1 diff -ur pure-ftpd-1.0.40.org/config.h.in pure-ftpd-1.0.40/config.h.in
2 --- pure-ftpd-1.0.40.org/config.h.in 2015-06-13 16:45:49.000000000 +0200
3 +++ pure-ftpd-1.0.40/config.h.in 2015-06-16 13:13:38.628079468 +0200
5 /* Define if building universal (internal helper macro) */
6 #undef AC_APPLE_UNIVERSAL_BUILD
11 /* display only boring messages */
14 diff -ur pure-ftpd-1.0.40.org/configure.ac pure-ftpd-1.0.40/configure.ac
15 --- pure-ftpd-1.0.40.org/configure.ac 2015-06-13 13:59:00.000000000 +0200
16 +++ pure-ftpd-1.0.40/configure.ac 2015-06-16 13:13:38.628079468 +0200
18 AC_DEFINE(QUOTAS,,[with quotas])
21 +AC_ARG_WITH(apparmor,
22 +[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
23 +[ if test "x$withval" = "xyes" ; then
24 + AC_DEFINE(APPARMOR,,[with apparmor])
25 + LIBS="$LIBS -lapparmor"
29 [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
30 [ if test "x$withval" = "xyes" ; then
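Review bot: The help string on the added `AS_HELP_STRING` line advertises `--with-apparmorquotas`, but the option registered by `AC_ARG_WITH(apparmor, …)` is `--with-apparmor`, so `./configure --help` documents a flag that does not exist; change it to `[AS_HELP_STRING(--with-apparmor,Support changing AppArmor hats)]`. The `AC_ARG_WITH` block continues past the lines shown, so I cannot see whether any library or header check precedes `LIBS="$LIBS -lapparmor"`; without one, a host without libapparmor fails at link time instead of at configure time. A check such as `AC_CHECK_LIB([apparmor],[aa_change_hat])` or a header check for `<sys/apparmor.h>` before appending to LIBS would give the clearer failure.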
31 diff -ur pure-ftpd-1.0.40.org/pureftpd-mysql.conf pure-ftpd-1.0.40/pureftpd-mysql.conf
32 --- pure-ftpd-1.0.40.org/pureftpd-mysql.conf 2015-05-21 12:18:58.000000000 +0200
33 +++ pure-ftpd-1.0.40/pureftpd-mysql.conf 2015-06-16 13:13:38.644746557 +0200
35 # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
38 +# Optional : Apparmor Hat to use.
39 +# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
41 # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
42 # 1) You know what you are doing.
43 # 2) Real and virtual users match.
44 diff -ur pure-ftpd-1.0.40.org/src/ftpd.c pure-ftpd-1.0.40/src/ftpd.c
45 --- pure-ftpd-1.0.40.org/src/ftpd.c 2015-06-13 12:26:37.000000000 +0200
46 +++ pure-ftpd-1.0.40/src/ftpd.c 2015-06-16 13:13:38.644746557 +0200
52 +# include <sys/apparmor.h>
54 #ifdef WITH_DIRALIASES
55 # include "diraliases.h"
58 result.ratio_download = ratio_download;
59 result.ratio_ul_changed = result.ratio_dl_changed = 0;
62 + result.apparmor_hat = NULL;
64 #ifdef PER_USER_LIMITS
65 result.per_user_max = per_user_max;
67 @@ -1982,6 +1988,16 @@
73 + if (authresult.apparmor_hat != NULL) {
74 + if (change_hat(authresult.apparmor_hat, zrand()) < 0)
75 + die(421, LOG_ERR, MSG_CHROOT_FAILED);
76 + logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
77 + free(authresult.apparmor_hat);
81 logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
83 if (shm_data_cur != NULL) {
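Review bot: A failed `change_hat()` is reported with `MSG_CHROOT_FAILED`, so an operator reading the log sees a chroot failure when it was the AppArmor hat change that failed; a dedicated message such as `#define MSG_APPARMOR_HAT_FAILED "Unable to change AppArmor hat"` used as `die(421, LOG_ERR, MSG_APPARMOR_HAT_FAILED);` makes the failure diagnosable. The `free(authresult.apparmor_hat)` two lines later frees through a `const char *` without the `(void *)` cast the SQL backends use and leaves the member dangling; write `free((void *) authresult.apparmor_hat); authresult.apparmor_hat = NULL;`. The magic token from `zrand()` is never stored, so the process cannot return from the hat — presumably the intent, and worth stating on that line, e.g. `/* token is discarded on purpose: the hat change is one-way */`. The enclosing function starts and ends outside the hunk, and the lines between the `@@` header and the `if` are not shown here, so I cannot see the `#ifdef` guard around this block or where it sits relative to the chroot and privilege drop.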
84 diff -ur pure-ftpd-1.0.40.org/src/ftpd.h pure-ftpd-1.0.40/src/ftpd.h
85 --- pure-ftpd-1.0.40.org/src/ftpd.h 2015-05-21 10:08:42.000000000 +0200
86 +++ pure-ftpd-1.0.40/src/ftpd.h 2015-06-16 13:13:38.644746557 +0200
88 #ifdef PER_USER_LIMITS
89 unsigned int per_user_max;
92 + const char *apparmor_hat;
96 typedef struct PureFileInfo_ {
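Review bot: The new `apparmor_hat` member carries no ownership note, yet the MySQL and PostgreSQL backends store a heap string from `pw_*_getquery()` in it and ftpd.c frees it after `change_hat()`, while every other backend sets it to NULL; the `const` qualifier hides that the consumer must free it. Add a comment on the field, e.g. `/* AppArmor hat to change into after login; heap-allocated by the auth backend, freed by the caller; NULL when unused */`, and consider declaring it `char *` so the free needs no cast. The struct's declaration starts outside the hunk, so I cannot see whether the member is itself wrapped in an `#ifdef APPARMOR`; if it is, each backend's `result->apparmor_hat = NULL;` assignment needs the same guard.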
97 diff -ur pure-ftpd-1.0.40.org/src/log_extauth.c pure-ftpd-1.0.40/src/log_extauth.c
98 --- pure-ftpd-1.0.40.org/src/log_extauth.c 2015-02-17 19:12:45.000000000 +0100
99 +++ pure-ftpd-1.0.40/src/log_extauth.c 2015-06-16 13:15:07.670333578 +0200
101 result->uid = (uid_t) 0;
102 result->gid = (gid_t) 0;
105 + result->apparmor_hat = NULL;
107 result->slow_tilde_expansion = 1;
109 if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
110 diff -ur pure-ftpd-1.0.40.org/src/log_ldap.c pure-ftpd-1.0.40/src/log_ldap.c
111 --- pure-ftpd-1.0.40.org/src/log_ldap.c 2015-06-11 00:26:19.000000000 +0200
112 +++ pure-ftpd-1.0.40/src/log_ldap.c 2015-06-16 13:13:38.644746557 +0200
114 if ((result->dir = strdup(pw->pw_dir)) == NULL) {
118 + result->apparmor_hat = NULL;
120 result->slow_tilde_expansion = 1;
121 result->auth_ok = 1; /* User found, authentication ok */
123 diff -ur pure-ftpd-1.0.40.org/src/log_mysql.c pure-ftpd-1.0.40/src/log_mysql.c
124 --- pure-ftpd-1.0.40.org/src/log_mysql.c 2015-05-21 12:52:57.000000000 +0200
125 +++ pure-ftpd-1.0.40/src/log_mysql.c 2015-06-16 13:16:21.692207444 +0200
127 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
128 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
131 + const char *apparmor_hat = NULL; /* Apparmor hat name */
133 char *escaped_account = NULL;
134 char *escaped_ip = NULL;
135 char *escaped_port = NULL;
141 + if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
142 + escaped_account, escaped_ip,
143 + escaped_port, escaped_peer_ip,
144 + escaped_decimal_ip)) != NULL) {
145 + result->apparmor_hat = apparmor_hat;
146 + apparmor_hat = NULL;
149 result->slow_tilde_expansion = !tildexp;
150 result->auth_ok = -result->auth_ok;
153 free((void *) bandwidth_ul);
154 free((void *) bandwidth_dl);
157 + free((void *) apparmor_hat);
159 free((void *) escaped_account);
160 free((void *) escaped_ip);
161 free((void *) escaped_port);
163 ZFREE(sqlreq_getbandwidth_ul);
164 ZFREE(sqlreq_getbandwidth_dl);
167 + ZFREE(sqlreq_getapparmor_hat);
171 extern signed char v6ready;
172 diff -ur pure-ftpd-1.0.40.org/src/log_mysql_p.h pure-ftpd-1.0.40/src/log_mysql_p.h
173 --- pure-ftpd-1.0.40.org/src/log_mysql_p.h 2015-02-17 19:12:45.000000000 +0100
174 +++ pure-ftpd-1.0.40/src/log_mysql_p.h 2015-06-16 13:13:38.648079974 +0200
176 static char *sqlreq_getbandwidth_ul;
177 static char *sqlreq_getbandwidth_dl;
180 +static char *sqlreq_getapparmor_hat;
182 static signed char server_down;
184 static ConfigKeywords mysql_config_keywords[] = {
186 { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
187 { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
190 + { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
195 diff -ur pure-ftpd-1.0.40.org/src/log_pam.c pure-ftpd-1.0.40/src/log_pam.c
196 --- pure-ftpd-1.0.40.org/src/log_pam.c 2015-02-17 19:12:45.000000000 +0100
197 +++ pure-ftpd-1.0.40/src/log_pam.c 2015-06-16 13:13:38.654746809 +0200
199 (void) pam_close_session(pamh, PAM_SILENT); /* It doesn't matter if it fails */
203 + result->apparmor_hat = NULL;
206 result->uid = pw.pw_uid;
207 result->gid = pw.pw_gid;
208 diff -ur pure-ftpd-1.0.40.org/src/log_pgsql.c pure-ftpd-1.0.40/src/log_pgsql.c
209 --- pure-ftpd-1.0.40.org/src/log_pgsql.c 2015-05-22 16:29:27.000000000 +0200
210 +++ pure-ftpd-1.0.40/src/log_pgsql.c 2015-06-16 13:18:14.645066852 +0200
212 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
213 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
216 + const char *apparmor_hat = NULL; /* Apparmor hat name */
218 char *escaped_account = NULL;
219 char *escaped_ip = NULL;
220 char *escaped_port = NULL;
226 + if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
227 + escaped_account, escaped_ip,
228 + escaped_port, escaped_peer_ip,
229 + escaped_decimal_ip)) != NULL) {
230 + result->apparmor_hat = apparmor_hat;
231 + apparmor_hat = NULL;
234 result->slow_tilde_expansion = 1;
235 result->auth_ok = -result->auth_ok;
238 free((void *) bandwidth_ul);
239 free((void *) bandwidth_dl);
242 + free((void *) apparmor_hat);
244 free((void *) escaped_account);
245 free((void *) escaped_ip);
246 free((void *) escaped_port);
248 ZFREE(sqlreq_getbandwidth_ul);
249 ZFREE(sqlreq_getbandwidth_dl);
252 + ZFREE(sqlreq_getapparmor_hat);
256 extern signed char v6ready;
257 diff -ur pure-ftpd-1.0.40.org/src/log_pgsql_p.h pure-ftpd-1.0.40/src/log_pgsql_p.h
258 --- pure-ftpd-1.0.40.org/src/log_pgsql_p.h 2015-02-17 19:12:45.000000000 +0100
259 +++ pure-ftpd-1.0.40/src/log_pgsql_p.h 2015-06-16 13:13:38.658080227 +0200
261 static char *sqlreq_getbandwidth_ul;
262 static char *sqlreq_getbandwidth_dl;
265 +static char *sqlreq_getapparmor_hat;
267 static signed char server_down;
269 static ConfigKeywords pgsql_config_keywords[] = {
271 { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
272 { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
275 + { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
280 diff -ur pure-ftpd-1.0.40.org/src/log_puredb.c pure-ftpd-1.0.40/src/log_puredb.c
281 --- pure-ftpd-1.0.40.org/src/log_puredb.c 2015-05-21 12:51:56.000000000 +0200
282 +++ pure-ftpd-1.0.40/src/log_puredb.c 2015-06-16 13:13:38.658080227 +0200
284 result->user_quota_size = strtoull(line, NULL, 10);
288 + result->apparmor_hat = NULL;
290 if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) { /* allowed local ip */
293 diff -ur pure-ftpd-1.0.40.org/src/log_unix.c pure-ftpd-1.0.40/src/log_unix.c
294 --- pure-ftpd-1.0.40.org/src/log_unix.c 2015-05-21 12:51:38.000000000 +0200
295 +++ pure-ftpd-1.0.40/src/log_unix.c 2015-06-16 13:13:38.658080227 +0200
297 result->uid = pw.pw_uid;
298 result->gid = pw.pw_gid;
301 + result->apparmor_hat = NULL;
303 result->slow_tilde_expansion = 0;
304 result->auth_ok = -result->auth_ok;
306 diff -ur pure-ftpd-1.0.40.org/src/Makefile.am pure-ftpd-1.0.40/src/Makefile.am
307 --- pure-ftpd-1.0.40.org/src/Makefile.am 2015-05-21 16:25:39.000000000 +0200
308 +++ pure-ftpd-1.0.40/src/Makefile.am 2015-06-16 13:13:38.658080227 +0200
312 ../puredb/src/libpuredb_read.a \
314 @LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
316 pure_ftpd_SOURCES = \
317 diff -ur pure-ftpd-1.0.40.org/src/messages_en.h pure-ftpd-1.0.40/src/messages_en.h
318 --- pure-ftpd-1.0.40.org/src/messages_en.h 2015-05-20 16:23:20.000000000 +0200
319 +++ pure-ftpd-1.0.40/src/messages_en.h 2015-06-16 13:13:38.658080227 +0200
321 #define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
322 #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
323 #define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
324 +#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
325 #define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
326 #define MSG_PATH_TOO_LONG "Path too long"
327 #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."
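Review bot: `MSG_APPARMOR_HAT` is added to messages_en.h only, and this patch touches no other `messages_*.h`; if the other language headers are not updated elsewhere, a build configured for another language fails on the `logfile(LOG_INFO, MSG_APPARMOR_HAT, …)` call in ftpd.c with an undeclared identifier. The same applies to any failure message introduced for the `change_hat()` error path. Adding the English string to each language header until translations exist keeps those builds compiling.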