[apparmor] [2 patches] was (Re: [patch 0/3] Separate out libapparmor headers)

Seth Arnold seth.arnold at canonical.com
Thu Jan 9 19:41:16 UTC 2014


On Tue, Jan 07, 2014 at 02:49:24PM -0800, Steve Beattie wrote:
> On Tue, Dec 24, 2013 at 12:59:32PM -0800, Steve Beattie wrote:
> > This patch series:
> > 
> >   1) moves the publicly visible libapparmor headers into a separate
> >      location in the libapparmor source tree, which can be included by
> >      source files in other parts of our tree without worrying about
> >      libapparmor internals or conflicting header names.
> > 
> >   2) updates the parser patch from Tyler Hicks to use the new header
> >      location as part of the include paths when building against in-tree
> >      libapparmor.
> > 
> >   3) updates the previous patch I submitted for the regression tests
> >      to build against in-tree libapparmor to also use the new header
> >      location.
> 
> Sigh, in putting these together I managed to break the build by
> overlooking the mod_apparmor and pam_apparmor directories. The first
> patch adds support for the USE_SYSTEM make flag and adjusts search
> paths for mod_apparmor and pam_apparmor, as well as fixing up a
> couple of the (probably ought to be deprecated) tomcat locations
> where apparmor.h is included.

Yeah, that tomcat work is mighty old at this point and none of us really
know how to even use tomcat at this point. Probably that tomcat version is
useless, too.

> The second patch is on top of the first. By raising an error for being
> unable to find libapparmor any time a make command is run, we break
> things like make clean and other targets that don't strictly depend on
> libapparmor existing (note that Tyler's implementation for the parser
> did not do this). The second patch fixes this for the regression tests,
> mod_apparmor and pam_apparmor by making a separate libapparmor_check
> target that looks to see if an error message should be generated.

Both patches look good to me, thanks.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/

> Subject: mod_apparmor/pam_apparmor: fix libapparmor search path and add
>   USE_SYSTEM support
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
>  changehat/mod_apparmor/Makefile                                 |   31 +++++++--
>  changehat/mod_apparmor/mod_apparmor.c                           |    2 
>  changehat/pam_apparmor/Makefile                                 |   34 +++++++++-
>  changehat/pam_apparmor/pam_apparmor.c                           |    2 
>  changehat/tomcat_apparmor/tomcat_5_0/src/jni_src/JNIChangeHat.c |    2 
>  changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c |    2 
>  6 files changed, 62 insertions(+), 11 deletions(-)
> 
> Index: b/changehat/mod_apparmor/mod_apparmor.c
> ===================================================================
> --- a/changehat/mod_apparmor/mod_apparmor.c
> +++ b/changehat/mod_apparmor/mod_apparmor.c
> @@ -23,7 +23,7 @@
>  #include "apr_strings.h"
>  #include "apr_lib.h"
>  
> -#include <apparmor.h>
> +#include <sys/apparmor.h>
>  #include <unistd.h>
>  
>  /* #define DEBUG */
> Index: b/changehat/mod_apparmor/Makefile
> ===================================================================
> --- a/changehat/mod_apparmor/Makefile
> +++ b/changehat/mod_apparmor/Makefile
> @@ -41,10 +41,33 @@ APXS:=$(shell if [ -x "/usr/sbin/apxs2"
>  	      fi ) 
>  APXS_INSTALL_DIR=$(shell ${APXS} -q LIBEXECDIR)
>  DESTDIR=
> -# Need to pass -Wl twice here to get past both apxs2 and libtool, as
> -# libtool will add the path to the RPATH of the library if passed -L/some/path
> -LIBAPPARMOR_FLAGS=-I../../libraries/libapparmor/src -Wl,-Wl,-L../../libraries/libapparmor/src/.libs
> -LDLIBS=-lapparmor
> +ifdef USE_SYSTEM
> +  LIBAPPARMOR = $(shell if pkg-config --exists libapparmor ; then \
> +                                pkg-config --silence-errors --libs libapparmor ; \
> +                        elif ldconfig -p | grep -q libapparmor\.so$$ ; then \
> +                                echo -lapparmor ; \
> +                        fi )
> +  ifeq ($(strip $(LIBAPPARMOR)),)
> +    $(error Unable to find libapparmor installed on this system; either \
> +            install libapparmor devel packages, set the LIBAPPARMOR variable \
> +            manually, or build against in-tree libapparmor)
> +  endif # LIBAPPARMOR not set
> +  LDLIBS += $(LIBAPPARMOR)
> +else
> +  LIBAPPARMOR_SRC := ../../libraries/libapparmor/
> +  LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
> +  LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
> +    ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
> +        $(error $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
> +                the in-tree libapparmor by building it first and then trying again \
> +                (see the top-level README for help) or build against the system \
> +                libapparmor by adding USE_SYSTEM=1 to your make command.)
> +    endif
> +  # Need to pass -Wl twice here to get past both apxs2 and libtool, as
> +  # libtool will add the path to the RPATH of the library if passed -L/some/path
> +  LIBAPPARMOR_FLAGS = -I$(LIBAPPARMOR_INCLUDE) -Wl,-Wl,-L$(LIBAPPARMOR_PATH)
> +  LDLIBS = -lapparmor
> +endif
>  
>  all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
>  
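
Review bot: the USE_SYSTEM branch takes only "pkg-config --libs" and never sets LIBAPPARMOR_FLAGS, so any include directory that "pkg-config --cflags libapparmor" would report is dropped. A libapparmor installed under a non-default prefix may then link but fail to find <sys/apparmor.h>. Suggest capturing the --cflags output into LIBAPPARMOR_FLAGS in that branch. Separately, the grep pattern libapparmor\.so$$ is unquoted inside the $(shell ...) call, so the shell strips the backslash and grep sees an unescaped dot; single-quoting the pattern keeps it literal.
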
> Index: b/changehat/pam_apparmor/Makefile
> ===================================================================
> --- a/changehat/pam_apparmor/Makefile
> +++ b/changehat/pam_apparmor/Makefile
> @@ -26,9 +26,37 @@ common/Make.rules: $(COMMONDIR)/Make.rul
>  	ln -sf $(COMMONDIR) .
>  endif
>  
> -EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall -I../../libraries/libapparmor/src/
> -LINK_FLAGS=-Xlinker -x -L../../libraries/libapparmor/src/.libs
> -LIBS=-lpam -lapparmor
> +ifdef USE_SYSTEM
> +  LIBAPPARMOR = $(shell if pkg-config --exists libapparmor ; then \
> +                                pkg-config --silence-errors --libs libapparmor ; \
> +                        elif ldconfig -p | grep -q libapparmor\.so$$ ; then \
> +                                echo -lapparmor ; \
> +                        fi )
> +  ifeq ($(strip $(LIBAPPARMOR)),)
> +    $(error Unable to find libapparmor installed on this system; either \
> +            install libapparmor devel packages, set the LIBAPPARMOR variable \
> +            manually, or build against in-tree libapparmor)
> +  endif
> +  LIBAPPARMOR_INCLUDE =
> +  AA_LDLIBS = $(LIBAPPARMOR)
> +  AA_LINK_FLAGS =
> +else
> +  LIBAPPARMOR_SRC := ../../libraries/libapparmor/
> +  LIBAPPARMOR_INCLUDE_PATH = $(LIBAPPARMOR_SRC)/include
> +  LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
> +    ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
> +        $(error $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
> +                the in-tree libapparmor by building it first and then trying again \
> +                (see the top-level README for help) or build against the system \
> +                libapparmor by adding USE_SYSTEM=1 to your make command.)
> +    endif
> +  LIBAPPARMOR_INCLUDE = -I$(LIBAPPARMOR_INCLUDE_PATH)
> +  AA_LINK_FLAGS = -L$(LIBAPPARMOR_PATH)
> +  AA_LDLIBS = -lapparmor
> +endif
> +EXTRA_CFLAGS=$(CFLAGS) -fPIC -shared -Wall $(LIBAPPARMOR_INCLUDE)
> +LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS)
> +LIBS=-lpam $(AA_LDLIBS)
>  OBJECTS=${NAME}.o get_options.o
>  
>  all: $(NAME).so
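
Review bot: LIBAPPARMOR_INCLUDE means something different here than in mod_apparmor/Makefile. There it holds a bare path ($(LIBAPPARMOR_SRC)/include); here it holds a complete -I flag, with the path moved to LIBAPPARMOR_INCLUDE_PATH. Suggest one convention for both files so the variable can be overridden the same way in each. The USE_SYSTEM detection block is also a line-for-line copy of the one added to mod_apparmor/Makefile and could be kept once in a shared include.
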
> Index: b/changehat/pam_apparmor/pam_apparmor.c
> ===================================================================
> --- a/changehat/pam_apparmor/pam_apparmor.c
> +++ b/changehat/pam_apparmor/pam_apparmor.c
> @@ -27,7 +27,7 @@
>  #include <grp.h>
>  #include <syslog.h>
>  #include <errno.h>
> -#include <apparmor.h>
> +#include <sys/apparmor.h>
>  #include <security/pam_ext.h>
>  #include <security/pam_modutil.h>
>  
> Index: b/changehat/tomcat_apparmor/tomcat_5_0/src/jni_src/JNIChangeHat.c
> ===================================================================
> --- a/changehat/tomcat_apparmor/tomcat_5_0/src/jni_src/JNIChangeHat.c
> +++ b/changehat/tomcat_apparmor/tomcat_5_0/src/jni_src/JNIChangeHat.c
> @@ -13,7 +13,7 @@
>  
>  #include "jni.h"
>  #include <errno.h>
> -#include "sys/apparmor.h"
> +#include <sys/apparmor.h>
>  #include "com_novell_apparmor_JNIChangeHat.h"
>  
>  /* c intermediate lib call for Java -> JNI -> c library execution of the change_hat call */
> Index: b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
> ===================================================================
> --- a/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
> +++ b/changehat/tomcat_apparmor/tomcat_5_5/src/jni_src/JNIChangeHat.c
> @@ -13,7 +13,7 @@
>  
>  #include "jni.h"
>  #include <errno.h>
> -#include <apparmor.h>
> +#include <sys/apparmor.h>
>  #include "com_novell_apparmor_JNIChangeHat.h"
>  
>  /* c intermediate lib call for Java -> JNI -> c library execution of the change_hat call */

> Subject: Convert make errors to only occur when building
> 
> By raising an error for being unable to find libapparmor any time
> a make command is run, we break things like make clean and other
> targets that don't strictly depend on libapparmor existing (note that
> Tyler's implementation for the parser did not do this). This patch
> fixes this for the regression tests, mod_apparmor and pam_apparmor
> by making a separate libapparmor_check target that looks to see if
> an error message should be generated.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
>  changehat/mod_apparmor/Makefile    |   14 +++++++++++---
>  changehat/pam_apparmor/Makefile    |   14 +++++++++++---
>  tests/regression/apparmor/Makefile |   14 +++++++++++---
>  3 files changed, 33 insertions(+), 9 deletions(-)
> 
> Index: b/changehat/pam_apparmor/Makefile
> ===================================================================
> --- a/changehat/pam_apparmor/Makefile
> +++ b/changehat/pam_apparmor/Makefile
> @@ -33,7 +33,7 @@ ifdef USE_SYSTEM
>                                  echo -lapparmor ; \
>                          fi )
>    ifeq ($(strip $(LIBAPPARMOR)),)
> -    $(error Unable to find libapparmor installed on this system; either \
> +    ERROR_MESSAGE = Unable to find libapparmor installed on this system; either \
>              install libapparmor devel packages, set the LIBAPPARMOR variable \
>              manually, or build against in-tree libapparmor)
>    endif
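
Review bot: the closing parenthesis of the old $(error ...) call is still on the unchanged last line of the message ("manually, or build against in-tree libapparmor)"), so ERROR_MESSAGE now ends with a stray ")" that gets echoed to the user. The same applies to every $(error ...) to ERROR_MESSAGE conversion in this patch; the final continuation line of each message needs its trailing ")" dropped.
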
> @@ -45,7 +45,7 @@ else
>    LIBAPPARMOR_INCLUDE_PATH = $(LIBAPPARMOR_SRC)/include
>    LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
>      ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
> -        $(error $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
> +        ERROR_MESSAGE = $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
>                  the in-tree libapparmor by building it first and then trying again \
>                  (see the top-level README for help) or build against the system \
>                  libapparmor by adding USE_SYSTEM=1 to your make command.)
> @@ -59,7 +59,15 @@ LINK_FLAGS=-Xlinker -x $(AA_LINK_FLAGS)
>  LIBS=-lpam $(AA_LDLIBS)
>  OBJECTS=${NAME}.o get_options.o
>  
> -all: $(NAME).so
> +.PHONY: libapparmor_check
> +.SILENT: libapparmor_check
> +libapparmor_check:
> +	 @if [ -n "$(ERROR_MESSAGE)" ] ; then \
> +	 	echo "$(ERROR_MESSAGE)" 1>&2 ; \
> +		return 1 ; \
> +	fi
> +
> +all: libapparmor_check $(NAME).so
>  
>  $(NAME).so: ${OBJECTS}
>  	$(CC) $(EXTRA_CFLAGS) $(LINK_FLAGS) -o $@ ${OBJECTS} $(LIBS)
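
Review bot: "return 1" in the libapparmor_check recipe is only valid inside a shell function or a sourced script; at the top level of a recipe shell its behaviour depends on which shell /bin/sh is (bash prints its own error about return), so "exit 1" is the portable form. The first two recipe lines are also indented with a tab followed by a space, unlike the rest of the recipe, and the "@" prefix is redundant given ".SILENT: libapparmor_check".
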
> Index: b/changehat/mod_apparmor/Makefile
> ===================================================================
> --- a/changehat/mod_apparmor/Makefile
> +++ b/changehat/mod_apparmor/Makefile
> @@ -48,7 +48,7 @@ ifdef USE_SYSTEM
>                                  echo -lapparmor ; \
>                          fi )
>    ifeq ($(strip $(LIBAPPARMOR)),)
> -    $(error Unable to find libapparmor installed on this system; either \
> +    ERROR_MESSAGE = Unable to find libapparmor installed on this system; either \
>              install libapparmor devel packages, set the LIBAPPARMOR variable \
>              manually, or build against in-tree libapparmor)
>    endif # LIBAPPARMOR not set
> @@ -58,7 +58,7 @@ else
>    LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
>    LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
>      ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
> -        $(error $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
> +        ERROR_MESSAGE = $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
>                  the in-tree libapparmor by building it first and then trying again \
>                  (see the top-level README for help) or build against the system \
>                  libapparmor by adding USE_SYSTEM=1 to your make command.)
> @@ -69,7 +69,15 @@ else
>    LDLIBS = -lapparmor
>  endif
>  
> -all: $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
> +.PHONY: libapparmor_check
> +.SILENT: libapparmor_check
> +libapparmor_check:
> +	@if [ -n "$(ERROR_MESSAGE)" ] ; then \
> +		echo "$(ERROR_MESSAGE)" 1>&2 ; \
> +		return 1 ; \
> +	fi
> +
> +all: libapparmor_check $(TARGET) ${MANPAGES} ${HTMLMANPAGES}
>  
>  %.so: %.c
>  	${APXS} ${LIBAPPARMOR_FLAGS} -c $< ${LDLIBS}
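
Review bot: libapparmor_check is only a prerequisite of "all", listed beside $(TARGET), so nothing orders it before the "%.so: %.c" rule. With make -j the apxs compile can start alongside the check, and invoking the build target directly skips the check entirely. Suggest making it an order-only prerequisite of the build rule itself, for example "%.so: %.c | libapparmor_check", so every path to the compile and link step is guarded while clean and similar targets stay unaffected.
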
> Index: b/tests/regression/apparmor/Makefile
> ===================================================================
> --- a/tests/regression/apparmor/Makefile
> +++ b/tests/regression/apparmor/Makefile
> @@ -14,7 +14,7 @@ ifdef USE_SYSTEM
>  				echo -lapparmor ; \
>  			fi )
>    ifeq ($(strip $(LIBAPPARMOR)),)
> -    $(error Unable to find libapparmor installed on this system; either \
> +    ERROR_MESSAGE = Unable to find libapparmor installed on this system; either \
>  	    install libapparmor devel packages, set the LIBAPPARMOR variable \
>  	    manually, or build against in-tree libapparmor)
>    endif # LIBAPPARMOR not set
> @@ -26,7 +26,7 @@ else # !USE_SYSTEM
>    LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
>    LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
>    ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
> -    $(error $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
> +    ERROR_MESSAGE = $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against \
>  	    the in-tree libapparmor by building it first and then trying again \
>  	    (see the top-level README for help) or build against the system \
>  	    libapparmor by adding USE_SYSTEM=1 to your make command.)
> @@ -172,7 +172,15 @@ TESTS=access \
>  # Tests that can crash the kernel should be placed here
>  RISKY_TESTS=
>  
> -all: $(EXEC) changehat.h
> +.PHONY: libapparmor_check
> +.SILENT: libapparmor_check
> +libapparmor_check:
> +	@if [ -n "$(ERROR_MESSAGE)" ] ; then \
> +		echo "$(ERROR_MESSAGE)" 1>&2 ; \
> +		return 1 ; \
> +	fi
> +
> +all: libapparmor_check $(EXEC) changehat.h
>  
>  changehat_pthread: changehat_pthread.c changehat.h
>  	${CC} ${CFLAGS} ${LDFLAGS} $< -o $@ ${LDLIBS} -pthread
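
Review bot: this is the third verbatim copy of the libapparmor_check target in the patch, on top of three copies of the ERROR_MESSAGE detection logic, so any later fix has to be applied in three places. Suggest moving the target and the detection block into a single makefile fragment that all three Makefiles include. As in the other two files, the per-test rules such as changehat_pthread link with ${LDLIBS} without depending on the check, so building one test directly bypasses it.
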
