[apparmor] [patch 2/6] abstract out cap and net proto generation to common/Make.rules

John Johansen john.johansen at canonical.com
Thu Mar 22 18:36:04 UTC 2012


On 03/22/2012 10:06 AM, Steve Beattie wrote:
> This patch abstracts out the generation of the lists of capabilities
> and network protocol names to the common Make.rules file that is
> included in most locations in the build tree, to allow it to be
> re-used in the utils/ tree and possibly elsewhere.
> 
> It provides the lists in both make variables and as make targets.
> 
> It also sorts the resulting lists, so its output differs from that of
> the previous version. I did confirm that the results for the generated
> files used in the parser build were the same after taking the sorting
> into account.
> 

Well, I could wish that the ordering of af_names were the same, to make the
comparison easier, but it looks good.  So

Acked-by: John Johansen <john.johansen at canonical.com>


> ---
>  common/Make.rules |   34 ++++++++++++++++++++++++++++++++++
>  parser/Makefile   |   16 ++++++----------
>  2 files changed, 40 insertions(+), 10 deletions(-)
> 
> Index: b/common/Make.rules
> ===================================================================
> --- a/common/Make.rules
> +++ b/common/Make.rules
> @@ -151,6 +151,40 @@ _clean:
>  	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
>  
>  # =====================
> +# generate list of capabilities based on
> +# /usr/include/sys/capabilities.h for use in multiple locations in
> +# the source tree
> +# =====================
> +
> +# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
> +CAPABILITIES=$(shell echo "\#include <sys/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | sort)
> +
> +.PHONY: list_capabilities
> +list_capabilities: /usr/include/linux/capability.h
> +	@echo "$(CAPABILITIES)"
> +
> +# =====================
> +# generate list of network protocols based on
> +# sys/socket.h for use in multiple locations in
> +# the source tree
> +# =====================
> +
> +# These are the families that it doesn't make sense for apparmor
> +# to mediate. We use PF_ here since that is what is required in
> +# bits/socket.h, but we will rewrite these as AF_.
> +
> +FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
> +
> +__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
> +
> +# emits the AF names in a "AF_NAME NUMBER," pattern
> +AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
> +
> +.PHONY: list_af_names
> +list_af_names:
> +	@echo "$(AF_NAMES)"
> +
> +# =====================
>  # manpages
>  # =====================
>  
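Review bot: The header comment of the new capabilities section names `/usr/include/sys/capabilities.h`, while the `CAPABILITIES` pipeline preprocesses `<sys/capability.h>` and the `list_capabilities` rule lists `/usr/include/linux/capability.h` as its prerequisite, so a reader gets three different names for where the list comes from; the comment should read `# generate list of capabilities from <sys/capability.h> (via cpp -dM)`, and a second sentence noting that the prerequisite on the phony target only asserts that the kernel header exists (`list_af_names` carries no such prerequisite) would explain the asymmetry. `CAPABILITIES`, `__FILTER` and `AF_NAMES` are recursively assigned, so every reference re-runs the `cpp | sed | sort` pipeline — the `af_names.h` recipe in parser/Makefile expands `$(AF_NAMES)` twice; `:=` would run it once per make invocation, at the cost of running in every directory that includes Make.rules, so if lazy evaluation is the intent a one-line comment saying so would stop the next reader from "fixing" it. Note also that `$(shell)` does not fail the build when `cpp` fails: an unreadable header simply yields an empty list, which the consumers in parser/Makefile write out without complaint.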
> Index: b/parser/Makefile
> ===================================================================
> --- a/parser/Makefile
> +++ b/parser/Makefile
> @@ -207,22 +207,18 @@ parser_version.h: Makefile
>  	@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
>  	@mv -f .ver $@
>  
> -# These are the families that it doesn't make sense for apparmor to mediate.
> -# We use PF_ here since that is what is required in bits/socket.h, but we will
> -# rewrite these as AF_.
> -FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
> -
> -
> -__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
> +# af_names and capabilities generation has moved to common/Make.rules,
> +# as well as the filtering that occurs for network protocols that
> +# apparmor should not mediate.
>  
>  .PHONY: af_names.h
>  af_names.h:
> -	echo "#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n#  define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" > $@
> -	echo "#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)\\+.*/#define AA_AF_MAX \\1\n/p" >> $@
> +	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
> +	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
>  	# cat $@
>  
>  cap_names.h: /usr/include/linux/capability.h
> -	LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
> +	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
>  
>  tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
>  	$(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
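Review bot: Both new recipes for `af_names.h` and `cap_names.h` redirect straight into `$@`, so if `$(AF_NAMES)` or `$(CAPABILITIES)` expands to empty (the `$(shell)` pipelines in common/Make.rules do not fail the build when `cpp` does), a truncated table is written with a fresh timestamp and no error, and whatever compiles against those tables silently sees fewer names than the headers define. A guard line before each echo, `test -n "$(strip $(AF_NAMES))" || { echo "$@: no address families found" >&2; exit 1; }` (and the same for `$(CAPABILITIES)` in `cap_names.h`), turns that into a build failure at the target that cares. The previous recipes ran `cpp` inside the recipe, so its diagnostics were at least attached to this target; now they surface at variable expansion time, away from the file being generated. The `AA_AF_MAX` extraction on the second `af_names.h` line requires a comma before `AF_MAX`, which holds only while `PF_MAX` sorts after at least one other family in the `sort -n -k2` output; a short comment stating that assumption would help. Minor: in the first `af_names.h` sed expression `[ \t]\+\?` (one-or-more, made optional) is just `[ \t]*`.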
> 
> 
> 



