From 95efdafd3d07b30d7fdd462f45f132443f48a848 Mon Sep 17 00:00:00 2001
From: Kienan Stewart
Date: Tue, 17 Dec 2019 14:27:14 -0500
Subject: [PATCH] Modify bind9 apparmor profile on installation

If the apparmor configuration file is there, an extra include will be added and the install/app/usr.sbin.named-alternc file deployed to the apparmor local configuration directory. This allows bind to work with AlternC and apparmor enabled out of the box on Debian Buster.
---
 debian/alternc.postinst | 21 +++++++++++++++++++++
 debian/alternc.postrm | 10 ++++++++++
 install/apparmor/usr.sbin.named-alternc | 2 ++
 3 files changed, 33 insertions(+)
 create mode 100644 install/apparmor/usr.sbin.named-alternc

diff --git a/debian/alternc.postinst b/debian/alternc.postinst
index 73e436d0..50f667e6 100644
--- a/debian/alternc.postinst
+++ b/debian/alternc.postinst
@@ -253,8 +253,29 @@ NFS_QUOTA=no" >> $CONFIGFILE chown root:bind /var/lib/alternc/bind/automatic.conf /var/lib/alternc/bind/slaveip.conf chmod 640 /var/lib/alternc/bind/automatic.conf /var/lib/alternc/bind/slaveip.conf mkdir -p /run/alternc && chown alterncpanel:alterncpanel /run/alternc + # Bind Apparmor Override, required by default on >= Buster + if [ -f '/etc/apparmor.d/usr.sbin.named' ] ; then + if ! grep -q 'usr.sbin.named-alternc' /etc/apparmor.d/usr.sbin.named ; then + sed -i 's/\(#include \)/\1\n #include /' /etc/apparmor.d/usr.sbin.named + fi + # This section is based on the fragment generated by dh_apparmor: + # $> dh_apparmor --profile=usr.sbin.named-alternc -p alternc + # Add the local/ include + LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.sbin.named-alternc" + + test -e "$LOCAL_APP_PROFILE" || { + mkdir -p `dirname "$LOCAL_APP_PROFILE"` + install --mode 644 /usr/share/alternc/install/apparmor/usr.sbin.named-alternc "$LOCAL_APP_PROFILE" + } + + # Reload the profile, including any abstraction updates + if aa-enabled --quiet 2>/dev/null; then + apparmor_parser -r -T -W "usr.sbin.named" || true + fi + fi touch /run/alternc/refresh_slave /usr/lib/alternc/slave_dns + # Apache will not start without this file touch /var/lib/alternc/apache-vhost/vhosts_all.conf diff --git a/debian/alternc.postrm b/debian/alternc.postrm index 7d4b0212..0ae28a94 100644 --- a/debian/alternc.postrm +++ b/debian/alternc.postrm 
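Review bot: The reload at the end of the added block passes `apparmor_parser` the bare name `usr.sbin.named`, which is resolved against the maintainer script's working directory rather than `/etc/apparmor.d`, and `|| true` hides the resulting failure, so the running policy may stay unchanged until the next full AppArmor reload. The dh_apparmor fragment this block is based on passes the full profile path; `apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.named || true` would match it. The same line in debian/alternc.postrm needs the same change, since a missed reload there leaves the extra write rule loaded after removal. Separately, the `sed -i` edits in place a profile that belongs to the bind9 package, so a bind9 upgrade that replaces the file would drop the include silently; a comment such as `# NOTE: modifies bind9's own profile; the include is lost if bind9 replaces the file` would record that. The sed expression as rendered on this page appears to have lost its include targets, so its exact match cannot be reviewed from here.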
@@ -57,6 +57,16 @@ case "$1" in # rm -rf /var/alternc/mail #fi + # Remove bind apparmor additions + if [ -f '/etc/apparmor.d/usr.sbin.named' ] ; then + sed -i '/#include /d' /etc/apparmor.d/usr.sbin.named + fi + rm -f /etc/apparmor.d/local/usr.sbin.named-alternc + # Reload the profile, including any abstraction updates + if aa-enabled --quiet 2>/dev/null; then + apparmor_parser -r -T -W "usr.sbin.named" || true + fi + #rm -rf /var/alternc/apacheconf /var/alternc/cgi-bin /var/alternc/bureau /var/alternc/exec.usr /var/alternc/mla /var/alternc/redir /var/alternc/tmp /var/log/alternc rm -f /etc/apache*/conf.d/override_php.conf /etc/apache*/conf.d/alternc-ssl.conf /etc/apache*/conf.d/alternc.conf rm -f /etc/php*/conf.d/alternc.ini diff --git a/install/apparmor/usr.sbin.named-alternc b/install/apparmor/usr.sbin.named-alternc new file mode 100644 index 00000000..2b0ff4cf --- /dev/null +++ b/install/apparmor/usr.sbin.named-alternc @@ -0,0 +1,2 @@ +/var/lib/alternc/bind/** rw, +/var/lib/alternc/bind/ rw, \ No newline at end of file
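Review bot: The `rm -f /etc/apparmor.d/local/usr.sbin.named-alternc` runs unconditionally, while removal of the matching include depends on the `sed` expression hitting the line exactly as postinst wrote it. If an administrator has re-indented or rewritten that include, the bind profile is left referring to a file that no longer exists and will presumably fail to compile on the next load, so named may start without its confinement. Guarding the delete keeps the two in step, e.g. `grep -qs 'usr.sbin.named-alternc' /etc/apparmor.d/usr.sbin.named || rm -f /etc/apparmor.d/local/usr.sbin.named-alternc`. As rendered on this page the delete expression reads `/#include /d`, which would strip every include from the profile; the target was most likely lost in rendering, but it is worth confirming against the committed file. The enclosing `case "$1" in` arm starts outside the hunk, so which dpkg action triggers this cleanup is not visible here.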
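Review bot: Both rules grant `rw` on the whole `/var/lib/alternc/bind/` tree, which is wider than the modes debian/alternc.postinst sets on `automatic.conf` and `slaveip.conf` (root:bind, 640) suggest named needs. If named only reads what AlternC generates there, `/var/lib/alternc/bind/ r,` and `/var/lib/alternc/bind/** r,` would keep the confinement tighter. If it does write there (journals or transferred zones, for instance), a short comment naming those paths would document why write access is granted. The file also has no header and no trailing newline; a first line such as `# AlternC additions to the named profile, included from /etc/apparmor.d/usr.sbin.named` would tell an administrator where it comes from.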