[packages/pure-ftpd.git] / pure-ftpd-apparmor.patch

diff -ur pure-ftpd-1.0.40.org/config.h.in pure-ftpd-1.0.40/config.h.in
--- pure-ftpd-1.0.40.org/config.h.in	2015-06-13 16:45:49.000000000 +0200
+++ pure-ftpd-1.0.40/config.h.in	2015-06-16 13:13:38.628079468 +0200
@@ -3,6 +3,9 @@
 /* Define if building universal (internal helper macro) */
 #undef AC_APPLE_UNIVERSAL_BUILD
 
+/* with apparmor */
+#undef APPARMOR
+
 /* display only boring messages */
 #undef BORING_MODE
 
diff -ur pure-ftpd-1.0.40.org/configure.ac pure-ftpd-1.0.40/configure.ac
--- pure-ftpd-1.0.40.org/configure.ac	2015-06-13 13:59:00.000000000 +0200
+++ pure-ftpd-1.0.40/configure.ac	2015-06-16 13:13:38.628079468 +0200
@@ -792,6 +792,13 @@
     AC_DEFINE(QUOTAS,,[with quotas])
   fi ])
 
+AC_ARG_WITH(apparmor,
+[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
+[ if test "x$withval" = "xyes" ; then
+    AC_DEFINE(APPARMOR,,[with apparmor])
+    LIBS="$LIBS -lapparmor"
+  fi ])
+
 AC_ARG_WITH(ftpwho,
 [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
 [ if test "x$withval" = "xyes" ; then
diff -ur pure-ftpd-1.0.40.org/pureftpd-mysql.conf pure-ftpd-1.0.40/pureftpd-mysql.conf
--- pure-ftpd-1.0.40.org/pureftpd-mysql.conf	2015-05-21 12:18:58.000000000 +0200
+++ pure-ftpd-1.0.40/pureftpd-mysql.conf	2015-06-16 13:13:38.644746557 +0200
@@ -112,6 +112,9 @@
 # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
 
 
+# Optional : Apparmor Hat to use.
+# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
+
 # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
 # 1) You know what you are doing.
 # 2) Real and virtual users match.
diff -ur pure-ftpd-1.0.40.org/src/ftpd.c pure-ftpd-1.0.40/src/ftpd.c
--- pure-ftpd-1.0.40.org/src/ftpd.c	2015-06-13 12:26:37.000000000 +0200
+++ pure-ftpd-1.0.40/src/ftpd.c	2015-06-16 13:13:38.644746557 +0200
@@ -18,6 +18,9 @@
 #ifdef QUOTAS
 # include "quotas.h"
 #endif
+#ifdef APPARMOR
+# include <sys/apparmor.h>
+#endif
 #ifdef WITH_DIRALIASES
 # include "diraliases.h"
 #endif
@@ -1544,6 +1547,9 @@
         result.ratio_download = ratio_download;
         result.ratio_ul_changed = result.ratio_dl_changed = 0;
 #endif
+#ifdef APPARMOR
+        result.apparmor_hat = NULL;
+#endif
 #ifdef PER_USER_LIMITS
         result.per_user_max = per_user_max;
 #endif
@@ -1982,6 +1988,16 @@
 # endif
     enablesignals();
 #endif
+
+#ifdef APPARMOR
+    if (authresult.apparmor_hat != NULL) {
+        if (change_hat(authresult.apparmor_hat, zrand()) < 0)
+            die(421, LOG_ERR, MSG_CHROOT_FAILED);
+        logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
+        free(authresult.apparmor_hat);
+    }
+#endif
+
     logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
 #ifdef FTPWHO
     if (shm_data_cur != NULL) {
diff -ur pure-ftpd-1.0.40.org/src/ftpd.h pure-ftpd-1.0.40/src/ftpd.h
--- pure-ftpd-1.0.40.org/src/ftpd.h	2015-05-21 10:08:42.000000000 +0200
+++ pure-ftpd-1.0.40/src/ftpd.h	2015-06-16 13:13:38.644746557 +0200
@@ -294,6 +294,9 @@
 #ifdef PER_USER_LIMITS
     unsigned int per_user_max;
 #endif
+#ifdef APPARMOR
+    const char *apparmor_hat;
+#endif
 } AuthResult;
 
 typedef struct PureFileInfo_ {
diff -ur pure-ftpd-1.0.40.org/src/log_extauth.c pure-ftpd-1.0.40/src/log_extauth.c
