[apparmor] [PATCH] parser: Add make variable to build against local or system libapparmor
Tyler Hicks
tyhicks at canonical.com
Tue Dec 10 22:15:41 UTC 2013
On 2013-12-10 13:36:10, Seth Arnold wrote:
> On Fri, Dec 06, 2013 at 08:57:57PM -0800, Tyler Hicks wrote:
> > By default, statically link against the in-tree libapparmor. If the
> > in-tree libapparmor is not yet built, print a helpful error message. To
> > build against the system libapparmor, the SYSTEM_LIBAPPARMOR make
> > variable can be set on the command line like so:
> >
> > $ make SYSTEM_LIBAPPARMOR=1
> >
> > This patch also fixes issues around the inclusion of the apparmor.h
> > header. Previously, the in-tree apparmor.h was always being included
> > even if the parser was being linked against the system libapparmor.
> > Parser source files should no longer include apparmor.h as the Makefile
> > includes the correct header at build time using the pre-processor's
> > -include option.
> >
> > This is fragile and definitely not ideal, but there is a valid reason
> > for doing it this way. -I../libraries/libapparmor/src/ was previously
> > used, but that is incorrect because there are header file collisions in
> > libraries/libapparmor/src/ and parser/. For example, a parser.h exists
> > in both directories.
> >
> > Per-target modification of EXTRA_CXXFLAGS is performed for source files
> > needing to include apparmor.h. Those targets were also updated to depend
> > on the local apparmor.h when building against the in-tree libapparmor.
> > When building against the system libapparmor, the variable used in the
> > dependency list is empty. Likewise, a libapparmor.la dependency is added
> > to the apparmor_parser target when building against the in-tree
> > apparmor.
> >
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >
> > This turned out being much uglier than I initially expected. This patch should
> > be fine to merge, but I'd love for someone to suggest something cleaner. I
> > particularly don't like including apparmor.h through a pre-processor option.
>
> Thanks for tackling this, it had the potential to be a gigantic disaster
> for someone.
>
> I don't particularly love the design but have nothing better to suggest.
>
> Is building against the in-tree version the "best" default?

Steve obviously thinks it is and JJ signed off on defaulting to the
in-tree libapparmor in #apparmor last week, so that's what I went with.
However, I haven't convinced myself one way or the other.

> The actual implementation of the idea looked good to me.
>
> Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks!

> (Though probably it'd be best to wait for Steve's feedback before
> committing -- he's thought about our build system a lot more than I have.)

Yeah, I'm definitely waiting for Steve's (n)ack on this one.

Tyler