[apparmor] aa-enabled

Tyler Hicks tyhicks at canonical.com
Wed Dec 16 00:41:48 UTC 2015


John asked that I take a look at this patch in order to see if my
proposed aa-exec rewrite in C should use the binutils/ dir proposed by
this patch.

On 2015-11-28 10:38:34, John Johansen wrote:
> v3
> 
> change conflicting/unknown option warning message slightly
> output error string on failure
> add binutils dir
> add manpage
> add makefile
> add pot file
> 
> ---
> 
> === modified file 'Makefile'
> --- Makefile	2015-01-24 00:01:14 +0000
> +++ Makefile	2015-11-28 17:33:33 +0000
> @@ -11,6 +11,7 @@
>  DIRS=parser \
>       profiles \
>       utils \
> +     binutils \
>       libraries/libapparmor \
>       changehat/mod_apparmor \
>       changehat/pam_apparmor \
> 
> === added directory 'binutils'
> === added file 'binutils/Makefile'
> --- binutils/Makefile	1970-01-01 00:00:00 +0000
> +++ binutils/Makefile	2015-11-28 18:18:25 +0000
> @@ -0,0 +1,200 @@
> +# ----------------------------------------------------------------------
> +#    Copyright (c) 2015
> +#    Canonical Ltd. (All rights reserved)
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +#
> +#    This program is distributed in the hope that it will be useful,
> +#    but WITHOUT ANY WARRANTY; without even the implied warranty of
> +#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +#    GNU General Public License for more details.
> +# ----------------------------------------------------------------------
> +NAME=aa-binutils
> +all:
> +COMMONDIR=../common/
> +
> +include $(COMMONDIR)/Make.rules
> +
> +DESTDIR=/
> +CONFDIR=/etc/apparmor
> +INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
> +LOCALEDIR=/usr/share/locale
> +MANPAGES=aa-enabled.8
> +
> +WARNINGS = -Wall
> +EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
> +CPP_WARNINGS =
> +ifndef CFLAGS
> +CFLAGS	= -g -O2 -pipe
> +
> +ifdef DEBUG
> +CFLAGS += -pg -D DEBUG
> +endif
> +ifdef COVERAGE
> +CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
> +endif
> +endif #CFLAGS
> +
> +EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
> +
> +#INCLUDEDIR = /usr/src/linux/include
> +INCLUDEDIR =
> +
> +ifdef INCLUDEDIR
> +	CFLAGS += -I$(INCLUDEDIR)
> +endif
> +
> +# Internationalization support. Define a package and a LOCALEDIR
> +EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
> +
> +# Compile-time configuration of the location of the config file
> +EXTRA_CFLAGS+=-DSUBDOMAIN_CONFDIR=\"${CONFDIR}\"
> +
> +SRCS = aa-enabled.c

It is nitpicky but the style throughout the code base is that source
files use underscores as separators and the resulting binaries use
hyphens.

> +HDRS =
> +TOOLS = aa-enabled
> +
> +AALIB = -Wl,-Bstatic -lapparmor  -Wl,-Bdynamic -lpthread
> +
> +ifdef USE_SYSTEM
> +  # Using the system libapparmor so Makefile dependencies can't be used
> +  LIBAPPARMOR_A =
> +  INCLUDE_APPARMOR =
> +  APPARMOR_H =
> +else
> +  LIBAPPARMOR_SRC = ../libraries/libapparmor/
> +  LOCAL_LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
> +  LOCAL_LIBAPPARMOR_LDPATH = $(LIBAPPARMOR_SRC)/src/.libs
> +
> +  LIBAPPARMOR_A = $(LOCAL_LIBAPPARMOR_LDPATH)/libapparmor.a
> +  INCLUDE_APPARMOR = -I$(LOCAL_LIBAPPARMOR_INCLUDE)
> +  APPARMOR_H = $(LOCAL_LIBAPPARMOR_INCLUDE)/sys/apparmor.h
> +endif
> +EXTRA_CFLAGS += $(INCLUDE_APPARMOR)
> +
> +ifdef V
> +  VERBOSE = 1
> +endif
> +ifndef VERBOSE
> +  VERBOSE = 0
> +endif
> +ifeq ($(VERBOSE),1)
> +  BUILD_OUTPUT =
> +  Q =
> +else
> +  BUILD_OUTPUT = > /dev/null 2>&1
> +  Q = @
> +endif
> +export Q VERBOSE BUILD_OUTPUT
> +
> +po/%.pot: %.c
> +	$(MAKE) -C po $(@F) NAME=$* SOURCES=$*.c
> +
> +# targets arranged this way so that people who don't want full docs can
> +# pick specific targets they want.
> +arch: 	$(TOOLS)
> +
> +manpages:	$(MANPAGES)
> +
> +docs:	manpages
> +
> +indep: docs
> +	$(Q)$(MAKE) -C po all
> +
> +all:	arch indep
> +
> +.PHONY: coverage
> +coverage:
> +	$(MAKE) clean aa-enabled COVERAGE=1
> +
> +ifndef USE_SYSTEM
> +$(LIBAPPARMOR_A):
> +	@if [ ! -f $@ ]; then \
> +		echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
> +		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
> +		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
> +		return 1; \
> +	fi
> +endif
> +
> +aa-enabled: aa-enabled.c $(LIBAPPARMOR_A)
> +	$(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
> +
> +.SILENT: check
> +.PHONY: check
> +check: check_pod_files tests
> +
> +.SILENT: tests
> +tests: aa-enabled $(TESTS)
> +	echo "no tests atm"
> +
> +.PHONY: install-rhel4
> +install-rhel4: install-redhat
> +
> +.PHONY: install-redhat
> +install-redhat:
> +
> +.PHONY: install-suse
> +install-suse:
> +
> +.PHONY: install-slackware
> +install-slackware:
> +
> +.PHONY: install-debian
> +install-debian:
> +
> +.PHONY: install-unknown
> +install-unknown:
> +
> +INSTALLDEPS=arch
> +
> +ifndef DISTRO
> +DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
> +	         echo slackware ; \
> +	       elif [ -f /etc/debian_version ] ; then \
> +	         echo debian ;\
> +	       elif which rpm > /dev/null ; then \
> +	         if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
> +	             echo suse ;\
> +	         elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
> +	            echo rhel4 ;\
> +	         elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
> +	            echo rhel4 ;\
> +	         else \
> +	            echo unknown ;\
> +	         fi ;\
> +	       else \
> +	          echo unknown ;\
> +	       fi)
> +endif
> +
> +ifdef DISTRO
> +INSTALLDEPS+=install-$(DISTRO)
> +endif
> +
> +.PHONY: install
> +install: install-indep install-arch
> +
> +.PHONY: install-arch
> +install-arch: $(INSTALLDEPS)
> +	install -m 755 -d $(DESTDIR)/sbin
> +	install -m 755 ${TOOLS} $(DESTDIR)/sbin
> +
> +.PHONY: install-indep
> +install-indep:
> +	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
> +	$(MAKE) install_manpages DESTDIR=${DESTDIR}
> +
> +ifndef VERBOSE
> +.SILENT: clean
> +endif
> +.PHONY: clean
> +clean: pod_clean
> +	rm -f core core.* *.o *.s *.a *~ *.gcda *.gcno
> +	rm -f gmon.out
> +	rm -f $(TOOLS) $(TESTS)
> +	rm -f $(NAME)*.tar.gz $(NAME)*.tgz
> +	$(MAKE) -s -C po clean
> +
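Review bot: The `aa-enabled` rule passes only `$(LDFLAGS) $(EXTRA_CFLAGS)`, so `CFLAGS`, `WARNINGS` and `EXTRA_WARNINGS` (including `-Wformat-security`) defined earlier in this Makefile never reach the compiler. `COVERAGE=1` and any distro hardening flags supplied through `CFLAGS` are therefore ignored, unless common/Make.rules (not shown here) adds them; consider `$(CC) $(LDFLAGS) $(CFLAGS) $(WARNINGS) $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)`. The in-tree branch also defines `LOCAL_LIBAPPARMOR_LDPATH` with no visible `-L$(LOCAL_LIBAPPARMOR_LDPATH)`, so `-lapparmor` may resolve to a system copy rather than the `$(LIBAPPARMOR_A)` the rule depends on. Separately, the `$(rpm --eval ...)` substitutions inside the `DISTRO` `$(shell ...)` are expanded by make to empty strings, which makes the first `!= "0"` test always true on rpm systems; they need `$$(rpm --eval ...)` to reach the shell.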
> 
> === added file 'binutils/aa-enabled.c'
> --- binutils/aa-enabled.c	1970-01-01 00:00:00 +0000
> +++ binutils/aa-enabled.c	2015-11-28 17:34:45 +0000
> @@ -0,0 +1,89 @@
> +/*
> + *   Copyright (C) 2015 Canonical Ltd.
> + *
> + *   This program is free software; you can redistribute it and/or
> + *    modify it under the terms of version 2 of the GNU General Public
> + *   License published by the Free Software Foundation.
> + */
> +
> +#include <errno.h>
> +#include <locale.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <libintl.h>
> +#define _(s) gettext(s)
> +
> +#include <sys/apparmor.h>
> +
> +#ifndef PACKAGE
> +#define PACKAGE ""
> +#define LOCALEDIR ""
> +#endif
> +
> +void print_help(const char *command)
> +{
> +	printf(_("%s: [options]\n"
> +		 "  options:\n"
> +		 "  -q | --quiet        Don't print out any messages\n"
> +		 "  -h | --help         Print help\n"),
> +	       command);
> +	exit(1);
> +}
> +
> +int main(int argc, char **argv)
> +{
> +	int enabled;
> +	int quiet = 0;
> +	int err = 0;
> +
> +	setlocale(LC_MESSAGES, "");
> +	bindtextdomain(PACKAGE, LOCALEDIR);
> +	textdomain(PACKAGE);
> +
> +	if (argc > 2) {
> +		printf(_("unknown or incompatible options\n"));
> +		print_help(argv[0]);
> +	} else if (argc == 2) {
> +		if (strcmp(argv[1], "--quiet") == 0 ||
> +		    strcmp(argv[1], "-q") == 0) {
> +			quiet = 1;
> +		} else if (strcmp(argv[1], "--help") == 0 ||
> +			   strcmp(argv[1], "-h") == 0) {
> +			print_help(argv[0]);
> +		} else {
> +			printf(_("unknown option '%s'\n"), argv[1]);
> +			print_help(argv[0]);
> +		}
> +	}
> +
> +	enabled = aa_is_enabled();
> +	err = errno;
> +	if (enabled) {
> +		if (!quiet)
> +			printf(_("Yes\n"));
> +		return 0;
> +	}
> +
> +	if (!quiet) {
> +		switch(err) {
> +		case ENOSYS:
> +			printf(_("No - not available on this system.\n"));
> +			break;
> +		case ECANCELED:
> +			printf(_("No - disabled at boot.\n"));
> +			break;
> +		case ENOENT:
> +			printf(_("Maybe - policy interface not available.\n"));
> +			break;
> +		case EPERM:
> +		case EACCES:
> +			printf(_("Maybe - insufficient permissions to determine availability.\n"));
> +			break;
> +		default:
> +		  printf(_("Error - '%s'\n"), strerror(err));
> +		}
> +	}
> +
> +	return err;

Do we really want to return an errno value here? Why not just
EXIT_FAILURE?

> +}
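Review bot: `print_help()` always calls `exit(1)`, so `aa-enabled --help` reports failure to the caller even though the request succeeded. The "unknown option" and "unknown or incompatible options" diagnostics are also written with `printf` to stdout, where a script capturing the tool's answer will see them mixed into the output. I would send them to stderr, e.g. `fprintf(stderr, _("unknown option '%s'\n"), argv[1]);`, and give `print_help` a status argument so the `--help` path can exit 0. A short comment above `main` listing the exit codes scripts may rely on would help as well.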
> 
> === added file 'binutils/aa-enabled.pod'
> --- binutils/aa-enabled.pod	1970-01-01 00:00:00 +0000
> +++ binutils/aa-enabled.pod	2015-11-25 10:30:22 +0000
> @@ -0,0 +1,62 @@
> +# This publication is intellectual property of Canonical Ltd. Its contents
> +# can be duplicated, either in part or in whole, provided that a copyright
> +# label is visibly located on each copy.
> +#
> +# All information found in this book has been compiled with utmost
> +# attention to detail. However, this does not guarantee complete accuracy.
> +# Neither Canonical Ltd, the authors, nor the translators shall be held
> +# liable for possible errors or the consequences thereof.
> +#
> +# Many of the software and hardware descriptions cited in this book
> +# are registered trademarks. All trade names are subject to copyright
> +# restrictions and may be registered trade marks. Canonical Ltd
> +# essentially adheres to the manufacturer's spelling.
> +#
> +# Names of products and trademarks appearing in this book (with or without
> +# specific notation) are likewise subject to trademark and trade protection
> +# laws and may thus fall under copyright restrictions.
> +#
> +
> +
> +=pod
> +
> +=head1 NAME
> +
> +aa-enabled - test whether apparmor is enabled

s/apparmor/AppArmor/g

> +
> +=head1 SYNOPSIS
> +
> +B<aa-enabled> [options]
> +
> +=head1 DESCRIPTION
> +
> +B<aa-enabled> is used to determine if apparmor is enabled and enforcing
> +policy.
> +
> +=head1 OPTIONS
> +B<aa-enabled> accepts the following arguments:
> +
> +=over 4
> +
> +=item -h, --help
> +
> +Display a brief usage guide.
> +
> +=item -q, --quiet
> +
> +Do not output anything to stdout. This option is intended to be used by
> +scripts that can test use the exit code to determine if apparmor is

s/can test use/can use/

> +enabled.
> +
> +=back
> +
> +=head1 BUGS
> +
> +If you find any bugs, please report them at
> +L<https://bugs.launchpad.net/apparmor/+filebug>.
> +
> +=head1 SEE ALSO
> +
> +apparmor(7), apparmor.d(5), and L<http://wiki.apparmor.net>.

aa_is_enabled(2) is probably useful to mention.

Tyler

> +
> +=cut
> 
> === added directory 'binutils/po'
> === added file 'binutils/po/Makefile'
> --- binutils/po/Makefile	1970-01-01 00:00:00 +0000
> +++ binutils/po/Makefile	2015-11-28 18:20:34 +0000
> @@ -0,0 +1,19 @@
> +# ----------------------------------------------------------------------
> +#    Copyright (C) 2015 Canonical Ltd.
> +#
> +#    This program is free software; you can redistribute it and/or
> +#    modify it under the terms of version 2 of the GNU General Public
> +#    License published by the Free Software Foundation.
> +# ----------------------------------------------------------------------
> +all:
> +
> +# As translations get added, they will automatically be included, unless
> +# the lang is explicitly added to DISABLED_LANGS; e.g. DISABLED_LANGS=en es
> +
> +DISABLED_LANGS=
> +
> +COMMONDIR=../../common
> +include $(COMMONDIR)/Make-po.rules
> +
> +XGETTEXT_ARGS+=--language=C --keyword=_ $(shell if [ -f ${NAME}.pot ] ; then echo -n -j ; fi)
> +
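Review bot: In the `XGETTEXT_ARGS` line, `echo -n -j` relies on the shell's `echo` accepting `-n`, which is not portable across `/bin/sh` implementations and can emit a literal `-n -j`. Because `$(shell ...)` already strips the trailing newline, `echo -j` is enough: `$(shell if [ -f ${NAME}.pot ] ; then echo -j ; fi)`.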
> 
> === added file 'binutils/po/aa-enabled.pot'
> --- binutils/po/aa-enabled.pot	1970-01-01 00:00:00 +0000
> +++ binutils/po/aa-enabled.pot	2015-11-28 18:23:11 +0000
> @@ -0,0 +1,67 @@
> +# SOME DESCRIPTIVE TITLE.
> +# Copyright (C) YEAR Canonical Ltd
> +# This file is distributed under the same license as the PACKAGE package.
> +# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
> +#
> +#, fuzzy
> +msgid ""
> +msgstr ""
> +"Project-Id-Version: PACKAGE VERSION\n"
> +"Report-Msgid-Bugs-To: apparmor at lists.ubuntu.com\n"
> +"POT-Creation-Date: 2015-11-28 10:23-0800\n"
> +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
> +"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
> +"Language-Team: LANGUAGE <LL at li.org>\n"
> +"Language: \n"
> +"MIME-Version: 1.0\n"
> +"Content-Type: text/plain; charset=CHARSET\n"
> +"Content-Transfer-Encoding: 8bit\n"
> +
> +#: ../aa-enabled.c:26
> +#, c-format
> +msgid ""
> +"%s: [options]\n"
> +"  options:\n"
> +"  -q | --quiet        Don't print out any messages\n"
> +"  -h | --help         Print help\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:45
> +#, c-format
> +msgid "unknown or incompatible options\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:55
> +#, c-format
> +msgid "unknown option '%s'\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:64
> +#, c-format
> +msgid "Yes\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:71
> +#, c-format
> +msgid "No - not available on this system.\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:74
> +#, c-format
> +msgid "No - disabled at boot.\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:77
> +#, c-format
> +msgid "Maybe - policy interface not available.\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:81
> +#, c-format
> +msgid "Maybe - insufficient permissions to determine availability.\n"
> +msgstr ""
> +
> +#: ../aa-enabled.c:84
> +#, c-format
> +msgid "Error - '%s'\n"
> +msgstr ""
> 
> === modified file 'common/Make-po.rules'
> --- common/Make-po.rules	2011-05-20 20:34:29 +0000
> +++ common/Make-po.rules	2015-11-28 18:22:58 +0000
> @@ -1,7 +1,7 @@
>  # ------------------------------------------------------------------
>  #
>  # Copyright (c) 1999-2008 NOVELL (All rights reserved)
> -# Copyright 2009-2010 Canonical Ltd.
> +# Copyright 2009-2015 Canonical Ltd.
>  #
>  # This program is free software; you can redistribute it and/or
>  # modify it under the terms of version 2 of the GNU General Public 
> @@ -21,7 +21,7 @@
>  # exist
>  LOCALEDIR=/usr/share/locale
>  
> -XGETTEXT_ARGS=--copyright-holder="NOVELL, Inc." --msgid-bugs-address=apparmor at lists.ubuntu.com -d ${NAME}
> +XGETTEXT_ARGS=--copyright-holder="Canonical Ltd" --msgid-bugs-address=apparmor at lists.ubuntu.com -d ${NAME}
>  
>  # When making the .pot file, it's expected that the parent Makefile will
>  # pass in the list of sources in the SOURCES variable
> 
> 
> 
> 