Package: apparmor / 2.13.4-3

upstream-mr-465-fix-build-with-make-4.3.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
From: intrigeri <intrigeri@boum.org>
Date: Mon, 25 May 2020 08:15:50 +0000
Subject: Fix build with make 4.3

---
 common/Make.rules                | 34 ----------------------------------
 common/list_af_names.sh          | 19 +++++++++++++++++++
 common/list_capabilities.sh      | 14 ++++++++++++++
 parser/Makefile                  | 15 ++++++---------
 utils/Makefile                   |  2 +-
 utils/test/test-network.py       |  2 +-
 utils/vim/create-apparmor.vim.py |  6 +++---
 7 files changed, 44 insertions(+), 48 deletions(-)
 create mode 100755 common/list_af_names.sh
 create mode 100755 common/list_capabilities.sh

diff --git a/common/Make.rules b/common/Make.rules
index d2149fc..ecc6181 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -74,40 +74,6 @@ endif
 pod_clean:
 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
 
-# =====================
-# generate list of capabilities based on
-# /usr/include/linux/capabilities.h for use in multiple locations in
-# the source tree
-# =====================
-
-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
-
-.PHONY: list_capabilities
-list_capabilities: /usr/include/linux/capability.h
-	@echo "$(CAPABILITIES)"
-
-# =====================
-# generate list of network protocols based on
-# sys/socket.h for use in multiple locations in
-# the source tree
-# =====================
-
-# These are the families that it doesn't make sense for apparmor
-# to mediate. We use PF_ here since that is what is required in
-# bits/socket.h, but we will rewrite these as AF_.
-
-FILTER_FAMILIES=PF_UNIX
-
-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
-
-# emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
-
-.PHONY: list_af_names
-list_af_names:
-	@echo "$(AF_NAMES)"
-
 # =====================
 # manpages
 # =====================
diff --git a/common/list_af_names.sh b/common/list_af_names.sh
new file mode 100755
index 0000000..d798753
--- /dev/null
+++ b/common/list_af_names.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of network protocols based on
+# sys/socket.h for use in multiple locations in
+# the source tree
+# =====================
+
+# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
+# for "PF_" constants since that is what is required in bits/socket.h, but
+# rewrite as "AF_".
+
+echo "#include <sys/socket.h>" | \
+  cpp -dM | \
+  LC_ALL=C sed -n \
+    -e '/PF_UNIX/d' \
+    -e 's/PF_LOCAL/PF_UNIX/' \
+    -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
+  sort -n -k2
diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
new file mode 100755
index 0000000..4e37cda
--- /dev/null
+++ b/common/list_capabilities.sh
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+# =====================
+# generate list of capabilities based on
+# /usr/include/linux/capabilities.h for use in multiple locations in
+# the source tree
+# =====================
+
+echo "#include <linux/capability.h>" | \
+  cpp -dM | \
+  LC_ALL=C sed -n \
+    -e '/CAP_EMPTY_SET/d' \
+    -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
+  LC_ALL=C sort
diff --git a/parser/Makefile b/parser/Makefile
index 558d961..ea71faf 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -278,14 +278,13 @@ parser_version.h: Makefile
 # as well as the filtering that occurs for network protocols that
 # apparmor should not mediate.
 
-.PHONY: af_names.h
-af_names.h:
-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
+af_names.h: ../common/list_af_names.sh
+	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
+	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
 	# cat $@
 
 cap_names.h: /usr/include/linux/capability.h
-	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
 
 tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
 	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
@@ -301,10 +300,7 @@ tests: apparmor_parser ${TESTS}
 	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
 	$(Q)$(MAKE) -s -C tst tests
 
-# always need to rebuild.
-.SILENT: $(AAREOBJECT)
-.PHONY: $(AAREOBJECT)
-$(AAREOBJECT):
+$(AAREOBJECT): FORCE
 	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
 
 .PHONY: install-rhel4
@@ -404,3 +400,4 @@ clean: pod_clean
 	$(MAKE) -s -C po clean
 	$(MAKE) -s -C tst clean
 
+FORCE:
diff --git a/utils/Makefile b/utils/Makefile
index 68f8c37..ea9e060 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -80,7 +80,7 @@ clean: pod_clean
 .SILENT: check_severity_db
 check_severity_db: /usr/include/linux/capability.h severity.db
 	# The sed statement is based on the one in the parser's makefile
-	RC=0 ; for cap in ${CAPABILITIES} ; do \
+	RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
 	    if !  grep -q -w $${cap} severity.db ; then \
 		echo "Warning! capability $${cap} not found in severity.db" ; \
 		RC=1 ; \
diff --git a/utils/test/test-network.py b/utils/test/test-network.py
index 8605786..73a6b9d 100644
--- a/utils/test/test-network.py
+++ b/utils/test/test-network.py
@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
 
 class NetworkKeywordsTest(AATest):
     def test_network_keyword_list(self):
-        rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+        rc, output = cmd('../../common/list_af_names.sh')
         self.assertEqual(rc, 0)
 
         af_names = []
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 10bd5b8..b5df957 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -45,19 +45,19 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
     return [sp.returncode, out + outerr]
 
 # get capabilities list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
+(rc, output) = cmd(['../../common/list_capabilities.sh'])
 if rc != 0:
     sys.stderr.write("make list_capabilities failed: " + output)
     exit(rc)
 
-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
+capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
 benign_caps = []
 for cap in capabilities:
     if cap not in danger_caps:
         benign_caps.append(cap)
 
 # get network protos list
-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
+(rc, output) = cmd(['../../common/list_af_names.sh'])
 if rc != 0:
     sys.stderr.write("make list_af_names failed: " + output)
     exit(rc)