--- pure-ftpd-1.0.40.org/src/log_extauth.c	2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_extauth.c	2015-06-16 13:15:07.670333578 +0200
@@ -215,6 +215,9 @@
     result->uid = (uid_t) 0;
     result->gid = (gid_t) 0;
     result->dir = NULL;
+#ifdef APPARMOR_HAT
+    result->apparmor_hat = NULL;
+#endif
     result->slow_tilde_expansion = 1;
     auth_finalized = 0;
     if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
diff -ur pure-ftpd-1.0.40.org/src/log_ldap.c pure-ftpd-1.0.40/src/log_ldap.c
--- pure-ftpd-1.0.40.org/src/log_ldap.c	2015-06-11 00:26:19.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_ldap.c	2015-06-16 13:13:38.644746557 +0200
@@ -627,6 +627,9 @@
     if ((result->dir = strdup(pw->pw_dir)) == NULL) {
         return;
     }
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     result->slow_tilde_expansion = 1;
     result->auth_ok = 1;            /* User found, authentication ok */
 }
diff -ur pure-ftpd-1.0.40.org/src/log_mysql.c pure-ftpd-1.0.40/src/log_mysql.c
--- pure-ftpd-1.0.40.org/src/log_mysql.c	2015-05-21 12:52:57.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_mysql.c	2015-06-16 13:16:21.692207444 +0200
@@ -322,6 +322,9 @@
     const char *bandwidth_ul = NULL;   /* stored bandwidth UL */
     const char *bandwidth_dl = NULL;   /* stored bandwidth DL */
 #endif
+#ifdef APPARMOR
+    const char *apparmor_hat = NULL;    /* Apparmor hat name */
+#endif
     char *escaped_account = NULL;
     char *escaped_ip = NULL;
     char *escaped_port = NULL;
@@ -605,6 +608,15 @@
         }
     }
 #endif
+#ifdef APPARMOR
+    if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
+                                          escaped_account, escaped_ip,
+                                          escaped_port, escaped_peer_ip,
+                                          escaped_decimal_ip)) != NULL) {
+        result->apparmor_hat = apparmor_hat;
+        apparmor_hat = NULL;
+    }
+#endif
     result->slow_tilde_expansion = !tildexp;
     result->auth_ok = -result->auth_ok;
     bye:
@@ -634,6 +646,9 @@
     free((void *) bandwidth_ul);
     free((void *) bandwidth_dl);
 #endif
+#ifdef APPARMOR
+    free((void *) apparmor_hat);
+#endif
     free((void *) escaped_account);
     free((void *) escaped_ip);
     free((void *) escaped_port);
@@ -702,6 +717,9 @@
     ZFREE(sqlreq_getbandwidth_ul);
     ZFREE(sqlreq_getbandwidth_dl);
 #endif
+#ifdef APPARMOR
+    ZFREE(sqlreq_getapparmor_hat);
+#endif
 }
 #else
 extern signed char v6ready;
diff -ur pure-ftpd-1.0.40.org/src/log_mysql_p.h pure-ftpd-1.0.40/src/log_mysql_p.h
--- pure-ftpd-1.0.40.org/src/log_mysql_p.h	2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_mysql_p.h	2015-06-16 13:13:38.648079974 +0200
@@ -38,6 +38,9 @@
 static char *sqlreq_getbandwidth_ul;
 static char *sqlreq_getbandwidth_dl;
 #endif
+#ifdef APPARMOR
+static char *sqlreq_getapparmor_hat;
+#endif
 static signed char server_down;
 
 static ConfigKeywords mysql_config_keywords[] = {
@@ -68,6 +71,9 @@
     { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
     { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
 #endif
+#ifdef APPARMOR
