platform: added support for apparmor and signed kernel

itsManjeet · Jul 29, 2024 · 638b48f · 638b48f
1 parent f089ee0
commit 638b48f
Show file tree

Hide file tree

Showing 6 changed files with 336 additions and 12 deletions.
diff --git a/elements/components/apache.yml b/elements/components/apache.yml
@@ -1,5 +1,5 @@
 id: apache
-version: 2.4.57
+version: 2.4.62
 about: Apache HTTP server version 2.4.x
 
 configure: >
@@ -8,8 +8,8 @@ configure: >
   --enable-mods-shared="all cgi"
   --enable-mpms-shared=all
   --enable-suexec=shared
-  --with-apr=/usr/bin/apr-1-config
-  --with-apr-util=/usr/bin/apu-1-config
+  --with-apr=%{bindir}/apr-1-config
+  --with-apr-util=%{bindir}/apu-1-config
   --with-suexec-bin=/usr/lib/httpd/suexec
   --with-suexec-caller=apache
   --with-suexec-docroot=/srv/www
@@ -19,20 +19,29 @@ configure: >
 
 post-script: |
   install -v -d -m 0755 %{install-root}/run/httpd
-  # mv -v %{install-root}/usr/bin/suexec %{install-root}/usr/lib/httpd/suexec
+  # mv -v %{install-root}%{bindir}/suexec %{install-root}/usr/lib/httpd/suexec
   # chgrp 25 %{install-root}/usr/lib/httpd/suexec
   # chmod 4754 %{install-root}/usr/lib/httpd/suexec
-  install -v -d -m 0755 -o 25 -g 25 %{install-root}/srv/www
+  # install -v -d -m 0755 -o 25 -g 25 %{install-root}/srv/www
   #install -v -D -m 0644 /files/apache/service %{install-root}/usr/lib/systemd/system/httpd.service
 
