[apparmor] aa-enabled
Tyler Hicks
tyhicks at canonical.com
Wed Dec 16 00:43:13 UTC 2015
On 2015-12-15 18:41:48, Tyler Hicks wrote:
> John asked that I take a look at this patch in order to see if my
> proposed aa-exec rewrite in C should use the binutils/ dir proposed by
> this patch.
I forgot to mention that I think binutils/ is fine. I can move my
proposed aa-exec over to binutils/ and reuse a lot of the build
infrastructure that is put in place with this patch.
Tyler
>
> On 2015-11-28 10:38:34, John Johansen wrote:
> > v3
> >
> > change conflicting/unknown option warning message slightly
> > output error string on failure
> > add binutils dir
> > add manpage
> > add makefile
> > add pot file
> >
> > ---
> >
> > === modified file 'Makefile'
> > --- Makefile 2015-01-24 00:01:14 +0000
> > +++ Makefile 2015-11-28 17:33:33 +0000
> > @@ -11,6 +11,7 @@
> > DIRS=parser \
> > profiles \
> > utils \
> > + binutils \
> > libraries/libapparmor \
> > changehat/mod_apparmor \
> > changehat/pam_apparmor \
> >
> > === added directory 'binutils'
> > === added file 'binutils/Makefile'
> > --- binutils/Makefile 1970-01-01 00:00:00 +0000
> > +++ binutils/Makefile 2015-11-28 18:18:25 +0000
> > @@ -0,0 +1,200 @@
> > +# ----------------------------------------------------------------------
> > +# Copyright (c) 2015
> > +# Canonical Ltd. (All rights reserved)
> > +#
> > +# This program is free software; you can redistribute it and/or
> > +# modify it under the terms of version 2 of the GNU General Public
> > +# License published by the Free Software Foundation.
> > +#
> > +# This program is distributed in the hope that it will be useful,
> > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > +# GNU General Public License for more details.
> > +# ----------------------------------------------------------------------
> > +NAME=aa-binutils
> > +all:
> > +COMMONDIR=../common/
> > +
> > +include $(COMMONDIR)/Make.rules
> > +
> > +DESTDIR=/
> > +CONFDIR=/etc/apparmor
> > +INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
> > +LOCALEDIR=/usr/share/locale
> > +MANPAGES=aa-enabled.8
> > +
> > +WARNINGS = -Wall
> > +EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
> > +CPP_WARNINGS =
> > +ifndef CFLAGS
> > +CFLAGS = -g -O2 -pipe
> > +
> > +ifdef DEBUG
> > +CFLAGS += -pg -D DEBUG
> > +endif
> > +ifdef COVERAGE
> > +CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
> > +endif
> > +endif #CFLAGS
> > +
> > +EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
> > +
> > +#INCLUDEDIR = /usr/src/linux/include
> > +INCLUDEDIR =
> > +
> > +ifdef INCLUDEDIR
> > + CFLAGS += -I$(INCLUDEDIR)
> > +endif
> > +
> > +# Internationalization support. Define a package and a LOCALEDIR
> > +EXTRA_CFLAGS+=-DPACKAGE=\"${NAME}\" -DLOCALEDIR=\"${LOCALEDIR}\"
> > +
> > +# Compile-time configuration of the location of the config file
> > +EXTRA_CFLAGS+=-DSUBDOMAIN_CONFDIR=\"${CONFDIR}\"
> > +
> > +SRCS = aa-enabled.c
>
> It is nitpicky but the style throughout the code base is that source
> files use underscores as separators and the resulting binaries use
> hyphens.
>
> > +HDRS =
> > +TOOLS = aa-enabled
> > +
> > +AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
> > +
> > +ifdef USE_SYSTEM
> > + # Using the system libapparmor so Makefile dependencies can't be used
> > + LIBAPPARMOR_A =
> > + INCLUDE_APPARMOR =
> > + APPARMOR_H =
> > +else
> > + LIBAPPARMOR_SRC = ../libraries/libapparmor/
> > + LOCAL_LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
> > + LOCAL_LIBAPPARMOR_LDPATH = $(LIBAPPARMOR_SRC)/src/.libs
> > +
> > + LIBAPPARMOR_A = $(LOCAL_LIBAPPARMOR_LDPATH)/libapparmor.a
> > + INCLUDE_APPARMOR = -I$(LOCAL_LIBAPPARMOR_INCLUDE)
> > + APPARMOR_H = $(LOCAL_LIBAPPARMOR_INCLUDE)/sys/apparmor.h
> > +endif
> > +EXTRA_CFLAGS += $(INCLUDE_APPARMOR)
> > +
> > +ifdef V
> > + VERBOSE = 1
> > +endif
> > +ifndef VERBOSE
> > + VERBOSE = 0
> > +endif
> > +ifeq ($(VERBOSE),1)
> > + BUILD_OUTPUT =
> > + Q =
> > +else
> > + BUILD_OUTPUT = > /dev/null 2>&1
> > + Q = @
> > +endif
> > +export Q VERBOSE BUILD_OUTPUT
> > +
> > +po/%.pot: %.c
> > + $(MAKE) -C po $(@F) NAME=$* SOURCES=$*.c
> > +
> > +# targets arranged this way so that people who don't want full docs can
> > +# pick specific targets they want.
> > +arch: $(TOOLS)
> > +
> > +manpages: $(MANPAGES)
> > +
> > +docs: manpages
> > +
> > +indep: docs
> > + $(Q)$(MAKE) -C po all
> > +
> > +all: arch indep
> > +
> > +.PHONY: coverage
> > +coverage:
> > + $(MAKE) clean aa-enabled COVERAGE=1
> > +
> > +ifndef USE_SYSTEM
> > +$(LIBAPPARMOR_A):
> > + @if [ ! -f $@ ]; then \
> > + echo "error: $@ is missing. Pick one of these possible solutions:" 1>&2; \
> > + echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
> > + echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2;\
> > + return 1; \
> > + fi
> > +endif
> > +
> > +aa-enabled: aa-enabled.c $(LIBAPPARMOR_A)
> > + $(CC) $(LDFLAGS) $(EXTRA_CFLAGS) -o $@ $< $(LIBS) $(AALIB)
> > +
> > +.SILENT: check
> > +.PHONY: check
> > +check: check_pod_files tests
> > +
> > +.SILENT: tests
> > +tests: aa-enabled $(TESTS)
> > + echo "no tests atm"
> > +
> > +.PHONY: install-rhel4
> > +install-rhel4: install-redhat
> > +
> > +.PHONY: install-redhat
> > +install-redhat:
> > +
> > +.PHONY: install-suse
> > +install-suse:
> > +
> > +.PHONY: install-slackware
> > +install-slackware:
> > +
> > +.PHONY: install-debian
> > +install-debian:
> > +
> > +.PHONY: install-unknown
> > +install-unknown:
> > +
> > +INSTALLDEPS=arch
> > +
> > +ifndef DISTRO
> > +DISTRO=$(shell if [ -f /etc/slackware-version ] ; then \
> > + echo slackware ; \
> > + elif [ -f /etc/debian_version ] ; then \
> > + echo debian ;\
> > + elif which rpm > /dev/null ; then \
> > + if [ "$(rpm --eval '0%{?suse_version}')" != "0" ] ; then \
> > + echo suse ;\
> > + elif [ "$(rpm --eval '%{_host_vendor}')" = redhat ] ; then \
> > + echo rhel4 ;\
> > + elif [ "$(rpm --eval '0%{?fedora}')" != "0" ] ; then \
> > + echo rhel4 ;\
> > + else \
> > + echo unknown ;\
> > + fi ;\
> > + else \
> > + echo unknown ;\
> > + fi)
> > +endif
> > +
> > +ifdef DISTRO
> > +INSTALLDEPS+=install-$(DISTRO)
> > +endif
> > +
> > +.PHONY: install
> > +install: install-indep install-arch
> > +
> > +.PHONY: install-arch
> > +install-arch: $(INSTALLDEPS)
> > + install -m 755 -d $(DESTDIR)/sbin
> > + install -m 755 ${TOOLS} $(DESTDIR)/sbin
> > +
> > +.PHONY: install-indep
> > +install-indep:
> > + $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
> > + $(MAKE) install_manpages DESTDIR=${DESTDIR}
> > +
> > +ifndef VERBOSE
> > +.SILENT: clean
> > +endif
> > +.PHONY: clean
> > +clean: pod_clean
> > + rm -f core core.* *.o *.s *.a *~ *.gcda *.gcno
> > + rm -f gmon.out
> > + rm -f $(TOOLS) $(TESTS)
> > + rm -f $(NAME)*.tar.gz $(NAME)*.tgz
> > + $(MAKE) -s -C po clean
> > +
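Review bot: The `aa-enabled` link rule never passes `$(CFLAGS)`, `$(CPPFLAGS)`, `$(WARNINGS)` or `$(EXTRA_WARNINGS)` to the compiler, so unless common/Make.rules (not shown here) adds them, the `-Wall`/`-Wformat-security` set defined at the top of this file and any hardening flags a packager supplies through `CFLAGS`/`CPPFLAGS` are silently dropped for this binary. The same omission means `make coverage` rebuilds with `COVERAGE=1` but without the `-fprofile-arcs -ftest-coverage` flags that branch puts in `CFLAGS`. I would change the recipe to `$(CC) $(CPPFLAGS) $(CFLAGS) $(WARNINGS) $(EXTRA_WARNINGS) $(EXTRA_CFLAGS) $(LDFLAGS) -o $@ $< $(LIBS) $(AALIB)`. Separately, the `DISTRO` probe writes `$(rpm --eval ...)` inside `$(shell ...)`, which make expands as an undefined (empty) variable before the shell ever runs, so the first `!= "0"` test is always true on an rpm system; it needs `$$(rpm --eval ...)`.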
> >
> > === added file 'binutils/aa-enabled.c'
> > --- binutils/aa-enabled.c 1970-01-01 00:00:00 +0000
> > +++ binutils/aa-enabled.c 2015-11-28 17:34:45 +0000
> > @@ -0,0 +1,89 @@
> > +/*
> > + * Copyright (C) 2015 Canonical Ltd.
> > + *
> > + * This program is free software; you can redistribute it and/or
> > + * modify it under the terms of version 2 of the GNU General Public
> > + * License published by the Free Software Foundation.
> > + */
> > +
> > +#include <errno.h>
> > +#include <locale.h>
> > +#include <stdio.h>
> > +#include <stdlib.h>
> > +#include <string.h>
> > +#include <libintl.h>
> > +#define _(s) gettext(s)
> > +
> > +#include <sys/apparmor.h>
> > +
> > +#ifndef PACKAGE
> > +#define PACKAGE ""
> > +#define LOCALEDIR ""
> > +#endif
> > +
> > +void print_help(const char *command)
> > +{
> > + printf(_("%s: [options]\n"
> > + " options:\n"
> > + " -q | --quiet Don't print out any messages\n"
> > + " -h | --help Print help\n"),
> > + command);
> > + exit(1);
> > +}
> > +
> > +int main(int argc, char **argv)
> > +{
> > + int enabled;
> > + int quiet = 0;
> > + int err = 0;
> > +
> > + setlocale(LC_MESSAGES, "");
> > + bindtextdomain(PACKAGE, LOCALEDIR);
> > + textdomain(PACKAGE);
> > +
> > + if (argc > 2) {
> > + printf(_("unknown or incompatible options\n"));
> > + print_help(argv[0]);
> > + } else if (argc == 2) {
> > + if (strcmp(argv[1], "--quiet") == 0 ||
> > + strcmp(argv[1], "-q") == 0) {
> > + quiet = 1;
> > + } else if (strcmp(argv[1], "--help") == 0 ||
> > + strcmp(argv[1], "-h") == 0) {
> > + print_help(argv[0]);
> > + } else {
> > + printf(_("unknown option '%s'\n"), argv[1]);
> > + print_help(argv[0]);
> > + }
> > + }
> > +
> > + enabled = aa_is_enabled();
> > + err = errno;
> > + if (enabled) {
> > + if (!quiet)
> > + printf(_("Yes\n"));
> > + return 0;
> > + }
> > +
> > + if (!quiet) {
> > + switch(err) {
> > + case ENOSYS:
> > + printf(_("No - not available on this system.\n"));
> > + break;
> > + case ECANCELED:
> > + printf(_("No - disabled at boot.\n"));
> > + break;
> > + case ENOENT:
> > + printf(_("Maybe - policy interface not available.\n"));
> > + break;
> > + case EPERM:
> > + case EACCES:
> > + printf(_("Maybe - insufficient permissions to determine availability.\n"));
> > + break;
> > + default:
> > + printf(_("Error - '%s'\n"), strerror(err));
> > + }
> > + }
> > +
> > + return err;
>
> Do we really want to return an errno value here? Why not just
> EXIT_FAILURE?
>
> > +}
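Review bot: `print_help()` always calls `exit(1)`, so an explicit `-h`/`--help` is reported to the caller as a failure, and the two usage-error messages in `main()` are written to stdout through `printf`. Since the man page in this patch points scripts at the exit code, a mistyped option ends up indistinguishable from a real negative answer for a script that tests the status or captures stdout. I would give `print_help()` a status argument (`print_help(argv[0], 0)` on the help path, non-zero on the error paths) and send the diagnostics to stderr, e.g. `fprintf(stderr, _("unknown option '%s'\n"), argv[1]);`. `print_help()` could presumably also be declared `static`, as no other caller is visible in this patch.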
> >
> > === added file 'binutils/aa-enabled.pod'
> > --- binutils/aa-enabled.pod 1970-01-01 00:00:00 +0000
> > +++ binutils/aa-enabled.pod 2015-11-25 10:30:22 +0000
> > @@ -0,0 +1,62 @@
> > +# This publication is intellectual property of Canonical Ltd. Its contents
> > +# can be duplicated, either in part or in whole, provided that a copyright
> > +# label is visibly located on each copy.
> > +#
> > +# All information found in this book has been compiled with utmost
> > +# attention to detail. However, this does not guarantee complete accuracy.
> > +# Neither Canonical Ltd, the authors, nor the translators shall be held
> > +# liable for possible errors or the consequences thereof.
> > +#
> > +# Many of the software and hardware descriptions cited in this book
> > +# are registered trademarks. All trade names are subject to copyright
> > +# restrictions and may be registered trade marks. Canonical Ltd
> > +# essentially adheres to the manufacturer's spelling.
> > +#
> > +# Names of products and trademarks appearing in this book (with or without
> > +# specific notation) are likewise subject to trademark and trade protection
> > +# laws and may thus fall under copyright restrictions.
> > +#
> > +
> > +
> > +=pod
> > +
> > +=head1 NAME
> > +
> > +aa-enabled - test whether apparmor is enabled
>
> s/apparmor/AppArmor/g
>
> > +
> > +=head1 SYNOPSIS
> > +
> > +B<aa-enabled> [options]
> > +
> > +=head1 DESCRIPTION
> > +
> > +B<aa-enabled> is used to determine if apparmor is enabled and enforcing
> > +policy.
> > +
> > +=head1 OPTIONS
> > +B<aa-enabled> accepts the following arguments:
> > +
> > +=over 4
> > +
> > +=item -h, --help
> > +
> > +Display a brief usage guide.
> > +
> > +=item -q, --quiet
> > +
> > +Do not output anything to stdout. This option is intended to be used by
> > +scripts that can test use the exit code to determine if apparmor is
>
> s/can test use/can use/
>
> > +enabled.
> > +
> > +=back
> > +
> > +=head1 BUGS
> > +
> > +If you find any bugs, please report them at
> > +L<https://bugs.launchpad.net/apparmor/+filebug>.
> > +
> > +=head1 SEE ALSO
> > +
> > +apparmor(7), apparmor.d(5), and L<http://wiki.apparmor.net>.
>
> aa_is_enabled(2) is probably useful to mention.
>
> Tyler
>
> > +
> > +=cut
> >
> > === added directory 'binutils/po'
> > === added file 'binutils/po/Makefile'
> > --- binutils/po/Makefile 1970-01-01 00:00:00 +0000
> > +++ binutils/po/Makefile 2015-11-28 18:20:34 +0000
> > @@ -0,0 +1,19 @@
> > +# ----------------------------------------------------------------------
> > +# Copyright (C) 2015 Canonical Ltd.
> > +#
> > +# This program is free software; you can redistribute it and/or
> > +# modify it under the terms of version 2 of the GNU General Public
> > +# License published by the Free Software Foundation.
> > +# ----------------------------------------------------------------------
> > +all:
> > +
> > +# As translations get added, they will automatically be included, unless
> > +# the lang is explicitly added to DISABLED_LANGS; e.g. DISABLED_LANGS=en es
> > +
> > +DISABLED_LANGS=
> > +
> > +COMMONDIR=../../common
> > +include $(COMMONDIR)/Make-po.rules
> > +
> > +XGETTEXT_ARGS+=--language=C --keyword=_ $(shell if [ -f ${NAME}.pot ] ; then echo -n -j ; fi)
> > +
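Review bot: `echo -n -j` on the `XGETTEXT_ARGS` line depends on an `echo` that understands `-n`, which POSIX leaves implementation-defined, and `$(shell ...)` already strips the trailing newline, so the flag buys nothing. The test can avoid the shell altogether with `XGETTEXT_ARGS+=--language=C --keyword=_ $(if $(wildcard ${NAME}.pot),-j)`. The result also depends on `NAME` being passed in: the `po/%.pot` rule in binutils/Makefile passes `NAME=$*`, but the `indep` target calls `$(MAKE) -C po all` without it and `NAME` is not in that file's `export` line, so whether `${NAME}` is set there depends on rules not shown in this patch.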
> >
> > === added file 'binutils/po/aa-enabled.pot'
> > --- binutils/po/aa-enabled.pot 1970-01-01 00:00:00 +0000
> > +++ binutils/po/aa-enabled.pot 2015-11-28 18:23:11 +0000
> > @@ -0,0 +1,67 @@
> > +# SOME DESCRIPTIVE TITLE.
> > +# Copyright (C) YEAR Canonical Ltd
> > +# This file is distributed under the same license as the PACKAGE package.
> > +# FIRST AUTHOR <EMAIL at ADDRESS>, YEAR.
> > +#
> > +#, fuzzy
> > +msgid ""
> > +msgstr ""
> > +"Project-Id-Version: PACKAGE VERSION\n"
> > +"Report-Msgid-Bugs-To: apparmor at lists.ubuntu.com\n"
> > +"POT-Creation-Date: 2015-11-28 10:23-0800\n"
> > +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
> > +"Last-Translator: FULL NAME <EMAIL at ADDRESS>\n"
> > +"Language-Team: LANGUAGE <LL at li.org>\n"
> > +"Language: \n"
> > +"MIME-Version: 1.0\n"
> > +"Content-Type: text/plain; charset=CHARSET\n"
> > +"Content-Transfer-Encoding: 8bit\n"
> > +
> > +#: ../aa-enabled.c:26
> > +#, c-format
> > +msgid ""
> > +"%s: [options]\n"
> > +" options:\n"
> > +" -q | --quiet Don't print out any messages\n"
> > +" -h | --help Print help\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:45
> > +#, c-format
> > +msgid "unknown or incompatible options\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:55
> > +#, c-format
> > +msgid "unknown option '%s'\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:64
> > +#, c-format
> > +msgid "Yes\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:71
> > +#, c-format
> > +msgid "No - not available on this system.\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:74
> > +#, c-format
> > +msgid "No - disabled at boot.\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:77
> > +#, c-format
> > +msgid "Maybe - policy interface not available.\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:81
> > +#, c-format
> > +msgid "Maybe - insufficient permissions to determine availability.\n"
> > +msgstr ""
> > +
> > +#: ../aa-enabled.c:84
> > +#, c-format
> > +msgid "Error - '%s'\n"
> > +msgstr ""
> >
> > === modified file 'common/Make-po.rules'
> > --- common/Make-po.rules 2011-05-20 20:34:29 +0000
> > +++ common/Make-po.rules 2015-11-28 18:22:58 +0000
> > @@ -1,7 +1,7 @@
> > # ------------------------------------------------------------------
> > #
> > # Copyright (c) 1999-2008 NOVELL (All rights reserved)
> > -# Copyright 2009-2010 Canonical Ltd.
> > +# Copyright 2009-2015 Canonical Ltd.
> > #
> > # This program is free software; you can redistribute it and/or
> > # modify it under the terms of version 2 of the GNU General Public
> > @@ -21,7 +21,7 @@
> > # exist
> > LOCALEDIR=/usr/share/locale
> >
> > -XGETTEXT_ARGS=--copyright-holder="NOVELL, Inc." --msgid-bugs-address=apparmor at lists.ubuntu.com -d ${NAME}
> > +XGETTEXT_ARGS=--copyright-holder="Canonical Ltd" --msgid-bugs-address=apparmor at lists.ubuntu.com -d ${NAME}
> >
> > # When making the .pot file, it's expected that the parent Makefile will
> > # pass in the list of sources in the SOURCES variable
> >
> >
> >
> >