftpd-1.0.36.org/configure.ac 2012-03-16 06:28:21.000000000 +0100
	16	+++ pure-ftpd-1.0.36/configure.ac 2013-11-04 13:58:22.321640365 +0100
	17	@@ -770,6 +770,13 @@
	18	AC_DEFINE(QUOTAS,,[with quotas])
	19	fi ])
	20
	21	+AC_ARG_WITH(apparmor,
	22	+[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
	23	+[ if test "x$withval" = "xyes" ; then
	24	+ AC_DEFINE(APPARMOR,,[with apparmor])
	25	+ LIBS="$LIBS -lapparmor"
	26	+ fi ])
	27	+
	28	AC_ARG_WITH(ftpwho,
	29	[AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
	30	[ if test "x$withval" = "xyes" ; then
	31	diff -urN pure-ftpd-1.0.36.org/pureftpd-mysql.conf pure-ftpd-1.0.36/pureftpd-mysql.conf
	32	--- pure-ftpd-1.0.36.org/pureftpd-mysql.conf 2013-11-04 12:08:09.315380763 +0100
	33	+++ pure-ftpd-1.0.36/pureftpd-mysql.conf 2013-11-04 13:58:22.324973813 +0100
	34	@@ -114,6 +114,9 @@
	35	# MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User='\L'
	36	# MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
	37
	38	+# Optional : Apparmor Hat to use.
	39	+# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
	40	+
	41	# Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
	42	# 1) You know what you are doing.
	43	# 2) Real and virtual users match.
	44	diff -urN pure-ftpd-1.0.36.org/src/ftpd.c pure-ftpd-1.0.36/src/ftpd.c
	45	--- pure-ftpd-1.0.36.org/src/ftpd.c 2013-11-04 12:08:09.322047659 +0100
	46	+++ pure-ftpd-1.0.36/src/ftpd.c 2013-11-04 15:40:16.000000000 +0100
	47	@@ -18,6 +18,9 @@
	48	#ifdef QUOTAS
	49	# include "quotas.h"
	50	#endif
	51	+#ifdef APPARMOR
	52	+# include <sys/apparmor.h>
	53	+#endif
	54	#ifdef WITH_DIRALIASES
	55	# include "diraliases.h"
	56	#endif
	57	@@ -1541,6 +1544,9 @@
	58	result.ratio_download = ratio_download;
	59	result.ratio_ul_changed = result.ratio_dl_changed = 0;
	60	#endif
	61	+#ifdef APPARMOR
	62	+ result.apparmor_hat = NULL;
	63	+#endif
	64	#ifdef PER_USER_LIMITS
65	result.per_user_max = per_user_max;
66	#endif
67	@@ -1986,6 +1992,16 @@
68	# endif
69	enablesignals();
70	#endif
71	+
72	+#ifdef APPARMOR
73	+ if (authresult.apparmor_hat != NULL) {
74	+ if (change_hat(authresult.apparmor_hat, zrand()) < 0)
75	+ die(421, LOG_ERR, MSG_CHROOT_FAILED);
76	+ logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
77	+ free(authresult.apparmor_hat);
78	+ }
79	+#endif
80	+
81	logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
82	#ifdef FTPWHO
83	if (shm_data_cur != NULL) {
84	diff -urN pure-ftpd-1.0.36.org/src/ftpd.h pure-ftpd-1.0.36/src/ftpd.h
85	--- pure-ftpd-1.0.36.org/src/ftpd.h 2012-03-16 02:01:37.000000000 +0100
86	+++ pure-ftpd-1.0.36/src/ftpd.h 2013-11-04 15:05:10.000000000 +0100
87	@@ -294,6 +294,9 @@
88	#ifdef PER_USER_LIMITS
89	unsigned int per_user_max;
90	#endif
91	+#ifdef APPARMOR
92	+ const char *apparmor_hat;
93	+#endif
94	} AuthResult;
95
96	typedef struct PureFileInfo_ {
97	diff -urN pure-ftpd-1.0.36.org/src/log_extauth.c pure-ftpd-1.0.36/src/log_extauth.c
98	--- pure-ftpd-1.0.36.org/src/log_extauth.c 2012-03-21 21:16:26.000000000 +0100
99	+++ pure-ftpd-1.0.36/src/log_extauth.c 2013-11-04 15:05:10.000000000 +0100
100	@@ -215,6 +215,9 @@
101	result->uid = (uid_t) 0;
102	result->gid = (gid_t) 0;
103	result->dir = NULL;
104	+#ifdef APPARMOR_HAT
105	+ result->apparmor_hat = NULL;
106	+#endif
107	result->slow_tilde_expansion = 1;
108	auth_finalized = 0;
109	if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
110	diff -urN pure-ftpd-1.0.36.org/src/log_ldap.c pure-ftpd-1.0.36/src/log_ldap.c
111	--- pure-ftpd-1.0.36.org/src/log_ldap.c 2012-03-16 02:01:37.000000000 +0100
112	+++ pure-ftpd-1.0.36/src/log_ldap.c 2013-11-04 15:05:10.000000000 +0100
113	@@ -557,6 +557,9 @@
114	if ((result->dir = strdup(pw->pw_dir)) == NULL) {
115	return;
116	}
117	+#ifdef APPARMOR
118	+ result->apparmor_hat = NULL;
