1 diff -ur pure-ftpd-1.0.49.org/config.h.in pure-ftpd-1.0.49/config.h.in
2 --- pure-ftpd-1.0.49.org/config.h.in 2019-03-25 18:00:47.000000000 +0100
3 +++ pure-ftpd-1.0.49/config.h.in 2023-06-27 13:52:05.846355280 +0200
5 /* Define if building universal (internal helper macro) */
6 #undef AC_APPLE_UNIVERSAL_BUILD
11 /* display only boring messages */
14 diff -ur pure-ftpd-1.0.49.org/configure.ac pure-ftpd-1.0.49/configure.ac
15 --- pure-ftpd-1.0.49.org/configure.ac 2019-04-03 12:41:30.000000000 +0200
16 +++ pure-ftpd-1.0.49/configure.ac 2023-06-27 13:52:05.849688614 +0200
18 AC_DEFINE(QUOTAS,,[with quotas])
21 +AC_ARG_WITH(apparmor,
22 +[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
23 +[ if test "x$withval" = "xyes" ; then
24 + AC_DEFINE(APPARMOR,,[with apparmor])
25 + LIBS="$LIBS -lapparmor"
29 [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
30 [ if test "x$withval" = "xyes" ; then
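Review bot: The help string on the new AC_ARG_WITH advertises `--with-apparmorquotas`, but the option being declared is `--with-apparmor`; it should read `[AS_HELP_STRING(--with-apparmor,Support changing Apparmor Hats)],`. The yes-branch also only defines APPARMOR and appends `-lapparmor` without probing for the library or header, so a build on a host without libapparmor fails at link time rather than at configure time; an `AC_CHECK_LIB(apparmor, aa_change_hat, ...)` together with `AC_CHECK_HEADERS([sys/apparmor.h])` inside that branch would report it early. The hunk header and the closing of the AC_ARG_WITH block are not visible here.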
31 diff -ur pure-ftpd-1.0.49.org/pureftpd-mysql.conf pure-ftpd-1.0.49/pureftpd-mysql.conf
32 --- pure-ftpd-1.0.49.org/pureftpd-mysql.conf 2018-01-04 13:13:36.000000000 +0100
33 +++ pure-ftpd-1.0.49/pureftpd-mysql.conf 2023-06-27 13:52:05.849688614 +0200
35 # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
38 +# Optional : Apparmor Hat to use.
39 +# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
41 # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
42 # 1) You know what you are doing.
43 # 2) Real and virtual users match.
44 diff -ur pure-ftpd-1.0.49.org/README.Authentication-Modules pure-ftpd-1.0.49/README.Authentication-Modules
45 --- pure-ftpd-1.0.49.org/README.Authentication-Modules 2019-03-25 18:10:06.000000000 +0100
46 +++ pure-ftpd-1.0.49/README.Authentication-Modules 2023-06-27 13:52:05.849688614 +0200
49 The maximal authorized number of concurrent sessions.
51 +* apparmor_hat:xxx (optional)
55 ------------------------ EXAMPLE ------------------------
57 diff -ur pure-ftpd-1.0.49.org/src/ftpd.c pure-ftpd-1.0.49/src/ftpd.c
58 --- pure-ftpd-1.0.49.org/src/ftpd.c 2019-04-02 16:00:40.000000000 +0200
59 +++ pure-ftpd-1.0.49/src/ftpd.c 2023-06-27 13:52:26.496355278 +0200
65 +# include <sys/apparmor.h>
67 #ifdef WITH_DIRALIASES
68 # include "diraliases.h"
71 result.ratio_download = ratio_download;
72 result.ratio_ul_changed = result.ratio_dl_changed = 0;
75 + result.apparmor_hat = NULL;
77 #ifdef PER_USER_LIMITS
78 result.per_user_max = per_user_max;
80 @@ -1944,6 +1950,16 @@
86 + if (authresult.apparmor_hat != NULL) {
87 + logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
88 + if (change_hat(authresult.apparmor_hat, zrand()) < 0)
89 + die(421, LOG_ERR, MSG_APPARMOR_FAILED);
90 + free(authresult.apparmor_hat);
94 logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
96 if (shm_data_cur != NULL) {
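Review bot: The magic token from zrand() at `change_hat(authresult.apparmor_hat, zrand())` is thrown away, so the only thing keeping the hat change one-way is that code running later in the process cannot guess the token; if the transition is meant to be permanent, a token of 0 is the documented way to have AppArmor refuse any return to the parent profile (confirm against the libapparmor version being targeted), and aa_change_hat() is the current entry point while change_hat() is the deprecated spelling: `if (aa_change_hat(authresult.apparmor_hat, 0) < 0)`. The `free(authresult.apparmor_hat)` two lines later discards the const that ftpd.h puts on the field, unlike the `free((void *) …)` form used in log_extauth.c and log_mysql.c, and leaves the pointer dangling: `free((void *) authresult.apparmor_hat); authresult.apparmor_hat = NULL;`. The ordering is good for audit purposes — the hat is logged before the switch and a failed switch is fatal with a 421 rather than a silent fallback. The enclosing function continues outside the hunk in both directions, so whether the hat change happens before or after privilege dropping and chroot setup cannot be verified here.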
97 diff -ur pure-ftpd-1.0.49.org/src/ftpd.h pure-ftpd-1.0.49/src/ftpd.h
98 --- pure-ftpd-1.0.49.org/src/ftpd.h 2019-03-25 16:48:42.000000000 +0100
99 +++ pure-ftpd-1.0.49/src/ftpd.h 2023-06-27 13:52:05.849688614 +0200
101 #ifdef PER_USER_LIMITS
102 unsigned int per_user_max;
105 + const char *apparmor_hat;
109 typedef struct PureFileInfo_ {
110 diff -ur pure-ftpd-1.0.49.org/src/log_extauth.c pure-ftpd-1.0.49/src/log_extauth.c
111 --- pure-ftpd-1.0.49.org/src/log_extauth.c 2019-04-03 12:38:36.000000000 +0200
112 +++ pure-ftpd-1.0.49/src/log_extauth.c 2023-06-27 13:52:05.849688614 +0200
117 +static void callback_reply_apparmor_hat(const char *str, AuthResult * const result)
121 + free((void *) (result->apparmor_hat));
122 + result->apparmor_hat = strdup(str);
130 static void callback_reply_end(const char *str, AuthResult * const result)
134 result->uid = (uid_t) 0;
135 result->gid = (gid_t) 0;
138 + result->apparmor_hat = NULL;
140 result->slow_tilde_expansion = 1;
142 if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
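Review bot: `result->apparmor_hat = strdup(str);` in callback_reply_apparmor_hat never checks for a NULL return, so an allocation failure leaves apparmor_hat NULL and the login in ftpd.c silently proceeds without the hat, i.e. under the less restrictive parent profile; a failed copy of a confinement selector should fail closed rather than degrade. Something like `if ((result->apparmor_hat = strdup(str)) == NULL) { result->auth_ok = 0; }` would do that, assuming the auth_ok check happens after all replies are processed — which is not visible from here. Whether an empty `apparmor_hat:` value is rejected before the strdup() also cannot be seen (the lines between the signature and the free() are not in view); the existing reply callbacks are the pattern to match.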
143 diff -ur pure-ftpd-1.0.49.org/src/log_extauth.h pure-ftpd-1.0.49/src/log_extauth.h
144 --- pure-ftpd-1.0.49.org/src/log_extauth.h 2019-03-25 18:11:33.000000000 +0100
145 +++ pure-ftpd-1.0.49/src/log_extauth.h 2023-06-27 13:52:05.849688614 +0200
147 #define EXTAUTH_REPLY_RATIO_UPLOAD "ratio_upload" EXTAUTH_KEYWORD_SEP
148 #define EXTAUTH_REPLY_RATIO_DOWNLOAD "ratio_download" EXTAUTH_KEYWORD_SEP
149 #define EXTAUTH_REPLY_PER_USER_MAX "per_user_max" EXTAUTH_KEYWORD_SEP
150 +#define EXTAUTH_REPLY_APPARMOR_HAT "apparmor_hat" EXTAUTH_KEYWORD_SEP
151 #define EXTAUTH_REPLY_END "end"
154 diff -ur pure-ftpd-1.0.49.org/src/log_extauth_p.h pure-ftpd-1.0.49/src/log_extauth_p.h
155 --- pure-ftpd-1.0.49.org/src/log_extauth_p.h 2018-09-19 23:53:06.000000000 +0200
156 +++ pure-ftpd-1.0.49/src/log_extauth_p.h 2023-06-27 13:52:05.849688614 +0200
158 static void callback_reply_ratio_upload(const char *str, AuthResult * const result);
159 static void callback_reply_ratio_download(const char *str, AuthResult * const result);
160 static void callback_reply_per_user_max(const char *str, AuthResult * const result);
161 +static void callback_reply_apparmor_hat(const char *str, AuthResult * const result);
162 static void callback_reply_end(const char *str, AuthResult * const result);
164 static ExtauthCallBack extauth_callbacks[] = {
166 { EXTAUTH_REPLY_RATIO_UPLOAD, callback_reply_ratio_upload },
167 { EXTAUTH_REPLY_RATIO_DOWNLOAD, callback_reply_ratio_download },
168 { EXTAUTH_REPLY_PER_USER_MAX, callback_reply_per_user_max },
169 + { EXTAUTH_REPLY_APPARMOR_HAT, callback_reply_apparmor_hat },
170 { EXTAUTH_REPLY_END, callback_reply_end },
171 { NULL, callback_reply_end }
173 diff -ur pure-ftpd-1.0.49.org/src/log_ldap.c pure-ftpd-1.0.49/src/log_ldap.c
174 --- pure-ftpd-1.0.49.org/src/log_ldap.c 2019-04-02 16:00:40.000000000 +0200
175 +++ pure-ftpd-1.0.49/src/log_ldap.c 2023-06-27 13:52:05.849688614 +0200
177 if ((result->dir = strdup(pw->pw_dir)) == NULL) {
181 + result->apparmor_hat = NULL;
183 result->slow_tilde_expansion = 1;
184 result->auth_ok = 1; /* User found, authentication ok */
186 diff -ur pure-ftpd-1.0.49.org/src/log_mysql.c pure-ftpd-1.0.49/src/log_mysql.c
187 --- pure-ftpd-1.0.49.org/src/log_mysql.c 2019-04-02 16:00:40.000000000 +0200
188 +++ pure-ftpd-1.0.49/src/log_mysql.c 2023-06-27 13:52:05.853021947 +0200
190 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
191 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
194 + const char *apparmor_hat = NULL; /* Apparmor hat name */
196 char *escaped_account = NULL;
197 char *escaped_ip = NULL;
198 char *escaped_port = NULL;
204 + if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
205 + escaped_account, escaped_ip,
206 + escaped_port, escaped_peer_ip,
207 + escaped_decimal_ip)) != NULL) {
208 + result->apparmor_hat = apparmor_hat;
209 + apparmor_hat = NULL;
212 result->slow_tilde_expansion = !tildexp;
213 result->auth_ok = -result->auth_ok;
216 free((void *) bandwidth_ul);
217 free((void *) bandwidth_dl);
220 + free((void *) apparmor_hat);
222 free((void *) escaped_account);
223 free((void *) escaped_ip);
224 free((void *) escaped_port);
226 ZFREE(sqlreq_getbandwidth_ul);
227 ZFREE(sqlreq_getbandwidth_dl);
230 + ZFREE(sqlreq_getapparmor_hat);
234 extern signed char v6ready;
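Review bot: The hat name is now a value read from the users table and handed straight to the hat change in ftpd.c, so whoever can write that column selects which AppArmor hat confines the session; a nonexistent hat fails closed via die(421), but any valid, more permissive hat defined in the profile is accepted as-is. That is inherent to the feature, but it deserves a comment at the assignment, e.g. `/* Policy input: the database row chooses the AppArmor hat for this session */`, and a matching sentence next to MYSQLGetApparmorHat in the sample config; the same applies to the parallel hunk in log_pgsql.c. The ownership hand-off (`result->apparmor_hat = apparmor_hat; apparmor_hat = NULL;` followed by `free((void *) apparmor_hat)`) is correct and matches how the other query results are handled. How pw_mysql_getquery() behaves when sqlreq_getapparmor_hat is left unset is outside the visible lines — presumably the same as the optional bandwidth queries.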
235 diff -ur pure-ftpd-1.0.49.org/src/log_mysql_p.h pure-ftpd-1.0.49/src/log_mysql_p.h
236 --- pure-ftpd-1.0.49.org/src/log_mysql_p.h 2018-09-19 23:53:06.000000000 +0200
237 +++ pure-ftpd-1.0.49/src/log_mysql_p.h 2023-06-27 13:52:05.853021947 +0200
239 static char *sqlreq_getbandwidth_ul;
240 static char *sqlreq_getbandwidth_dl;
243 +static char *sqlreq_getapparmor_hat;
245 static signed char server_down;
247 static ConfigKeywords mysql_config_keywords[] = {
249 { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
250 { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
253 + { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
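Review bot: The new keyword is spelled `MYSQLGetApparmorHat` while every neighbouring entry uses the `MySQL` prefix (`MySQLGetBandwidthUL`, `MySQLGetBandwidthDL`), and the sample pureftpd-mysql.conf repeats the odd casing. Whether the keyword lookup is case-insensitive is not visible here; either way, `{ "MySQLGetApparmorHat", &sqlreq_getapparmor_hat },` keeps the configuration surface consistent, with the sample config updated to match. The PGSQL counterpart already follows the existing `PGSQLGet…` casing.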
258 diff -ur pure-ftpd-1.0.49.org/src/log_pam.c pure-ftpd-1.0.49/src/log_pam.c
259 --- pure-ftpd-1.0.49.org/src/log_pam.c 2019-04-02 16:00:40.000000000 +0200
260 +++ pure-ftpd-1.0.49/src/log_pam.c 2023-06-27 13:52:05.853021947 +0200
262 (void) pam_close_session(pamh, PAM_SILENT); /* It doesn't matter if it fails */
266 + result->apparmor_hat = NULL;
269 result->uid = pw.pw_uid;
270 result->gid = pw.pw_gid;
271 diff -ur pure-ftpd-1.0.49.org/src/log_pgsql.c pure-ftpd-1.0.49/src/log_pgsql.c
272 --- pure-ftpd-1.0.49.org/src/log_pgsql.c 2019-04-02 16:00:40.000000000 +0200
273 +++ pure-ftpd-1.0.49/src/log_pgsql.c 2023-06-27 13:52:05.853021947 +0200
275 const char *bandwidth_ul = NULL; /* stored bandwidth UL */
276 const char *bandwidth_dl = NULL; /* stored bandwidth DL */
279 + const char *apparmor_hat = NULL; /* Apparmor hat name */
281 char *escaped_account = NULL;
282 char *escaped_ip = NULL;
283 char *escaped_port = NULL;
289 + if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
290 + escaped_account, escaped_ip,
291 + escaped_port, escaped_peer_ip,
292 + escaped_decimal_ip)) != NULL) {
293 + result->apparmor_hat = apparmor_hat;
294 + apparmor_hat = NULL;
297 result->slow_tilde_expansion = 1;
298 result->auth_ok = -result->auth_ok;
301 free((void *) bandwidth_ul);
302 free((void *) bandwidth_dl);
305 + free((void *) apparmor_hat);
307 free((void *) escaped_account);
308 free((void *) escaped_ip);
309 free((void *) escaped_port);
311 ZFREE(sqlreq_getbandwidth_ul);
312 ZFREE(sqlreq_getbandwidth_dl);
315 + ZFREE(sqlreq_getapparmor_hat);
319 extern signed char v6ready;
320 diff -ur pure-ftpd-1.0.49.org/src/log_pgsql_p.h pure-ftpd-1.0.49/src/log_pgsql_p.h
321 --- pure-ftpd-1.0.49.org/src/log_pgsql_p.h 2018-09-19 23:53:06.000000000 +0200
322 +++ pure-ftpd-1.0.49/src/log_pgsql_p.h 2023-06-27 13:52:05.853021947 +0200
324 static char *sqlreq_getbandwidth_ul;
325 static char *sqlreq_getbandwidth_dl;
328 +static char *sqlreq_getapparmor_hat;
330 static signed char server_down;
332 static ConfigKeywords pgsql_config_keywords[] = {
334 { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
335 { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
338 + { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
343 diff -ur pure-ftpd-1.0.49.org/src/log_puredb.c pure-ftpd-1.0.49/src/log_puredb.c
344 --- pure-ftpd-1.0.49.org/src/log_puredb.c 2019-04-02 16:00:40.000000000 +0200
345 +++ pure-ftpd-1.0.49/src/log_puredb.c 2023-06-27 13:52:05.853021947 +0200
347 result->user_quota_size = strtoull(line, NULL, 10);
351 + result->apparmor_hat = NULL;
353 if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) { /* allowed local ip */
356 diff -ur pure-ftpd-1.0.49.org/src/log_unix.c pure-ftpd-1.0.49/src/log_unix.c
357 --- pure-ftpd-1.0.49.org/src/log_unix.c 2019-04-02 16:00:40.000000000 +0200
358 +++ pure-ftpd-1.0.49/src/log_unix.c 2023-06-27 13:52:05.853021947 +0200
360 result->uid = pw.pw_uid;
361 result->gid = pw.pw_gid;
364 + result->apparmor_hat = NULL;
366 result->slow_tilde_expansion = 0;
367 result->auth_ok = -result->auth_ok;
369 diff -ur pure-ftpd-1.0.49.org/src/Makefile.am pure-ftpd-1.0.49/src/Makefile.am
370 --- pure-ftpd-1.0.49.org/src/Makefile.am 2019-03-25 16:48:42.000000000 +0100
371 +++ pure-ftpd-1.0.49/src/Makefile.am 2023-06-27 13:52:05.853021947 +0200
375 ../puredb/src/libpuredb_read.a \
377 @LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
379 pure_ftpd_SOURCES = \
380 diff -ur pure-ftpd-1.0.49.org/src/messages_en.h pure-ftpd-1.0.49/src/messages_en.h
381 --- pure-ftpd-1.0.49.org/src/messages_en.h 2019-03-25 16:48:42.000000000 +0100
382 +++ pure-ftpd-1.0.49/src/messages_en.h 2023-06-27 13:52:50.413021941 +0200
384 #define MSG_FXP_SUPPORT "This server supports FXP transfers"
385 #define MSG_RATIO "You must respect a %u:%u (UL/DL) ratio"
386 #define MSG_CHROOT_FAILED "Unable to set up a secure chroot() jail"
387 +#define MSG_APPARMOR_FAILED "Unable to set up security policies"
388 #define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
389 #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
390 #define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
391 +#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
392 #define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
393 #define MSG_PATH_TOO_LONG "Path too long"
394 #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."
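Review bot: MSG_APPARMOR_FAILED and MSG_APPARMOR_HAT are added to messages_en.h only, while ftpd.c uses both unconditionally inside the hat-changing block; if the build selects another messages_*.h translation (pure-ftpd ships several), those names are undefined and compilation fails unless the other message files are patched outside this diff. Either add the two defines to every messages file or give ftpd.c an English fallback under `#ifndef MSG_APPARMOR_FAILED`. The messages themselves are fine: the 421 text stays generic and does not echo the hat name to the client, and the LOG_INFO line carries both the account and the hat for audit.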