public inbox for buildroot@busybox.net
* [Buildroot] [PATCH 1/9 v5] package/libapparmor: new package
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:25   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 2/9 v5] linux: enable AppArmor-related options if needed Yann E. MORIN
                   ` (9 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

From: Angelo Compagnucci <angelo@amarulasolutions.com>

The layout of the package is not amenable to building both the library
and the utilities at once, so this package will only install the
library.

The other apparmor-related tools however will almost all want to always
link with the static library (it's hard-coded in their Makefiles, like:
AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread), so we also
force the build of the static library.

The kernel headers 3.16 at least are required, for CAP_AUDIT_READ.

We need to force the C standard to gnu99, otherwise:

  - autoconf uses wchar_t in C99 test, so considers it to be missing
    on toolchains without wchar, but wchar is not otherwise needed for
    libapparmor;

  - c99 is not enough, otherwise the build fails with errors like:
        kernel.c:503:15: error: expected declaration specifiers or '...' before '(' token
         extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
                       ^

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr: strip down the patch to only build the lib]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 DEVELOPERS                           |  1 +
 package/Config.in                    |  1 +
 package/libapparmor/Config.in        | 16 ++++++++++++++++
 package/libapparmor/libapparmor.hash |  4 ++++
 package/libapparmor/libapparmor.mk   | 27 +++++++++++++++++++++++++++
 5 files changed, 49 insertions(+)
 create mode 100644 package/libapparmor/Config.in
 create mode 100644 package/libapparmor/libapparmor.hash
 create mode 100644 package/libapparmor/libapparmor.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index f67ef86e6c..142f3b406d 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -196,6 +196,7 @@ N:	Angelo Compagnucci <angelo.compagnucci@gmail.com>
 F:	package/corkscrew/
 F:	package/fail2ban/
 F:	package/i2c-tools/
+F:	package/libapparmor/
 F:	package/mender/
 F:	package/mender-artifact/
 F:	package/mono/
diff --git a/package/Config.in b/package/Config.in
index 7b73198d50..ae1bc2294d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1882,6 +1882,7 @@ endif
 endmenu
 
 menu "Security"
+	source "package/libapparmor/Config.in"
 	source "package/libselinux/Config.in"
 	source "package/libsemanage/Config.in"
 	source "package/libsepol/Config.in"
diff --git a/package/libapparmor/Config.in b/package/libapparmor/Config.in
new file mode 100644
index 0000000000..a444a5708b
--- /dev/null
+++ b/package/libapparmor/Config.in
@@ -0,0 +1,16 @@
+config BR2_PACKAGE_LIBAPPARMOR
+	bool "libapparmor"
+	depends on BR2_TOOLCHAIN_HAS_SYNC_4
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_16
+	help
+	  AppArmor is an effective and easy-to-use Linux application
+	  security system. AppArmor proactively protects the operating
+	  system and applications from external or internal threats,
+	  even zero-day attacks, by enforcing good behavior and
+	  preventing even unknown application flaws from being
+	  exploited.
+
+	  This package installs only the library.
+
+	  http://wiki.apparmor.net
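Review bot: The `depends on` lines for BR2_PACKAGE_LIBAPPARMOR have no matching `comment` entry, so on a toolchain without threads or with headers older than 3.16 the option vanishes from menuconfig with no hint why. Add a comment block with the inverse conditions (for example "libapparmor needs a toolchain w/ threads, headers >= 3.16"), and put a trailing `# CAP_AUDIT_READ` on the headers line, since the commit log gives that reason but the file does not.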
diff --git a/package/libapparmor/libapparmor.hash b/package/libapparmor/libapparmor.hash
new file mode 100644
index 0000000000..3bff2bc853
--- /dev/null
+++ b/package/libapparmor/libapparmor.hash
@@ -0,0 +1,4 @@
+# locally computed
+sha256  267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639  apparmor-2.13.3.tar.gz
+sha256  a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4  LICENSE
+sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  libraries/libapparmor/COPYING.LGPL
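Review bot: `# locally computed` on the tarball line means the hash only pins whatever was downloaded at packaging time; nothing here ties it to what upstream released. If upstream publishes a checksum or a detached signature for apparmor-2.13.3.tar.gz, verify the tarball against it and say so in the comment instead.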
diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
new file mode 100644
index 0000000000..12efd4335a
--- /dev/null
+++ b/package/libapparmor/libapparmor.mk
@@ -0,0 +1,27 @@
+################################################################################
+#
+# libapparmor
+#
+################################################################################
+
+LIBAPPARMOR_VERSION_MAJOR = 2.13
+LIBAPPARMOR_VERSION = $(LIBAPPARMOR_VERSION_MAJOR).3
+LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
+LIBAPPARMOR_SITE = https://launchpad.net/apparmor/$(LIBAPPARMOR_VERSION_MAJOR)/$(LIBAPPARMOR_VERSION)/+download
+LIBAPPARMOR_LICENSE = LGPL-2.1
+LIBAPPARMOR_LICENSE_FILES = LICENSE libraries/libapparmor/COPYING.LGPL
+
+LIBAPPARMOR_DEPENDENCIES = host-bison host-flex host-pkgconf
+LIBAPPARMOR_SUBDIR = libraries/libapparmor
+LIBAPPARMOR_INSTALL_STAGING = YES
+
+# Most AppArmor tools will want to link to the static lib.
+# ac_cv_prog_cc_c99 is required for BR2_USE_WCHAR=n because the C99 test
+# provided by autoconf relies on wchar_t.
+LIBAPPARMOR_CONF_OPTS = \
+	ac_cv_prog_cc_c99=-std=gnu99 \
+	--enable-static \
+	--enable-man-pages=no \
+	--without-python
+
+$(eval $(autotools-package))
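Review bot: The comment above LIBAPPARMOR_CONF_OPTS justifies `ac_cv_prog_cc_c99=-std=gnu99` only by the wchar_t problem, while the commit log gives a second reason: plain c99 fails on the `typeof` alias in kernel.c. Record both in the comment, otherwise the value looks safe to change to -std=c99 on a later cleanup.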
-- 
2.20.1


* [Buildroot] [PATCH 2/9 v5] linux: enable AppArmor-related options if needed
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
  2020-03-29 14:01 ` [Buildroot] [PATCH 1/9 v5] package/libapparmor: new package Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:25   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 3/9 v5] package/apparmor: new package Yann E. MORIN
                   ` (8 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

From: Angelo Compagnucci <angelo@amarulasolutions.com>

Using AppArmor requires support in the kernel, so do for AppArmor what
we did for SELinux, and enable the necessary options.

Note that a single LSM can be the default one, so as of today, SELinux
wins, by virtue of being the last to be enabled.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr:
  - don't force DEFAULT_SECURITY_APPARMOR, it does not exist in all
    kernel versions
  - move closer to SELinux
  - split into its own patch, write a commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 linux/linux.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/linux/linux.mk b/linux/linux.mk
index b2ceeecafb..9403612d27 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -408,6 +408,11 @@ define LINUX_KCONFIG_FIXUP_CMDS
 		$(call KCONFIG_ENABLE_OPT,CONFIG_FB,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_LOGO,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_LOGO_LINUX_CLUT224,$(@D)/.config))
+	$(if $(BR2_PACKAGE_LIBAPPARMOR),
+		$(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
+		$(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
+		$(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_APPARMOR,$(@D)/.config)
+		$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_APPARMOR,$(@D)/.config))
 	$(if $(BR2_PACKAGE_LIBSELINUX),
 		$(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_SELINUX,$(@D)/.config)
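Review bot: The last added line enables CONFIG_DEFAULT_SECURITY_APPARMOR, yet the commit log states that this version does not force DEFAULT_SECURITY_APPARMOR because it does not exist in all kernel versions. Either drop that line or correct the log. With both libapparmor and libselinux selected, the SELinux block that follows sets CONFIG_DEFAULT_SECURITY_SELINUX afterwards, so the image can ship AppArmor userspace with SELinux as the default LSM; a comment at this spot should say so.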
-- 
2.20.1
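
The kernel-side requirement described in the commit log above, as an added example that is not part of the patch series: a POSIX shell check that reads a built kernel `.config` and reports whether the options this patch enables are set and which LSM ended up as the default. The function names and the sample config are constructed for illustration; the `CONFIG_LSM` branch goes beyond what the page covers.

```shell
#!/bin/sh
# Added example (not Buildroot code): audit a kernel .config for the
# AppArmor options that linux.mk enables when libapparmor is selected.

# kconfig_is_enabled FILE OPTION: succeeds if OPTION=y is present in FILE.
kconfig_is_enabled() {
    grep -q "^$2=y\$" "$1"
}

# apparmor_kconfig_status FILE
# Prints exactly one status word and returns 0 only when AppArmor is the
# default LSM:
#   missing:<OPT>[,<OPT>...]  a required option is not set to y
#   default=apparmor          AppArmor is built in and is the default
#   default=selinux           AppArmor is built in, SELinux took the default
#   lsm-list=<value>          no DEFAULT_SECURITY_* choice; CONFIG_LSM shown
#   default=unset             AppArmor is built in, no default recorded
apparmor_kconfig_status() {
    cfg=$1
    missing=
    for opt in CONFIG_AUDIT CONFIG_SECURITY CONFIG_SECURITY_APPARMOR; do
        kconfig_is_enabled "$cfg" "$opt" || missing="${missing:+$missing,}$opt"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    if kconfig_is_enabled "$cfg" CONFIG_DEFAULT_SECURITY_APPARMOR; then
        echo "default=apparmor"
        return 0
    fi
    if kconfig_is_enabled "$cfg" CONFIG_DEFAULT_SECURITY_SELINUX; then
        echo "default=selinux"
        return 1
    fi
    # Kernels without the DEFAULT_SECURITY_* choice may carry an ordered
    # CONFIG_LSM="..." string instead; report it verbatim for review.
    lsm=$(sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p' "$cfg")
    if [ -n "$lsm" ]; then
        echo "lsm-list=$lsm"
        return 1
    fi
    echo "default=unset"
    return 1
}

# Constructed sample: the outcome the commit log describes when both
# libapparmor and libselinux are selected (SELinux is enabled last).
sample_config() {
    cat <<'EOF'
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_SELINUX=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
apparmor_kconfig_status "$tmp" || :
rm -f "$tmp"
```

In a Buildroot tree the function would be pointed at the `.config` in the kernel build directory after the `linux` package has been configured.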


* [Buildroot] [PATCH 3/9 v5] package/apparmor: new package
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
  2020-03-29 14:01 ` [Buildroot] [PATCH 1/9 v5] package/libapparmor: new package Yann E. MORIN
  2020-03-29 14:01 ` [Buildroot] [PATCH 2/9 v5] linux: enable AppArmor-related options if needed Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:25   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 4/9 v5] package/apparmor: add option to install binutils Yann E. MORIN
                   ` (7 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

From: Angelo Compagnucci <angelo@amarulasolutions.com>

The various AppArmor utilities are spread in a few sub-directories of
the apparmor source tree. For now, we build only the parser, but we'll
soon introduce support for a few other utilities, so we prepare the
package to be able to build more than just the parser, hence the
slightly convoluted build and install commands, and the use of the
APPARMOR_TOOLS and APPARMOR_MAKE_OPTS variables, which will come in handy
in the following commits.

We must ensure the version matches that of libapparmor, but there is not
much we can do to enforce that, so as we do for various other packages,
we just add a comment to that effect.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr:
  - make it a separate package
  - split into its own patch, write a commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/Config.in                  |  1 +
 package/apparmor/Config.in         | 19 ++++++++++++
 package/apparmor/apparmor.hash     |  4 +++
 package/apparmor/apparmor.mk       | 48 ++++++++++++++++++++++++++++++
 package/libapparmor/libapparmor.mk |  1 +
 5 files changed, 73 insertions(+)
 create mode 100644 package/apparmor/Config.in
 create mode 100644 package/apparmor/apparmor.hash
 create mode 100644 package/apparmor/apparmor.mk

diff --git a/package/Config.in b/package/Config.in
index ae1bc2294d..759c21f994 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2244,6 +2244,7 @@ menu "Real-Time"
 endmenu
 
 menu "Security"
+	source "package/apparmor/Config.in"
 	source "package/checkpolicy/Config.in"
 	source "package/ima-evm-utils/Config.in"
 	source "package/optee-benchmark/Config.in"
diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
new file mode 100644
index 0000000000..d35740ca73
--- /dev/null
+++ b/package/apparmor/Config.in
@@ -0,0 +1,19 @@
+config BR2_PACKAGE_APPARMOR
+	bool "apparmor"
+	depends on BR2_USE_MMU # fork()
+	depends on BR2_INSTALL_LIBSTDCPP
+	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # libapparmor
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libapparmor
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_16 # libapparmor
+	select BR2_PACKAGE_LIBAPPARMOR
+	help
+	  AppArmor is an effective and easy-to-use Linux application
+	  security system. AppArmor proactively protects the operating
+	  system and applications from external or internal threats,
+	  even zero-day attacks, by enforcing good behavior and
+	  preventing even unknown application flaws from being
+	  exploited.
+
+	  This package builds the parser (which can load profiles).
+
+	  http://wiki.apparmor.net
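Review bot: `depends on BR2_INSTALL_LIBSTDCPP` is the only dependency here without a trailing reason, and there is no `comment` entry for the case where the toolchain lacks C++, threads or recent enough headers, so the option is hidden silently. Add the reason and a comment block with the inverse conditions. The help text is also a copy of the libapparmor one up to its last sentence; a shorter help that leads with what this package installs would serve the user better.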
diff --git a/package/apparmor/apparmor.hash b/package/apparmor/apparmor.hash
new file mode 100644
index 0000000000..91ab51f6ab
--- /dev/null
+++ b/package/apparmor/apparmor.hash
@@ -0,0 +1,4 @@
+# locally computed
+sha256  267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639  apparmor-2.13.3.tar.gz
+sha256  a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4  LICENSE
+sha256  dd54950fa69a3096fe907a466a454d217ccca9bca77398d5232704766d5a0040  parser/COPYING.GPL
diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
new file mode 100644
index 0000000000..cab37d06a6
--- /dev/null
+++ b/package/apparmor/apparmor.mk
@@ -0,0 +1,48 @@
+################################################################################
+#
+# apparmor
+#
+################################################################################
+
+# When updating the version here, please also update the libapparmor package
+APPARMOR_VERSION_MAJOR = 2.13
+APPARMOR_VERSION = $(APPARMOR_VERSION_MAJOR).3
+APPARMOR_SITE = https://launchpad.net/apparmor/$(APPARMOR_VERSION_MAJOR)/$(APPARMOR_VERSION)/+download
+APPARMOR_DL_SUBDIR = libapparmor
+APPARMOR_LICENSE = GPL-2.0
+APPARMOR_LICENSE_FILES = LICENSE parser/COPYING.GPL
+
+APPARMOR_DEPENDENCIES = libapparmor
+
+APPARMOR_TOOLS = parser
+APPARMOR_MAKE_OPTS = USE_SYSTEM=1
+
+define APPARMOR_BUILD_CMDS
+	$(foreach tool,$(APPARMOR_TOOLS),\
+		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) -C $(@D)/$(tool) $(APPARMOR_MAKE_OPTS)
+	)
+endef
+
+define APPARMOR_INSTALL_TARGET_CMDS
+	$(foreach tool,$(APPARMOR_TOOLS),\
+		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
+		$(MAKE) -C $(@D)/$(tool) $(APPARMOR_MAKE_OPTS) \
+			DESTDIR=$(TARGET_DIR) install
+	)
+endef
+
+# Despite its name, apparmor.systemd is a sysv-init compatible startup script
+define APPARMOR_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
+		$(TARGET_DIR)/etc/init.d/S00apparmor
+endef
+
+define APPARMOR_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
+		$(TARGET_DIR)/lib/apparmor/apparmor.systemd
+	$(INSTALL) -D -m 0755 $(@D)/parser/apparmor.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/apparmor.service
+endef
+
+$(eval $(generic-package))
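Review bot: In APPARMOR_INSTALL_INIT_SYSTEMD, apparmor.service is installed with `-m 0755`; a unit file is not executable and should be installed 0644, keeping 0755 only for the apparmor.systemd helper script. In APPARMOR_INSTALL_INIT_SYSV, the S00apparmor name deserves a short comment on why this script has to run before the other init scripts, since the ordering is a security decision and not just a naming choice.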
diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
index 12efd4335a..8173d138d6 100644
--- a/package/libapparmor/libapparmor.mk
+++ b/package/libapparmor/libapparmor.mk
@@ -4,6 +4,7 @@
 #
 ################################################################################
 
+# When updating the version here, please also update the apparmor package
 LIBAPPARMOR_VERSION_MAJOR = 2.13
 LIBAPPARMOR_VERSION = $(LIBAPPARMOR_VERSION_MAJOR).3
 LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
-- 
2.20.1


* [Buildroot] [PATCH 4/9 v5] package/apparmor: add option to install binutils
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (2 preceding siblings ...)
  2020-03-29 14:01 ` [Buildroot] [PATCH 3/9 v5] package/apparmor: new package Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:26   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 5/9 v5] package/apparmor: add options to install utils Yann E. MORIN
                   ` (6 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

From: Angelo Compagnucci <angelo@amarulasolutions.com>

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr: split off to its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/apparmor/Config.in   | 10 ++++++++++
 package/apparmor/apparmor.mk |  4 ++++
 2 files changed, 14 insertions(+)

diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
index d35740ca73..d3941200c6 100644
--- a/package/apparmor/Config.in
+++ b/package/apparmor/Config.in
@@ -17,3 +17,13 @@ config BR2_PACKAGE_APPARMOR
 	  This package builds the parser (which can load profiles).
 
 	  http://wiki.apparmor.net
+
+if BR2_PACKAGE_APPARMOR
+
+config BR2_PACKAGE_APPARMOR_BINUTILS
+	bool "binutils"
+	help
+	  A set of utilities (written in C):
+	    aa-enabled    aa-exec
+
+endif
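Review bot: The prompt "binutils" for BR2_PACKAGE_APPARMOR_BINUTILS reads like GNU binutils in menuconfig, and the help only lists two program names. Make the prompt unambiguous and add one line per tool saying what it does, so the user can decide whether it belongs on the target. The commit message also has no body.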
diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
index cab37d06a6..9ee5304a16 100644
--- a/package/apparmor/apparmor.mk
+++ b/package/apparmor/apparmor.mk
@@ -17,6 +17,10 @@ APPARMOR_DEPENDENCIES = libapparmor
 APPARMOR_TOOLS = parser
 APPARMOR_MAKE_OPTS = USE_SYSTEM=1
 
+ifeq ($(BR2_PACKAGE_APPARMOR_BINUTILS),y)
+APPARMOR_TOOLS += binutils
+endif
+
 define APPARMOR_BUILD_CMDS
 	$(foreach tool,$(APPARMOR_TOOLS),\
 		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
-- 
2.20.1


* [Buildroot] [PATCH 5/9 v5] package/apparmor: add options to install utils
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (3 preceding siblings ...)
  2020-03-29 14:01 ` [Buildroot] [PATCH 4/9 v5] package/apparmor: add option to install binutils Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:27   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 6/9 v5] package/apparmor: add option to install generic profiles Yann E. MORIN
                   ` (5 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

Most utilities are written in python3, except a few that are written in
a mixture of POSIX shell, bash, perl and awk.

The Makefile does not allow installing parts of it, but requiring all of
python3, bash, and perl to install the utils is too much of a
requirement.

Instead, we split the set in two, on one hand the python ones, which we
install when python3 is enabled, and on the other hand, the rest of the
script which we call 'extras', and which we install when all the extra
requirements (bash, perl, and busybox or gawk) are met; if not, then we
remove these extra utils as a post-install hook.

Note about the order of the comments: they are in reverse-order of the
associated config symbols, so that they are properly displayed.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr:
  - split into its own patch
  - re-arrange the conditions
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/apparmor/Config.in   | 36 ++++++++++++++++++++++++++++++++++++
 package/apparmor/apparmor.mk | 14 ++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
index d3941200c6..714888c583 100644
--- a/package/apparmor/Config.in
+++ b/package/apparmor/Config.in
@@ -26,4 +26,40 @@ config BR2_PACKAGE_APPARMOR_BINUTILS
 	  A set of utilities (written in C):
 	    aa-enabled    aa-exec
 
+config BR2_PACKAGE_APPARMOR_UTILS
+	bool "utils"
+	depends on BR2_PACKAGE_PYTHON3
+	select BR2_PACKAGE_PYTHON3_READLINE
+	help
+	  A set of utilities (written in pyhon):
+	    aa-audit          aa-disable      aa-logprof
+	    aa-autodep        aa-easyprof     aa-mergeprof
+	    aa-cleanprof      aa-enforce      aa-status
+	    aa-complain       aa-genprof      aa-unconfined
+
+config BR2_PACKAGE_APPARMOR_UTILS_EXTRA
+	bool "utils (extras)"
+	depends on BR2_PACKAGE_APPARMOR_UTILS
+	depends on BR2_PACKAGE_BUSYBOX || BR2_PACKAGE_GAWK
+	depends on BR2_PACKAGE_BASH
+	depends on BR2_PACKAGE_PERL
+	help
+	  An extra set of utilities (written in a mixture of sh,
+	  bash, perl, and awk):
+	    aa-decode          (bash + perl)
+	    aa-notify          (perl)
+	    aa-remove-unknown  (sh + awk)
+
+comment "utils (extras) need bash and perl, and busybox or gawk"
+	depends on BR2_PACKAGE_APPARMOR_UTILS
+	depends on !BR2_PACKAGE_BASH || !BR2_PACKAGE_PERL \
+		|| !(BR2_PACKAGE_BUSYBOX || BR2_PACKAGE_GAWK)
+
+comment "utils need python3"
+	depends on BR2_USE_MMU
+	depends on BR2_USE_WCHAR
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_STATIC_LIBS
+	depends on !BR2_PACKAGE_PYTHON3
+
 endif
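Review bot: The help of BR2_PACKAGE_APPARMOR_UTILS has a typo ("pyhon"), and `select BR2_PACKAGE_PYTHON3_READLINE` carries no comment saying which utility needs readline. BR2_PACKAGE_APPARMOR_UTILS_EXTRA depends on BR2_PACKAGE_APPARMOR_UTILS, and so on python3, although its help lists only sh, bash, perl and awk scripts; the commit log explains that the upstream Makefile cannot install them separately, and that explanation belongs in a comment next to the dependency.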
diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
index 9ee5304a16..1805628de4 100644
--- a/package/apparmor/apparmor.mk
+++ b/package/apparmor/apparmor.mk
@@ -21,6 +21,20 @@ ifeq ($(BR2_PACKAGE_APPARMOR_BINUTILS),y)
 APPARMOR_TOOLS += binutils
 endif
 
+ifeq ($(BR2_PACKAGE_APPARMOR_UTILS),y)
+APPARMOR_DEPENDENCIES += $(BR2_PYTHON3_HOST_DEPENDENCY) python3
+APPARMOR_TOOLS += utils
+APPARMOR_MAKE_OPTS += PYTHON=$(HOST_DIR)/bin/python3
+
+ifeq ($(BR2_PACKAGE_APPARMOR_UTILS_EXTRA),)
+define APPARMOR_UTILS_NO_EXTRA
+	$(Q)rm -f $(addprefix $(TARGET_DIR)/usr/sbin/,aa-decode aa-notify aa-remove-unknown)
+endef
+APPARMOR_POST_INSTALL_TARGET_HOOKS += APPARMOR_UTILS_NO_EXTRA
+endif # BR2_PACKAGE_APPARMOR_UTILS_EXTRA
+
+endif # BR2_PACKAGE_APPARMOR_UTILS
+
 define APPARMOR_BUILD_CMDS
 	$(foreach tool,$(APPARMOR_TOOLS),\
 		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
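Review bot: APPARMOR_UTILS_NO_EXTRA removes a hard-coded list of three names that duplicates the help text of BR2_PACKAGE_APPARMOR_UTILS_EXTRA. After a version bump, a new non-python script from upstream would be installed without its interpreter and nothing would flag it. Add a comment tying this list to the Config.in help and to the version-bump reminder at the top of the file.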
-- 
2.20.1


* [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor)
@ 2020-03-29 14:01 Yann E. MORIN
  2020-03-29 14:01 ` [Buildroot] [PATCH 1/9 v5] package/libapparmor: new package Yann E. MORIN
                   ` (10 more replies)
  0 siblings, 11 replies; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

Hello All!

This series is a rework of the previous work from Angelo:
    http://lists.busybox.net/pipermail/buildroot/2020-March/278308.html
    http://lists.busybox.net/pipermail/buildroot/2020-March/278307.html

Fundamentally, (almost) all the code is from Angelo, and it has just
been spread across two packages.

The way the apparmor package is laid out is not very amenable to doing a
single package that builds everything: all the tools and utils depend on
libapparmor, and that is better installed before the build of the tools
is attempted.

So, we split the packaging in two:

  - libapparmor, which is solely responsible for installing
    libapparmor and its python3 bindings,

  - apparmor per-se, which is responsible for installing all the tools
    and utilities.

To be noted: most of the tools' Makefiles hard-code linking to the
static libapparmor (without explanations), so rather than go against the
tide, we just enforce building the static library (note also that we do
not forbid building the shared one).

The only major part that was dropped from the initial series, is support
for writing the cache on read-write filesystems. The condition was based
on BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW, but that does not prevent
building an actually read-only filesystem at all (e.g. squashfs). So,
more thoughts will have to be poured into this caching feature in a
subsequent series.

Changes v4 -> v5:  (adopted by Yann)
  - split in two packages, one for the lib, one for the utils
  - reword all the commit logs
  - fix dependencies (threads, mmu...)
  - re-organise the conditions to install utils (python3 vs others)
  - drop the cache writing for read-write filesystems


Regards,
Yann E. MORIN.


The following changes since commit d0f5a5551ab86f6272f13deaa16dcdf4b07a524f

  package/sysstat: bump to version 12.2.1 (2020-03-29 15:50:36 +0200)


are available in the git repository at:

  git://git.buildroot.org/~ymorin/git/buildroot.git

for you to fetch changes up to 8b4415dad37fa81cf2d4adb09b27119b233bcd8a

  package/apparmor: enable apache integration (2020-03-29 16:01:18 +0200)


----------------------------------------------------------------
Angelo Compagnucci (4):
      package/libapparmor: new package
      linux: enable AppArmor-related options if needed
      package/apparmor: new package
      package/apparmor: add option to install binutils

Yann E. MORIN (5):
      package/apparmor: add options to install utils
      package/apparmor: add option to install generic profiles
      package/libapparmor: enable python bindings
      package/apparmor: enable PAM integration
      package/apparmor: enable apache integration

 DEVELOPERS                                         |  1 +
 linux/linux.mk                                     |  5 ++
 package/Config.in                                  |  2 +
 package/apparmor/Config.in                         | 71 ++++++++++++++++
 package/apparmor/apparmor.hash                     |  4 +
 package/apparmor/apparmor.mk                       | 81 ++++++++++++++++++
 ...n_devel-fixing-for-crosscompiling-environ.patch | 96 ++++++++++++++++++++++
 ...-fixing-setup.py-call-when-crosscompiling.patch | 30 +++++++
 package/libapparmor/Config.in                      | 16 ++++
 package/libapparmor/libapparmor.hash               |  4 +
 package/libapparmor/libapparmor.mk                 | 41 +++++++++
 11 files changed, 351 insertions(+)
 create mode 100644 package/apparmor/Config.in
 create mode 100644 package/apparmor/apparmor.hash
 create mode 100644 package/apparmor/apparmor.mk
 create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
 create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
 create mode 100644 package/libapparmor/Config.in
 create mode 100644 package/libapparmor/libapparmor.hash
 create mode 100644 package/libapparmor/libapparmor.mk

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 6/9 v5] package/apparmor: add option to install generic profiles
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (4 preceding siblings ...)
  2020-03-29 14:01 ` [Buildroot] [PATCH 5/9 v5] package/apparmor: add options to install utils Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:27   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 7/9 v5] package/libapparmor: enable python bindings Yann E. MORIN
                   ` (4 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

The apparmor package comes with a set of profiles for a class of usual,
mostly server-class programs and daemons.

Even though an embedded device will mostly require custom profiles, the
generic ones may come in handy, as they also provide "abstractions", that
can serve as templates for custom profiles.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr: split off into its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/apparmor/Config.in   | 6 ++++++
 package/apparmor/apparmor.mk | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
index 714888c583..77a20f6faa 100644
--- a/package/apparmor/Config.in
+++ b/package/apparmor/Config.in
@@ -62,4 +62,10 @@ comment "utils need python3"
 	depends on !BR2_STATIC_LIBS
 	depends on !BR2_PACKAGE_PYTHON3
 
+config BR2_PACKAGE_APPARMOR_PROFILES
+	bool "profiles"
+	help
+	  Installs server-class profiles for a wide range of
+	  usual programs and daemons.
+
 endif
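Review bot: The help of BR2_PACKAGE_APPARMOR_PROFILES mentions only the server-class profiles, while the commit log's actual argument for an embedded target is the "abstractions" that custom profiles can build on; put that in the help text. It should also state whether the installed profiles end up enforced at boot, because that decides whether selecting this option changes the behaviour of the programs they cover.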
diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
index 1805628de4..26a09d2ff5 100644
--- a/package/apparmor/apparmor.mk
+++ b/package/apparmor/apparmor.mk
@@ -35,6 +35,10 @@ endif # BR2_PACKAGE_APPARMOR_UTILS_EXTRA
 
 endif # BR2_PACKAGE_APPARMOR_UTILS
 
+ifeq ($(BR2_PACKAGE_APPARMOR_PROFILES),y)
+APPARMOR_TOOLS += profiles
+endif
+
 define APPARMOR_BUILD_CMDS
 	$(foreach tool,$(APPARMOR_TOOLS),\
 		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
-- 
2.20.1


* [Buildroot] [PATCH 7/9 v5] package/libapparmor: enable python bindings
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (5 preceding siblings ...)
  2020-03-29 14:01 ` [Buildroot] [PATCH 6/9 v5] package/apparmor: add option to install generic profiles Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:28   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 8/9 v5] package/apparmor: enable PAM integration Yann E. MORIN
                   ` (3 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr: split off into its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 ...el-fixing-for-crosscompiling-environ.patch | 96 +++++++++++++++++++
 ...ng-setup.py-call-when-crosscompiling.patch | 30 ++++++
 package/libapparmor/libapparmor.mk            | 17 +++-
 3 files changed, 141 insertions(+), 2 deletions(-)
 create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
 create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch

diff --git a/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
new file mode 100644
index 0000000000..7b902d5970
--- /dev/null
+++ b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
@@ -0,0 +1,96 @@
+From 235ce271f3fee53b918317ebb73a47b3c6a7ae03 Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Tue, 24 Mar 2020 22:53:37 +0100
+Subject: [PATCH] m4: ac_python_devel: fixing for crosscompiling environments
+
+In a crosscompiling environment it's common to have a python executable
+running for the host system with a python-config reporting the host
+configuration and a second python-config reporting the target configuration.
+In such cases, relying on the default oython-config is wrong and breaks
+the cross compilation.
+
+This patch adds a PYTHON_CONFIG variable that can be pointed to the second
+python-config and fixes the rest of the m4 accordingly.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+ libraries/libapparmor/m4/ac_python_devel.m4 | 25 ++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/libraries/libapparmor/m4/ac_python_devel.m4 b/libraries/libapparmor/m4/ac_python_devel.m4
+index 2ea7dc77..6454e2d8 100644
+--- a/libraries/libapparmor/m4/ac_python_devel.m4
++++ b/libraries/libapparmor/m4/ac_python_devel.m4
+@@ -13,6 +13,11 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
+            PYTHON_VERSION=""
+         fi
+ 
++        AC_PATH_PROG([PYTHON_CONFIG],[`basename [$PYTHON]-config`])
++        if test -z "$PYTHON_CONFIG"; then
++           AC_MSG_ERROR([Cannot find python$PYTHON_VERSION-config in your system path])
++        fi
++
+         #
+         # Check for a version of Python >= 2.1.0
+         #
+@@ -79,8 +84,8 @@ $ac_distutils_result])
+         # Check for Python include path
+         #
+         AC_MSG_CHECKING([for Python include path])
+-        if type $PYTHON-config; then
+-                PYTHON_CPPFLAGS=`$PYTHON-config --includes`
++        if type $PYTHON_CONFIG; then
++                PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
+         fi
+         if test -z "$PYTHON_CPPFLAGS"; then
+                 python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
+@@ -97,8 +102,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
+         # Check for Python library path
+         #
+         AC_MSG_CHECKING([for Python library path])
+-        if type $PYTHON-config; then
+-                PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
++        if type $PYTHON_CONFIG; then
++                PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
+         fi
+         if test -z "$PYTHON_LDFLAGS"; then
+                 # (makes two attempts to ensure we've got a version number
+@@ -136,10 +141,14 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
+         # libraries which must be linked in when embedding
+         #
+         AC_MSG_CHECKING(python extra libraries)
++        if type $PYTHON_CONFIG; then
++                PYTHON_EXTRA_LIBS=`$PYTHON_CONFIG --libs --embed` || \
++                        PYTHON_EXTRA_LIBS=''
++        fi
+         if test -z "$PYTHON_EXTRA_LIBS"; then
+            PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+ conf = distutils.sysconfig.get_config_var; \
+-sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
++sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
+         fi
+         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
+         AC_SUBST(PYTHON_EXTRA_LIBS)
+@@ -148,6 +157,10 @@ sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
+         # linking flags needed when embedding
+         #
+         AC_MSG_CHECKING(python extra linking flags)
++        if type $PYTHON_CONFIG; then
++                PYTHON_EXTRA_LDFLAGS=`$PYTHON_CONFIG --ldflags --embed` || \
++                        PYTHON_EXTRA_LDFLAGS=''
++        fi
+         if test -z "$PYTHON_EXTRA_LDFLAGS"; then
+                 PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
+ conf = distutils.sysconfig.get_config_var; \
+@@ -164,7 +177,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
+         # save current global flags
+         ac_save_LIBS="$LIBS"
+         ac_save_CPPFLAGS="$CPPFLAGS"
+-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
++        LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
+         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+         AC_TRY_LINK([
+                 #include <Python.h>
+-- 
+2.17.1
+
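
Review bot: the new `AC_MSG_ERROR` right after `AC_PATH_PROG([PYTHON_CONFIG], ...)` makes python-config a hard requirement, yet every later use is still wrapped in `if type $PYTHON_CONFIG; then` with a distutils fallback behind it, so those guards can never fail for a missing tool. Either drop the error and keep python-config optional, or drop the `type` guards; if they stay, quote the variable and send the output of `type` to /dev/null so it does not land in the middle of the `AC_MSG_CHECKING` line. The error text also names `python$PYTHON_VERSION-config` while the lookup uses the basename of `$PYTHON-config`, and `PYTHON_VERSION` may be empty at that point, so the message can name a different program than the one searched for.
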
diff --git a/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
new file mode 100644
index 0000000000..8d6ca86e47
--- /dev/null
+++ b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
@@ -0,0 +1,30 @@
+From cf61d1257b9a5f12fdf6f4dd6a2746f77b23a8a0 Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Tue, 24 Mar 2020 23:02:08 +0100
+Subject: [PATCH] libapparmor: fixing setup.py call when crosscompiling
+
+When crosscompiling, setupy.py should be called passing the settings
+discovered by ac_python_devel.m4 and not using the default system
+settings.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+ libraries/libapparmor/swig/python/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libapparmor/swig/python/Makefile.am b/libraries/libapparmor/swig/python/Makefile.am
+index 421acba9..6c60181e 100644
+--- a/libraries/libapparmor/swig/python/Makefile.am
++++ b/libraries/libapparmor/swig/python/Makefile.am
+@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
+ 
+ all-local: libapparmor_wrap.c setup.py
+ 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
+-	$(PYTHON) setup.py build
++	CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS)" $(PYTHON) setup.py build
+ 
+ install-exec-local:
+ 	$(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
+-- 
+2.17.1
+
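
Review bot: on the changed `setup.py build` line, `CFLAGS="$(PYTHON_CPPFLAGS)"` and `LDFLAGS="$(PYTHON_LDFLAGS)"` carry only the Python flags, so the `$(CFLAGS)` and `$(LDFLAGS)` chosen at configure time (hardening and optimisation flags included) are not passed to the extension build. Suggest `CFLAGS="$(CFLAGS) $(PYTHON_CPPFLAGS)"` and the same for LDFLAGS. The `install-exec-local` rule still runs `setup.py install` without this environment and should get the same variables in case it triggers a rebuild. The commit message says "setupy.py" where setup.py is meant.
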
diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
index 8173d138d6..4d6bb6d82b 100644
--- a/package/libapparmor/libapparmor.mk
+++ b/package/libapparmor/libapparmor.mk
@@ -16,13 +16,26 @@ LIBAPPARMOR_DEPENDENCIES = host-bison host-flex host-pkgconf
 LIBAPPARMOR_SUBDIR = libraries/libapparmor
 LIBAPPARMOR_INSTALL_STAGING = YES
 
+# Patches 0001 and 0002 touch Makefile.am and an m4 file
+LIBAPPARMOR_AUTORECONF = YES
+
 # Most AppArmor tools will want to link to the static lib.
 # ac_cv_prog_cc_c99 is required for BR2_USE_WCHAR=n because the C99 test
 # provided by autoconf relies on wchar_t.
 LIBAPPARMOR_CONF_OPTS = \
 	ac_cv_prog_cc_c99=-std=gnu99 \
 	--enable-static \
-	--enable-man-pages=no \
-	--without-python
+	--enable-man-pages=no
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+LIBAPPARMOR_DEPENDENCIES += host-python3 host-swig python3
+LIBAPPARMOR_CONF_OPTS += \
+	--with-python \
+	PYTHON=$(HOST_DIR)/usr/bin/python3 \
+	PYTHON_CONFIG=$(STAGING_DIR)/usr/bin/python3-config \
+	SWIG=$(SWIG)
+else
+LIBAPPARMOR_CONF_OPTS += --without-python
+endif
 
 $(eval $(autotools-package))
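
Review bot: in the `ifeq ($(BR2_PACKAGE_PYTHON3),y)` block, `PYTHON` points at the interpreter in `$(HOST_DIR)` while `PYTHON_CONFIG` points at `python3-config` in `$(STAGING_DIR)`, and nothing says why the two come from different trees. A one-line comment explaining the split (presumably the host interpreter runs the build and the staging script supplies the target's flags) would keep someone from later "fixing" the apparent mismatch.
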
-- 
2.20.1


* [Buildroot] [PATCH 8/9 v5] package/apparmor: enable PAM integration
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (6 preceding siblings ...)
  2020-03-29 14:01 ` [Buildroot] [PATCH 7/9 v5] package/libapparmor: enable python bindings Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:28   ` Angelo Compagnucci
  2020-03-29 14:01 ` [Buildroot] [PATCH 9/9 v5] package/apparmor: enable apache integration Yann E. MORIN
                   ` (2 subsequent siblings)
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr: split off to its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/apparmor/apparmor.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
index 26a09d2ff5..8a25cd4466 100644
--- a/package/apparmor/apparmor.mk
+++ b/package/apparmor/apparmor.mk
@@ -39,6 +39,11 @@ ifeq ($(BR2_PACKAGE_APPARMOR_PROFILES),y)
 APPARMOR_TOOLS += profiles
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+APPARMOR_DEPENDENCIES += linux-pam
+APPARMOR_TOOLS += changehat/pam_apparmor
+endif
+
 define APPARMOR_BUILD_CMDS
 	$(foreach tool,$(APPARMOR_TOOLS),\
 		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
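
Review bot: the commit log has no body, and the `ifeq ($(BR2_PACKAGE_LINUX_PAM),y)` block turns on `changehat/pam_apparmor` for every configuration that has linux-pam, with no Config.in symbol to opt out. Please say in the log what the module provides and that it is enabled implicitly, or add an option as was done for binutils and profiles.
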
-- 
2.20.1


* [Buildroot] [PATCH 9/9 v5] package/apparmor: enable apache integration
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (7 preceding siblings ...)
  2020-03-29 14:01 ` [Buildroot] [PATCH 8/9 v5] package/apparmor: enable PAM integration Yann E. MORIN
@ 2020-03-29 14:01 ` Yann E. MORIN
  2020-04-17 21:28   ` Angelo Compagnucci
  2020-04-04 11:40 ` [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
  2020-04-20  9:34 ` Yann E. MORIN
  10 siblings, 1 reply; 21+ messages in thread
From: Yann E. MORIN @ 2020-03-29 14:01 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998 at free.fr: split off to its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/apparmor/apparmor.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
index 8a25cd4466..a4900397f2 100644
--- a/package/apparmor/apparmor.mk
+++ b/package/apparmor/apparmor.mk
@@ -44,6 +44,12 @@ APPARMOR_DEPENDENCIES += linux-pam
 APPARMOR_TOOLS += changehat/pam_apparmor
 endif
 
+ifeq ($(BR2_PACKAGE_APACHE),y)
+APPARMOR_DEPENDENCIES += apache
+APPARMOR_TOOLS += changehat/mod_apparmor
+APPARMOR_MAKE_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs
+endif
+
 define APPARMOR_BUILD_CMDS
 	$(foreach tool,$(APPARMOR_TOOLS),\
 		$(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
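
Review bot: `APPARMOR_MAKE_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs` is appended to the options shared by the whole `$(foreach tool,$(APPARMOR_TOOLS),` loop, so `APXS` is passed to the make invocation of every tool, not only `changehat/mod_apparmor`. That is probably harmless, but a comment saying it is only meant for mod_apparmor would help. The commit log is also empty; it should at least say that mod_apparmor is built automatically when apache is selected.
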
-- 
2.20.1


* [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor)
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (8 preceding siblings ...)
  2020-03-29 14:01 ` [Buildroot] [PATCH 9/9 v5] package/apparmor: enable apache integration Yann E. MORIN
@ 2020-04-04 11:40 ` Yann E. MORIN
  2020-04-20  9:34 ` Yann E. MORIN
  10 siblings, 0 replies; 21+ messages in thread
From: Yann E. MORIN @ 2020-04-04 11:40 UTC (permalink / raw)
  To: buildroot

Angelo, All,

On 2020-03-29 16:01 +0200, Yann E. MORIN spake thusly:
> This series is a rework of the previous work from Angelo:
>     http://lists.busybox.net/pipermail/buildroot/2020-March/278308.html
>     http://lists.busybox.net/pipermail/buildroot/2020-March/278307.html

Angelo, did you have the opportunity to have a look at this series?

Regards,
Yann E. MORIN.

> Fundamentally, (almost) all the code is from Angelo, and it has just
> been spread across two packages.
> 
> The way the apparmor package is laid out is not very amenable to doing a
> single package that builds everything: all the tools and utils depend on
> libapparmor, and that is better installed before the build of the tools
> is attempted.
> 
> So, we split the packaging in two:
> 
>   - libapparmor, which is solely responsible for installing
>     libapparmor and its python3 bindings,
> 
>   - apparmor per-se, which is responsible for installing all the tools
>     and utilities.
> 
> To be noted: most of the tools' Makefiles hard-code linking to the
> static libapparmor (without explanations), so rather than go against the
> tide, we just enforce building the static library (note also that we do
> not forbid building the shared one).
> 
> The only major part that was dropped from the initial series, is support
> for writing the cache on read-write filesystems. The condition was based
> on BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW, but that does not prevent
> building an actually read-only filesystem at all (e.g. squashfs). So,
> more thoughts will have to be poured into this caching feature in a
> subsequent series.
> 
> Changes v4 -> v5:  (adopted by Yann)
>   - split in two packages, one for the lib, one for the utils
>   - reword all the commit logs
>   - fix dependencies (threads, mmu...)
>   - re-organise the conditions to install utils (python3 vs others)
>   - drop the cache writing for read-write filesystems
> 
> 
> Regards,
> Yann E. MORIN.
> 
> 
> The following changes since commit d0f5a5551ab86f6272f13deaa16dcdf4b07a524f
> 
>   package/sysstat: bump to version 12.2.1 (2020-03-29 15:50:36 +0200)
> 
> 
> are available in the git repository at:
> 
>   git://git.buildroot.org/~ymorin/git/buildroot.git
> 
> for you to fetch changes up to 8b4415dad37fa81cf2d4adb09b27119b233bcd8a
> 
>   package/apparmor: enable apache integration (2020-03-29 16:01:18 +0200)
> 
> 
> ----------------------------------------------------------------
> Angelo Compagnucci (4):
>       package/libapparmor: new package
>       linux: enable AppArmor-related options if needed
>       package/apparmor: new package
>       package/apparmor: add option to install binutils
> 
> Yann E. MORIN (5):
>       package/apparmor: add options to install utils
>       package/apparmor: add option to install generic profiles
>       package/libapparmor: enable python bindings
>       package/apparmor: enable PAM integration
>       package/apparmor: enable apache integration
> 
>  DEVELOPERS                                         |  1 +
>  linux/linux.mk                                     |  5 ++
>  package/Config.in                                  |  2 +
>  package/apparmor/Config.in                         | 71 ++++++++++++++++
>  package/apparmor/apparmor.hash                     |  4 +
>  package/apparmor/apparmor.mk                       | 81 ++++++++++++++++++
>  ...n_devel-fixing-for-crosscompiling-environ.patch | 96 ++++++++++++++++++++++
>  ...-fixing-setup.py-call-when-crosscompiling.patch | 30 +++++++
>  package/libapparmor/Config.in                      | 16 ++++
>  package/libapparmor/libapparmor.hash               |  4 +
>  package/libapparmor/libapparmor.mk                 | 41 +++++++++
>  11 files changed, 351 insertions(+)
>  create mode 100644 package/apparmor/Config.in
>  create mode 100644 package/apparmor/apparmor.hash
>  create mode 100644 package/apparmor/apparmor.mk
>  create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
>  create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
>  create mode 100644 package/libapparmor/Config.in
>  create mode 100644 package/libapparmor/libapparmor.hash
>  create mode 100644 package/libapparmor/libapparmor.mk
> 
> -- 
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/9 v5] package/libapparmor: new package
  2020-03-29 14:01 ` [Buildroot] [PATCH 1/9 v5] package/libapparmor: new package Yann E. MORIN
@ 2020-04-17 21:25   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:25 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> From: Angelo Compagnucci <angelo@amarulasolutions.com>
>
> The layout of the package is not amenable to building both the library
> and the utilities at once, so this package will only install the
> library.
>
> The other apparmor-related tools however will almost all want to always
> link with the static library (it's hard-coded in their Makefiles, like:
> AALIB = -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread), so we also
> force the build of the static library.
>
> The kernel headers 3.16 at least are required, for CAP_AUDIT_READ.
>
> We need to force the C standard to gnu99, otherwise:
>
>   - autoconf uses wchar_t in C99 test, so considers it to be missing
>     on toolchains without wchar, but wchar is not otherwise needed for
>     libapparmor;
>
>   - c99 is not enough, otherwise the build fails with errors like:
>         kernel.c:503:15: error: expected declaration specifiers or ‘...’ before ‘(’ token
>          extern typeof((__change_hat)) __old_change_hat __attribute__((alias ("__change_hat")));
>                        ^
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr: strip down the patch to only build the lib]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  DEVELOPERS                           |  1 +
>  package/Config.in                    |  1 +
>  package/libapparmor/Config.in        | 16 ++++++++++++++++
>  package/libapparmor/libapparmor.hash |  4 ++++
>  package/libapparmor/libapparmor.mk   | 27 +++++++++++++++++++++++++++
>  5 files changed, 49 insertions(+)
>  create mode 100644 package/libapparmor/Config.in
>  create mode 100644 package/libapparmor/libapparmor.hash
>  create mode 100644 package/libapparmor/libapparmor.mk
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index f67ef86e6c..142f3b406d 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -196,6 +196,7 @@ N:  Angelo Compagnucci <angelo.compagnucci@gmail.com>
>  F:     package/corkscrew/
>  F:     package/fail2ban/
>  F:     package/i2c-tools/
> +F:     package/libapparmor/
>  F:     package/mender/
>  F:     package/mender-artifact/
>  F:     package/mono/
> diff --git a/package/Config.in b/package/Config.in
> index 7b73198d50..ae1bc2294d 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1882,6 +1882,7 @@ endif
>  endmenu
>
>  menu "Security"
> +       source "package/libapparmor/Config.in"
>         source "package/libselinux/Config.in"
>         source "package/libsemanage/Config.in"
>         source "package/libsepol/Config.in"
> diff --git a/package/libapparmor/Config.in b/package/libapparmor/Config.in
> new file mode 100644
> index 0000000000..a444a5708b
> --- /dev/null
> +++ b/package/libapparmor/Config.in
> @@ -0,0 +1,16 @@
> +config BR2_PACKAGE_LIBAPPARMOR
> +       bool "libapparmor"
> +       depends on BR2_TOOLCHAIN_HAS_SYNC_4
> +       depends on BR2_TOOLCHAIN_HAS_THREADS
> +       depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_16
> +       help
> +         AppArmor is an effective and easy-to-use Linux application
> +         security system. AppArmor proactively protects the operating
> +         system and applications from external or internal threats,
> +         even zero-day attacks, by enforcing good behavior and
> +         preventing even unknown application flaws from being
> +         exploited.
> +
> +         This package installs only the library.
> +
> +         http://wiki.apparmor.net
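
Review bot: `BR2_PACKAGE_LIBAPPARMOR` has three `depends on` lines for toolchain features but no matching `comment` entry, so the option silently disappears from the menu when threads or 3.16 headers are missing. Buildroot's usual form is a `comment "libapparmor needs a toolchain w/ ..."` with the inverted conditions. A short `# CAP_AUDIT_READ` after the headers dependency would also record the reason given in the commit log.
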
> diff --git a/package/libapparmor/libapparmor.hash b/package/libapparmor/libapparmor.hash
> new file mode 100644
> index 0000000000..3bff2bc853
> --- /dev/null
> +++ b/package/libapparmor/libapparmor.hash
> @@ -0,0 +1,4 @@
> +# locally computed
> +sha256  267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639  apparmor-2.13.3.tar.gz
> +sha256  a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4  LICENSE
> +sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  libraries/libapparmor/COPYING.LGPL
> diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
> new file mode 100644
> index 0000000000..12efd4335a
> --- /dev/null
> +++ b/package/libapparmor/libapparmor.mk
> @@ -0,0 +1,27 @@
> +################################################################################
> +#
> +# libapparmor
> +#
> +################################################################################
> +
> +LIBAPPARMOR_VERSION_MAJOR = 2.13
> +LIBAPPARMOR_VERSION = $(LIBAPPARMOR_VERSION_MAJOR).3
> +LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
> +LIBAPPARMOR_SITE = https://launchpad.net/apparmor/$(LIBAPPARMOR_VERSION_MAJOR)/$(LIBAPPARMOR_VERSION)/+download
> +LIBAPPARMOR_LICENSE = LGPL-2.1
> +LIBAPPARMOR_LICENSE_FILES = LICENSE libraries/libapparmor/COPYING.LGPL
> +
> +LIBAPPARMOR_DEPENDENCIES = host-bison host-flex host-pkgconf
> +LIBAPPARMOR_SUBDIR = libraries/libapparmor
> +LIBAPPARMOR_INSTALL_STAGING = YES
> +
> +# Most AppArmor tools will want to link to the static lib.
> +# ac_cv_prog_cc_c99 is required for BR2_USE_WCHAR=n because the C99 test
> +# provided by autoconf relies on wchar_t.
> +LIBAPPARMOR_CONF_OPTS = \
> +       ac_cv_prog_cc_c99=-std=gnu99 \
> +       --enable-static \
> +       --enable-man-pages=no \
> +       --without-python
> +
> +$(eval $(autotools-package))
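
Review bot: the comment above `LIBAPPARMOR_CONF_OPTS` explains `ac_cv_prog_cc_c99=-std=gnu99` only by the wchar_t problem in autoconf's C99 test; the commit log's second reason, that plain c99 breaks the build on the `typeof` declaration in kernel.c, is missing. Without it the next person may "simplify" the value to `-std=c99`.
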
> --
> 2.20.1
>


* [Buildroot] [PATCH 2/9 v5] linux: enable AppArmor-related options if needed
  2020-03-29 14:01 ` [Buildroot] [PATCH 2/9 v5] linux: enable AppArmor-related options if needed Yann E. MORIN
@ 2020-04-17 21:25   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:25 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> From: Angelo Compagnucci <angelo@amarulasolutions.com>
>
> Using AppArmor requires support in the kernel, so do for AppArmor what
> we did for SELinux, and enable the necessary options.
>
> Note that a single LSM can be the default one, so as of today, SELinux
> wins, by virtue of being the last to be enabled.
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr:
>   - don't force DEFAULT_SECURITY_APPARMOR, it does not exist in all
>     kernel versions
>   - move closer to SELinux
>   - split into its own patch, write a commit log
> ]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  linux/linux.mk | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/linux/linux.mk b/linux/linux.mk
> index b2ceeecafb..9403612d27 100644
> --- a/linux/linux.mk
> +++ b/linux/linux.mk
> @@ -408,6 +408,11 @@ define LINUX_KCONFIG_FIXUP_CMDS
>                 $(call KCONFIG_ENABLE_OPT,CONFIG_FB,$(@D)/.config)
>                 $(call KCONFIG_ENABLE_OPT,CONFIG_LOGO,$(@D)/.config)
>                 $(call KCONFIG_ENABLE_OPT,CONFIG_LOGO_LINUX_CLUT224,$(@D)/.config))
> +       $(if $(BR2_PACKAGE_LIBAPPARMOR),
> +               $(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
> +               $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
> +               $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_APPARMOR,$(@D)/.config)
> +               $(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_APPARMOR,$(@D)/.config))
>         $(if $(BR2_PACKAGE_LIBSELINUX),
>                 $(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT,$(@D)/.config)
>                 $(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_SELINUX,$(@D)/.config)
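
Review bot: the `$(if $(BR2_PACKAGE_LIBAPPARMOR),` block still ends with `KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_APPARMOR`, although the commit log states "don't force DEFAULT_SECURITY_APPARMOR, it does not exist in all kernel versions". Either the line should go or the log should be corrected. Since the log also says SELinux wins when both are enabled, a comment here noting that selecting libapparmor alongside libselinux does not make AppArmor the default LSM would save users from assuming their profiles are enforced.
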
> --
> 2.20.1
>


* [Buildroot] [PATCH 3/9 v5] package/apparmor: new package
  2020-03-29 14:01 ` [Buildroot] [PATCH 3/9 v5] package/apparmor: new package Yann E. MORIN
@ 2020-04-17 21:25   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:25 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> From: Angelo Compagnucci <angelo@amarulasolutions.com>
>
> The various AppArmor utilities are spread in a few sub-directories of
> the apparmor source tree. For now, we build only the parser, but we'll
> soon introduce support for a few other utilities, so we prepare the
> package to be able to build more than just the parser, hence the
> slightly convoluted build and install commands, and the use of the
> APPARMOR_TOOLS and APPARMOR_MAKE_OPTS variables, which will come handy
> in the following commits.
>
> We must ensure the version matches that of libapparmor, but there is not
> much we can do to enforce that, so as we do for various other packages,
> we just add a comment to that effect.
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr:
>   - make it a separate package
>   - split into its own patch, write a commit log
> ]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  package/Config.in                  |  1 +
>  package/apparmor/Config.in         | 19 ++++++++++++
>  package/apparmor/apparmor.hash     |  4 +++
>  package/apparmor/apparmor.mk       | 48 ++++++++++++++++++++++++++++++
>  package/libapparmor/libapparmor.mk |  1 +
>  5 files changed, 73 insertions(+)
>  create mode 100644 package/apparmor/Config.in
>  create mode 100644 package/apparmor/apparmor.hash
>  create mode 100644 package/apparmor/apparmor.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index ae1bc2294d..759c21f994 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2244,6 +2244,7 @@ menu "Real-Time"
>  endmenu
>
>  menu "Security"
> +       source "package/apparmor/Config.in"
>         source "package/checkpolicy/Config.in"
>         source "package/ima-evm-utils/Config.in"
>         source "package/optee-benchmark/Config.in"
> diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
> new file mode 100644
> index 0000000000..d35740ca73
> --- /dev/null
> +++ b/package/apparmor/Config.in
> @@ -0,0 +1,19 @@
> +config BR2_PACKAGE_APPARMOR
> +       bool "apparmor"
> +       depends on BR2_USE_MMU # fork()
> +       depends on BR2_INSTALL_LIBSTDCPP
> +       depends on BR2_TOOLCHAIN_HAS_SYNC_4 # libapparmor
> +       depends on BR2_TOOLCHAIN_HAS_THREADS # libapparmor
> +       depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_16 # libapparmor
> +       select BR2_PACKAGE_LIBAPPARMOR
> +       help
> +         AppArmor is an effective and easy-to-use Linux application
> +         security system. AppArmor proactively protects the operating
> +         system and applications from external or internal threats,
> +         even zero-day attacks, by enforcing good behavior and
> +         preventing even unknown application flaws from being
> +         exploited.
> +
> +         This package builds the parser (which can load profiles).
> +
> +         http://wiki.apparmor.net
> diff --git a/package/apparmor/apparmor.hash b/package/apparmor/apparmor.hash
> new file mode 100644
> index 0000000000..91ab51f6ab
> --- /dev/null
> +++ b/package/apparmor/apparmor.hash
> @@ -0,0 +1,4 @@
> +# locally computed
> +sha256  267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639  apparmor-2.13.3.tar.gz
> +sha256  a7e0cdcbea5c14927cedfc600d46526bdcbb1eb0a4d951e2ea53c2a6de159cb4  LICENSE
> +sha256  dd54950fa69a3096fe907a466a454d217ccca9bca77398d5232704766d5a0040  parser/COPYING.GPL
> diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
> new file mode 100644
> index 0000000000..cab37d06a6
> --- /dev/null
> +++ b/package/apparmor/apparmor.mk
> @@ -0,0 +1,48 @@
> +################################################################################
> +#
> +# apparmor
> +#
> +################################################################################
> +
> +# When updating the version here, please also update the libapparmor package
> +APPARMOR_VERSION_MAJOR = 2.13
> +APPARMOR_VERSION = $(APPARMOR_VERSION_MAJOR).3
> +APPARMOR_SITE = https://launchpad.net/apparmor/$(APPARMOR_VERSION_MAJOR)/$(APPARMOR_VERSION)/+download
> +APPARMOR_DL_SUBDIR = libapparmor
> +APPARMOR_LICENSE = GPL-2.0
> +APPARMOR_LICENSE_FILES = LICENSE parser/COPYING.GPL
> +
> +APPARMOR_DEPENDENCIES = libapparmor
> +
> +APPARMOR_TOOLS = parser
> +APPARMOR_MAKE_OPTS = USE_SYSTEM=1
> +
> +define APPARMOR_BUILD_CMDS
> +       $(foreach tool,$(APPARMOR_TOOLS),\
> +               $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> +               $(MAKE) -C $(@D)/$(tool) $(APPARMOR_MAKE_OPTS)
> +       )
> +endef
> +
> +define APPARMOR_INSTALL_TARGET_CMDS
> +       $(foreach tool,$(APPARMOR_TOOLS),\
> +               $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> +               $(MAKE) -C $(@D)/$(tool) $(APPARMOR_MAKE_OPTS) \
> +                       DESTDIR=$(TARGET_DIR) install
> +       )
> +endef
> +
> +# Despite its name, apparmor.systemd is a sysv-init compatible startup script
> +define APPARMOR_INSTALL_INIT_SYSV
> +       $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> +               $(TARGET_DIR)/etc/init.d/S00apparmor
> +endef
> +
> +define APPARMOR_INSTALL_INIT_SYSTEMD
> +       $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.systemd \
> +               $(TARGET_DIR)/lib/apparmor/apparmor.systemd
> +       $(INSTALL) -D -m 0755 $(@D)/parser/apparmor.service \
> +               $(TARGET_DIR)/usr/lib/systemd/system/apparmor.service
> +endef
> +
> +$(eval $(generic-package))
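
Review bot: in `APPARMOR_INSTALL_INIT_SYSTEMD`, `apparmor.service` is installed with `-m 0755`; a unit file is not executed and is normally installed `0644`, with `0755` kept for the `apparmor.systemd` script it calls.
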
> diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
> index 12efd4335a..8173d138d6 100644
> --- a/package/libapparmor/libapparmor.mk
> +++ b/package/libapparmor/libapparmor.mk
> @@ -4,6 +4,7 @@
>  #
>  ################################################################################
>
> +# When updating the version here, please also update the apparmor package
>  LIBAPPARMOR_VERSION_MAJOR = 2.13
>  LIBAPPARMOR_VERSION = $(LIBAPPARMOR_VERSION_MAJOR).3
>  LIBAPPARMOR_SOURCE = apparmor-$(LIBAPPARMOR_VERSION).tar.gz
> --
> 2.20.1
>


* [Buildroot] [PATCH 4/9 v5] package/apparmor: add option to install binutils
  2020-03-29 14:01 ` [Buildroot] [PATCH 4/9 v5] package/apparmor: add option to install binutils Yann E. MORIN
@ 2020-04-17 21:26   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:26 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> From: Angelo Compagnucci <angelo@amarulasolutions.com>
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr: split off to its own patch]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  package/apparmor/Config.in   | 10 ++++++++++
>  package/apparmor/apparmor.mk |  4 ++++
>  2 files changed, 14 insertions(+)
>
> diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
> index d35740ca73..d3941200c6 100644
> --- a/package/apparmor/Config.in
> +++ b/package/apparmor/Config.in
> @@ -17,3 +17,13 @@ config BR2_PACKAGE_APPARMOR
>           This package builds the parser (which can load profiles).
>
>           http://wiki.apparmor.net
> +
> +if BR2_PACKAGE_APPARMOR
> +
> +config BR2_PACKAGE_APPARMOR_BINUTILS
> +       bool "binutils"
> +       help
> +         A set of utilities (written in C):
> +           aa-enabled    aa-exec
> +
> +endif
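
Review bot: the prompt `bool "binutils"` in `BR2_PACKAGE_APPARMOR_BINUTILS` reads like the GNU binutils package when it shows up in a menuconfig search. The help text already names aa-enabled and aa-exec, so a prompt that mentions them would avoid the confusion. The commit log has no body to explain what the option installs.
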
> diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
> index cab37d06a6..9ee5304a16 100644
> --- a/package/apparmor/apparmor.mk
> +++ b/package/apparmor/apparmor.mk
> @@ -17,6 +17,10 @@ APPARMOR_DEPENDENCIES = libapparmor
>  APPARMOR_TOOLS = parser
>  APPARMOR_MAKE_OPTS = USE_SYSTEM=1
>
> +ifeq ($(BR2_PACKAGE_APPARMOR_BINUTILS),y)
> +APPARMOR_TOOLS += binutils
> +endif
> +
>  define APPARMOR_BUILD_CMDS
>         $(foreach tool,$(APPARMOR_TOOLS),\
>                 $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> --
> 2.20.1
>


* [Buildroot] [PATCH 5/9 v5] package/apparmor: add options to install utils
  2020-03-29 14:01 ` [Buildroot] [PATCH 5/9 v5] package/apparmor: add options to install utils Yann E. MORIN
@ 2020-04-17 21:27   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:27 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Most utilities are written in python3, except a few that are written in
> a mixture of POSIX shell, bash, perl and awk.
>
> The Makefile does not allow isntalling

installing

> parts of it, but requiring all of
> python3, bash, and perl to install the utils is too much of a
> requirement.
>
> Instead, we split the set in two, on one hand the puthin

python

> ones, which we
> install when python3 is enabled, and on the other hand, the rest of the
> script which we call 'extras', and which we install when all the extra
> requirements (bash, perl, and busybox or gawk) are met; if not, then we
> remove these extras utils as a post-install hook.
>
> Note about the order of the comments: they are in reverse-order of the
> associated config symbols, so that they are properly displayed.
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr:
>   - split into its own patch
>   - re-arrange the conditions
> ]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  package/apparmor/Config.in   | 36 ++++++++++++++++++++++++++++++++++++
>  package/apparmor/apparmor.mk | 14 ++++++++++++++
>  2 files changed, 50 insertions(+)
>
> diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
> index d3941200c6..714888c583 100644
> --- a/package/apparmor/Config.in
> +++ b/package/apparmor/Config.in
> @@ -26,4 +26,40 @@ config BR2_PACKAGE_APPARMOR_BINUTILS
>           A set of utilities (written in C):
>             aa-enabled    aa-exec
>
> +config BR2_PACKAGE_APPARMOR_UTILS
> +       bool "utils"
> +       depends on BR2_PACKAGE_PYTHON3
> +       select BR2_PACKAGE_PYTHON3_READLINE
> +       help
> +         A set of utilities (written in pyhon):
> +           aa-audit          aa-disable      aa-logprof
> +           aa-autodep        aa-easyprof     aa-mergeprof
> +           aa-cleanprof      aa-enforce      aa-status
> +           aa-complain       aa-genprof      aa-unconfined
> +
> +config BR2_PACKAGE_APPARMOR_UTILS_EXTRA
> +       bool "utils (extras)"
> +       depends on BR2_PACKAGE_APPARMOR_UTILS
> +       depends on BR2_PACKAGE_BUSYBOX || BR2_PACKAGE_GAWK
> +       depends on BR2_PACKAGE_BASH
> +       depends on BR2_PACKAGE_PERL
> +       help
> +         An extra set of utilities (written in a mixture of sh,
> +         bash, perl, and awk):
> +           aa-decode          (bash + perl)
> +           aa-notify          (perl)
> +           aa-remove-unknown  (sh + awk)
> +
> +comment "utils (extras) need bash and perl, and busybox or gawk"
> +       depends on BR2_PACKAGE_APPARMOR_UTILS
> +       depends on !BR2_PACKAGE_BASH || !BR2_PACKAGE_PERL \
> +               || !(BR2_PACKAGE_BUSYBOX || BR2_PACKAGE_GAWK)
> +
> +comment "utils need python3"
> +       depends on BR2_USE_MMU
> +       depends on BR2_USE_WCHAR
> +       depends on BR2_TOOLCHAIN_HAS_THREADS
> +       depends on !BR2_STATIC_LIBS
> +       depends on !BR2_PACKAGE_PYTHON3
> +
>  endif
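
Review bot: in the help text of BR2_PACKAGE_APPARMOR_UTILS, "written in pyhon" should read "written in python". In the same symbol, `select BR2_PACKAGE_PYTHON3_READLINE` carries no comment saying whether it is a runtime-only dependency of the utilities; the apparmor.mk part of this patch only adds python3 to APPARMOR_DEPENDENCIES, so a trailing `# runtime` on the select would document the intent. The "utils need python3" comment also lists four toolchain conditions (MMU, wchar, threads, !static) with no indication of where they come from; a one-line note would help keep them in sync.
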
> diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
> index 9ee5304a16..1805628de4 100644
> --- a/package/apparmor/apparmor.mk
> +++ b/package/apparmor/apparmor.mk
> @@ -21,6 +21,20 @@ ifeq ($(BR2_PACKAGE_APPARMOR_BINUTILS),y)
>  APPARMOR_TOOLS += binutils
>  endif
>
> +ifeq ($(BR2_PACKAGE_APPARMOR_UTILS),y)
> +APPARMOR_DEPENDENCIES += $(BR2_PYTHON3_HOST_DEPENDENCY) python3
> +APPARMOR_TOOLS += utils
> +APPARMOR_MAKE_OPTS += PYTHON=$(HOST_DIR)/bin/python3
> +
> +ifeq ($(BR2_PACKAGE_APPARMOR_UTILS_EXTRA),)
> +define APPARMOR_UTILS_NO_EXTRA
> +       $(Q)rm -f $(addprefix $(TARGET_DIR)/usr/sbin/,aa-decode aa-notify aa-remove-unknown)
> +endef
> +APPARMOR_POST_INSTALL_TARGET_HOOKS += APPARMOR_UTILS_NO_EXTRA
> +endif # BR2_PACKAGE_APPARMOR_UTILS_EXTRA
> +
> +endif # BR2_PACKAGE_APPARMOR_UTILS
> +
>  define APPARMOR_BUILD_CMDS
>         $(foreach tool,$(APPARMOR_TOOLS),\
>                 $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
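
Review bot: in APPARMOR_UTILS_NO_EXTRA, `rm -f` on a hard-coded list under `$(TARGET_DIR)/usr/sbin/` succeeds silently if the utils install step ever puts aa-decode, aa-notify or aa-remove-unknown elsewhere, or gains another non-python script, which would leave scripts on the target whose interpreters (bash, perl) were deliberately not selected. Either add a comment stating that the list must track what the utils install step places in /usr/sbin, or drop `-f` so that a moved file breaks the build instead of passing unnoticed.
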
> --
> 2.20.1
>


* [Buildroot] [PATCH 6/9 v5] package/apparmor: add option to install generic profiles
  2020-03-29 14:01 ` [Buildroot] [PATCH 6/9 v5] package/apparmor: add option to install generic profiles Yann E. MORIN
@ 2020-04-17 21:27   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:27 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> The apparmor packages come

come

> with a set of profiles for a class of usual,
> mostly server-class programs and daemons.
>
> Even though an embedded device will mostly require custom profiles, the
> generic ones may come handy, as they also provide "abstractions", that
> can serve as templates for custom profiles.
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr: split off into its own patch]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  package/apparmor/Config.in   | 6 ++++++
>  package/apparmor/apparmor.mk | 4 ++++
>  2 files changed, 10 insertions(+)
>
> diff --git a/package/apparmor/Config.in b/package/apparmor/Config.in
> index 714888c583..77a20f6faa 100644
> --- a/package/apparmor/Config.in
> +++ b/package/apparmor/Config.in
> @@ -62,4 +62,10 @@ comment "utils need python3"
>         depends on !BR2_STATIC_LIBS
>         depends on !BR2_PACKAGE_PYTHON3
>
> +config BR2_PACKAGE_APPARMOR_PROFILES
> +       bool "profiles"
> +       help
> +         Installs server-class profiles for a wide range of
> +         usual programs and daemons.
> +
>  endif
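
Review bot: the help of BR2_PACKAGE_APPARMOR_PROFILES only mentions server-class profiles, while the commit log gives the "abstractions" that can serve as templates for custom profiles as the reason an embedded target would want this option. The help text should say so, since that is what a user deciding on the option needs to know.
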
> diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
> index 1805628de4..26a09d2ff5 100644
> --- a/package/apparmor/apparmor.mk
> +++ b/package/apparmor/apparmor.mk
> @@ -35,6 +35,10 @@ endif # BR2_PACKAGE_APPARMOR_UTILS_EXTRA
>
>  endif # BR2_PACKAGE_APPARMOR_UTILS
>
> +ifeq ($(BR2_PACKAGE_APPARMOR_PROFILES),y)
> +APPARMOR_TOOLS += profiles
> +endif
> +
>  define APPARMOR_BUILD_CMDS
>         $(foreach tool,$(APPARMOR_TOOLS),\
>                 $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
> --
> 2.20.1
>


* [Buildroot] [PATCH 7/9 v5] package/libapparmor: enable python bindings
  2020-03-29 14:01 ` [Buildroot] [PATCH 7/9 v5] package/libapparmor: enable python bindings Yann E. MORIN
@ 2020-04-17 21:28   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:28 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr: split off into its own patch]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  ...el-fixing-for-crosscompiling-environ.patch | 96 +++++++++++++++++++
>  ...ng-setup.py-call-when-crosscompiling.patch | 30 ++++++
>  package/libapparmor/libapparmor.mk            | 17 +++-
>  3 files changed, 141 insertions(+), 2 deletions(-)
>  create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
>  create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
>
> diff --git a/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> new file mode 100644
> index 0000000000..7b902d5970
> --- /dev/null
> +++ b/package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
> @@ -0,0 +1,96 @@
> +From 235ce271f3fee53b918317ebb73a47b3c6a7ae03 Mon Sep 17 00:00:00 2001
> +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> +Date: Tue, 24 Mar 2020 22:53:37 +0100
> +Subject: [PATCH] m4: ac_python_devel: fixing for crosscompiling environments
> +
> +In a crosscompiling environment it's common to have a python executable
> +running for the host system with a python-config reporting the host
> +configuration and a second python-config reporting the target configuration.
> +In such cases, relying on the default oython-config is wrong and breaks
> +the cross compilation.
> +
> +This patch adds a PYTHON_CONFIG variable that can be pointed to the second
> +python-config and fixes the rest of the m4 accordingly.
> +
> +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> +---
> + libraries/libapparmor/m4/ac_python_devel.m4 | 25 ++++++++++++++++-----
> + 1 file changed, 19 insertions(+), 6 deletions(-)
> +
> +diff --git a/libraries/libapparmor/m4/ac_python_devel.m4 b/libraries/libapparmor/m4/ac_python_devel.m4
> +index 2ea7dc77..6454e2d8 100644
> +--- a/libraries/libapparmor/m4/ac_python_devel.m4
> ++++ b/libraries/libapparmor/m4/ac_python_devel.m4
> +@@ -13,6 +13,11 @@ AC_DEFUN([AC_PYTHON_DEVEL],[
> +            PYTHON_VERSION=""
> +         fi
> +
> ++        AC_PATH_PROG([PYTHON_CONFIG],[`basename [$PYTHON]-config`])
> ++        if test -z "$PYTHON_CONFIG"; then
> ++           AC_MSG_ERROR([Cannot find python$PYTHON_VERSION-config in your system path])
> ++        fi
> ++
> +         #
> +         # Check for a version of Python >= 2.1.0
> +         #
> +@@ -79,8 +84,8 @@ $ac_distutils_result])
> +         # Check for Python include path
> +         #
> +         AC_MSG_CHECKING([for Python include path])
> +-        if type $PYTHON-config; then
> +-                PYTHON_CPPFLAGS=`$PYTHON-config --includes`
> ++        if type $PYTHON_CONFIG; then
> ++                PYTHON_CPPFLAGS=`$PYTHON_CONFIG --includes`
> +         fi
> +         if test -z "$PYTHON_CPPFLAGS"; then
> +                 python_path=`$PYTHON -c "import sys; import distutils.sysconfig;\
> +@@ -97,8 +102,8 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_inc());"`
> +         # Check for Python library path
> +         #
> +         AC_MSG_CHECKING([for Python library path])
> +-        if type $PYTHON-config; then
> +-                PYTHON_LDFLAGS=`$PYTHON-config --ldflags`
> ++        if type $PYTHON_CONFIG; then
> ++                PYTHON_LDFLAGS=`$PYTHON_CONFIG --ldflags`
> +         fi
> +         if test -z "$PYTHON_LDFLAGS"; then
> +                 # (makes two attempts to ensure we've got a version number
> +@@ -136,10 +141,14 @@ sys.stdout.write('%s\n' % distutils.sysconfig.get_python_lib(0,0));"`
> +         # libraries which must be linked in when embedding
> +         #
> +         AC_MSG_CHECKING(python extra libraries)
> ++        if type $PYTHON_CONFIG; then
> ++                PYTHON_EXTRA_LIBS=`$PYTHON_CONFIG --libs --embed` || \
> ++                        PYTHON_EXTRA_LIBS=''
> ++        fi
> +         if test -z "$PYTHON_EXTRA_LIBS"; then
> +            PYTHON_EXTRA_LIBS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> + conf = distutils.sysconfig.get_config_var; \
> +-sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
> ++sys.stdout.write('%s %s %s\n' % (conf('BLDLIBRARY'), conf('LOCALMODLIBS'), conf('LIBS')))"`
> +         fi
> +         AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
> +         AC_SUBST(PYTHON_EXTRA_LIBS)
> +@@ -148,6 +157,10 @@ sys.stdout.write('%s %s\n' % (conf('LOCALMODLIBS'), conf('LIBS')))"`
> +         # linking flags needed when embedding
> +         #
> +         AC_MSG_CHECKING(python extra linking flags)
> ++        if type $PYTHON_CONFIG; then
> ++                PYTHON_EXTRA_LDFLAGS=`$PYTHON_CONFIG --ldflags --embed` || \
> ++                        PYTHON_EXTRA_LDFLAGS=''
> ++        fi
> +         if test -z "$PYTHON_EXTRA_LDFLAGS"; then
> +                 PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import sys; import distutils.sysconfig; \
> + conf = distutils.sysconfig.get_config_var; \
> +@@ -164,7 +177,7 @@ sys.stdout.write('%s\n' % conf('LINKFORSHARED'))"`
> +         # save current global flags
> +         ac_save_LIBS="$LIBS"
> +         ac_save_CPPFLAGS="$CPPFLAGS"
> +-        LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
> ++        LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
> +         CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
> +         AC_TRY_LINK([
> +                 #include <Python.h>
> +--
> +2.17.1
> +
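
Review bot: in the first hunk of the embedded m4 patch, the AC_MSG_ERROR text names python$PYTHON_VERSION-config, but the program actually searched for is `basename $PYTHON`-config, so the message can point at a file name that was never looked up; it should print the name passed to AC_PATH_PROG. PYTHON_CONFIG is also meant to be set by the caller (the commit log says it "can be pointed to the second python-config"), yet there is no AC_ARG_VAR([PYTHON_CONFIG], ...) to document it in the configure help. The two `--embed` calls fall back to an empty value on failure without a comment saying which python-config versions are expected to reject the flag.
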
> diff --git a/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> new file mode 100644
> index 0000000000..8d6ca86e47
> --- /dev/null
> +++ b/package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
> @@ -0,0 +1,30 @@
> +From cf61d1257b9a5f12fdf6f4dd6a2746f77b23a8a0 Mon Sep 17 00:00:00 2001
> +From: Angelo Compagnucci <angelo@amarulasolutions.com>
> +Date: Tue, 24 Mar 2020 23:02:08 +0100
> +Subject: [PATCH] libapparmor: fixing setup.py call when crosscompiling
> +
> +When crosscompiling, setupy.py should be called passing the settings
> +discovered by ac_python_devel.m4 and not using the default system
> +settings.
> +
> +Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> +---
> + libraries/libapparmor/swig/python/Makefile.am | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/libraries/libapparmor/swig/python/Makefile.am b/libraries/libapparmor/swig/python/Makefile.am
> +index 421acba9..6c60181e 100644
> +--- a/libraries/libapparmor/swig/python/Makefile.am
> ++++ b/libraries/libapparmor/swig/python/Makefile.am
> +@@ -11,7 +11,7 @@ MOSTLYCLEANFILES=libapparmor_wrap.c LibAppArmor.py
> +
> + all-local: libapparmor_wrap.c setup.py
> +       if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
> +-      $(PYTHON) setup.py build
> ++      CC="$(CC)" CFLAGS="$(PYTHON_CPPFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(PYTHON_LDFLAGS)" $(PYTHON) setup.py build
> +
> + install-exec-local:
> +       $(PYTHON) setup.py install --root="/$(DESTDIR)" --prefix="$(prefix)"
> +--
> +2.17.1
> +
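
Review bot: on the new `setup.py build` line, CFLAGS="$(PYTHON_CPPFLAGS)" and LDFLAGS="$(PYTHON_LDFLAGS)" replace the CFLAGS and LDFLAGS of the surrounding build instead of extending them, so flags passed in by the build environment (optimisation, hardening options) do not reach the compiled extension. Consider CFLAGS="$(CFLAGS) $(PYTHON_CPPFLAGS)" and LDFLAGS="$(LDFLAGS) $(PYTHON_LDFLAGS)". The `setup.py install` call in install-exec-local is left without the same environment; if that is intentional because nothing is rebuilt at install time, the commit log should say so.
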
> diff --git a/package/libapparmor/libapparmor.mk b/package/libapparmor/libapparmor.mk
> index 8173d138d6..4d6bb6d82b 100644
> --- a/package/libapparmor/libapparmor.mk
> +++ b/package/libapparmor/libapparmor.mk
> @@ -16,13 +16,26 @@ LIBAPPARMOR_DEPENDENCIES = host-bison host-flex host-pkgconf
>  LIBAPPARMOR_SUBDIR = libraries/libapparmor
>  LIBAPPARMOR_INSTALL_STAGING = YES
>
> +# Patches 0001 and 0002 touch Makefile.am and an m4 file
> +LIBAPPARMOR_AUTORECONF = YES
> +
>  # Most AppArmor tools will want to link to the static lib.
>  # ac_cv_prog_cc_c99 is required for BR2_USE_WCHAR=n because the C99 test
>  # provided by autoconf relies on wchar_t.
>  LIBAPPARMOR_CONF_OPTS = \
>         ac_cv_prog_cc_c99=-std=gnu99 \
>         --enable-static \
> -       --enable-man-pages=no \
> -       --without-python
> +       --enable-man-pages=no
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +LIBAPPARMOR_DEPENDENCIES += host-python3 host-swig python3
> +LIBAPPARMOR_CONF_OPTS += \
> +       --with-python \
> +       PYTHON=$(HOST_DIR)/usr/bin/python3 \
> +       PYTHON_CONFIG=$(STAGING_DIR)/usr/bin/python3-config \
> +       SWIG=$(SWIG)
> +else
> +LIBAPPARMOR_CONF_OPTS += --without-python
> +endif
>
>  $(eval $(autotools-package))
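
Review bot: `PYTHON=$(HOST_DIR)/usr/bin/python3` uses a different host path than patch 5/9 of this series, which passes `PYTHON=$(HOST_DIR)/bin/python3` for the utilities; both packages should use the same form. The commit log is also empty apart from the sign-offs, although the change adds two patches and an autoreconf; a sentence on why the bindings need them would help later maintenance.
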
> --
> 2.20.1
>


* [Buildroot] [PATCH 8/9 v5] package/apparmor: enable PAM integration
  2020-03-29 14:01 ` [Buildroot] [PATCH 8/9 v5] package/apparmor: enable PAM integration Yann E. MORIN
@ 2020-04-17 21:28   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:28 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr: split off to its own patch]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  package/apparmor/apparmor.mk | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
> index 26a09d2ff5..8a25cd4466 100644
> --- a/package/apparmor/apparmor.mk
> +++ b/package/apparmor/apparmor.mk
> @@ -39,6 +39,11 @@ ifeq ($(BR2_PACKAGE_APPARMOR_PROFILES),y)
>  APPARMOR_TOOLS += profiles
>  endif
>
> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> +APPARMOR_DEPENDENCIES += linux-pam
> +APPARMOR_TOOLS += changehat/pam_apparmor
> +endif
> +
>  define APPARMOR_BUILD_CMDS
>         $(foreach tool,$(APPARMOR_TOOLS),\
>                 $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
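
Review bot: `changehat/pam_apparmor` is added to APPARMOR_TOOLS as soon as BR2_PACKAGE_LINUX_PAM is set, with no Config.in symbol, whereas binutils, utils and profiles each get an explicit option earlier in the series. Since this adds a module alongside the target's authentication stack, an explicit option, or at least a commit log explaining why it is automatic, would make the choice deliberate.
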
> --
> 2.20.1
>


* [Buildroot] [PATCH 9/9 v5] package/apparmor: enable apache integration
  2020-03-29 14:01 ` [Buildroot] [PATCH 9/9 v5] package/apparmor: enable apache integration Yann E. MORIN
@ 2020-04-17 21:28   ` Angelo Compagnucci
  0 siblings, 0 replies; 21+ messages in thread
From: Angelo Compagnucci @ 2020-04-17 21:28 UTC (permalink / raw)
  To: buildroot

On Sun, Mar 29, 2020 at 4:01 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> [yann.morin.1998 at free.fr: split off to its own patch]
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> ---
>  package/apparmor/apparmor.mk | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/package/apparmor/apparmor.mk b/package/apparmor/apparmor.mk
> index 8a25cd4466..a4900397f2 100644
> --- a/package/apparmor/apparmor.mk
> +++ b/package/apparmor/apparmor.mk
> @@ -44,6 +44,12 @@ APPARMOR_DEPENDENCIES += linux-pam
>  APPARMOR_TOOLS += changehat/pam_apparmor
>  endif
>
> +ifeq ($(BR2_PACKAGE_APACHE),y)
> +APPARMOR_DEPENDENCIES += apache
> +APPARMOR_TOOLS += changehat/mod_apparmor
> +APPARMOR_MAKE_OPTS += APXS=$(STAGING_DIR)/usr/bin/apxs
> +endif
> +
>  define APPARMOR_BUILD_CMDS
>         $(foreach tool,$(APPARMOR_TOOLS),\
>                 $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
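
Review bot: the `APXS=$(STAGING_DIR)/usr/bin/apxs` override has no comment explaining why the staging copy of apxs is the right one for a cross build, and the commit log is empty apart from the sign-offs; one line on this would help. As with pam_apparmor in patch 8/9, mod_apparmor is built implicitly whenever BR2_PACKAGE_APACHE is set, without a Config.in option.
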
> --
> 2.20.1
>


* [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor)
  2020-03-29 14:01 [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
                   ` (9 preceding siblings ...)
  2020-04-04 11:40 ` [Buildroot] [PATCH 0/9 v5] package/apparmor: new package (branch yem/apparmor) Yann E. MORIN
@ 2020-04-20  9:34 ` Yann E. MORIN
  10 siblings, 0 replies; 21+ messages in thread
From: Yann E. MORIN @ 2020-04-20  9:34 UTC (permalink / raw)
  To: buildroot

Angelo, All,

On 2020-03-29 16:01 +0200, Yann E. MORIN spake thusly:
> This series is a rework of the previous work from Angelo:
>     http://lists.busybox.net/pipermail/buildroot/2020-March/278308.html
>     http://lists.busybox.net/pipermail/buildroot/2020-March/278307.html

Series applied to master, after doing a few fixes noticed by Thomas P.
on IRC. Thanks!

Regards,
Yann E. MORIN.

> been spread across two packages.
> 
> The way the apparmor package is laid out is not very amenable at doing a
> single package that builds everything: all the tools and utils depend on
> libapparmor, and that is better installed before the build of the tools
> is attempted.
> 
> So, we split the packaging in two:
> 
>   - libapparmor, which is solely responsible for installing
>     libapparmor and its python3 bindings,
> 
>   - apparmor per-se, which is responsible for installing all the tools
>     and utilities.
> 
> To be noted: most of the tools' Makefiles hard-code linking to the
> static libapparmor (without explanations), so rather than go against the
> tide, we just enforce building the static library (note also that we do
> not forbid building the shared one).
> 
> The only major part that was dropped from the initial series, is support
> for writing the cache on read-write filesystems. The condition was based
> on BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW, but that does not prevent
> building an actually read-only filesystem at all (e.g. squashfs). So,
> more thoughts will have to be poured into this caching feature in a
> subsequent series.
> 
> Changes v4 -> v5:  (adopted by Yann)
>   - split in two packages, one for the lib, one for the utils
>   - reword all the commit logs
>   - fix dependencies (threads, mmu...)
>   - re-organise the conditions to install utils (python3 vs others)
>   - drop the cache writing for read-write filesystems
> 
> 
> Regards,
> Yann E. MORIN.
> 
> 
> The following changes since commit d0f5a5551ab86f6272f13deaa16dcdf4b07a524f
> 
>   package/sysstat: bump to version 12.2.1 (2020-03-29 15:50:36 +0200)
> 
> 
> are available in the git repository at:
> 
>   git://git.buildroot.org/~ymorin/git/buildroot.git
> 
> for you to fetch changes up to 8b4415dad37fa81cf2d4adb09b27119b233bcd8a
> 
>   package/apparmor: enable apache integration (2020-03-29 16:01:18 +0200)
> 
> 
> ----------------------------------------------------------------
> Angelo Compagnucci (4):
>       package/libapparmor: new package
>       linux: enable AppArmor-related options if needed
>       package/apparmor: new package
>       package/apparmor: add option to install binutils
> 
> Yann E. MORIN (5):
>       package/apparmor: add options to install utils
>       package/apparmor: add option to install generic profiles
>       package/libapparmor: enable python bindings
>       package/apparmor: enable PAM integration
>       package/apparmor: enable apache integration
> 
>  DEVELOPERS                                         |  1 +
>  linux/linux.mk                                     |  5 ++
>  package/Config.in                                  |  2 +
>  package/apparmor/Config.in                         | 71 ++++++++++++++++
>  package/apparmor/apparmor.hash                     |  4 +
>  package/apparmor/apparmor.mk                       | 81 ++++++++++++++++++
>  ...n_devel-fixing-for-crosscompiling-environ.patch | 96 ++++++++++++++++++++++
>  ...-fixing-setup.py-call-when-crosscompiling.patch | 30 +++++++
>  package/libapparmor/Config.in                      | 16 ++++
>  package/libapparmor/libapparmor.hash               |  4 +
>  package/libapparmor/libapparmor.mk                 | 41 +++++++++
>  11 files changed, 351 insertions(+)
>  create mode 100644 package/apparmor/Config.in
>  create mode 100644 package/apparmor/apparmor.hash
>  create mode 100644 package/apparmor/apparmor.mk
>  create mode 100644 package/libapparmor/0001-m4-ac_python_devel-fixing-for-crosscompiling-environ.patch
>  create mode 100644 package/libapparmor/0002-libapparmor-fixing-setup.py-call-when-crosscompiling.patch
>  create mode 100644 package/libapparmor/Config.in
>  create mode 100644 package/libapparmor/libapparmor.hash
>  create mode 100644 package/libapparmor/libapparmor.mk
> 
> -- 
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