119	+#endif
120	result->slow_tilde_expansion = 1;
121	result->auth_ok = 1; /* User found, authentication ok */
122	}
123	diff -urN pure-ftpd-1.0.36.org/src/log_mysql.c pure-ftpd-1.0.36/src/log_mysql.c
124	--- pure-ftpd-1.0.36.org/src/log_mysql.c 2013-11-04 12:08:09.315380763 +0100
125	+++ pure-ftpd-1.0.36/src/log_mysql.c 2013-11-04 15:05:10.000000000 +0100
126	@@ -317,6 +317,9 @@
127	const char bandwidth_ul = NULL; / stored bandwidth UL */
128	const char bandwidth_dl = NULL; / stored bandwidth DL */
129	#endif
130	+#ifdef APPARMOR
131	+ const char apparmor_hat = NULL; / Apparmor hat name */
132	+#endif
133	char *escaped_account = NULL;
134	char *escaped_ip = NULL;
135	char *escaped_port = NULL;
136	@@ -595,6 +598,15 @@
137	}
138	}
139	#endif
140	+#ifdef APPARMOR
141	+ if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
142	+ escaped_account, escaped_ip,
143	+ escaped_port, escaped_peer_ip,
144	+ escaped_decimal_ip)) != NULL) {
145	+ result->apparmor_hat = apparmor_hat;
146	+ apparmor_hat = NULL;
147	+ }
148	+#endif
149	result->slow_tilde_expansion = !tildexp;
150	result->auth_ok = -result->auth_ok;
151	bye:
152	@@ -624,6 +636,9 @@
153	free((void *) bandwidth_ul);
154	free((void *) bandwidth_dl);
155	#endif
156	+#ifdef APPARMOR
157	+ free((void *) apparmor_hat);
158	+#endif
159	free((void *) escaped_account);
160	free((void *) escaped_ip);
161	free((void *) escaped_port);
162	@@ -692,6 +707,9 @@
163	ZFREE(sqlreq_getbandwidth_ul);
164	ZFREE(sqlreq_getbandwidth_dl);
165	#endif
166	+#ifdef APPARMOR
167	+ ZFREE(sqlreq_getapparmor_hat);
168	+#endif
169	}
170	#else
171	extern signed char v6ready;
172	diff -urN pure-ftpd-1.0.36.org/src/log_mysql_p.h pure-ftpd-1.0.36/src/log_mysql_p.h
173	--- pure-ftpd-1.0.36.org/src/log_mysql_p.h 2011-04-17 17:24:58.000000000 +0200
174	+++ pure-ftpd-1.0.36/src/log_mysql_p.h 2013-11-04 15:05:10.000000000 +0100
175	@@ -38,6 +38,9 @@
176	static char *sqlreq_getbandwidth_ul;
177	static char *sqlreq_getbandwidth_dl;
178	#endif
179	+#ifdef APPARMOR
180	+static char *sqlreq_getapparmor_hat;
181	+#endif
182	static signed char server_down;
183
184	static ConfigKeywords mysql_config_keywords[] = {
185	@@ -68,6 +71,9 @@
186	{ "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
187	{ "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
188	#endif
189	+#ifdef APPARMOR
190	+ { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
191	+#endif
192	{ NULL, NULL }
193	};
194
195	diff -urN pure-ftpd-1.0.36.org/src/log_pam.c pure-ftpd-1.0.36/src/log_pam.c
196	--- pure-ftpd-1.0.36.org/src/log_pam.c 2011-04-17 17:05:54.000000000 +0200
197	+++ pure-ftpd-1.0.36/src/log_pam.c 2013-11-04 15:05:10.000000000 +0100
198	@@ -202,6 +202,9 @@
199	(void) pam_close_session(pamh, PAM_SILENT); /* It doesn't matter if it fails */
200	#endif
201	result->dir = dir;
202	+#ifdef APPARMOR
203	+ result->apparmor_hat = NULL;
204	+#endif
205	dir = NULL;
206	result->uid = pw.pw_uid;
207	result->gid = pw.pw_gid;
208	diff -urN pure-ftpd-1.0.36.org/src/log_pgsql.c pure-ftpd-1.0.36/src/log_pgsql.c
209	--- pure-ftpd-1.0.36.org/src/log_pgsql.c 2013-11-04 12:08:09.318714211 +0100
210	+++ pure-ftpd-1.0.36/src/log_pgsql.c 2013-11-04 15:05:10.000000000 +0100
211	@@ -397,6 +397,9 @@
212	const char bandwidth_ul = NULL; / stored bandwidth UL */
213	const char bandwidth_dl = NULL; / stored bandwidth DL */
214	#endif
215	+#ifdef APPARMOR
216	+ const char apparmor_hat = NULL; / Apparmor hat name */
217	+#endif
218	char *escaped_account = NULL;
219	char *escaped_ip = NULL;
220	char *escaped_port = NULL;
221	@@ -639,6 +642,16 @@
222	}
223	}
224	#endif
225	+#ifdef APPARMOR
226	+ if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
227	+ escaped_account, escaped_ip,
228	+ escaped_port, escaped_peer_ip,