+    { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
+#endif
     { NULL, NULL }
 };
 
diff -ur pure-ftpd-1.0.40.org/src/log_pam.c pure-ftpd-1.0.40/src/log_pam.c
--- pure-ftpd-1.0.40.org/src/log_pam.c	2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_pam.c	2015-06-16 13:13:38.654746809 +0200
@@ -202,6 +202,9 @@
     (void) pam_close_session(pamh, PAM_SILENT);   /* It doesn't matter if it fails */
 #endif
     result->dir = dir;
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     dir = NULL;
     result->uid = pw.pw_uid;
     result->gid = pw.pw_gid;
diff -ur pure-ftpd-1.0.40.org/src/log_pgsql.c pure-ftpd-1.0.40/src/log_pgsql.c
--- pure-ftpd-1.0.40.org/src/log_pgsql.c	2015-05-22 16:29:27.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_pgsql.c	2015-06-16 13:18:14.645066852 +0200
@@ -402,6 +402,9 @@
     const char *bandwidth_ul = NULL;   /* stored bandwidth UL */
     const char *bandwidth_dl = NULL;   /* stored bandwidth DL */
 #endif
+#ifdef APPARMOR
+    const char *apparmor_hat = NULL;   /* Apparmor hat name */
+#endif
     char *escaped_account = NULL;
     char *escaped_ip = NULL;
     char *escaped_port = NULL;
@@ -651,6 +654,15 @@
         }
     }
 #endif
+#ifdef APPARMOR
+    if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
+                escaped_account, escaped_ip,
+                escaped_port, escaped_peer_ip,
+                escaped_decimal_ip)) != NULL) {
+        result->apparmor_hat = apparmor_hat;
+        apparmor_hat = NULL;
+    }
+#endif
     result->slow_tilde_expansion = 1;
     result->auth_ok = -result->auth_ok;
     bye:
@@ -681,6 +693,9 @@
     free((void *) bandwidth_ul);
     free((void *) bandwidth_dl);
 #endif
+#ifdef APPARMOR
+    free((void *) apparmor_hat);
+#endif
     free((void *) escaped_account);
     free((void *) escaped_ip);
     free((void *) escaped_port);
@@ -735,6 +750,9 @@
     ZFREE(sqlreq_getbandwidth_ul);
     ZFREE(sqlreq_getbandwidth_dl);
 #endif
+#ifdef APPARMOR
+    ZFREE(sqlreq_getapparmor_hat);
+#endif
 }
 #else
 extern signed char v6ready;
diff -ur pure-ftpd-1.0.40.org/src/log_pgsql_p.h pure-ftpd-1.0.40/src/log_pgsql_p.h
--- pure-ftpd-1.0.40.org/src/log_pgsql_p.h	2015-02-17 19:12:45.000000000 +0100
+++ pure-ftpd-1.0.40/src/log_pgsql_p.h	2015-06-16 13:13:38.658080227 +0200
@@ -28,6 +28,9 @@
 static char *sqlreq_getbandwidth_ul;
 static char *sqlreq_getbandwidth_dl;
 #endif
+#ifdef APPARMOR
+static char *sqlreq_getapparmor_hat;
+#endif
 static signed char server_down;
 
 static ConfigKeywords pgsql_config_keywords[] = {
@@ -55,6 +58,9 @@
     { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
     { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
 #endif
+#ifdef APPARMOR
+    { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
+#endif
     { NULL, NULL }
 };
 
diff -ur pure-ftpd-1.0.40.org/src/log_puredb.c pure-ftpd-1.0.40/src/log_puredb.c
--- pure-ftpd-1.0.40.org/src/log_puredb.c	2015-05-21 12:51:56.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_puredb.c	2015-06-16 13:13:38.658080227 +0200
@@ -333,6 +333,9 @@
         result->user_quota_size = strtoull(line, NULL, 10);
     }
 #endif
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) {   /* allowed local ip */