 depends:
   - components/apr.yml
-  # - components/apr-utils.yml
+  - components/apr-util.yml
   - components/pcre.yml
   - components/openssl.yml
   - components/libxml2.yml
 sources:
-  - https://downloads.apache.org/httpd/httpd-%{version}.tar.gz
+  - https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
+  - patches/apache/httpd-%{version}-RLXOS_layout-1.patch
 pre-script: |
-  patch -Np1 -i /files/apache/layout-%{version}.patch
+  patch -Np1 -i httpd-%{version}-RLXOS_layout-1.patch
   sed '/dir.*CFG_PREFIX/s@^@#@' -i support/apxs.in
+
+  sed -e '/HTTPD_ROOT/s:${ap_prefix}:/etc/httpd:'       \
+      -e '/SERVER_CONFIG_FILE/s:${rel_sysconfdir}/::'   \
+      -e '/AP_TYPES_CONFIG_FILE/s:${rel_sysconfdir}/::' \
+      -i configure
+
+  sed -e '/encoding.h/a # include <libxml/xmlstring.h>' \
+      -i modules/filters/mod_xml2enc.c 
diff --git a/elements/components/apparmor.yml b/elements/components/apparmor.yml
@@ -0,0 +1,39 @@
+id: apparmor
+version: 3.1.7
+about: Mandatory Access Control (MAC) using Linux Security Module (LSM)
+
+script: |-
+  (
+    cd libraries/libapparmor
+    ./configure --prefix=%{prefix} --sbindir=%{bindir} --with-python
+    make $MAKEFLAGS
+  )
+
+  for target in binutils parser profiles utils changehat/pam_apparmor changehat/mod_apparmor utils/vim ; do
+    make -C $target
+  done
+
+  make -C libraries/libapparmor DESTDIR="%{install-root}" install
+  make -C changehat/pam_apparmor DESTDIR="%{install-root}%{prefix}" install
+  make -C changehat/mod_apparmor DESTDIR="%{install-root}" install
+  make -C binutils DESTDIR="%{install-root}" SBINDIR="%{install-root}%{bindir}" USR_SBINDIR="%{install-root}%{bindir}" install
+  make -C parser -j1 DESTDIR="%{install-root}" SBINDIR="%{install-root}%{bindir}" USR_SBINDIR="%{install-root}%{bindir}" APPARMOR_BIN_PREFIX="%{install-root}%{libdir}/apparmor" install install-systemd
+  make -C profiles DESTDIR="%{install-root}" install
+  make -C utils DESTDIR="%{install-root}" SBINDIR="%{install-root}%{bindir}" USR_SBINDIR="%{install-root}%{bindir}" BINDIR="%{install-root}%{bindir}" VIM_INSTALL_PATH="%{install-root}%{datadir}/vim/vimfiles/syntax" install
+
+
+depends:
+  - components/audit.yml
+  - components/bash.yml
+  - components/libgcc.yml
+  - components/pam.yml
+  - components/python.yml
+  - components/py/py-notify2.yml
+  - components/py/py-psutil.yml
+
+build-depends:
+  - components/apache.yml
+  - components/py/py-setuptools.yml
+
+sources:
+  - https://launchpad.net/apparmor/%{version:2}/%{version}/+download/apparmor-%{version}.tar.gz
diff --git a/elements/components/apr.yml b/elements/components/apr.yml
@@ -13,4 +13,4 @@ depends:
   - components/gdbm.yml
   - components/sqlite.yml
 sources:
-  - http://www.apache.org/dist/apr/apr-%{version}.tar.bz2
+  - https://archive.apache.org/dist/apr/apr-%{version}.tar.bz2
diff --git a/elements/components/py/py-notify2.yml b/elements/components/py/py-notify2.yml
@@ -0,0 +1,13 @@
+id: py-notify2
+version: 0.3.1
+about: Python interface to DBus notifications
+
+depends:
+  - components/python.yml
+  - components/py/py-dbus.yml
+
+build-depends:
+  - components/py/py-setuptools.yml
+
+sources:
+  - https://files.pythonhosted.org/packages/source/n/notify2/notify2-%{version}.tar.gz
diff --git a/elements/kernel/linux.yml b/elements/kernel/linux.yml
@@ -834,10 +834,11 @@ script: |-
   enable MODULES
   enable MODULE_UNLOAD
 
-  enable MODULE_SIG_FORMAT
+  
   enable MODULE_SIG
   remove MODULE_SIG_ALL
   enable MODULE_SIG_SHA512
+  enable MODULE_SIG_FORMAT
   value_str MODULE_SIG_HASH "sha512"
   enable MODULE_COMPRESS_NONE
   value_str MODPROBE_PATH "/usr/sbin/modprobe"
@@ -7788,6 +7789,8 @@ script: |-
   value SECURITY_SELINUX_SIDTAB_HASH_BITS 9
   value SECURITY_SELINUX_SID2STR_CACHE_SIZE 256
   enable SECURITY_YAMA
+  enable SECURITY_APPARMOR
+
   enable SECURITY_LOCKDOWN_LSM
   enable SECURITY_LOCKDOWN_LSM_EARLY
   enable LOCK_DOWN_KERNEL_FORCE_NONE
@@ -7819,7 +7822,7 @@ script: |-
   enable EVM
   enable EVM_ATTR_FSUUID
   enable DEFAULT_SECURITY_SELINUX
-  value_str LSM "lockdown,yama,integrity,selinux,bpf,landlock"
+  value_str LSM "lockdown,lockdown,yama,integrity,apparmor,bpf"
 
   #
   # Kernel hardening options
@@ -8078,7 +8081,8 @@ script: |-
   #
   # Certificates for signature checking
   #
-  value_str MODULE_SIG_KEY ""
+  value_str MODULE_SIG_KEY "/files/sign-keys/linux-module-cert.key"
+  enable MODULE_SIG_KEY_TYPE_ECDSA
   enable SYSTEM_TRUSTED_KEYRING
   value_str SYSTEM_TRUSTED_KEYS "/files/sign-keys/linux-module-cert.crt"
   enable SYSTEM_EXTRA_CERTIFICATE