1 | diff -urN pure-ftpd-1.0.36.org/config.h.in pure-ftpd-1.0.36/config.h.in |
2 | --- pure-ftpd-1.0.36.org/config.h.in 2012-03-21 21:18:18.000000000 +0100 | |
3 | +++ pure-ftpd-1.0.36/config.h.in 2013-11-04 13:58:22.321640365 +0100 | |
4 | @@ -3,6 +3,9 @@ | |
5 | /* Define if building universal (internal helper macro) */ | |
6 | #undef AC_APPLE_UNIVERSAL_BUILD | |
7 | ||
8 | +/* with apparmor */ | |
9 | +#undef APPARMOR | |
10 | + | |
11 | /* display only boring messages */ | |
12 | #undef BORING_MODE | |
13 | ||
14 | diff -urN pure-ftpd-1.0.36.org/configure.ac pure-ftpd-1.0.36/configure.ac | |
15 | --- pure-ftpd-1.0.36.org/configure.ac 2012-03-16 06:28:21.000000000 +0100 | |
16 | +++ pure-ftpd-1.0.36/configure.ac 2013-11-04 13:58:22.321640365 +0100 | |
17 | @@ -770,6 +770,13 @@ | |
18 | AC_DEFINE(QUOTAS,,[with quotas]) | |
19 | fi ]) | |
20 | ||
21 | +AC_ARG_WITH(apparmor, | |
22 | +[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)], | |
23 | +[ if test "x$withval" = "xyes" ; then | |
24 | + AC_DEFINE(APPARMOR,,[with apparmor]) | |
25 | + LIBS="$LIBS -lapparmor" | |
26 | + fi ]) | |
27 | + | |
28 | AC_ARG_WITH(ftpwho, | |
29 | [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)], | |
30 | [ if test "x$withval" = "xyes" ; then | |
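Review bot: The help string for the new option reads `--with-apparmorquotas` although the option defined by `AC_ARG_WITH(apparmor, ...)` is `--with-apparmor`; change the `AS_HELP_STRING` to `--with-apparmor,Support changing Apparmor Hats`. The branch also appends `-lapparmor` to `LIBS` without probing for the library, so a build configured with the option on a host that lacks libapparmor only fails at link time; an `AC_CHECK_LIB(apparmor, aa_change_hat, ...)` inside the branch would report the problem at configure time and can add the library to `LIBS` itself. The same library is also hard-coded in the `src/Makefile.am` hunk, so it is currently linked twice when the option is on.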
31 | diff -urN pure-ftpd-1.0.36.org/pureftpd-mysql.conf pure-ftpd-1.0.36/pureftpd-mysql.conf | |
32 | --- pure-ftpd-1.0.36.org/pureftpd-mysql.conf 2013-11-04 12:08:09.315380763 +0100 | |
33 | +++ pure-ftpd-1.0.36/pureftpd-mysql.conf 2013-11-04 13:58:22.324973813 +0100 | |
34 | @@ -114,6 +114,9 @@ | |
35 | # MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User='\L' | |
36 | # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L' | |
37 | ||
38 | +# Optional : Apparmor Hat to use. | |
39 | +# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L' | |
40 | + | |
41 | # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS : | |
42 | # 1) You know what you are doing. | |
43 | # 2) Real and virtual users match. | |
44 | diff -urN pure-ftpd-1.0.36.org/src/ftpd.c pure-ftpd-1.0.36/src/ftpd.c | |
45 | --- pure-ftpd-1.0.36.org/src/ftpd.c 2013-11-04 12:08:09.322047659 +0100 | |
46 | +++ pure-ftpd-1.0.36/src/ftpd.c 2013-11-04 15:40:16.000000000 +0100 | |
47 | @@ -18,6 +18,9 @@ | |
48 | #ifdef QUOTAS | |
49 | # include "quotas.h" | |
50 | #endif | |
51 | +#ifdef APPARMOR | |
52 | +# include <sys/apparmor.h> | |
53 | +#endif | |
54 | #ifdef WITH_DIRALIASES | |
55 | # include "diraliases.h" | |
56 | #endif | |
57 | @@ -1541,6 +1544,9 @@ | |
58 | result.ratio_download = ratio_download; | |
59 | result.ratio_ul_changed = result.ratio_dl_changed = 0; | |
60 | #endif | |
61 | +#ifdef APPARMOR | |
62 | + result.apparmor_hat = NULL; | |
63 | +#endif | |
64 | #ifdef PER_USER_LIMITS | |
65 | result.per_user_max = per_user_max; | |
66 | #endif | |
67 | @@ -1986,6 +1992,16 @@ | |
68 | # endif | |
69 | enablesignals(); | |
70 | #endif | |
71 | + | |
72 | +#ifdef APPARMOR | |
73 | + if (authresult.apparmor_hat != NULL) { | |
74 | + if (change_hat(authresult.apparmor_hat, zrand()) < 0) | |
75 | + die(421, LOG_ERR, MSG_CHROOT_FAILED); | |
76 | + logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat); | |
77 | + free(authresult.apparmor_hat); | |
78 | + } | |
79 | +#endif | |
80 | + | |
81 | logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account); | |
82 | #ifdef FTPWHO | |
83 | if (shm_data_cur != NULL) { | |
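Review bot: In the third hunk the token returned by `zrand()` is handed to `change_hat` and then dropped, so the process can never legitimately leave the hat, yet the hat stays reversible for any code that later recovers or guesses that value; if I read the libapparmor API correctly a magic token of 0 makes the transition explicitly one-way, which is what this code wants, i.e. `if (change_hat(authresult.apparmor_hat, 0) < 0)`, and the documented entry point is `aa_change_hat` (`change_hat` is the deprecated alias in `<sys/apparmor.h>`). The failure branch reuses `MSG_CHROOT_FAILED`, so an operator investigating a missing or misspelled hat sees a chroot error in the log; a dedicated message (for example a new `MSG_APPARMOR_HAT_FAILED` that includes `strerror(errno)`) would make the fail-closed path diagnosable. `free(authresult.apparmor_hat)` discards the `const` that `ftpd.h` gives the field; the backend files write `free((void *) ...)` and this call should match. The enclosing function starts and ends outside the hunk.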
84 | diff -urN pure-ftpd-1.0.36.org/src/ftpd.h pure-ftpd-1.0.36/src/ftpd.h | |
85 | --- pure-ftpd-1.0.36.org/src/ftpd.h 2012-03-16 02:01:37.000000000 +0100 | |
86 | +++ pure-ftpd-1.0.36/src/ftpd.h 2013-11-04 15:05:10.000000000 +0100 | |
87 | @@ -294,6 +294,9 @@ | |
88 | #ifdef PER_USER_LIMITS | |
89 | unsigned int per_user_max; | |
90 | #endif | |
91 | +#ifdef APPARMOR | |
92 | + const char *apparmor_hat; | |
93 | +#endif | |
94 | } AuthResult; | |
95 | ||
96 | typedef struct PureFileInfo_ { | |
97 | diff -urN pure-ftpd-1.0.36.org/src/log_extauth.c pure-ftpd-1.0.36/src/log_extauth.c | |
98 | --- pure-ftpd-1.0.36.org/src/log_extauth.c 2012-03-21 21:16:26.000000000 +0100 | |
99 | +++ pure-ftpd-1.0.36/src/log_extauth.c 2013-11-04 15:05:10.000000000 +0100 | |
100 | @@ -215,6 +215,9 @@ | |
101 | result->uid = (uid_t) 0; | |
102 | result->gid = (gid_t) 0; | |
103 | result->dir = NULL; | |
104 | +#ifdef APPARMOR_HAT | |
105 | + result->apparmor_hat = NULL; | |
106 | +#endif | |
107 | result->slow_tilde_expansion = 1; | |
108 | auth_finalized = 0; | |
109 | if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) { | |
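Review bot: The guard reads `#ifdef APPARMOR_HAT` while every other file in this patch tests `#ifdef APPARMOR`, so this initialisation is never compiled and the extauth backend leaves `result->apparmor_hat` to whatever the caller stored before the lookup; change it to `#ifdef APPARMOR`. The second `ftpd.c` hunk does pre-set the field to NULL, so today this is probably only dead code, but the backend should not depend on that. The enclosing function continues outside the hunk.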
110 | diff -urN pure-ftpd-1.0.36.org/src/log_ldap.c pure-ftpd-1.0.36/src/log_ldap.c | |
111 | --- pure-ftpd-1.0.36.org/src/log_ldap.c 2012-03-16 02:01:37.000000000 +0100 | |
112 | +++ pure-ftpd-1.0.36/src/log_ldap.c 2013-11-04 15:05:10.000000000 +0100 | |
113 | @@ -557,6 +557,9 @@ | |
114 | if ((result->dir = strdup(pw->pw_dir)) == NULL) { | |
115 | return; | |
116 | } | |
117 | +#ifdef APPARMOR | |
118 | + result->apparmor_hat = NULL; | |
119 | +#endif | |
120 | result->slow_tilde_expansion = 1; | |
121 | result->auth_ok = 1; /* User found, authentication ok */ | |
122 | } | |
123 | diff -urN pure-ftpd-1.0.36.org/src/log_mysql.c pure-ftpd-1.0.36/src/log_mysql.c | |
124 | --- pure-ftpd-1.0.36.org/src/log_mysql.c 2013-11-04 12:08:09.315380763 +0100 | |
125 | +++ pure-ftpd-1.0.36/src/log_mysql.c 2013-11-04 15:05:10.000000000 +0100 | |
126 | @@ -317,6 +317,9 @@ | |
127 | const char *bandwidth_ul = NULL; /* stored bandwidth UL */ | |
128 | const char *bandwidth_dl = NULL; /* stored bandwidth DL */ | |
129 | #endif | |
130 | +#ifdef APPARMOR | |
131 | + const char *apparmor_hat = NULL; /* Apparmor hat name */ | |
132 | +#endif | |
133 | char *escaped_account = NULL; | |
134 | char *escaped_ip = NULL; | |
135 | char *escaped_port = NULL; | |
136 | @@ -595,6 +598,15 @@ | |
137 | } | |
138 | } | |
139 | #endif | |
140 | +#ifdef APPARMOR | |
141 | + if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat, | |
142 | + escaped_account, escaped_ip, | |
143 | + escaped_port, escaped_peer_ip, | |
144 | + escaped_decimal_ip)) != NULL) { | |
145 | + result->apparmor_hat = apparmor_hat; | |
146 | + apparmor_hat = NULL; | |
147 | + } | |
148 | +#endif | |
149 | result->slow_tilde_expansion = !tildexp; | |
150 | result->auth_ok = -result->auth_ok; | |
151 | bye: | |
152 | @@ -624,6 +636,9 @@ | |
153 | free((void *) bandwidth_ul); | |
154 | free((void *) bandwidth_dl); | |
155 | #endif | |
156 | +#ifdef APPARMOR | |
157 | + free((void *) apparmor_hat); | |
158 | +#endif | |
159 | free((void *) escaped_account); | |
160 | free((void *) escaped_ip); | |
161 | free((void *) escaped_port); | |
162 | @@ -692,6 +707,9 @@ | |
163 | ZFREE(sqlreq_getbandwidth_ul); | |
164 | ZFREE(sqlreq_getbandwidth_dl); | |
165 | #endif | |
166 | +#ifdef APPARMOR | |
167 | + ZFREE(sqlreq_getapparmor_hat); | |
168 | +#endif | |
169 | } | |
170 | #else | |
171 | extern signed char v6ready; | |
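Review bot: The hat lookup in the second hunk fails open: whenever `pw_mysql_getquery` yields NULL (an unset `MYSQLGetApparmorHat`, a query error, an empty or NULL column and a server outage presumably all land here) the login proceeds without any hat and nothing is logged, so a broken query silently removes the confinement the administrator configured. Because the hat is an access-control decision rather than a tuning value like bandwidth, consider logging when `sqlreq_getapparmor_hat` is set but the lookup returns nothing, and stating on the conf keyword that an empty result means "no hat". The matching hunk in `log_pgsql.c` has the same behaviour. The enclosing function starts and ends outside the hunk.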
172 | diff -urN pure-ftpd-1.0.36.org/src/log_mysql_p.h pure-ftpd-1.0.36/src/log_mysql_p.h | |
173 | --- pure-ftpd-1.0.36.org/src/log_mysql_p.h 2011-04-17 17:24:58.000000000 +0200 | |
174 | +++ pure-ftpd-1.0.36/src/log_mysql_p.h 2013-11-04 15:05:10.000000000 +0100 | |
175 | @@ -38,6 +38,9 @@ | |
176 | static char *sqlreq_getbandwidth_ul; | |
177 | static char *sqlreq_getbandwidth_dl; | |
178 | #endif | |
179 | +#ifdef APPARMOR | |
180 | +static char *sqlreq_getapparmor_hat; | |
181 | +#endif | |
182 | static signed char server_down; | |
183 | ||
184 | static ConfigKeywords mysql_config_keywords[] = { | |
185 | @@ -68,6 +71,9 @@ | |
186 | { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul }, | |
187 | { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl }, | |
188 | #endif | |
189 | +#ifdef APPARMOR | |
190 | + { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat }, | |
191 | +#endif | |
192 | { NULL, NULL } | |
193 | }; | |
194 | ||
195 | diff -urN pure-ftpd-1.0.36.org/src/log_pam.c pure-ftpd-1.0.36/src/log_pam.c | |
196 | --- pure-ftpd-1.0.36.org/src/log_pam.c 2011-04-17 17:05:54.000000000 +0200 | |
197 | +++ pure-ftpd-1.0.36/src/log_pam.c 2013-11-04 15:05:10.000000000 +0100 | |
198 | @@ -202,6 +202,9 @@ | |
199 | (void) pam_close_session(pamh, PAM_SILENT); /* It doesn't matter if it fails */ | |
200 | #endif | |
201 | result->dir = dir; | |
202 | +#ifdef APPARMOR | |
203 | + result->apparmor_hat = NULL; | |
204 | +#endif | |
205 | dir = NULL; | |
206 | result->uid = pw.pw_uid; | |
207 | result->gid = pw.pw_gid; | |
208 | diff -urN pure-ftpd-1.0.36.org/src/log_pgsql.c pure-ftpd-1.0.36/src/log_pgsql.c | |
209 | --- pure-ftpd-1.0.36.org/src/log_pgsql.c 2013-11-04 12:08:09.318714211 +0100 | |
210 | +++ pure-ftpd-1.0.36/src/log_pgsql.c 2013-11-04 15:05:10.000000000 +0100 | |
211 | @@ -397,6 +397,9 @@ | |
212 | const char *bandwidth_ul = NULL; /* stored bandwidth UL */ | |
213 | const char *bandwidth_dl = NULL; /* stored bandwidth DL */ | |
214 | #endif | |
215 | +#ifdef APPARMOR | |
216 | + const char *apparmor_hat = NULL; /* Apparmor hat name */ | |
217 | +#endif | |
218 | char *escaped_account = NULL; | |
219 | char *escaped_ip = NULL; | |
220 | char *escaped_port = NULL; | |
221 | @@ -639,6 +642,16 @@ | |
222 | } | |
223 | } | |
224 | #endif | |
225 | +#ifdef APPARMOR | |
226 | + if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat, | |
227 | + escaped_account, escaped_ip, | |
228 | + escaped_port, escaped_peer_ip, | |
229 | + escaped_decimal_ip)) != NULL) { | |
230 | + result->apparmor_hat = apparmor_hat; | |
231 | + apparmor_hat = NULL; | |
232 | + } | |
233 | +#endif | |
234 | + | |
235 | result->slow_tilde_expansion = 1; | |
236 | result->auth_ok = -result->auth_ok; | |
237 | bye: | |
238 | @@ -668,7 +681,10 @@ | |
239 | #ifdef THROTTLING | |
240 | free((void *) bandwidth_ul); | |
241 | free((void *) bandwidth_dl); | |
242 | -#endif | |
243 | +#endif | |
244 | +#ifdef APPARMOR | |
245 | + free((void *) apparmor_hat); | |
246 | +#endif | |
247 | free((void *) escaped_account); | |
248 | free((void *) escaped_ip); | |
249 | free((void *) escaped_port); | |
250 | @@ -723,6 +739,9 @@ | |
251 | ZFREE(sqlreq_getbandwidth_ul); | |
252 | ZFREE(sqlreq_getbandwidth_dl); | |
253 | #endif | |
254 | +#ifdef APPARMOR | |
255 | + ZFREE(sqlreq_getapparmor_hat); | |
256 | +#endif | |
257 | } | |
258 | #else | |
259 | extern signed char v6ready; | |
260 | diff -urN pure-ftpd-1.0.36.org/src/log_pgsql_p.h pure-ftpd-1.0.36/src/log_pgsql_p.h | |
261 | --- pure-ftpd-1.0.36.org/src/log_pgsql_p.h 2011-04-17 17:05:54.000000000 +0200 | |
262 | +++ pure-ftpd-1.0.36/src/log_pgsql_p.h 2013-11-04 15:05:10.000000000 +0100 | |
263 | @@ -28,6 +28,9 @@ | |
264 | static char *sqlreq_getbandwidth_ul; | |
265 | static char *sqlreq_getbandwidth_dl; | |
266 | #endif | |
267 | +#ifdef APPARMOR | |
268 | +static char *sqlreq_getapparmor_hat; | |
269 | +#endif | |
270 | static signed char server_down; | |
271 | ||
272 | static ConfigKeywords pgsql_config_keywords[] = { | |
273 | @@ -55,6 +58,9 @@ | |
274 | { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul }, | |
275 | { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl }, | |
276 | #endif | |
277 | +#ifdef APPARMOR | |
278 | + { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat }, | |
279 | +#endif | |
280 | { NULL, NULL } | |
281 | }; | |
282 | ||
283 | diff -urN pure-ftpd-1.0.36.org/src/log_puredb.c pure-ftpd-1.0.36/src/log_puredb.c | |
284 | --- pure-ftpd-1.0.36.org/src/log_puredb.c 2012-03-16 02:01:37.000000000 +0100 | |
285 | +++ pure-ftpd-1.0.36/src/log_puredb.c 2013-11-04 15:05:10.000000000 +0100 | |
286 | @@ -305,6 +305,9 @@ | |
287 | result->user_quota_size = strtoull(line, NULL, 10); | |
288 | } | |
289 | #endif | |
290 | +#ifdef APPARMOR | |
291 | + result->apparmor_hat = NULL; | |
292 | +#endif | |
293 | if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) { /* allowed local ip */ | |
294 | return 0; | |
295 | } | |
296 | diff -urN pure-ftpd-1.0.36.org/src/log_unix.c pure-ftpd-1.0.36/src/log_unix.c | |
297 | --- pure-ftpd-1.0.36.org/src/log_unix.c 2011-04-17 17:05:54.000000000 +0200 | |
298 | +++ pure-ftpd-1.0.36/src/log_unix.c 2013-11-04 15:05:10.000000000 +0100 | |
299 | @@ -80,6 +80,9 @@ | |
300 | result->uid = pw.pw_uid; | |
301 | result->gid = pw.pw_gid; | |
302 | result->dir = dir; | |
303 | +#ifdef APPARMOR | |
304 | + result->apparmor_hat = NULL; | |
305 | +#endif | |
306 | result->slow_tilde_expansion = 0; | |
307 | result->auth_ok = -result->auth_ok; | |
308 | return; | |
309 | diff -urN pure-ftpd-1.0.36.org/src/Makefile.am pure-ftpd-1.0.36/src/Makefile.am | |
310 | --- pure-ftpd-1.0.36.org/src/Makefile.am 2012-03-16 02:01:37.000000000 +0100 | |
311 | +++ pure-ftpd-1.0.36/src/Makefile.am 2013-11-04 13:58:22.324973813 +0100 | |
312 | @@ -133,6 +133,7 @@ | |
313 | pure_ftpd_LDADD = \ | |
314 | libpureftpd.a \ | |
315 | ../puredb/src/libpuredb_read.a \ | |
316 | + -lapparmor \ | |
317 | @LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@ | |
318 | ||
319 | pure_ftpd_SOURCES = \ | |
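Review bot: `-lapparmor` is added unconditionally to `pure_ftpd_LDADD`, so every build, including one configured without `--with-apparmor`, now needs libapparmor at link time, while the `configure.ac` hunk already appends the same library to `LIBS` when the option is given. Drop this line and rely on the configure-time addition, or have configure substitute a variable (an `@APPARMOR_LIBS@`-style placeholder set only in the option branch) and reference that here.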
320 | diff -urN pure-ftpd-1.0.36.org/src/messages_en.h pure-ftpd-1.0.36/src/messages_en.h | |
321 | --- pure-ftpd-1.0.36.org/src/messages_en.h 2012-03-16 02:01:37.000000000 +0100 | |
322 | +++ pure-ftpd-1.0.36/src/messages_en.h 2013-11-04 15:05:10.000000000 +0100 | |
323 | @@ -57,6 +57,7 @@ | |
324 | #define MSG_CURRENT_DIR_IS "OK. Current directory is %s" | |
325 | #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s" | |
326 | #define MSG_IS_NOW_LOGGED_IN "%s is now logged in" | |
327 | +#define MSG_APPARMOR_HAT "User %s apparmor hat is %s" | |
328 | #define MSG_CANT_CHANGE_DIR "Can't change directory to %s" | |
329 | #define MSG_PATH_TOO_LONG "Path too long" | |
330 | #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead." |
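Review bot: `MSG_APPARMOR_HAT` is added only to `messages_en.h`, but the `logfile(LOG_INFO, MSG_APPARMOR_HAT, ...)` call in the `ftpd.c` hunk is compiled regardless of which language header is selected. If the tree also carries the other `messages_*.h` headers (they are not touched by this patch), any non-English build with `APPARMOR` defined fails on the undefined macro. Add the define, English text is fine as a fallback, to each of those headers or to whatever shared messages header exists.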