         return 0;
     }
diff -ur pure-ftpd-1.0.40.org/src/log_unix.c pure-ftpd-1.0.40/src/log_unix.c
--- pure-ftpd-1.0.40.org/src/log_unix.c	2015-05-21 12:51:38.000000000 +0200
+++ pure-ftpd-1.0.40/src/log_unix.c	2015-06-16 13:13:38.658080227 +0200
@@ -81,6 +81,9 @@
     result->uid = pw.pw_uid;
     result->gid = pw.pw_gid;
     result->dir = dir;
+#ifdef APPARMOR
+    result->apparmor_hat = NULL;
+#endif
     result->slow_tilde_expansion = 0;
     result->auth_ok = -result->auth_ok;
     return;
diff -ur pure-ftpd-1.0.40.org/src/Makefile.am pure-ftpd-1.0.40/src/Makefile.am
--- pure-ftpd-1.0.40.org/src/Makefile.am	2015-05-21 16:25:39.000000000 +0200
+++ pure-ftpd-1.0.40/src/Makefile.am	2015-06-16 13:13:38.658080227 +0200
@@ -136,6 +136,7 @@
 pure_ftpd_LDADD = \
 	libpureftpd.a \
 	../puredb/src/libpuredb_read.a \
+	-lapparmor \
 	@LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
 
 pure_ftpd_SOURCES = \
diff -ur pure-ftpd-1.0.40.org/src/messages_en.h pure-ftpd-1.0.40/src/messages_en.h
--- pure-ftpd-1.0.40.org/src/messages_en.h	2015-05-20 16:23:20.000000000 +0200
+++ pure-ftpd-1.0.40/src/messages_en.h	2015-06-16 13:13:38.658080227 +0200
@@ -57,6 +57,7 @@
 #define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
 #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
 #define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
+#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
 #define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
 #define MSG_PATH_TOO_LONG "Path too long"
 #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."
Commit	Line	Data
f129099d AM	1	diff -ur pure-ftpd-1.0.40.org/config.h.in pure-ftpd-1.0.40/config.h.in
	2	--- pure-ftpd-1.0.40.org/config.h.in 2015-06-13 16:45:49.000000000 +0200
	3	+++ pure-ftpd-1.0.40/config.h.in 2015-06-16 13:13:38.628079468 +0200
4b1c459f AM	4	@@ -3,6 +3,9 @@
	5	/* Define if building universal (internal helper macro) */
	6	#undef AC_APPLE_UNIVERSAL_BUILD
	7
	8	+/* with apparmor */
	9	+#undef APPARMOR
	10	+
	11	/* display only boring messages */
	12	#undef BORING_MODE
	13
f129099d AM	14	diff -ur pure-ftpd-1.0.40.org/configure.ac pure-ftpd-1.0.40/configure.ac
	15	--- pure-ftpd-1.0.40.org/configure.ac 2015-06-13 13:59:00.000000000 +0200
	16	+++ pure-ftpd-1.0.40/configure.ac 2015-06-16 13:13:38.628079468 +0200
	17	@@ -792,6 +792,13 @@
4b1c459f AM	18	AC_DEFINE(QUOTAS,,[with quotas])
	19	fi ])
	20
	21	+AC_ARG_WITH(apparmor,
	22	+[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
	23	+[ if test "x$withval" = "xyes" ; then
	24	+ AC_DEFINE(APPARMOR,,[with apparmor])
	25	+ LIBS="$LIBS -lapparmor"
	26	+ fi ])
	27	+
	28	AC_ARG_WITH(ftpwho,
	29	[AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
	30	[ if test "x$withval" = "xyes" ; then
f129099d AM	31	diff -ur pure-ftpd-1.0.40.org/pureftpd-mysql.conf pure-ftpd-1.0.40/pureftpd-mysql.conf
	32	--- pure-ftpd-1.0.40.org/pureftpd-mysql.conf 2015-05-21 12:18:58.000000000 +0200
	33	+++ pure-ftpd-1.0.40/pureftpd-mysql.conf 2015-06-16 13:13:38.644746557 +0200
	34	@@ -112,6 +112,9 @@
4b1c459f AM	35	# MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
4b1c459f AM	36
f129099d	37
4b1c459f AM	38	+# Optional : Apparmor Hat to use.
