From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2] package/libapparmor: new package
Date: Thu, 26 Mar 2020 19:56:59 +0100
Message-ID: <20200326185659.GT22325@scaer>
In-Reply-To: <20200326180115.30643-1-angelo@amarulasolutions.com>
On 2020-03-26 19:01 +0100, Angelo Compagnucci spake thusly:
> From: Angelo Compagnucci <angelo.compagnucci@gmail.com>
>
> This patch adds libapparmor and it's related tools.
*its
> The patch is quite complicated by the layout of the source tree:
>
> * The first step is to compile libraries/libapparmor using the autotools
> infrastructure. Autoreconf is needed due to the attached patches.
> Libapparmor library needs to be installed in staging directory before
> compiling the rest of the tools.
> * The second step is to compile tools and optional components distributed
> in sub directories, this is done in POST_INSTALL_STAGING_HOOKS.
I've looked at the .mk, and I don't like it.
Why don't you provide multiple packages:
- libapparmor
- apparmor-utils
Then have apparmor-utils depend on libapparmor.
We don't care that the two packages share the same source code. You can
even commonalise the local download directory:
APPARMOR_UTILS_DL_SUBDIR = libapparmor
The libapparmor package would then only build and install the library in
staging/, and the apparmor-tools will build everything else (still
protected by the proper conditions, like pam, apache...).
Also, I'd like if you could even split the apparmor-utils in a few
patches:
- apparmor-utils, with just the parser (and binutils?) sub-dirs
- pam
- apache
- python
- profiles
- rules caching
That will help reviewing and applying as many bits as we can.
I've not even looked more at the code than just a cursory look, but
given the above suggestion, I've marked your patch as changes requested
on patchwork.
Thanks!
> * If python3 is available, swig bindings and python utils are compiled.
> * parser/apparmor.systemd is actually a systemv init script
> * Package will enable profiles cache if the system is writable
> * All Apparmor kernel code is now upstream, so no other patches are
> needed.
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
> Changelog:
>
> v1->v2:
> Using the upstream patches
>
> DEVELOPERS | 1 +
> linux/linux.mk | 6 ++
> package/Config.in | 1 +
> ...el-fixing-for-crosscompiling-environ.patch | 91 +++++++++++++++++++
> ...ng-setup.py-call-when-crosscompiling.patch | 30 ++++++
> package/libapparmor/Config.in | 34 +++++++
> package/libapparmor/libapparmor.hash | 3 +
> package/libapparmor/libapparmor.mk | 87 ++++++++++++++++++
> 8 files changed, 253 insertions(+)
> create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> create mode 100644 package/libapparmor/Config.in
> create mode 100644 package/libapparmor/libapparmor.hash
> create mode 100644 package/libapparmor/libapparmor.mk
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index dd44331b85..a96b031def 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -188,6 +188,7 @@ N: Angelo Compagnucci <angelo.compagnucci@gmail.com>
> F: package/corkscrew/
> F: package/fail2ban/
> F: package/i2c-tools/
> +F: package/libapparmor/
> F: package/mender/
> F: package/mender-artifact/
> F: package/mono/
> diff --git a/linux/linux.mk b/linux/linux.mk
> index 4b60f33ff3..5032481069 100644
> --- a/linux/linux.mk
> +++ b/linux/linux.mk
> @@ -359,6 +359,12 @@ define LINUX_KCONFIG_FIXUP_CMDS
> $(if $(BR2_PACKAGE_INTEL_MICROCODE),
> $(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE,$(@D)/.config)
> $(call KCONFIG_ENABLE_OPT,CONFIG_MICROCODE_INTEL,$(@D)/.config))
> + $(if $(BR2_PACKAGE_LIBAPPARMOR),
> + $(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
> + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
> + $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_APPARMOR,$(@D)/.config)
> + $(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_APPARMOR,$(@D)/.config)
> + $(call KCONFIG_SET_OPT,CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE,1,$(@D)/.config))
> $(if $(BR2_PACKAGE_KTAP),
> $(call KCONFIG_ENABLE_OPT,CONFIG_DEBUG_FS,$(@D)/.config)
> $(call KCONFIG_ENABLE_OPT,CONFIG_ENABLE_DEFAULT_TRACERS,$(@D)/.config)
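Review bot: CONFIG_DEFAULT_SECURITY_APPARMOR is one value of a Kconfig choice, and `KCONFIG_ENABLE_OPT` only appends `=y` for that one symbol; a `.config` that already carries another `CONFIG_DEFAULT_SECURITY_*=y` (from a custom kernel defconfig or another security package) ends up with two choice values set and the kernel's olddefconfig pass, not this fixup, decides which LSM is the default. Make the intent explicit here, either by also disabling the competing DEFAULT_SECURITY_* symbols in the same `$(if ...)` block, or by documenting in the commit message how libapparmor is expected to coexist with the other LSM packages in the "Security" menu.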
> diff --git a/package/Config.in b/package/Config.in
> index edf7687ab7..d9ed053b77 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1862,6 +1862,7 @@ endif
> endmenu
>
> menu "Security"
> + source "package/libapparmor/Config.in"
> source "package/libselinux/Config.in"
> source "package/libsemanage/Config.in"
> source "package/libsepol/Config.in"
> diff --git a/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> new file mode 100644
> index 0000000000..564a7758d7
> --- /dev/null
> +++ b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> @@ -0,0 +1,91 @@
> +From 64e5c6b23de9c147881680f3daccb995263c34a3 Mon Sep 17 00:00:00 2001
> +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> +Date: Tue, 24 Mar 2020 22:53:37 +0100
> +Subject: [PATCH] m4: ac_python_devel: fixing for crosscompiling environments
> +
> +In a crosscompiling environment it's common to have a python executable
> +running for the host system with a python-config reporting the host
> +configuration and a second python-config reporting the target configuration.
> +In such cases, relying on the default oython-config is wrong and breaks
> +the cross compilation.
> +
> +This patch adds a PYTHON_CONFIG variable that can be pointed to the second
> +python-config and fixes the rest of the m4 accordingly.
> +
> +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> +---
> + libraries/libapparmor/m4/ac_python_devel.m4 | 23 ++++++++++++++++-----
> + 1 file changed, 18 insertions(+), 5 deletions(-)
> +
> +diff --git a/libraries/libapparmor/m4/ac_python_devel.m4 b/libraries/libapparmor/m4/ac_python_devel.m4
> +index 29cf090d..6454e2d8 100644
> +--- a/libraries/libapparmor/m4/ac_python_devel.m4
> ++++ b/libraries/libapparmor/m4/ac_python_devel.m4
> +@@ -13,6 +13,11 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
> + PYTHON_VERSION=""
> + fi
> +
> ++ AC_PATH_PROG([PYTHON_CONFIG],[`basename [$PYTHON]-config`])
> ++ if test -z "$PYTHON_CONFIG"; then
> ++ AC_MSG_ERROR([Cannot find python$PYTHON_VERSION-config in your system path])
> ++ fi
> ++
> + #
> + # Check for a version of Python >= 2.1.0
> + #
> +@@ -79,8 +84,8 @@ $ac_distutils_result])
> + # Check for Python include path
> + #
> + AC_MSG_CHECKING([for Python include path])
> +- if type $PYTHON-config; then
> +- PYTHON_CPPFLAGS=`$PYTHON-config --includes`
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
> + fi
> + if test -z "$PYTHON_CPPFLAGS"; then
> + python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
> +@@ -97,8 +102,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
> + # Check for Python library path
> + #
> + AC_MSG_CHECKING([for Python library path])
> +- if type $PYTHON-config; then
> +- PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
> + fi
> + if test -z "$PYTHON_LDFLAGS"; then
> + # (makes two attempts to ensure we've got a version number
> +@@ -136,6 +141,10 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
> + # libraries which must be linked in when embedding
> + #
> + AC_MSG_CHECKING(python extra libraries)
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_EXTRA_LIBS=`$PYTHON_CONFIG --libs --embed` || \
> ++ PYTHON_EXTRA_LIBS=''
> ++ fi
> + if test -z "$PYTHON_EXTRA_LIBS"; then
> + PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> + conf = distutils.sysconfig.get_config_var; \
> +@@ -148,6 +157,10 @@ sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf(
> + # linking flags needed when embedding
> + #
> + AC_MSG_CHECKING(python extra linking flags)
> ++ if type $PYTHON_CONFIG; then
> ++ PYTHON_EXTRA_LDFLAGS=`$PYTHON_CONFIG --ldflags --embed` || \
> ++ PYTHON_EXTRA_LDFLAGS=''
> ++ fi
> + if test -z "$PYTHON_EXTRA_LDFLAGS"; then
> + PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> + conf = distutils.sysconfig.get_config_var; \
> +@@ -164,7 +177,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
> + # save current global flags
> + ac_save_LIBS="$LIBS"
> + ac_save_CPPFLAGS="$CPPFLAGS"
> +- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LIBS"
> ++ LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
> + CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
> + AC_TRY_LINK([
> + #include <Python.h>
> +--
> +2.17.1
> +
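Review bot: The patch description should carry an upstream status line (whether and where it was submitted to the AppArmor project), as Buildroot asks for package patches; the v2 changelog says these are "the upstream patches" but nothing in the file records that. On the content: `--embed`, used in the new `PYTHON_EXTRA_LIBS` and `PYTHON_EXTRA_LDFLAGS` blocks, is only understood by python3-config from Python 3.8 onwards; the `|| PYTHON_EXTRA_LIBS=''` fallback hides the failure on older interpreters, after which the distutils branch below runs `$PYTHON`, i.e. the host interpreter, and reports host settings, which is exactly what the patch sets out to avoid. Also the reordering to `LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"` changes link order for every build and is not mentioned in the description; say why it is needed.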
> diff --git a/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> new file mode 100644
> index 0000000000..ce550d3f34
> --- /dev/null
> +++ b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> @@ -0,0 +1,30 @@
> +From 88c81d7b73e657240314ef868e6a75bbeb444cc0 Mon Sep 17 00:00:00 2001
> +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> +Date: Tue, 24 Mar 2020 23:02:08 +0100
> +Subject: [PATCH] libapparmor: fixing setup.py call when crosscompiling
> +
> +When crosscompiling, setupy.py should be called passing the settings
> +discovered by ac_python_devel.m4 and not using the default system
> +settings.
> +
> +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> +---
> + libraries/libapparmor/swig/python/Makefile.am | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libraries/libapparmor/swig/python/Makefile.am b/libraries/libapparmor/swig/python/Makefile.am
> +index 421acba9..6c60181e 100644
> +--- a/libraries/libapparmor/swig/python/Makefile.am
> ++++ b/libraries/libapparmor/swig/python/Makefile.am
> +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
> +
> + all-local: libapparmor_wrap.c setup.py
> + if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
> +- $(PYTHON) setup.py build
> ++ CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS)" $(PYTHON) setup.py build
> +
> + install-exec-local:
> + $(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
> +--
> +2.17.1
> +
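Review bot: In the new `all-local` command, `CFLAGS="$(PYTHON_CPPFLAGS)"` puts the preprocessor flags into CFLAGS and drops whatever CFLAGS the build was configured with (target ABI, optimisation and hardening flags), and `LDFLAGS="$(PYTHON_LDFLAGS)"` does the same for the linker flags; append to the configured values rather than replacing them, e.g. `CFLAGS="$(CFLAGS) $(PYTHON_CPPFLAGS)" LDFLAGS="$(LDFLAGS) $(PYTHON_LDFLAGS)"`. `install-exec-local` still runs `$(PYTHON) setup.py install` with the plain environment, so if anything makes setup.py rebuild at install time it will do so with host settings; export the same variables on that line too.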
> diff --git a/package/libapparmor/Config.in b/package/libapparmor/Config.in
> new file mode 100644
> index 0000000000..c93199cf37
> --- /dev/null
> +++ b/package/libapparmor/Config.in
> @@ -0,0 +1,34 @@
> +config BR2_PACKAGE_LIBAPPARMOR
> + bool "libapparmor"
> + depends on BR2_USE_WCHAR
> + select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
> + select BR2_PACKAGE_GREP
> + select BR2_PACKAGE_PYTHON3_READLINE if BR2_PACKAGE_PYTHON3
> + help
> + AppArmor is an effective and easy-to-use Linux application
> + security system. AppArmor proactively protects the operating
> + system and applications from external or internal threats,
> + even zero-day attacks, by enforcing good behavior and
> + preventing even unknown application flaws from being exploited.
> + AppArmor security policies completely define what system
> + resources individual applications can access, and with what
> + privileges. A number of default policies are included with
> + AppArmor, and using a combination of advanced static analysis
> + and learning-based tools, AppArmor policies for even very
> + complex applications can be deployed successfully in a
> + matter of hours.
> +
> + http://wiki.apparmor.net
> +
> +if BR2_PACKAGE_LIBAPPARMOR
> +
> +config BR2_PACKAGE_LIBAPPARMOR_PROFILES
> + bool "install profiles"
> + default y
> + help
> + This option install Apparmor default profiles
> +
> +endif
> +
> +comment "AppArmor needs needs a toolchain w/ wchar"
> + depends on !BR2_USE_WCHAR
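Review bot: `comment "AppArmor needs needs a toolchain w/ wchar"` has a doubled word, and `This option install Apparmor default profiles` should read `This option installs the AppArmor default profiles`. The help text is the project's promotional description; a Buildroot help text should say what the package actually provides (the libapparmor library, the parser and binutils tools, the optional mod_apparmor and pam_apparmor components) and be wrapped to the usual help-text width. `select BR2_PACKAGE_GREP` and `select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS` for a library package need a comment naming which installed script requires full grep; and since the .mk only builds the apache and linux-pam components when those packages are enabled, that should be visible here as well, for instance as one sub-option per component, along the lines of the split proposed in this review.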
> diff --git a/package/libapparmor/libapparmor.hash b/package/libapparmor/libapparmor.hash
> new file mode 100644
> index 0000000000..e5ae65d91c
> --- /dev/null
> +++ b/package/libapparmor/libapparmor.hash
> @@ -0,0 +1,3 @@
> +# locally computed
> +sha256 267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639 apparmor-2.13.3.tar.gz
> +sha256 a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4 LICENSE
> diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
> new file mode 100644
> index 0000000000..3935f3435a
> --- /dev/null
> +++ b/package/libapparmor/libapparmor.mk
> @@ -0,0 +1,87 @@
> +################################################################################
> +#
> +# libapparmor
> +#
> +################################################################################
> +
> +LIBAPPARMOR_BASE_VERSION = 2.13
> +LIBAPPARMOR_VERSION = $(LIBAPPARMOR_BASE_VERSION).3
> +LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
> +LIBAPPARMOR_SITE = https://launchpad.net/apparmor/$(LIBAPPARMOR_BASE_VERSION)/$(LIBAPPARMOR_VERSION)/+download
> +LIBAPPARMOR_LICENSE = GPL-2.0
> +LIBAPPARMOR_LICENSE_FILES = LICENSE
> +LIBAPPARMOR_SUBDIR = libraries/libapparmor
> +LIBAPPARMOR_AUTORECONF = YES
> +LIBAPPARMOR_INSTALL_STAGING = YES
> +LIBAPPARMOR_CONF_OPTS = --enable-static --enable-man-pages=no
> +
> +LIBAPPARMOR_SUBDIRS = parser binutils
> +
> +ifeq ($(BR2_PACKAGE_LIBAPPARMOR_PROFILES),y)
> +LIBAPPARMOR_SUBDIRS += profiles
> +endif
> +
> +ifeq ($(BR2_PACKAGE_APACHE),y)
> +LIBAPPARMOR_DEPENDENCIES += apache
> +LIBAPPARMOR_SUBDIRS += changehat/mod_apparmor
> +LIBAPPARMOR_SUBDIRS_BUILD_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs
> +endif
> +
> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> +LIBAPPARMOR_DEPENDENCIES += linux-pam
> +LIBAPPARMOR_SUBDIRS += changehat/pam_apparmor
> +endif
> +
> +LIBAPPARMOR_SUBDIRS_BUILD_OPTS = USE_SYSTEM=1
> +
> +LIBAPPARMOR_SUBDIRS_BUILD_CMD = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> + $(MAKE) $(LIBAPPARMOR_SUBDIRS_BUILD_OPTS) -C $(@D)/$(d)
> +
> +# libapparmor source code is in libraries/libapparmor and needs to be compiled
> +# and installed in staging before actually compiling subdirs components
> +define LIBAPPARMOR_SUBDIRS_BUILD_CMDS
> + $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
> + $(LIBAPPARMOR_SUBDIRS_BUILD_CMD)
> + )
> +endef
> +LIBAPPARMOR_POST_INSTALL_STAGING_HOOKS += LIBAPPARMOR_SUBDIRS_BUILD_CMDS
> +
> +define LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
> + $(foreach d,$(LIBAPPARMOR_SUBDIRS), \
> + $(LIBAPPARMOR_SUBDIRS_BUILD_CMD) DESTDIR=$(TARGET_DIR) install
> + )
> +endef
> +LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_SUBDIRS_INSTALL_TARGET_CMDS
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +
> +LIBAPPARMOR_CONF_OPTS += --with-python PYTHON=$(HOST_DIR)/usr/bin/python3 \
> + PYTHON_CONFIG=$(STAGING_DIR)/usr/bin/python3-config \
> + SWIG=$(HOST_DIR)/usr/bin/swig
> +LIBAPPARMOR_DEPENDENCIES += host-python3 host-swig python3
> +LIBAPPARMOR_SUBDIRS += utils
> +LIBAPPARMOR_SUBDIRS_BUILD_CMD += PYTHON=$(HOST_DIR)/usr/bin/python3
> +
> +endif
> +
> +# Enabling rules caching if the system is mounted R/W
> +ifeq ($(BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW),y)
> +define LIBAPPARMOR_ENABLE_PROFILE_CACHE
> + $(SED) '/^#write-cache/c\write-cache' $(TARGET_DIR)/etc/apparmor/parser.conf
> +endef
> +LIBAPPARMOR_POST_INSTALL_TARGET_HOOKS += LIBAPPARMOR_ENABLE_PROFILE_CACHE
> +endif
> +
> +define LIBAPPARMOR_INSTALL_INIT_SYSV
> + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> + $(TARGET_DIR)/etc/init.d/S10apparmor
> +endef
> +
> +define LIBAPPARMOR_INSTALL_INIT_SYSTEMD
> + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> + $(TARGET_DIR)/lib/apparmor/apparmor.systemd
> + $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.service \
> + $(TARGET_DIR)/usr/lib/systemd/system/apparmor.service
> +endef
> +
> +$(eval $(autotools-package))
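Review bot: `LIBAPPARMOR_SUBDIRS_BUILD_OPTS = USE_SYSTEM=1` uses `=` after the apache block has already done `LIBAPPARMOR_SUBDIRS_BUILD_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs`, so the APXS setting is discarded whenever BR2_PACKAGE_APACHE is set; move the `USE_SYSTEM=1` assignment above the conditional blocks, or make it `+=`. Two smaller points: `LIBAPPARMOR_INSTALL_INIT_SYSV` installs `parser/apparmor.systemd` as `/etc/init.d/S10apparmor`, which matches the commit message's remark that the file is really a SysV script but reads as a mistake without a comment saying so; and `--enable-static` in `LIBAPPARMOR_CONF_OPTS` forces a static library regardless of BR2_STATIC_LIBS/BR2_SHARED_LIBS, which the autotools infrastructure already passes for you, so it can probably be dropped.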
> --
> 2.17.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
Thread overview:
2020-03-26 18:01 [Buildroot] [PATCH v2] package/libapparmor: new package Angelo Compagnucci
2020-03-26 18:56 ` Yann E. MORIN [this message]
2020-03-26 20:34 ` Angelo Compagnucci
2020-03-26 20:56 ` Yann E. MORIN
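Added example, not taken from the posted patch nor from Buildroot or the AppArmor project: a sketch of the `package/apparmor-utils/apparmor-utils.mk` that the two-package split proposed in the review would need. The version, tarball name, download site, `USE_SYSTEM=1` and `APPARMOR_UTILS_DL_SUBDIR = libapparmor` come from the thread; the package name, the `APPARMOR_UTILS_*` variable names and the choice of `generic-package` are assumptions, and the matching `Config.in` and `apparmor-utils.hash` files are not shown.

```make
################################################################################
#
# apparmor-utils (hypothetical split-out package, not part of the posted patch)
#
################################################################################

# Same release as libapparmor; hardcoded rather than referencing
# LIBAPPARMOR_VERSION, because package .mk files are included in
# sorted order and this one would be read before libapparmor.mk.
APPARMOR_UTILS_BASE_VERSION = 2.13
APPARMOR_UTILS_VERSION = $(APPARMOR_UTILS_BASE_VERSION).3
APPARMOR_UTILS_SOURCE = apparmor-$(APPARMOR_UTILS_VERSION).tar.gz
APPARMOR_UTILS_SITE = https://launchpad.net/apparmor/$(APPARMOR_UTILS_BASE_VERSION)/$(APPARMOR_UTILS_VERSION)/+download
# Reuse the tarball already fetched for libapparmor instead of
# downloading a second copy (value suggested in the review).
APPARMOR_UTILS_DL_SUBDIR = libapparmor
APPARMOR_UTILS_LICENSE = GPL-2.0
APPARMOR_UTILS_LICENSE_FILES = LICENSE

# Depending on libapparmor guarantees that the library is already
# installed in staging/ when the tools below are built and linked,
# which is what the original single package tried to achieve with a
# POST_INSTALL_STAGING hook.
APPARMOR_UTILS_DEPENDENCIES = libapparmor

# Only the core tools live here; pam, apache, python and profiles
# would become their own packages, each depending on libapparmor.
APPARMOR_UTILS_SUBDIRS = parser binutils

# USE_SYSTEM=1 tells the sub-directory Makefiles to link against the
# installed libapparmor rather than the in-tree build.
APPARMOR_UTILS_MAKE_OPTS = USE_SYSTEM=1

define APPARMOR_UTILS_BUILD_CMDS
	$(foreach d,$(APPARMOR_UTILS_SUBDIRS), \
		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) \
			$(APPARMOR_UTILS_MAKE_OPTS) -C $(@D)/$(d)
	)
endef

define APPARMOR_UTILS_INSTALL_TARGET_CMDS
	$(foreach d,$(APPARMOR_UTILS_SUBDIRS), \
		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) $(MAKE) \
			$(APPARMOR_UTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) \
			-C $(@D)/$(d) install
	)
endef

$(eval $(generic-package))
```

With this split, libapparmor.mk keeps only the autotools build of `libraries/libapparmor` (its `LIBAPPARMOR_SUBDIR`, `LIBAPPARMOR_AUTORECONF` and `LIBAPPARMOR_INSTALL_STAGING` settings), and each optional component gets a package that selects `BR2_PACKAGE_LIBAPPARMOR` in its Config.in, so the conditional `ifeq` blocks of the original .mk disappear.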