229	+ escaped_decimal_ip)) != NULL) {
230	+ result->apparmor_hat = apparmor_hat;
231	+ apparmor_hat = NULL;
232	+ }
233	+#endif
234	+
235	result->slow_tilde_expansion = 1;
236	result->auth_ok = -result->auth_ok;
237	bye:
238	@@ -668,7 +681,10 @@
239	#ifdef THROTTLING
240	free((void *) bandwidth_ul);
241	free((void *) bandwidth_dl);
242	-#endif
243	+#endif
244	+#ifdef APPARMOR
245	+ free((void *) apparmor_hat);
246	+#endif
247	free((void *) escaped_account);
248	free((void *) escaped_ip);
249	free((void *) escaped_port);
250	@@ -723,6 +739,9 @@
251	ZFREE(sqlreq_getbandwidth_ul);
252	ZFREE(sqlreq_getbandwidth_dl);
253	#endif
254	+#ifdef APPARMOR
255	+ ZFREE(sqlreq_getapparmor_hat);
256	+#endif
257	}
258	#else
259	extern signed char v6ready;
260	diff -urN pure-ftpd-1.0.36.org/src/log_pgsql_p.h pure-ftpd-1.0.36/src/log_pgsql_p.h
261	--- pure-ftpd-1.0.36.org/src/log_pgsql_p.h 2011-04-17 17:05:54.000000000 +0200
262	+++ pure-ftpd-1.0.36/src/log_pgsql_p.h 2013-11-04 15:05:10.000000000 +0100
263	@@ -28,6 +28,9 @@
264	static char *sqlreq_getbandwidth_ul;
265	static char *sqlreq_getbandwidth_dl;
266	#endif
267	+#ifdef APPARMOR
268	+static char *sqlreq_getapparmor_hat;
269	+#endif
270	static signed char server_down;
271
272	static ConfigKeywords pgsql_config_keywords[] = {
273	@@ -55,6 +58,9 @@
274	{ "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
275	{ "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
276	#endif
277	+#ifdef APPARMOR
278	+ { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
279	+#endif
280	{ NULL, NULL }
281	};
282
283	diff -urN pure-ftpd-1.0.36.org/src/log_puredb.c pure-ftpd-1.0.36/src/log_puredb.c
284	--- pure-ftpd-1.0.36.org/src/log_puredb.c 2012-03-16 02:01:37.000000000 +0100
285	+++ pure-ftpd-1.0.36/src/log_puredb.c 2013-11-04 15:05:10.000000000 +0100
286	@@ -305,6 +305,9 @@
287	result->user_quota_size = strtoull(line, NULL, 10);
288	}
289	#endif
290	+#ifdef APPARMOR
291	+ result->apparmor_hat = NULL;
292	+#endif
293	if ((line = my_strtok2(NULL, PW_LINE_SEP)) == NULL) { / allowed local ip */
294	return 0;
295	}
296	diff -urN pure-ftpd-1.0.36.org/src/log_unix.c pure-ftpd-1.0.36/src/log_unix.c
297	--- pure-ftpd-1.0.36.org/src/log_unix.c 2011-04-17 17:05:54.000000000 +0200
298	+++ pure-ftpd-1.0.36/src/log_unix.c 2013-11-04 15:05:10.000000000 +0100
299	@@ -80,6 +80,9 @@
300	result->uid = pw.pw_uid;
301	result->gid = pw.pw_gid;
302	result->dir = dir;
303	+#ifdef APPARMOR
304	+ result->apparmor_hat = NULL;
305	+#endif
306	result->slow_tilde_expansion = 0;
307	result->auth_ok = -result->auth_ok;
308	return;
309	diff -urN pure-ftpd-1.0.36.org/src/Makefile.am pure-ftpd-1.0.36/src/Makefile.am
310	--- pure-ftpd-1.0.36.org/src/Makefile.am 2012-03-16 02:01:37.000000000 +0100
311	+++ pure-ftpd-1.0.36/src/Makefile.am 2013-11-04 13:58:22.324973813 +0100
312	@@ -133,6 +133,7 @@
313	pure_ftpd_LDADD = \
314	libpureftpd.a \
315	../puredb/src/libpuredb_read.a \
316	+ -lapparmor \
317	@LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
318
319	pure_ftpd_SOURCES = \
320	diff -urN pure-ftpd-1.0.36.org/src/messages_en.h pure-ftpd-1.0.36/src/messages_en.h
321	--- pure-ftpd-1.0.36.org/src/messages_en.h 2012-03-16 02:01:37.000000000 +0100
322	+++ pure-ftpd-1.0.36/src/messages_en.h 2013-11-04 15:05:10.000000000 +0100
323	@@ -57,6 +57,7 @@
324	#define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
325	#define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
326	#define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
327	+#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
328	#define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
329	#define MSG_PATH_TOO_LONG "Path too long"
330	#define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."