	39	+# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
	40	+
	41	# Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
	42	# 1) You know what you are doing.
	43	# 2) Real and virtual users match.
f129099d AM	44	diff -ur pure-ftpd-1.0.40.org/src/ftpd.c pure-ftpd-1.0.40/src/ftpd.c
	45	--- pure-ftpd-1.0.40.org/src/ftpd.c 2015-06-13 12:26:37.000000000 +0200
	46	+++ pure-ftpd-1.0.40/src/ftpd.c 2015-06-16 13:13:38.644746557 +0200
4b1c459f AM	47	@@ -18,6 +18,9 @@
	48	#ifdef QUOTAS
	49	# include "quotas.h"
	50	#endif
	51	+#ifdef APPARMOR
	52	+# include <sys/apparmor.h>
	53	+#endif
	54	#ifdef WITH_DIRALIASES
	55	# include "diraliases.h"
	56	#endif
f129099d	57	@@ -1544,6 +1547,9 @@
4b1c459f AM	58	result.ratio_download = ratio_download;
	59	result.ratio_ul_changed = result.ratio_dl_changed = 0;
	60	#endif
	61	+#ifdef APPARMOR
	62	+ result.apparmor_hat = NULL;
	63	+#endif
	64	#ifdef PER_USER_LIMITS
	65	result.per_user_max = per_user_max;
	66	#endif
f129099d	67	@@ -1982,6 +1988,16 @@
4b1c459f AM	68	# endif
	69	enablesignals();
	70	#endif
	71	+
	72	+#ifdef APPARMOR
	73	+ if (authresult.apparmor_hat != NULL) {
	74	+ if (change_hat(authresult.apparmor_hat, zrand()) < 0)
	75	+ die(421, LOG_ERR, MSG_CHROOT_FAILED);
	76	+ logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
	77	+ free(authresult.apparmor_hat);
	78	+ }
	79	+#endif
	80	+
	81	logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
	82	#ifdef FTPWHO
	83	if (shm_data_cur != NULL) {
f129099d AM	84	diff -ur pure-ftpd-1.0.40.org/src/ftpd.h pure-ftpd-1.0.40/src/ftpd.h
	85	--- pure-ftpd-1.0.40.org/src/ftpd.h 2015-05-21 10:08:42.000000000 +0200
	86	+++ pure-ftpd-1.0.40/src/ftpd.h 2015-06-16 13:13:38.644746557 +0200
4b1c459f AM	87	@@ -294,6 +294,9 @@
	88	#ifdef PER_USER_LIMITS
	89	unsigned int per_user_max;
	90	#endif
	91	+#ifdef APPARMOR
	92	+ const char *apparmor_hat;
	93	+#endif
	94	} AuthResult;
	95
	96	typedef struct PureFileInfo_ {
f129099d AM	97	diff -ur pure-ftpd-1.0.40.org/src/log_extauth.c pure-ftpd-1.0.40/src/log_extauth.c
	98	--- pure-ftpd-1.0.40.org/src/log_extauth.c 2015-02-17 19:12:45.000000000 +0100
	99	+++ pure-ftpd-1.0.40/src/log_extauth.c 2015-06-16 13:15:07.670333578 +0200
4b1c459f AM	100	@@ -215,6 +215,9 @@
	101	result->uid = (uid_t) 0;
	102	result->gid = (gid_t) 0;
	103	result->dir = NULL;
	104	+#ifdef APPARMOR_HAT
	105	+ result->apparmor_hat = NULL;
	106	+#endif
f129099d	107	result->slow_tilde_expansion = 1;
4b1c459f AM	108	auth_finalized = 0;
4b1c459f AM	109	if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
f129099d AM	110	diff -ur pure-ftpd-1.0.40.org/src/log_ldap.c pure-ftpd-1.0.40/src/log_ldap.c
	111	--- pure-ftpd-1.0.40.org/src/log_ldap.c 2015-06-11 00:26:19.000000000 +0200
	112	+++ pure-ftpd-1.0.40/src/log_ldap.c 2015-06-16 13:13:38.644746557 +0200
