1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
#!/usr/bin/make -f
include /usr/share/dpkg/architecture.mk
include /usr/share/dpkg/pkg-info.mk
export DEB_BUILD_MAINT_OPTIONS = hardening=+bindnow optimize=+lto
export PERL_VENDORARCH := $(shell perl -MConfig -e 'print substr($$Config{vendorarch},1)' )
export PYTHON=/usr/bin/python3
export PYTHON_VERSION=3
export PYTHON_VERSIONS=python3
ifneq ($(DEB_BUILD_ARCH),$(DEB_HOST_ARCH))
export _PYTHON_SYSCONFIGDATA_NAME=_sysconfigdata__$(DEB_HOST_ARCH_OS)_$(DEB_HOST_MULTIARCH)
endif
%:
dh $@ --with=python3,apache2
override_dh_auto_configure:
cd libraries/libapparmor && sh ./autogen.sh
dh_auto_configure -D libraries/libapparmor --
override_dh_auto_build:
# Replace #VERSION# placeholder in dh_apparmor
sed -i --regexp-extended \
-e "s,^#VERSION#,our \$$VERSION = \"$(DEB_VERSION)\";," \
debian/debhelper/dh_apparmor
# Build library
dh_auto_build -D libraries/libapparmor
# Build pythons
set -e; for py in $(shell py3versions -s) ; do \
cp -a $(CURDIR)/libraries/libapparmor $(CURDIR)/libraries/libapparmor.$$py ; \
PYTHON=/usr/bin/$$py dh_auto_configure \
-D libraries/libapparmor.$$py -- --with-python ; \
PYTHON=/usr/bin/$$py dh_auto_build \
-D libraries/libapparmor.$$py; \
done
# Don't run '$(MAKE) check' because of too many perl dependencies
# and various apparmor files installed on the system
# Build pythons
cd utils && $(MAKE)
for py in $(shell py3versions -s) ; do \
cp -a $(CURDIR)/utils $(CURDIR)/utils.$$py && \
(cd utils.$$py && PYTHON=/usr/bin/$$py $(MAKE)) ; \
done
ifneq (,$(filter $(DEB_HOST_ARCH_OS), kfreebsd knetbsd hurd ))
cd binutils && $(MAKE) indep
cd parser && $(MAKE) indep
else
dh_auto_build --sourcedirectory=binutils -- V=1
dh_auto_build --sourcedirectory=parser -- V=1
endif
cd profiles && $(MAKE)
dh_auto_build --sourcedirectory=changehat/pam_apparmor
override_dh_auto_test:
ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
dh_auto_test -Dlibraries/libapparmor -- V=1
# Doesn't make sense to run utils tests without Python version
#dh_auto_test -Dutils -- V=1
# Utils test needs to set PYTHON_VERSIONS and PYTHON
# Hacky workaround since utils make check uses a version of pyalldo
# and we need to specify a different libapparmor CPython module for each
# Also set APPARMOR_NOTIFY to use our Python version
set -e; for py in $(shell py3versions -s) ; do \
PYTHON=/usr/bin/$$py dh_auto_test \
-D libraries/libapparmor.$$py -- PYTHON=/usr/bin/$$py; \
LIBAPPARMOR_BASEDIR=../../libraries/libapparmor.$$py\
PYTHON_VERSIONS=$$py PYTHON=/usr/bin/$$py\
dh_auto_test \
-D utils.$$py/ -- LIBAPPARMOR_BASEDIR=../../libraries/libapparmor.$$py\
PYTHON_VERSIONS=$$py PYTHON=/usr/bin/$$py;\
done
ifeq (,$(filter $(DEB_HOST_ARCH_OS), kfreebsd knetbsd hurd ))
dh_auto_test -Dbinutils -- V=1
dh_auto_test -Dparser -- V=1
endif
endif
override_dh_auto_clean:
