Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package
golang-github-lusitaniae-apache_exporter for openSUSE:Factory checked in at
2022-10-01 17:44:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/golang-github-lusitaniae-apache_exporter
(Old)
and
/work/SRC/openSUSE:Factory/.golang-github-lusitaniae-apache_exporter.new.2275
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "golang-github-lusitaniae-apache_exporter"
Sat Oct 1 17:44:01 2022 rev:9 rq:1007414 version:0.11.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/golang-github-lusitaniae-apache_exporter/golang-github-lusitaniae-apache_exporter.changes
2022-09-22 18:21:19.641852984 +0200
+++
/work/SRC/openSUSE:Factory/.golang-github-lusitaniae-apache_exporter.new.2275/golang-github-lusitaniae-apache_exporter.changes
2022-10-01 17:44:27.213811663 +0200
@@ -1,0 +2,11 @@
+Sun Sep 25 14:12:03 UTC 2022 - Michael Str??der <[email protected]>
+
+- corrected comment in AppArmor profile
+
+-------------------------------------------------------------------
+Thu Sep 22 17:25:32 UTC 2022 - Michael Str??der <[email protected]>
+
+- added AppArmor profile
+- added sandboxing options to systemd service unit
+
+-------------------------------------------------------------------
New:
----
apparmor-usr.bin.prometheus-apache_exporter
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ golang-github-lusitaniae-apache_exporter.spec ++++++
--- /var/tmp/diff_new_pack.iGupTP/_old 2022-10-01 17:44:27.689812529 +0200
+++ /var/tmp/diff_new_pack.iGupTP/_new 2022-10-01 17:44:27.693812536 +0200
@@ -23,6 +23,8 @@
%undefine _missing_build_ids_terminate_build
%endif
+%bcond_without apparmor
+
# Templating vars to simplify and standardize Prometheus exporters spec files
%define githubrepo github.com/lusitaniae/apache_exporter
%define upstreamname apache_exporter
@@ -39,6 +41,7 @@
Source: %{upstreamname}-%{version}.tar.gz
Source1: vendor.tar.gz
Source2: %{targetname}.service
+Source3: apparmor-usr.bin.%{targetname}
BuildRequires: fdupes
BuildRequires: golang-packaging
BuildRequires: xz
@@ -49,6 +52,11 @@
BuildRequires: golang(API) = 1.15
Requires(pre): shadow
%endif
+%if %{with apparmor}
+BuildRequires: apparmor-abstractions
+BuildRequires: apparmor-rpm-macros
+Recommends: apparmor-abstractions
+%endif
ExcludeArch: s390
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%{?systemd_requires}
@@ -69,6 +77,11 @@
install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}
install -d -m 0755 %{buildroot}%{_sbindir}
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rc%{targetname}
+%if %{with apparmor}
+# AppArmor profile
+mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d
+install -m 0644 %{SOURCE3}
%{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{targetname}
+%endif
%check
%if 0%{?rhel}
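Review bot: The new `mkdir -p %{buildroot}%{_sysconfdir}/apparmor.d` line is out of step with the `install -d -m 0755 %{buildroot}%{_sbindir}` two lines above it and leaves the directory mode to the build umask, even though the %files hunk later claims that directory with `%dir`; `install -d -m 0755 %{buildroot}%{_sysconfdir}/apparmor.d` keeps both the existing style and an explicit mode. The following `install -m 0644 %{SOURCE3} …` command is shown wrapped over two lines here, which looks like mailer line-wrapping rather than the spec itself, but is worth a glance in the committed file. The %install section continues outside the hunk.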
@@ -89,6 +102,9 @@
%else
%service_add_post %{targetname}.service
%endif
+%if %{with apparmor}
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{targetname}
+%endif
%preun
%if 0%{?rhel}
@@ -111,5 +127,9 @@
%{_bindir}/%{targetname}
%{_unitdir}/%{targetname}.service
%{_sbindir}/rc%{targetname}
+%if %{with apparmor}
+%dir %{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/usr.bin.%{targetname}
+%endif
%changelog
++++++ apparmor-usr.bin.prometheus-apache_exporter ++++++
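# AppArmor profile for /usr/bin/prometheus-apache_exporter, shipped by the
# golang-github-lusitaniae-apache_exporter package as
# /etc/apparmor.d/usr.bin.prometheus-apache_exporter.
# The rule set is deliberately small: TCP networking plus read access to a
# handful of loader, NSS and procfs/sysfs paths; anything not listed is denied.
#include <tunables/global>

profile /usr/bin/prometheus-apache_exporter flags=(attach_disconnected) {
  #include <abstractions/base>

  # Stream (TCP) sockets only: the listening socket for /metrics and,
  # presumably, the connection to the scraped Apache status endpoint.
  # No datagram rule, so no UDP.
  network inet stream,
  network inet6 stream,

  # Files read at process start-up (dynamic loader cache, NSS configuration,
  # local user database).
  /etc/ld.so.cache r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  # NOTE(review): /etc/hosts and /etc/resolv.conf are not readable under this
  # profile, so a scrape target given by hostname may fail to resolve in
  # enforce mode; confirm against the audit log and include
  # abstractions/nameservice if that turns out to be needed.

  # procfs/sysfs entries consulted by the process; the @{pid} entries only
  # expose the confined process's own state.
  @{PROC}/sys/net/core/somaxconn r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/{stat,limits} r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  # Read access to the exporter's own executable. (The original comment said
  # "mtail executable", a leftover from a profile copied from another exporter.)
  /usr/bin/prometheus-apache_exporter r,
}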
++++++ prometheus-apache_exporter.service ++++++
--- /var/tmp/diff_new_pack.iGupTP/_old 2022-10-01 17:44:27.741812623 +0200
+++ /var/tmp/diff_new_pack.iGupTP/_new 2022-10-01 17:44:27.745812630 +0200
@@ -11,6 +11,39 @@
TimeoutStopSec=20s
SendSIGKILL=no
+# various hardening options
+CapabilityBoundingSet=
+AmbientCapabilities=
+StandardInput=null
+UMask=0077
+PrivateUsers=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectProc=invisible
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+NoNewPrivileges=yes
+MountFlags=private
+LockPersonality=yes
+KeyringMode=private
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+DevicePolicy=closed
+PrivateIPC=yes
+RemoveIPC=yes
+MemoryDenyWriteExecute=yes
+ProcSubset=pid
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+SystemCallArchitectures=native
+SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount
@raw-io @reboot @swap @obsolete splice @resources @chown @privileged @pkey
@setuid @timer
+
[Install]
WantedBy=multi-user.target
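Review bot: The deny-list `SystemCallFilter=~ …` at the end of the hunk (shown wrapped over three lines) is not paired with a `SystemCallErrorNumber=`, so any listed syscall the binary happens to issue terminates the service with SIGSYS instead of returning an error. `@resources` covers setrlimit/prlimit64, and Go's os package calls setrlimit(RLIMIT_NOFILE) at start-up from Go 1.19 on, so if the package is built with such a toolchain the unit may die on its first start; I cannot tell the Go version from this commit, so please verify with an actual start in enforce mode. Adding `SystemCallErrorNumber=EPERM` makes a filtered call fail visibly in the journal rather than killing the process, and the allow-list form systemd documents, `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged`, is easier to audit than the long negative list. The `[Service]` header and the `User=` line this hardening relies on are outside the hunk.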