	113	@@ -627,6 +627,9 @@
4b1c459f AM	114	if ((result->dir = strdup(pw->pw_dir)) == NULL) {
	115	return;
	116	}
	117	+#ifdef APPARMOR
	118	+ result->apparmor_hat = NULL;
	119	+#endif
	120	result->slow_tilde_expansion = 1;
	121	result->auth_ok = 1; /* User found, authentication ok */
	122	}
f129099d AM	123	diff -ur pure-ftpd-1.0.40.org/src/log_mysql.c pure-ftpd-1.0.40/src/log_mysql.c
	124	--- pure-ftpd-1.0.40.org/src/log_mysql.c 2015-05-21 12:52:57.000000000 +0200
	125	+++ pure-ftpd-1.0.40/src/log_mysql.c 2015-06-16 13:16:21.692207444 +0200
	126	@@ -322,6 +322,9 @@
4b1c459f AM	127	const char bandwidth_ul = NULL; / stored bandwidth UL */
	128	const char bandwidth_dl = NULL; / stored bandwidth DL */
	129	#endif
	130	+#ifdef APPARMOR
	131	+ const char apparmor_hat = NULL; / Apparmor hat name */
	132	+#endif
	133	char *escaped_account = NULL;
	134	char *escaped_ip = NULL;
	135	char *escaped_port = NULL;
f129099d	136	@@ -605,6 +608,15 @@
4b1c459f AM	137	}
	138	}
	139	#endif
	140	+#ifdef APPARMOR
	141	+ if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
	142	+ escaped_account, escaped_ip,
	143	+ escaped_port, escaped_peer_ip,
	144	+ escaped_decimal_ip)) != NULL) {
	145	+ result->apparmor_hat = apparmor_hat;
	146	+ apparmor_hat = NULL;
	147	+ }
	148	+#endif
	149	result->slow_tilde_expansion = !tildexp;
	150	result->auth_ok = -result->auth_ok;
	151	bye:
f129099d	152	@@ -634,6 +646,9 @@
4b1c459f AM	153	free((void *) bandwidth_ul);
4b1c459f AM	154	free((void *) bandwidth_dl);
f129099d	155	#endif
4b1c459f AM	156	+#ifdef APPARMOR
	157	+ free((void *) apparmor_hat);
	158	+#endif
	159	free((void *) escaped_account);
	160	free((void *) escaped_ip);
	161	free((void *) escaped_port);
f129099d	162	@@ -702,6 +717,9 @@
4b1c459f	163	ZFREE(sqlreq_getbandwidth_ul);
f129099d	164	ZFREE(sqlreq_getbandwidth_dl);
4b1c459f AM	165	#endif
	166	+#ifdef APPARMOR
	167	+ ZFREE(sqlreq_getapparmor_hat);
	168	+#endif
	169	}
	170	#else
	171	extern signed char v6ready;
f129099d AM	172	diff -ur pure-ftpd-1.0.40.org/src/log_mysql_p.h pure-ftpd-1.0.40/src/log_mysql_p.h
	173	--- pure-ftpd-1.0.40.org/src/log_mysql_p.h 2015-02-17 19:12:45.000000000 +0100
	174	+++ pure-ftpd-1.0.40/src/log_mysql_p.h 2015-06-16 13:13:38.648079974 +0200
4b1c459f AM	175	@@ -38,6 +38,9 @@
	176	static char *sqlreq_getbandwidth_ul;
	177	static char *sqlreq_getbandwidth_dl;
	178	#endif
	179	+#ifdef APPARMOR
	180	+static char *sqlreq_getapparmor_hat;
	181	+#endif
	182	static signed char server_down;
	183
	184	static ConfigKeywords mysql_config_keywords[] = {
	185	@@ -68,6 +71,9 @@
	186	{ "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
	187	{ "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
	188	#endif
	189	+#ifdef APPARMOR
	190	+ { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
