Accepting request 876389 from Base:System

OBS-URL: https://build.opensuse.org/request/show/876389
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/hostapd?expand=0&rev=40

apparmor-usr.sbin.hostapd

@@ -0,0 +1,31 @@
+abi <abi/3.0>,
+
+#include <tunables/global>
+
+profile hostapd /usr/sbin/hostapd {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability net_admin,
+  capability net_raw,
+  network packet,
+  network raw,
+
+  # for RADIUS
+  network inet dgram,
+  network inet6 dgram,
+
+  # grant read access to config files
+  /etc/hostapd.* r,
+
+  /etc/libnl/classid r,
+
+  #/proc/*/net/psched r,
+
+  # grant access to RFKILL control device
+  /dev/rfkill rw,
+
+  /run/hostapd/ rw,
+  /run/hostapd/* rw,
+
+}

hostapd.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Feb 23 19:33:56 UTC 2021 - Michael Ströder <michael@stroeder.com>
+
+- added AppArmor profile (source apparmor-usr.sbin.hostapd)
+
 -------------------------------------------------------------------
 Tue Sep 29 12:52:10 UTC 2020 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
 

hostapd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package hostapd
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,8 @@
 #
 
 
+%bcond_without  apparmor
+
 Name:           hostapd
 Version:        2.9
 Release:        0
@@ -29,6 +31,7 @@ Source1:        https://w1.fi/releases/hostapd-%{version}.tar.gz.asc
 Source2:        %{name}.keyring
 Source3:        config
 Source4:        hostapd.service
+Source5:        apparmor-usr.sbin.hostapd
 Patch1:         CVE-2019-16275.patch
 Patch2:         CVE-2020-12695.patch
 BuildRequires:  libnl3-devel
@@ -38,6 +41,11 @@ BuildRequires:  sqlite3-devel
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
+%if %{with apparmor}
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+Recommends:     apparmor-abstractions
+%endif
 
 %description
 hostapd is a user space daemon for access point and authentication
@@ -74,12 +82,20 @@ install -m 644 hostapd.vlan %{buildroot}%{_sysconfdir}
 install -m 600 hostapd.wpa_psk %{buildroot}%{_sysconfdir}
 install -m 644 hostapd.8 %{buildroot}/%{_mandir}/man8
 install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/hostapd.service
+%if %{with apparmor}
+# AppArmor profile
+mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d
+install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/apparmor.d/usr.sbin.hostapd
+%endif
 
 %pre
 %service_add_pre hostapd.service
 
 %post
 %service_add_post hostapd.service
+%if %{with apparmor}
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.sbin.hostapd
+%endif
 
 %preun
 %service_del_preun hostapd.service
@@ -89,6 +105,10 @@ install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/hostapd.service
 
 %files
 %config(noreplace) %{_sysconfdir}/hostapd.*
+%if %{with apparmor}
+%dir %{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/usr.sbin.hostapd
+%endif
 %{_sbindir}/*
 %license COPYING
 %doc hostapd/ChangeLog hostapd/README hostapd/wired.conf hostapd/hostapd.conf