- rel 2; add apparmor hat change support auto/th/pure-ftpd-1.0.36-2
authorArkadiusz Miśkiewicz <arekm@maven.pl>
Mon, 4 Nov 2013 14:42:49 +0000 (15:42 +0100)
committerArkadiusz Miśkiewicz <arekm@maven.pl>
Mon, 4 Nov 2013 14:42:49 +0000 (15:42 +0100)
pure-ftpd-apparmor.patch [new file with mode: 0644]
pure-ftpd.spec

diff --git a/pure-ftpd-apparmor.patch b/pure-ftpd-apparmor.patch
new file mode 100644 (file)
index 0000000..e8e6b32
--- /dev/null
@@ -0,0 +1,330 @@
+diff -urN pure-ftpd-1.0.36.org/config.h.in pure-ftpd-1.0.36/config.h.in
+--- pure-ftpd-1.0.36.org/config.h.in   2012-03-21 21:18:18.000000000 +0100
++++ pure-ftpd-1.0.36/config.h.in       2013-11-04 13:58:22.321640365 +0100
+@@ -3,6 +3,9 @@
+ /* Define if building universal (internal helper macro) */
+ #undef AC_APPLE_UNIVERSAL_BUILD
++/* with apparmor */
++#undef APPARMOR
++
+ /* display only boring messages */
+ #undef BORING_MODE
+diff -urN pure-ftpd-1.0.36.org/configure.ac pure-ftpd-1.0.36/configure.ac
+--- pure-ftpd-1.0.36.org/configure.ac  2012-03-16 06:28:21.000000000 +0100
++++ pure-ftpd-1.0.36/configure.ac      2013-11-04 13:58:22.321640365 +0100
+@@ -770,6 +770,13 @@
+     AC_DEFINE(QUOTAS,,[with quotas])
+   fi ])
++AC_ARG_WITH(apparmor,
++[AS_HELP_STRING(--with-apparmorquotas,Support changing Apparmor Hats)],
++[ if test "x$withval" = "xyes" ; then
++    AC_DEFINE(APPARMOR,,[with apparmor])
++    LIBS="$LIBS -lapparmor"
++  fi ])
++
+ AC_ARG_WITH(ftpwho,
+ [AS_HELP_STRING(--with-ftpwho,Support for pure-ftpwho)],
+ [ if test "x$withval" = "xyes" ; then
+diff -urN pure-ftpd-1.0.36.org/pureftpd-mysql.conf pure-ftpd-1.0.36/pureftpd-mysql.conf
+--- pure-ftpd-1.0.36.org/pureftpd-mysql.conf   2013-11-04 12:08:09.315380763 +0100
++++ pure-ftpd-1.0.36/pureftpd-mysql.conf       2013-11-04 13:58:22.324973813 +0100
+@@ -114,6 +114,9 @@
+ # MySQLGetBandwidthUL SELECT ULBandwidth FROM users WHERE User='\L'
+ # MySQLGetBandwidthDL SELECT DLBandwidth FROM users WHERE User='\L'
++# Optional : Apparmor Hat to use.
++# MYSQLGetApparmorHat SELECT hat FROM users WHERE User='\L'
++
+ # Enable ~ expansion. NEVER ENABLE THIS BLINDLY UNLESS :
+ # 1) You know what you are doing.
+ # 2) Real and virtual users match.
+diff -urN pure-ftpd-1.0.36.org/src/ftpd.c pure-ftpd-1.0.36/src/ftpd.c
+--- pure-ftpd-1.0.36.org/src/ftpd.c    2013-11-04 12:08:09.322047659 +0100
++++ pure-ftpd-1.0.36/src/ftpd.c        2013-11-04 15:40:16.000000000 +0100
+@@ -18,6 +18,9 @@
+ #ifdef QUOTAS
+ # include "quotas.h"
+ #endif
++#ifdef APPARMOR
++# include <sys/apparmor.h>
++#endif
+ #ifdef WITH_DIRALIASES
+ # include "diraliases.h"
+ #endif
+@@ -1541,6 +1544,9 @@
+         result.ratio_download = ratio_download;
+         result.ratio_ul_changed = result.ratio_dl_changed = 0;
+ #endif
++#ifdef APPARMOR
++        result.apparmor_hat = NULL;
++#endif
+ #ifdef PER_USER_LIMITS
+         result.per_user_max = per_user_max;
+ #endif
+@@ -1986,6 +1992,16 @@
+ # endif
+     enablesignals();
+ #endif
++
++#ifdef APPARMOR
++    if (authresult.apparmor_hat != NULL) {
++        if (change_hat(authresult.apparmor_hat, zrand()) < 0)
++            die(421, LOG_ERR, MSG_CHROOT_FAILED);
++        logfile(LOG_INFO, MSG_APPARMOR_HAT, account, authresult.apparmor_hat);
++        free(authresult.apparmor_hat);
++    }
++#endif
++
+     logfile(LOG_INFO, MSG_IS_NOW_LOGGED_IN, account);
+ #ifdef FTPWHO
+     if (shm_data_cur != NULL) {
+diff -urN pure-ftpd-1.0.36.org/src/ftpd.h pure-ftpd-1.0.36/src/ftpd.h
+--- pure-ftpd-1.0.36.org/src/ftpd.h    2012-03-16 02:01:37.000000000 +0100
++++ pure-ftpd-1.0.36/src/ftpd.h        2013-11-04 15:05:10.000000000 +0100
+@@ -294,6 +294,9 @@
+ #ifdef PER_USER_LIMITS
+     unsigned int per_user_max;
+ #endif
++#ifdef APPARMOR
++    const char *apparmor_hat;
++#endif
+ } AuthResult;
+ typedef struct PureFileInfo_ {
+diff -urN pure-ftpd-1.0.36.org/src/log_extauth.c pure-ftpd-1.0.36/src/log_extauth.c
+--- pure-ftpd-1.0.36.org/src/log_extauth.c     2012-03-21 21:16:26.000000000 +0100
++++ pure-ftpd-1.0.36/src/log_extauth.c 2013-11-04 15:05:10.000000000 +0100
+@@ -215,6 +215,9 @@
+     result->uid = (uid_t) 0;
+     result->gid = (gid_t) 0;
+     result->dir = NULL;
++#ifdef APPARMOR_HAT
++    result->apparmor_hat = NULL;
++#endif
+     result->slow_tilde_expansion = 1;    
+     auth_finalized = 0;
+     if ((readnb = safe_read(kindy, line, sizeof line - 1U)) <= (ssize_t) 0) {
+diff -urN pure-ftpd-1.0.36.org/src/log_ldap.c pure-ftpd-1.0.36/src/log_ldap.c
+--- pure-ftpd-1.0.36.org/src/log_ldap.c        2012-03-16 02:01:37.000000000 +0100
++++ pure-ftpd-1.0.36/src/log_ldap.c    2013-11-04 15:05:10.000000000 +0100
+@@ -557,6 +557,9 @@
+     if ((result->dir = strdup(pw->pw_dir)) == NULL) {
+         return;
+     }
++#ifdef APPARMOR
++    result->apparmor_hat = NULL;
++#endif
+     result->slow_tilde_expansion = 1;
+     result->auth_ok = 1;            /* User found, authentication ok */
+ }
+diff -urN pure-ftpd-1.0.36.org/src/log_mysql.c pure-ftpd-1.0.36/src/log_mysql.c
+--- pure-ftpd-1.0.36.org/src/log_mysql.c       2013-11-04 12:08:09.315380763 +0100
++++ pure-ftpd-1.0.36/src/log_mysql.c   2013-11-04 15:05:10.000000000 +0100
+@@ -317,6 +317,9 @@
+     const char *bandwidth_ul = NULL;   /* stored bandwidth UL */
+     const char *bandwidth_dl = NULL;   /* stored bandwidth DL */
+ #endif
++#ifdef APPARMOR
++    const char *apparmor_hat = NULL;    /* Apparmor hat name */
++#endif
+     char *escaped_account = NULL;
+     char *escaped_ip = NULL;
+     char *escaped_port = NULL;
+@@ -595,6 +598,15 @@
+         }
+     }
+ #endif
++#ifdef APPARMOR
++    if ((apparmor_hat = pw_mysql_getquery(id_sql_server, sqlreq_getapparmor_hat,
++                                          escaped_account, escaped_ip,
++                                          escaped_port, escaped_peer_ip,
++                                          escaped_decimal_ip)) != NULL) {
++        result->apparmor_hat = apparmor_hat;
++        apparmor_hat = NULL;
++    }
++#endif
+     result->slow_tilde_expansion = !tildexp;
+     result->auth_ok = -result->auth_ok;
+     bye:
+@@ -624,6 +636,9 @@
+     free((void *) bandwidth_ul);
+     free((void *) bandwidth_dl);
+ #endif    
++#ifdef APPARMOR
++    free((void *) apparmor_hat);
++#endif
+     free((void *) escaped_account);
+     free((void *) escaped_ip);
+     free((void *) escaped_port);
+@@ -692,6 +707,9 @@
+     ZFREE(sqlreq_getbandwidth_ul);
+     ZFREE(sqlreq_getbandwidth_dl);    
+ #endif
++#ifdef APPARMOR
++    ZFREE(sqlreq_getapparmor_hat);
++#endif
+ }
+ #else
+ extern signed char v6ready;
+diff -urN pure-ftpd-1.0.36.org/src/log_mysql_p.h pure-ftpd-1.0.36/src/log_mysql_p.h
+--- pure-ftpd-1.0.36.org/src/log_mysql_p.h     2011-04-17 17:24:58.000000000 +0200
++++ pure-ftpd-1.0.36/src/log_mysql_p.h 2013-11-04 15:05:10.000000000 +0100
+@@ -38,6 +38,9 @@
+ static char *sqlreq_getbandwidth_ul;
+ static char *sqlreq_getbandwidth_dl;
+ #endif
++#ifdef APPARMOR
++static char *sqlreq_getapparmor_hat;
++#endif
+ static signed char server_down;
+ static ConfigKeywords mysql_config_keywords[] = {
+@@ -68,6 +71,9 @@
+     { "MYSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
+     { "MYSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
+ #endif
++#ifdef APPARMOR
++    { "MYSQLGetApparmorHat", &sqlreq_getapparmor_hat },
++#endif
+     { NULL, NULL }
+ };
+diff -urN pure-ftpd-1.0.36.org/src/log_pam.c pure-ftpd-1.0.36/src/log_pam.c
+--- pure-ftpd-1.0.36.org/src/log_pam.c 2011-04-17 17:05:54.000000000 +0200
++++ pure-ftpd-1.0.36/src/log_pam.c     2013-11-04 15:05:10.000000000 +0100
+@@ -202,6 +202,9 @@
+     (void) pam_close_session(pamh, PAM_SILENT);   /* It doesn't matter if it fails */
+ #endif
+     result->dir = dir;
++#ifdef APPARMOR
++    result->apparmor_hat = NULL;
++#endif
+     dir = NULL;
+     result->uid = pw.pw_uid;
+     result->gid = pw.pw_gid;
+diff -urN pure-ftpd-1.0.36.org/src/log_pgsql.c pure-ftpd-1.0.36/src/log_pgsql.c
+--- pure-ftpd-1.0.36.org/src/log_pgsql.c       2013-11-04 12:08:09.318714211 +0100
++++ pure-ftpd-1.0.36/src/log_pgsql.c   2013-11-04 15:05:10.000000000 +0100
+@@ -397,6 +397,9 @@
+     const char *bandwidth_ul = NULL;   /* stored bandwidth UL */
+     const char *bandwidth_dl = NULL;   /* stored bandwidth DL */
+ #endif
++#ifdef APPARMOR
++    const char *apparmor_hat = NULL;   /* Apparmor hat name */
++#endif
+     char *escaped_account = NULL;
+     char *escaped_ip = NULL;
+     char *escaped_port = NULL;
+@@ -639,6 +642,16 @@
+         }
+     }
+ #endif    
++#ifdef APPARMOR
++    if ((apparmor_hat = pw_pgsql_getquery(id_sql_server, sqlreq_getapparmor_hat,
++                                          escaped_account, escaped_ip,
++                                          escaped_port, escaped_peer_ip,
++                                          escaped_decimal_ip)) != NULL) {
++        result->apparmor_hat = apparmor_hat;
++        apparmor_hat = NULL;
++    }
++#endif
++
+     result->slow_tilde_expansion = 1;
+     result->auth_ok = -result->auth_ok;
+     bye:
+@@ -668,7 +681,10 @@
+ #ifdef THROTTLING
+     free((void *) bandwidth_ul);
+     free((void *) bandwidth_dl);
+-#endif    
++#endif  
++#ifdef APPARMOR
++    free((void *) apparmor_hat);
++#endif  
+     free((void *) escaped_account);
+     free((void *) escaped_ip);
+     free((void *) escaped_port);
+@@ -723,6 +739,9 @@
+     ZFREE(sqlreq_getbandwidth_ul);
+     ZFREE(sqlreq_getbandwidth_dl);    
+ #endif
++#ifdef APPARMOR
++    ZFREE(sqlreq_getapparmor_hat);
++#endif
+ }
+ #else
+ extern signed char v6ready;
+diff -urN pure-ftpd-1.0.36.org/src/log_pgsql_p.h pure-ftpd-1.0.36/src/log_pgsql_p.h
+--- pure-ftpd-1.0.36.org/src/log_pgsql_p.h     2011-04-17 17:05:54.000000000 +0200
++++ pure-ftpd-1.0.36/src/log_pgsql_p.h 2013-11-04 15:05:10.000000000 +0100
+@@ -28,6 +28,9 @@
+ static char *sqlreq_getbandwidth_ul;
+ static char *sqlreq_getbandwidth_dl;
+ #endif
++#ifdef APPARMOR
++static char *sqlreq_getapparmor_hat;
++#endif
+ static signed char server_down;
+ static ConfigKeywords pgsql_config_keywords[] = {
+@@ -55,6 +58,9 @@
+     { "PGSQLGetBandwidthUL", &sqlreq_getbandwidth_ul },
+     { "PGSQLGetBandwidthDL", &sqlreq_getbandwidth_dl },
+ #endif
++#ifdef APPARMOR
++    { "PGSQLGetApparmorHat", &sqlreq_getapparmor_hat },
++#endif
+     { NULL, NULL }
+ };
+diff -urN pure-ftpd-1.0.36.org/src/log_puredb.c pure-ftpd-1.0.36/src/log_puredb.c
+--- pure-ftpd-1.0.36.org/src/log_puredb.c      2012-03-16 02:01:37.000000000 +0100
++++ pure-ftpd-1.0.36/src/log_puredb.c  2013-11-04 15:05:10.000000000 +0100
+@@ -305,6 +305,9 @@
+         result->user_quota_size = strtoull(line, NULL, 10);
+     }
+ #endif
++#ifdef APPARMOR
++    result->apparmor_hat = NULL;
++#endif
+     if ((line = my_strtok2(NULL, *PW_LINE_SEP)) == NULL) {   /* allowed local ip */
+         return 0;
+     }
+diff -urN pure-ftpd-1.0.36.org/src/log_unix.c pure-ftpd-1.0.36/src/log_unix.c
+--- pure-ftpd-1.0.36.org/src/log_unix.c        2011-04-17 17:05:54.000000000 +0200
++++ pure-ftpd-1.0.36/src/log_unix.c    2013-11-04 15:05:10.000000000 +0100
+@@ -80,6 +80,9 @@
+     result->uid = pw.pw_uid;
+     result->gid = pw.pw_gid;
+     result->dir = dir;
++#ifdef APPARMOR
++    result->apparmor_hat = NULL;
++#endif
+     result->slow_tilde_expansion = 0;
+     result->auth_ok = -result->auth_ok;
+     return;
+diff -urN pure-ftpd-1.0.36.org/src/Makefile.am pure-ftpd-1.0.36/src/Makefile.am
+--- pure-ftpd-1.0.36.org/src/Makefile.am       2012-03-16 02:01:37.000000000 +0100
++++ pure-ftpd-1.0.36/src/Makefile.am   2013-11-04 13:58:22.324973813 +0100
+@@ -133,6 +133,7 @@
+ pure_ftpd_LDADD = \
+       libpureftpd.a \
+       ../puredb/src/libpuredb_read.a \
++      -lapparmor \
+       @LDAP_SSL_LIBS@ @GETLOADAVG_LIBS@ @BONJOUR_LDADD@
+ pure_ftpd_SOURCES = \
+diff -urN pure-ftpd-1.0.36.org/src/messages_en.h pure-ftpd-1.0.36/src/messages_en.h
+--- pure-ftpd-1.0.36.org/src/messages_en.h     2012-03-16 02:01:37.000000000 +0100
++++ pure-ftpd-1.0.36/src/messages_en.h 2013-11-04 15:05:10.000000000 +0100
+@@ -57,6 +57,7 @@
+ #define MSG_CURRENT_DIR_IS "OK. Current directory is %s"
+ #define MSG_CURRENT_RESTRICTED_DIR_IS "OK. Current restricted directory is %s"
+ #define MSG_IS_NOW_LOGGED_IN "%s is now logged in"
++#define MSG_APPARMOR_HAT "User %s apparmor hat is %s"
+ #define MSG_CANT_CHANGE_DIR "Can't change directory to %s"
+ #define MSG_PATH_TOO_LONG "Path too long"
+ #define MSG_CANT_PASV "You cannot use PASV on IPv6 connections. Use EPSV instead."
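Review bot: The guard added in src/log_extauth.c is `#ifdef APPARMOR_HAT`, but configure.ac defines `APPARMOR` and every other file in this patch tests `APPARMOR`, so that initialisation is never compiled; it should read `#ifdef APPARMOR`. The `result.apparmor_hat = NULL;` added in the first src/ftpd.c hunk may already cover the external-auth path, but its enclosing function lies outside the hunk; if it does not, the login block would hand an uninitialised pointer to `change_hat()` and `free()`. In that login block a failed hat change is reported with `MSG_CHROOT_FAILED`, which points whoever reads the log at the wrong subsystem; a dedicated message defined next to `MSG_APPARMOR_HAT` would make a confinement failure recognisable. src/Makefile.am adds `-lapparmor` to `pure_ftpd_LDADD` unconditionally although configure.ac already appends it to `LIBS` only under `--with-apparmor`, so a build without the option still links the library, and the help string names the option `--with-apparmorquotas`. Only the MySQL and PostgreSQL backends ever set a hat, while the LDAP, PAM, PureDB and Unix hunks set `apparmor_hat = NULL`, so those sessions stay in the parent profile; the configuration comment should say that so operators do not assume every login is confined.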
index 3a67943550645d20e85f4464faa99966bde3be08..608ef64bb6fa28b3df83997210e76295fca332c0 100644 (file)
@@ -9,7 +9,7 @@
 %bcond_without tls             # disable SSL/TLS support
 %bcond_without cap             # disable capabilities
 
-%define        rel     1
+%define        rel     2
 Summary:       Small, fast and secure FTP server
 Summary(pl.UTF-8):     Mały, szybki i bezpieczny serwer FTP
 Name:          pure-ftpd
@@ -35,6 +35,7 @@ Patch4:               %{name}-allauth.patch
 Patch5:                %{name}-passwd_location.patch
 Patch6:                %{name}-additionalgid.patch
 Patch7:                audit_cap.patch
+Patch8:                pure-ftpd-apparmor.patch
 URL:           http://www.pureftpd.org/
 %{?with_extra:BuildRequires:   autoconf}
 %{?with_extra:BuildRequires:   automake}
@@ -43,6 +44,7 @@ URL:          http://www.pureftpd.org/
 %{?with_mysql:BuildRequires:   mysql-devel}
 %{?with_ldap:BuildRequires:    openldap-devel >= 2.3.0}
 %{?with_tls:BuildRequires:     openssl-devel}
+BuildRequires: libapparmor-devel
 BuildRequires: pam-devel
 %{?with_pgsql:BuildRequires:   postgresql-devel}
 BuildRequires: rpmbuild(macros) >= 1.304
@@ -102,6 +104,7 @@ Ten pakiet zawiera schemat Pure-FTPd pureftpd.schema dla openldapa.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 
 %{?with_extra:%patch1 -p1}
 %{?with_extra:%patch2 -p1}
@@ -133,7 +136,8 @@ Ten pakiet zawiera schemat Pure-FTPd pureftpd.schema dla openldapa.
        %{?with_tls:--with-tls --with-certfile=%{_sharedstatedir}/openssl/certs/ftpd.pem} \
        --with-uploadscript \
        --with-virtualchroot \
-       --with-virtualhosts
+       --with-virtualhosts \
+       --with-apparmor
 
 %if %{with extra}
 cd pure-config
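Review bot: `--with-apparmor` here and `BuildRequires: libapparmor-devel` in the `@@ -43,6 +44,7 @@` hunk are added unconditionally, while the other optional features of this spec are gated by build conditionals such as `%bcond_without tls` and `%bcond_without cap`. Declaring `%bcond_without apparmor` and writing `%{?with_apparmor:BuildRequires:	libapparmor-devel}` and `%{?with_apparmor:--with-apparmor}` would keep the feature on by default and still allow a build on systems without the library. The `%configure` invocation starts above this hunk, so the exact placement of the conditional argument needs checking against the full command.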