	191	+#endif
	192	{ NULL, NULL }
	193	};
	194
f129099d AM	195	diff -ur pure-ftpd-1.0.40.org/src/log_pam.c pure-ftpd-1.0.40/src/log_pam.c
	196	--- pure-ftpd-1.0.40.org/src/log_pam.c 2015-02-17 19:12:45.000000000 +0100
	197	+++ pure-ftpd-1.0.40/src/log_pam.c 2015-06-16 13:13:38.654746809 +0200
4b1c459f AM	198	@@ -202,6 +202,9 @@
	199	(void) pam_close_session(pamh, PAM_SILENT); /* It doesn't matter if it fails */
	200	#endif
	201	result->dir = dir;
	202	+#ifdef APPARMOR
	203	+ result->apparmor_hat = NULL;
	204	+#endif
	205	dir = NULL;
	206	result->uid = pw.pw_uid;
	207	result->gid = pw.pw_gid;
f129099d AM	208	diff -ur pure-ftpd-1.0.40.org/src/log_pgsql.c pure-ftpd-1.0.40/src/log_pgsql.c
	209	--- pure-ftpd-1.0.40.org/src/log_pgsql.c 2015-05-22 16:29:27.000000000 +0200
	210	+++ pure-ftpd-1.0.40/src/log_pgsql.c 2015-06-16 13:18:14.645066852 +0200
	211	@@ -402,6 +402,9 @@
4b1c459f AM	212	const char bandwidth_ul = NULL; / stored bandwidth UL */
	213	const char bandwidth_dl = NULL; / stored bandwidth DL */
	214	#endif
	215	+#ifdef APPARMOR
	216	+ const char apparmor_hat = NULL; / Apparmor hat name */
	217	+#endif
	218	char *escaped_account = NULL;
	219	char *escaped_ip = NULL;
	220	char *escaped_port = NULL;
f129099d	221	@@ -651,6 +654,15 @@
4b1c459f AM	222	}
4b1c459f AM	223	}
f129099d	224	#endif
4b1c459f AM	225	+#ifdef APPARMOR
4b1c459f AM	226	+ if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
f129099d AM	227	+ escaped_account, escaped_ip,
	228	+ escaped_port, escaped_peer_ip,
	229	+ escaped_decimal_ip)) != NULL) {
4b1c459f AM	230	+ result->apparmor_hat = apparmor_hat;
	231	+ apparmor_hat = NULL;
	232	+ }
	233	+#endif
4b1c459f AM	234	result->slow_tilde_expansion = 1;
	235	result->auth_ok = -result->auth_ok;
	236	bye:
f129099d	237	@@ -681,6 +693,9 @@
4b1c459f AM	238	free((void *) bandwidth_ul);
4b1c459f AM	239	free((void *) bandwidth_dl);
f129099d	240	#endif
4b1c459f AM	241	+#ifdef APPARMOR
4b1c459f AM	242	+ free((void *) apparmor_hat);
f129099d	243	+#endif
4b1c459f AM	244	free((void *) escaped_account);
	245	free((void *) escaped_ip);
	246	free((void *) escaped_port);
f129099d	247	@@ -735,6 +750,9 @@
4b1c459f	248	ZFREE(sqlreq_getbandwidth_ul);
f129099d	249	ZFREE(sqlreq_getbandwidth_dl);
4b1c459f AM	250	#endif
	251	+#ifdef APPARMOR
	252	+ ZFREE(sqlreq_getapparmor_hat);
	253	+#endif
	254	}
	255	#else
	256	extern signed char v6ready;
f129099d AM	257	diff -ur pure-ftpd-1.0.40.org/src/log_pgsql_p.h pure-ftpd-1.0.40/src/log_pgsql_p.h
	258	--- pure-ftpd-1.0.40.org/src/log_pgsql_p.h 2015-02-17 19:12:45.000000000 +0100
	259	+++ pure-ftpd-1.0.40/src/log_pgsql_p.h 2015-06-16 13:13:38.658080227 +0200
4b1c459f AM	260	@@ -28,6 +28,9 @@
	261	static char *sqlreq_getbandwidth_ul;
	262	static char *sqlreq_getbandwidth_dl;