# Clean up from an autogen'd build.
cd $(CURDIR)/libraries/libapparmor && \
[ ! -f Makefile ] || $(MAKE) distclean
# Clean up rest of build.
set -e; for i in binutils utils parser profiles changehat/mod_apparmor \
changehat/pam_apparmor ; do \
[ ! -f $$i/Makefile ] || $(MAKE) -C $$i clean; \
rm -f $$i/common; \
done
# Remove the python build dirs
rm -rf $(CURDIR)/libraries/libapparmor.python*
rm -rf $(CURDIR)/utils.python*
# Try to clean up from an autogen'd build
cd libraries/libapparmor && [ ! -f Makefile ] || $(MAKE) distclean
# Remove generated debhelper documentation.
rm -f $(CURDIR)/debian/debhelper/dh_apparmor.1
# Remove autoconf build cruft.
rm -f $(CURDIR)/libraries/libapparmor/test-driver
override_dh_auto_install:
# Utils
cd utils && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install
set -e; for py in $(shell py3versions -s) ; do \
(cd utils.$$py && PYTHON=/usr/bin/$$py $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install) ; \
done
# Parser
ifneq (,$(filter $(DEB_HOST_ARCH_OS), kfreebsd knetbsd hurd ))
cd binutils && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install-indep
install -D -m 755 $(CURDIR)/debian/non-linux/fake_apparmor_util \
$(CURDIR)/debian/tmp/usr/sbin/apparmor_parser
install -D -m 755 $(CURDIR)/debian/non-linux/fake_apparmor_util \
$(CURDIR)/debian/tmp/usr/bin/aa-enabled
install -D -m 755 $(CURDIR)/debian/non-linux/fake_apparmor_util \
$(CURDIR)/debian/tmp/usr/bin/aa-exec
cd parser && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install-indep
else
cd binutils && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install
cd parser && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
SBINDIR=$(CURDIR)/debian/tmp/usr/sbin \
APPARMOR_BIN_PREFIX=$(CURDIR)/debian/tmp/usr/lib/apparmor \
install
endif
# Changehat via libapparmor
cd libraries/libapparmor && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install
# Install python swig modules
set -e; for py in $(shell py3versions -s); do \
PYTHON=/usr/bin/$$py \
$(MAKE) -C libraries/libapparmor.$$py \
DESTDIR=$(CURDIR)/debian/tmp install; \
done
# Changehat via mod_apparmor
cd changehat/mod_apparmor && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install
# Fix rpath in mod_apparmor.so
chrpath -d $(CURDIR)/debian/tmp/usr/lib/apache2/modules/mod_apparmor.so
# Changehat via libpam-apparmor
cd changehat/pam_apparmor && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
SECDIR=$(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/security \
install
# Fix rpath in pam_apparmor.so
chrpath -d $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/security/pam_apparmor.so
# Profiles
# We'd like to keep site.local from being a conffile
rm ./profiles/apparmor.d/tunables/xdg-user-dirs.d/site.local
cd profiles && $(MAKE) \
DESTDIR=$(CURDIR)/debian/tmp \
install
# set all profiles in apparmor-profiles to complain mode
cd $(CURDIR)/debian/tmp && sh $(CURDIR)/debian/put-all-profiles-in-complain-mode.sh
# Build debhelper documentation.
pod2man -c Debhelper -r "$(DEB_VERSION)" $(CURDIR)/debian/debhelper/dh_apparmor $(CURDIR)/debian/debhelper/dh_apparmor.1
override_dh_installinit:
dh_installinit --no-start --no-stop-on-upgrade --error-handler=true
override_dh_installsystemd:
dh_installsystemd --no-start --no-stop-on-upgrade
override_dh_compress:
dh_compress -Xextras
override_dh_apache2:
dh_apache2 --noenable
override_dh_install-indep:
set -e; for profile in $(shell grep ^etc/apparmor.d/ $(CURDIR)/debian/apparmor-profiles.install | \
cut -d/ -f3- | grep -v /); do \
DH_AUTOSCRIPTDIR=debian/debhelper/ perl debian/debhelper/dh_apparmor --profile-name=$$profile -papparmor-profiles; \
done
sed -i -e 's,usr/lib/perl5,$(PERL_VENDORARCH),g' \
$(CURDIR)/debian/tmp/etc/apparmor/logprof.conf \
$(CURDIR)/debian/tmp/etc/apparmor/severity.db
dh_install
override_dh_install-arch:
set -e; for profile in lsb_release nvidia_modprobe; do \
DH_AUTOSCRIPTDIR=debian/debhelper/ perl debian/debhelper/dh_apparmor --profile-name=$$profile -papparmor; \
done
# See #1039668
rm $(CURDIR)/debian/tmp/etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser
dh_install
# Fix permissions so that aa-teardown can execute this file
chmod 0755 $(CURDIR)/debian/apparmor/usr/lib/apparmor/apparmor.systemd
|
