From c26713ccf7e29f7204d2cfffd37f8dcac5c8f4a0 Mon Sep 17 00:00:00 2001
From: Thom Pol
Date: Fri, 18 Mar 2022 23:34:27 +0100
Subject: [PATCH] Add function to configure AppArmor (needed to allow use of /etc/bind for zone files) (#6701)
---
 install/dist/conf/centos52.conf.php | 3 +++
 install/dist/conf/centos53.conf.php | 3 +++
 install/dist/conf/centos70.conf.php | 3 +++
 install/dist/conf/centos72.conf.php | 3 +++
 install/dist/conf/centos80.conf.php | 3 +++
 install/dist/conf/debian100.conf.php | 3 +++
 install/dist/conf/debian110.conf.php | 3 +++
 install/dist/conf/debian40.conf.php | 3 +++
 install/dist/conf/debian60.conf.php | 3 +++
 install/dist/conf/debian90.conf.php | 3 +++
 install/dist/conf/debiantesting.conf.php | 3 +++
 install/dist/conf/fedora32.conf.php | 3 +++
 install/dist/conf/fedora33.conf.php | 3 +++
 install/dist/conf/fedora9.conf.php | 3 +++
 install/dist/conf/gentoo.conf.php | 3 +++
 install/dist/conf/opensuse110.conf.php | 3 +++
 install/dist/conf/opensuse112.conf.php | 3 +++
 install/dist/conf/ubuntu1604.conf.php | 3 +++
 install/dist/conf/ubuntu1710.conf.php | 3 +++
 install/dist/conf/ubuntu1804.conf.php | 3 +++
 install/dist/conf/ubuntu2004.conf.php | 3 +++
 install/install.php | 6 ++++++
 install/lib/installer_base.lib.php | 8 ++++++++
 install/tpl/apparmor_usr.sbin.named | 2 ++
 install/update.php | 6 ++++++
 25 files changed, 85 insertions(+)
 create mode 100644 install/tpl/apparmor_usr.sbin.named
diff --git a/install/dist/conf/centos52.conf.php b/install/dist/conf/centos52.conf.php
index 6dff93f65f..9a7e2d0cad 100644
--- a/install/dist/conf/centos52.conf.php
+++ b/install/dist/conf/centos52.conf.php
@@ -221,4 +221,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/centos53.conf.php b/install/dist/conf/centos53.conf.php
index 6dff93f65f..9a7e2d0cad 100644
--- a/install/dist/conf/centos53.conf.php
+++ b/install/dist/conf/centos53.conf.php
@@ -221,4 +221,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/centos70.conf.php b/install/dist/conf/centos70.conf.php
index 0465e5618a..efe166e079 100644
--- a/install/dist/conf/centos70.conf.php
+++ b/install/dist/conf/centos70.conf.php
@@ -221,4 +221,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/centos72.conf.php b/install/dist/conf/centos72.conf.php
index 8bb2ca5239..f4a3c937ba 100644
--- a/install/dist/conf/centos72.conf.php
+++ b/install/dist/conf/centos72.conf.php
@@ -224,4 +224,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/centos80.conf.php b/install/dist/conf/centos80.conf.php
index 36e85e02d2..1a354d3644 100644
--- a/install/dist/conf/centos80.conf.php
+++ b/install/dist/conf/centos80.conf.php
@@ -224,4 +224,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/debian100.conf.php b/install/dist/conf/debian100.conf.php
index b6b0dc4135..30f483980a 100644
--- a/install/dist/conf/debian100.conf.php
+++ b/install/dist/conf/debian100.conf.php
@@ -236,4 +236,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/debian110.conf.php b/install/dist/conf/debian110.conf.php
index 10f57d88a1..ce5bda7170 100644
--- a/install/dist/conf/debian110.conf.php
+++ b/install/dist/conf/debian110.conf.php
@@ -236,4 +236,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/debian40.conf.php b/install/dist/conf/debian40.conf.php
index c04a54e998..653b979a67 100644
--- a/install/dist/conf/debian40.conf.php
+++ b/install/dist/conf/debian40.conf.php
@@ -229,4 +229,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/debian60.conf.php b/install/dist/conf/debian60.conf.php
index e7c8f59845..3577869bcd 100644
--- a/install/dist/conf/debian60.conf.php
+++ b/install/dist/conf/debian60.conf.php
@@ -232,4 +232,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/debian90.conf.php b/install/dist/conf/debian90.conf.php
index b253a31f22..1abbf732a1 100644
--- a/install/dist/conf/debian90.conf.php
+++ b/install/dist/conf/debian90.conf.php
@@ -236,4 +236,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/debiantesting.conf.php b/install/dist/conf/debiantesting.conf.php
index 3a06dfb86b..6564be0dab 100644
--- a/install/dist/conf/debiantesting.conf.php
+++ b/install/dist/conf/debiantesting.conf.php
@@ -236,4 +236,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/fedora32.conf.php b/install/dist/conf/fedora32.conf.php
index 6701bb8729..0280959988 100644
--- a/install/dist/conf/fedora32.conf.php
+++ b/install/dist/conf/fedora32.conf.php
@@ -226,4 +226,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/fedora33.conf.php b/install/dist/conf/fedora33.conf.php
index 873376fa2c..677731c01e 100644
--- a/install/dist/conf/fedora33.conf.php
+++ b/install/dist/conf/fedora33.conf.php
@@ -226,4 +226,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/fedora9.conf.php b/install/dist/conf/fedora9.conf.php
index 23453ae48f..c05d21a155 100644
--- a/install/dist/conf/fedora9.conf.php
+++ b/install/dist/conf/fedora9.conf.php
@@ -221,4 +221,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/gentoo.conf.php b/install/dist/conf/gentoo.conf.php
index 23558a164d..057d397796 100644
--- a/install/dist/conf/gentoo.conf.php
+++ b/install/dist/conf/gentoo.conf.php
@@ -238,4 +238,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/opensuse110.conf.php b/install/dist/conf/opensuse110.conf.php
index 37f5a14d3b..ac4f5a3e18 100644
--- a/install/dist/conf/opensuse110.conf.php
+++ b/install/dist/conf/opensuse110.conf.php
@@ -221,4 +221,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';;
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/opensuse112.conf.php b/install/dist/conf/opensuse112.conf.php
index 378320a144..eda4879004 100644
--- a/install/dist/conf/opensuse112.conf.php
+++ b/install/dist/conf/opensuse112.conf.php
@@ -221,4 +221,7 @@ $conf['cron']['wget'] = '/usr/bin/wget';
 //* OpenVZ
 $conf['openvz']['installed'] = false;
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/ubuntu1604.conf.php b/install/dist/conf/ubuntu1604.conf.php
index bd8d0bcd1c..1893a93fbf 100644
--- a/install/dist/conf/ubuntu1604.conf.php
+++ b/install/dist/conf/ubuntu1604.conf.php
@@ -232,4 +232,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/ubuntu1710.conf.php b/install/dist/conf/ubuntu1710.conf.php
index d365388549..b37c91291f 100644
--- a/install/dist/conf/ubuntu1710.conf.php
+++ b/install/dist/conf/ubuntu1710.conf.php
@@ -232,4 +232,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/ubuntu1804.conf.php b/install/dist/conf/ubuntu1804.conf.php
index fa96f7a5ca..9c27211413 100644
--- a/install/dist/conf/ubuntu1804.conf.php
+++ b/install/dist/conf/ubuntu1804.conf.php
@@ -232,4 +232,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/dist/conf/ubuntu2004.conf.php b/install/dist/conf/ubuntu2004.conf.php
index 28d4bf3c14..72bf90d45e 100644
--- a/install/dist/conf/ubuntu2004.conf.php
+++ b/install/dist/conf/ubuntu2004.conf.php
@@ -232,4 +232,7 @@ $conf['xmpp']['installed'] = false;
 $conf['xmpp']['init_script'] = 'metronome';
+// AppArmor
+$conf['apparmor']['installed'] = false;
+
 ?>
diff --git a/install/install.php b/install/install.php
index b94c1c7f6f..9cc6bb5fa7 100644
--- a/install/install.php
+++ b/install/install.php
@@ -500,6 +500,12 @@ if($force) {
 swriteln('Configuring OpenVZ');
 }
+// Configure AppArmor
+if($conf['apparmor']['installed']){
+ swriteln('Configuring AppArmor');
+ $inst->configure_apparmor();
+}
+
 if($install_mode == 'standard' || strtolower($inst->simple_query('Configure Firewall Server', array('y', 'n'), 'y','configure_firewall')) == 'y') {
 //* Check for Firewall
 if(!$conf['ufw']['installed'] && !$conf['firewall']['installed']) {
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index dc45f209b4..bb5fd5d409 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -226,6 +226,7 @@ class installer_base {
 if(is_installed('named') || is_installed('bind') || is_installed('bind9')) $conf['bind']['installed'] = true;
 if(is_installed('squid')) $conf['squid']['installed'] = true;
 if(is_installed('nginx')) $conf['nginx']['installed'] = true;
+ if(is_installed('apparmor_status')) $conf['apparmor']['installed'] = true;
 if(is_installed('iptables') && is_installed('ufw')) {
 $conf['ufw']['installed'] = true;
 } elseif(is_installed('iptables')) {
@@ -2478,6 +2479,13 @@ class installer_base {
 exec('chown root:root '.$conf["squid"]["config_dir"].'/'.$configfile);
 }
+ public function configure_apparmor() {
+ $configfile = 'apparmor_usr.sbin.named';
+ if(is_file('/etc/apparmor.d/local/usr.sbin.named')) copy('/etc/apparmor.d/local/usr.sbin.named', '/etc/apparmor.d/local/usr.sbin.named~');
+ $content = rf("tpl/".$configfile.".master");
+ wf('/etc/apparmor.d/local/usr.sbin.named', $content);
+ }
+
 public function configure_ufw_firewall() {
 if($this->is_update == false) {
diff --git a/install/tpl/apparmor_usr.sbin.named b/install/tpl/apparmor_usr.sbin.named
new file mode 100644
index 0000000000..38a30ffc87
--- /dev/null
+++ b/install/tpl/apparmor_usr.sbin.named
@@ -0,0 +1,2 @@
+/etc/bind/slave/** lrw,
+/etc/bind/slave/ rw,
diff --git a/install/update.php b/install/update.php
index ef2e1fcfe3..56316546ac 100644
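Review bot: The new block in install.php calls `$inst->configure_apparmor()` whenever the AppArmor tooling was detected, independent of whether BIND is installed or was chosen for configuration, so on a host without named it presumably writes a local override for a profile that is never loaded. `$conf['bind']['installed']` is set by the same detection routine in installer_base.lib.php, so gating the call on it, `if($conf['apparmor']['installed'] && $conf['bind']['installed']){`, limits the write under /etc/apparmor.d/local to hosts where the named profile exists. The block added to install/update.php has the same issue and should be gated the same way. The surrounding install flow starts and ends outside this hunk.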
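Review bot: `is_installed('apparmor_status')` only tests that the status utility is on the PATH, not that the AppArmor LSM is enabled or that a usr.sbin.named profile is present, so `$conf['apparmor']['installed']` can become true on a host where the override written by configure_apparmor() is never read (and, presumably, where /etc/apparmor.d/local does not exist and the later write fails). Since the local file is only consulted through the base profile, a tighter check is `if(is_installed('apparmor_status') && is_file('/etc/apparmor.d/usr.sbin.named')) $conf['apparmor']['installed'] = true;`. The detection method this line belongs to starts and ends outside the hunk.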
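Review bot: `configure_apparmor()` reads `tpl/apparmor_usr.sbin.named.master`, but the file this commit adds is `install/tpl/apparmor_usr.sbin.named` with no `.master` suffix (see the diffstat and the new-file hunk), so `rf()` is pointed at a missing file and `wf()` then replaces /etc/apparmor.d/local/usr.sbin.named with whatever rf() returns for a missing path, presumably empty content; either rename the template or change the read to `$content = rf('tpl/'.$configfile);`. Second, the method overwrites the whole local override instead of appending the two slave-directory rules, so rules an administrator placed in local/ are lost (and the `~` backup is itself clobbered on the next run), which defeats the purpose of that directory. Third, nothing reloads the profile after the write, so the new permissions only apply after a manual `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` or a reboot and named keeps being denied writes under /etc/bind/slave until then. The sketch below fixes the path, appends idempotently, and reloads the profile only where a base profile exists.
```php
	public function configure_apparmor() {
		$configfile = 'apparmor_usr.sbin.named';
		$local = '/etc/apparmor.d/local/usr.sbin.named';
		// The local/ override is only read through the base profile; do nothing where it is absent
		if(!is_file('/etc/apparmor.d/usr.sbin.named')) return;
		$rules = rf('tpl/'.$configfile);
		$existing = is_file($local) ? rf($local) : '';
		if($existing !== '') copy($local, $local.'~');
		// Append ISPConfig's rules once, keeping any rules the administrator already placed here
		if(strpos($existing, $rules) === false) {
			wf($local, rtrim($existing)."\n".$rules);
		}
		// Reload the profile so the new permissions take effect without a reboot
		exec('apparmor_parser -r /etc/apparmor.d/usr.sbin.named');
	}
```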
--- a/install/update.php
+++ b/install/update.php
@@ -512,6 +512,12 @@ if($reconfigure_services_answer == 'yes' || $reconfigure_services_answer == 'sel
 $inst->configure_xmpp('dont-create-certs');
 }
+ // Configure AppArmor
+ if($conf['apparmor']['installed']){
+ swriteln('Configuring AppArmor');
+ $inst->configure_apparmor();
+ }
+
 if($conf['services']['firewall'] && $inst->reconfigure_app('Firewall', $reconfigure_services_answer)) {
 if($conf['ufw']['installed'] == true) {
 //* Configure Ubuntu Firewall
--
GitLab