	263	#endif
	264	+#ifdef APPARMOR
	265	+static char *sqlreq_getapparmor_hat;
	266	+#endif
	267	static signed char server_down;
	268
	269	static ConfigKeywords pgsql_config_keywords[] = {
	270	@@ -55,6 +58,9 @@
	271	{ "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
	272	{ "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
	273	#endif
	274	+#ifdef APPARMOR
	275	+ { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
	276	+#endif
	277	{ NULL, NULL }
	278	};
	279
f129099d AM	280	diff -ur pure-ftpd-1.0.40.org/src/log_puredb.c pure-ftpd-1.0.40/src/log_puredb.c
	281	--- pure-ftpd-1.0.40.org/src/log_puredb.c 2015-05-21 12:51:56.000000000 +0200
	282	+++ pure-ftpd-1.0.40/src/log_puredb.c 2015-06-16 13:13:38.658080227 +0200
	283	@@ -333,6 +333,9 @@
4b1c459f AM	284	result->user_quota_size = strtoull(line, NULL, 10);
	285	}
	286	#endif
	287	+#ifdef APPARMOR
	288	+ result->apparmor_hat = NULL;
	289	+#endif
	290	if ((line = my_strtok2(NULL, PW_LINE_SEP)) == NULL) { / allowed local ip */
	291	return 0;
	292	}
f129099d AM	293	diff -ur pure-ftpd-1.0.40.org/src/log_unix.c pure-ftpd-1.0.40/src/log_unix.c
	294	--- pure-ftpd-1.0.40.org/src/log_unix.c 2015-05-21 12:51:38.000000000 +0200
	295	+++ pure-ftpd-1.0.40/src/log_unix.c 2015-06-16 13:13:38.658080227 +0200
	296	@@ -81,6 +81,9 @@
4b1c459f AM	297	result->uid = pw.pw_uid;
	298	result->gid = pw.pw_gid;
	299	result->dir = dir;
	300	+#ifdef APPARMOR
	301	+ result->apparmor_hat = NULL;
	302	+#endif
	303	result->slow_tilde_expansion = 0;
	304	result->auth_ok = -result->auth_ok;
	305	return;
f129099d AM	306	diff -ur pure-ftpd-1.0.40.org/src/Makefile.am pure-ftpd-1.0.40/src/Makefile.am
	307	--- pure-ftpd-1.0.40.org/src/Makefile.am 2015-05-21 16:25:39.000000000 +0200
	308	+++ pure-ftpd-1.0.40/src/Makefile.am 2015-06-16 13:13:38.658080227 +0200
	309	@@ -136,6 +136,7 @@
4b1c459f AM	310	pure_ftpd_LDADD = \
	311	libpureftpd.a \
	312	../puredb/src/libpuredb_read.a \
	313	+ -lapparmor \
	314	@LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
	315
	316	pure_ftpd_SOURCES = \
f129099d AM	317	diff -ur pure-ftpd-1.0.40.org/src/messages_en.h pure-ftpd-1.0.40/src/messages_en.h
	318	--- pure-ftpd-1.0.40.org/src/messages_en.h 2015-05-20 16:23:20.000000000 +0200
	319	+++ pure-ftpd-1.0.40/src/messages_en.h 2015-06-16 13:13:38.658080227 +0200
4b1c459f AM	320	@@ -57,6 +57,7 @@
	321	#define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
	322	#define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
	323	#define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
	324	+#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
	325	#define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
	326	#define MSG_PATH_TOO_LONG "Path too long"
	327	#define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."