[arch-commits] Commit in apparmor/repos/extra-x86_64 (6 files)

David Runge dvzrv at archlinux.org
Thu May 28 11:22:17 UTC 2020


    Date: Thursday, May 28, 2020 @ 11:22:17
  Author: dvzrv
Revision: 387760

archrelease: copy trunk to extra-x86_64

Added:
  apparmor/repos/extra-x86_64/PKGBUILD
    (from rev 387759, apparmor/trunk/PKGBUILD)
  apparmor/repos/extra-x86_64/apparmor-2.13.4-fix_systemd_userdb.patch
    (from rev 387759, apparmor/trunk/apparmor-2.13.4-fix_systemd_userdb.patch)
  apparmor/repos/extra-x86_64/apparmor-2.13.4-make4.3.patch
    (from rev 387759, apparmor/trunk/apparmor-2.13.4-make4.3.patch)
  apparmor/repos/extra-x86_64/apparmor-2.13.4-run_variable.patch
    (from rev 387759, apparmor/trunk/apparmor-2.13.4-run_variable.patch)
  apparmor/repos/extra-x86_64/apparmor-2.13.4-vim_file.patch
    (from rev 387759, apparmor/trunk/apparmor-2.13.4-vim_file.patch)
Deleted:
  apparmor/repos/extra-x86_64/PKGBUILD

------------------------------------------+
 PKGBUILD                                 |  286 +++++++++++++-------------
 apparmor-2.13.4-fix_systemd_userdb.patch |   32 +++
 apparmor-2.13.4-make4.3.patch            |  308 +++++++++++++++++++++++++++++
 apparmor-2.13.4-run_variable.patch       |   45 ++++
 apparmor-2.13.4-vim_file.patch           |   83 +++++++
 5 files changed, 611 insertions(+), 143 deletions(-)

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2020-05-28 11:22:06 UTC (rev 387759)
+++ PKGBUILD	2020-05-28 11:22:17 UTC (rev 387760)
@@ -1,143 +0,0 @@
-# Maintainer: David Runge <dvzrv at archlinux.org>
-
-pkgname=apparmor
-pkgver=2.13.4
-pkgrel=4
-pkgdesc="Mandatory Access Control (MAC) using Linux Security Module (LSM)"
-arch=('x86_64')
-url="https://gitlab.com/apparmor/apparmor"
-license=('GPL2' 'LGPL2.1')
-depends=('audit' 'pam' 'python')
-makedepends=('apache' 'ruby' 'swig')
-checkdepends=('dejagnu' 'perl-locale-gettext' 'python-pyflakes')
-optdepends=('perl: perl bindings'
-            'ruby: ruby bindings')
-provides=('libapparmor.so')
-backup=('etc/apparmor/easyprof.conf'
-        'etc/apparmor/logprof.conf'
-        'etc/apparmor/notify.conf'
-        'etc/apparmor/parser.conf'
-        'etc/apparmor/subdomain.conf'
-        'etc/apparmor/severity.db')
-source=("https://launchpad.net/${pkgname}/${pkgver%.[0-9]}/${pkgver}/+download/${pkgname}-${pkgver}.tar.gz"{,.asc}
-        "${pkgname}-2.13.4-make4.3.patch::https://gitlab.com/apparmor/apparmor/-/merge_requests/465.patch"
-        "${pkgname}-2.13.4-vim_file.patch::https://gitlab.com/apparmor/apparmor/-/merge_requests/472.patch"
-        "${pkgname}-2.13.4-run_variable.patch::https://gitlab.com/apparmor/apparmor/-/commit/454fca7483eae7b7ee613343c2c02abaa20e37e3.patch"
-        "${pkgname}-2.13.4-fix_systemd_userdb.patch::https://gitlab.com/apparmor/apparmor/-/commit/d4296d217c888e08e10bec300fe35351c2ef2f81.patch")
-sha512sums=('d42748bf36ae66849f79653a62d499e9d17a97c4d680fb653eb1c379d0593aaa09f7ddfc6f2fa0d2fb468bce05fb25444976f60a5ec24778fdd7ec20d1c13651'
-            'SKIP'
-            '8d0eb65624a7dcc7f019974a7ad10ec0b3e2d61e51a3f9771564b4e0ddaaece17e90f78388933e8f9451ad413a51dd16d479b99733ceef73b86eb8308122a335'
-            '987d2d0dd1148c28796cbb933ea79a14ef2bdf903253a10f369614f0cbbd0309c9848e28dd2f2aa216d8deaf8412e6dd043e867da34466fe39169fc0e44f07ad'
-            '0abe606ad510cc97947152b28750354bd43046b38abcd6b28bbc04916fad39308f78b3626ca8b4a3ec59612fea908bdef2e309376f617595b5fc1aaec2bc6343'
-            '0fde84730115b2854b85d1b72fbbd5c54730e887af333bfff917da529a08a429d3494efdae9d1baa1d05891d925b04d69f079d11d4afb0907cbfefbd0f280583')
-# AppArmor Development Team (AppArmor signing key) <apparmor at lists.ubuntu.com>
-validpgpkeys=('3ECDCBA5FB34D254961CC53F6689E64E3D3664BB')
-_core_perl="/usr/bin/core_perl"
-
-prepare() {
-  cd "${pkgname}-${pkgver}"
-  # fix problems in Makefile (header inclusion):
-  # https://gitlab.com/apparmor/apparmor/-/issues/74
-  patch -Np1 -i "../${pkgname}-2.13.4-make4.3.patch"
-  # fix generating of apparmor.vim:
-  # https://bugs.archlinux.org/task/65450
-  patch -Np1 -i "../${pkgname}-2.13.4-vim_file.patch"
-  # fix problems with /run/systemd/userdb access
-  # https://bugs.archlinux.org/task/65777
-  # https://gitlab.com/apparmor/apparmor/-/issues/82
-  patch -Np1 -i "../${pkgname}-2.13.4-run_variable.patch"
-  patch -Np1 -i "../${pkgname}-2.13.4-fix_systemd_userdb.patch"
-  # fix PYTHONPATH and add LD_LIBRARY_PATH for aa-logprof based check:
-  # https://gitlab.com/apparmor/apparmor/issues/39
-  local _py3_ver=$(python --version | cut -d " " -f2)
-  local path="${PWD}/libraries/libapparmor/swig/python/build/lib.linux-${CARCH}-${_py3_ver%"."*}/LibAppArmor"
-  local libs="${PWD}/libraries/libapparmor/src/.libs"
-  sed -e "/PYTHONPATH/ s|utils\ |utils:$path\ LD_LIBRARY_PATH=$libs\ |" \
-      -i profiles/Makefile
-  (
-    cd libraries/libapparmor/
-    autoreconf -vfi
-  )
-}
-
-build() {
-  cd "${pkgname}-${pkgver}"
-  # export required perl executable locations
-  export MAKEFLAGS+=" POD2MAN=${_core_perl}/pod2man"
-  export MAKEFLAGS+=" POD2HTML=${_core_perl}/pod2html"
-  export MAKEFLAGS+=" PODCHECKER=${_core_perl}/podchecker"
-  export MAKEFLAGS+=" PROVE=${_core_perl}/prove"
-  (
-    cd "libraries/libapparmor/"
-    ./configure --prefix=/usr \
-                --sbindir=/usr/bin \
-                --with-perl \
-                --with-python \
-                --with-ruby
-    make
-  )
-  make -C binutils
-  make -C parser
-  make -C profiles
-  make -C utils
-  make -C changehat/pam_apparmor
-  make -C changehat/mod_apparmor
-  make -C utils/vim
-}
-
-check() {
-  cd "$pkgname-$pkgver"
-  echo "INFO: Running check: libraries/libapparmor"
-  make -C libraries/libapparmor check
-  echo "INFO: Running check binutils"
-  make -C binutils check
-  echo "INFO: Running check parser"
-  make -C parser check
-
-  # check-logprof (included in check) fails:
-  # https://gitlab.com/apparmor/apparmor/issues/36
-  # echo "INFO: Running check-logprof profiles"
-  # make -C profiles check-logprof
-
-  echo "INFO: Running check-parser profiles"
-  make -C profiles check-parser
-  echo "INFO: Running check utils"
-  make -C utils check
-}
-
-package() {
-  cd "$pkgname-$pkgver"
-  make -C libraries/libapparmor DESTDIR="${pkgdir}" install
-  make -C changehat/pam_apparmor DESTDIR="${pkgdir}/usr" install
-  make -C changehat/mod_apparmor DESTDIR="${pkgdir}" install
-  make -C binutils DESTDIR="${pkgdir}" install
-  make -C parser -j1 DESTDIR="${pkgdir}" \
-                     SBINDIR="${pkgdir}/usr/bin" \
-                     USR_SBINDIR="${pkgdir}/usr/bin" \
-                     APPARMOR_BIN_PREFIX="${pkgdir}/usr/lib/apparmor" \
-                     install install-systemd
-  make -C profiles DESTDIR="${pkgdir}" install
-  make -C utils DESTDIR="${pkgdir}" \
-                BINDIR="${pkgdir}/usr/bin" \
-                VIM_INSTALL_PATH="${pkgdir}/usr/share/vim/vimfiles/syntax" \
-                install
-
-  # set file mode to allow the perl library to be stripped:
-  # https://gitlab.com/apparmor/apparmor/issues/34
-  find "${pkgdir}/usr/lib/perl5/" \
-    -type f -iname "*.so" \
-    -exec chmod 755 {} \;
-
-  # removing empty core_perl directory:
-  # https://gitlab.com/apparmor/apparmor/issues/40
-  rm -rv "${pkgdir}"/usr/lib/perl5/*/core_perl
-  # move ruby bindings to vendor_ruby:
-  # https://gitlab.com/apparmor/apparmor/issues/35
-  mv -v "${pkgdir}/usr/lib/ruby/site_ruby/" \
-    "${pkgdir}/usr/lib/ruby/vendor_ruby/"
-  # adding files below /etc/apparmor.d to backup array
-  cd "${pkgdir}"
-  # tricking extract_function_variable() in makepkg into not detecting the
-  # backup array modification and adding remaining configuration files
-  [[ /usr/bin/true ]] && backup=( ${backup[@]} $(find "etc/${pkgname}.d/" -type f) )
-}

Copied: apparmor/repos/extra-x86_64/PKGBUILD (from rev 387759, apparmor/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2020-05-28 11:22:17 UTC (rev 387760)
@@ -0,0 +1,143 @@
+# Maintainer: David Runge <dvzrv at archlinux.org>
+
+pkgname=apparmor
+pkgver=2.13.4
+pkgrel=5
+pkgdesc="Mandatory Access Control (MAC) using Linux Security Module (LSM)"
+arch=('x86_64')
+url="https://gitlab.com/apparmor/apparmor"
+license=('GPL2' 'LGPL2.1')
+depends=('audit' 'pam' 'python')
+makedepends=('apache' 'ruby' 'swig')
+checkdepends=('dejagnu' 'perl-locale-gettext' 'python-pyflakes')
+optdepends=('perl: perl bindings'
+            'ruby: ruby bindings')
+provides=('libapparmor.so')
+backup=('etc/apparmor/easyprof.conf'
+        'etc/apparmor/logprof.conf'
+        'etc/apparmor/notify.conf'
+        'etc/apparmor/parser.conf'
+        'etc/apparmor/subdomain.conf'
+        'etc/apparmor/severity.db')
+source=("https://launchpad.net/${pkgname}/${pkgver%.[0-9]}/${pkgver}/+download/${pkgname}-${pkgver}.tar.gz"{,.asc}
+        "${pkgname}-2.13.4-make4.3.patch"
+        "${pkgname}-2.13.4-vim_file.patch"
+        "${pkgname}-2.13.4-run_variable.patch"
+        "${pkgname}-2.13.4-fix_systemd_userdb.patch")
+sha512sums=('d42748bf36ae66849f79653a62d499e9d17a97c4d680fb653eb1c379d0593aaa09f7ddfc6f2fa0d2fb468bce05fb25444976f60a5ec24778fdd7ec20d1c13651'
+            'SKIP'
+            '8d0eb65624a7dcc7f019974a7ad10ec0b3e2d61e51a3f9771564b4e0ddaaece17e90f78388933e8f9451ad413a51dd16d479b99733ceef73b86eb8308122a335'
+            '987d2d0dd1148c28796cbb933ea79a14ef2bdf903253a10f369614f0cbbd0309c9848e28dd2f2aa216d8deaf8412e6dd043e867da34466fe39169fc0e44f07ad'
+            '0abe606ad510cc97947152b28750354bd43046b38abcd6b28bbc04916fad39308f78b3626ca8b4a3ec59612fea908bdef2e309376f617595b5fc1aaec2bc6343'
+            'acc76fa492429cd014f5ebc8ae2f8399912513183d634283db124156bca407ba7166fca9ecd74a8b2a334d37da06ea80805e5afc687511baf687bf5298becd4a')
+# AppArmor Development Team (AppArmor signing key) <apparmor at lists.ubuntu.com>
+validpgpkeys=('3ECDCBA5FB34D254961CC53F6689E64E3D3664BB')
+_core_perl="/usr/bin/core_perl"
+
+prepare() {
+  cd "${pkgname}-${pkgver}"
+  # fix problems in Makefile (header inclusion):
+  # https://gitlab.com/apparmor/apparmor/-/issues/74
+  patch -Np1 -i "../${pkgname}-2.13.4-make4.3.patch"
+  # fix generating of apparmor.vim:
+  # https://bugs.archlinux.org/task/65450
+  patch -Np1 -i "../${pkgname}-2.13.4-vim_file.patch"
+  # fix problems with /run/systemd/userdb access
+  # https://bugs.archlinux.org/task/65777
+  # https://gitlab.com/apparmor/apparmor/-/issues/82
+  patch -Np1 -i "../${pkgname}-2.13.4-run_variable.patch"
+  patch -Np1 -i "../${pkgname}-2.13.4-fix_systemd_userdb.patch"
+  # fix PYTHONPATH and add LD_LIBRARY_PATH for aa-logprof based check:
+  # https://gitlab.com/apparmor/apparmor/issues/39
+  local _py3_ver=$(python --version | cut -d " " -f2)
+  local path="${PWD}/libraries/libapparmor/swig/python/build/lib.linux-${CARCH}-${_py3_ver%"."*}/LibAppArmor"
+  local libs="${PWD}/libraries/libapparmor/src/.libs"
+  sed -e "/PYTHONPATH/ s|utils\ |utils:$path\ LD_LIBRARY_PATH=$libs\ |" \
+      -i profiles/Makefile
+  (
+    cd libraries/libapparmor/
+    autoreconf -vfi
+  )
+}
+
+build() {
+  cd "${pkgname}-${pkgver}"
+  # export required perl executable locations
+  export MAKEFLAGS+=" POD2MAN=${_core_perl}/pod2man"
+  export MAKEFLAGS+=" POD2HTML=${_core_perl}/pod2html"
+  export MAKEFLAGS+=" PODCHECKER=${_core_perl}/podchecker"
+  export MAKEFLAGS+=" PROVE=${_core_perl}/prove"
+  (
+    cd "libraries/libapparmor/"
+    ./configure --prefix=/usr \
+                --sbindir=/usr/bin \
+                --with-perl \
+                --with-python \
+                --with-ruby
+    make
+  )
+  make -C binutils
+  make -C parser
+  make -C profiles
+  make -C utils
+  make -C changehat/pam_apparmor
+  make -C changehat/mod_apparmor
+  make -C utils/vim
+}
+
+check() {
+  cd "$pkgname-$pkgver"
+  echo "INFO: Running check: libraries/libapparmor"
+  make -C libraries/libapparmor check
+  echo "INFO: Running check binutils"
+  make -C binutils check
+  echo "INFO: Running check parser"
+  make -C parser check
+
+  # check-logprof (included in check) fails:
+  # https://gitlab.com/apparmor/apparmor/issues/36
+  # echo "INFO: Running check-logprof profiles"
+  # make -C profiles check-logprof
+
+  echo "INFO: Running check-parser profiles"
+  make -C profiles check-parser
+  echo "INFO: Running check utils"
+  make -C utils check
+}
+
+package() {
+  cd "$pkgname-$pkgver"
+  make -C libraries/libapparmor DESTDIR="${pkgdir}" install
+  make -C changehat/pam_apparmor DESTDIR="${pkgdir}/usr" install
+  make -C changehat/mod_apparmor DESTDIR="${pkgdir}" install
+  make -C binutils DESTDIR="${pkgdir}" install
+  make -C parser -j1 DESTDIR="${pkgdir}" \
+                     SBINDIR="${pkgdir}/usr/bin" \
+                     USR_SBINDIR="${pkgdir}/usr/bin" \
+                     APPARMOR_BIN_PREFIX="${pkgdir}/usr/lib/apparmor" \
+                     install install-systemd
+  make -C profiles DESTDIR="${pkgdir}" install
+  make -C utils DESTDIR="${pkgdir}" \
+                BINDIR="${pkgdir}/usr/bin" \
+                VIM_INSTALL_PATH="${pkgdir}/usr/share/vim/vimfiles/syntax" \
+                install
+
+  # set file mode to allow the perl library to be stripped:
+  # https://gitlab.com/apparmor/apparmor/issues/34
+  find "${pkgdir}/usr/lib/perl5/" \
+    -type f -iname "*.so" \
+    -exec chmod 755 {} \;
+
+  # removing empty core_perl directory:
+  # https://gitlab.com/apparmor/apparmor/issues/40
+  rm -rv "${pkgdir}"/usr/lib/perl5/*/core_perl
+  # move ruby bindings to vendor_ruby:
+  # https://gitlab.com/apparmor/apparmor/issues/35
+  mv -v "${pkgdir}/usr/lib/ruby/site_ruby/" \
+    "${pkgdir}/usr/lib/ruby/vendor_ruby/"
+  # adding files below /etc/apparmor.d to backup array
+  cd "${pkgdir}"
+  # tricking extract_function_variable() in makepkg into not detecting the
+  # backup array modification and adding remaining configuration files
+  [[ /usr/bin/true ]] && backup=( ${backup[@]} $(find "etc/${pkgname}.d/" -type f) )
+}
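Review bot: The backup-array extension on the last line of package() word-splits an unquoted `$(find …)` and `${backup[@]}`, so any path under etc/apparmor.d containing whitespace or glob characters would be split into several bogus entries or glob-expanded; since the backup array is presumably what keeps a user's local edits to /etc/apparmor.d policy from being overwritten on upgrade, a silently mangled entry would lose local policy changes. The `[[ /usr/bin/true ]]` guard is needed to hide the assignment from makepkg's static parsing, but the expansion itself should be NUL-safe: `local -a _profiles; mapfile -t -d '' _profiles < <(find "etc/${pkgname}.d/" -type f -print0)` followed by `[[ /usr/bin/true ]] && backup=("${backup[@]}" "${_profiles[@]}")`. Separately, `local _py3_ver=$(python --version | cut -d " " -f2)` in prepare() masks a failed `python` invocation behind `local`'s own exit status, so a broken interpreter would result in sed inserting an empty version into the PYTHONPATH rather than the build stopping; splitting it into `local _py3_ver; _py3_ver=$(python --version | cut -d " " -f2)` keeps the failure visible.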

Copied: apparmor/repos/extra-x86_64/apparmor-2.13.4-fix_systemd_userdb.patch (from rev 387759, apparmor/trunk/apparmor-2.13.4-fix_systemd_userdb.patch)
===================================================================
--- apparmor-2.13.4-fix_systemd_userdb.patch	                        (rev 0)
+++ apparmor-2.13.4-fix_systemd_userdb.patch	2020-05-28 11:22:17 UTC (rev 387760)
@@ -0,0 +1,32 @@
+From 16f9f6885aff84123c0b52197f435e40d656c0e4 Mon Sep 17 00:00:00 2001
+From: nl6720 <nl6720 at gmail.com>
+Date: Thu, 19 Mar 2020 12:05:44 +0200
+Subject: [PATCH] abstractions/nameservice: allow accessing
+ /run/systemd/userdb/
+
+On systems with systemd 245, nss-systemd additionally queries NSS records from systemd-userdbd.service. See https://systemd.io/USER_GROUP_API/ .
+
+Signed-off-by: nl6720 <nl6720 at gmail.com>
+---
+ profiles/apparmor.d/abstractions/nameservice | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/profiles/apparmor.d/abstractions/nameservice b/profiles/apparmor.d/abstractions/nameservice
+index 760e449e..2f3b1d15 100644
+--- a/profiles/apparmor.d/abstractions/nameservice
++++ b/profiles/apparmor.d/abstractions/nameservice
+@@ -29,6 +29,11 @@
+   /var/lib/extrausers/group  r,
+   /var/lib/extrausers/passwd r,
+ 
++  # NSS records from systemd-userdbd.service
++  @{run}/systemd/userdb/ r,
++  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
++  @{PROC}/sys/kernel/random/boot_id r,
++
+   # When using sssd, the passwd and group files are stored in an alternate path
+   # and the nss plugin also needs to talk to a pipe
+   /var/lib/sss/mc/group   r,
+-- 
+2.26.2
+
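Review bot: The new nameservice rules for `@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home}` grant only `r`, yet those paths are unix sockets that nss-systemd connects to; in AppArmor a connect() to a path-addressed unix socket is mediated as a write on the socket file, so `r` alone may still produce denials for NSS lookups and the line would then need to read `@{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} rw,` — worth confirming against audit denials on a systemd 245 host before relying on this abstraction. The rule also depends on `@{run}` being defined, which in this package comes from the separately applied run_variable patch, so the patch order in the PKGBUILD's prepare() is load-bearing and deserves a comment there.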

Copied: apparmor/repos/extra-x86_64/apparmor-2.13.4-make4.3.patch (from rev 387759, apparmor/trunk/apparmor-2.13.4-make4.3.patch)
===================================================================
--- apparmor-2.13.4-make4.3.patch	                        (rev 0)
+++ apparmor-2.13.4-make4.3.patch	2020-05-28 11:22:17 UTC (rev 387760)
@@ -0,0 +1,308 @@
+From fc2beaca9d642fb93736066f26e3588ad30ec7a4 Mon Sep 17 00:00:00 2001
+From: Eric Chiang <ericchiang at google.com>
+Date: Thu, 17 Jan 2019 11:02:57 -0800
+Subject: [PATCH 1/4] *: ensure make apparmor_parser is cached
+
+This change updates parser/Makefile to respect target dependencies and
+not rebuild apparmor_parser if nothing's changed. The goal is to allow
+cross-compiled tests #17 to run on a target system without the tests
+attempting to rebuild the parser.
+
+Two changes were made:
+
+* Generate af_names.h in a script so the script timestamp is compared.
+* Use FORCE instead of PHONY for libapparmor_re/libapparmor_re.a
+
+Changes to list_af_names are intended to exactly replicate the old
+behavior.
+
+Signed-off-by: Eric Chiang <ericchiang at google.com>
+(cherry picked from commit cb8c3377babfed4600446d1f60d53d8e2a581578)
+---
+ common/Make.rules                | 21 ---------------------
+ common/list_af_names.sh          | 19 +++++++++++++++++++
+ parser/Makefile                  | 13 +++++--------
+ utils/vim/create-apparmor.vim.py |  2 +-
+ 4 files changed, 25 insertions(+), 30 deletions(-)
+ create mode 100755 common/list_af_names.sh
+
+diff --git a/common/Make.rules b/common/Make.rules
+index d2149fcd..357bdec8 100644
+--- a/common/Make.rules
++++ b/common/Make.rules
+@@ -87,27 +87,6 @@ CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C
+ list_capabilities: /usr/include/linux/capability.h
+ 	@echo "$(CAPABILITIES)"
+ 
+-# =====================
+-# generate list of network protocols based on
+-# sys/socket.h for use in multiple locations in
+-# the source tree
+-# =====================
+-
+-# These are the families that it doesn't make sense for apparmor
+-# to mediate. We use PF_ here since that is what is required in
+-# bits/socket.h, but we will rewrite these as AF_.
+-
+-FILTER_FAMILIES=PF_UNIX
+-
+-__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
+-
+-# emits the AF names in a "AF_NAME NUMBER," pattern
+-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+-
+-.PHONY: list_af_names
+-list_af_names:
+-	@echo "$(AF_NAMES)"
+-
+ # =====================
+ # manpages
+ # =====================
+diff --git a/common/list_af_names.sh b/common/list_af_names.sh
+new file mode 100755
+index 00000000..d7987537
+--- /dev/null
++++ b/common/list_af_names.sh
+@@ -0,0 +1,19 @@
++#!/bin/bash -e
++
++# =====================
++# generate list of network protocols based on
++# sys/socket.h for use in multiple locations in
++# the source tree
++# =====================
++
++# It doesn't make sence for AppArmor to mediate PF_UNIX, filter it out. Search
++# for "PF_" constants since that is what is required in bits/socket.h, but
++# rewrite as "AF_".
++
++echo "#include <sys/socket.h>" | \
++  cpp -dM | \
++  LC_ALL=C sed -n \
++    -e '/PF_UNIX/d' \
++    -e 's/PF_LOCAL/PF_UNIX/' \
++    -e 's/^#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$/AF_\1 \2,/p' | \
++  sort -n -k2
+diff --git a/parser/Makefile b/parser/Makefile
+index 73e88f5c..c22d32da 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -281,10 +281,9 @@ parser_version.h: Makefile
+ # as well as the filtering that occurs for network protocols that
+ # apparmor should not mediate.
+ 
+-.PHONY: af_names.h
+-af_names.h:
+-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n\n/pg' > $@
+-	echo "$(AF_NAMES)" | LC_ALL=C sed -n -e 's/.*,[ \t]\+AF_MAX[ \t]\+\([0-9]\+\),\?.*/#define AA_AF_MAX \1\n/p' >> $@
++af_names.h: ../common/list_af_names.sh
++	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/[ \t]\?AF_MAX[ \t]\+[0-9]\+,//g'  -e 's/[ \t]\+\?AF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\),/#ifndef AF_\1\n#  define AF_\1 \2\n#endif\nAA_GEN_NET_ENT("\L\1", \UAF_\1)\n/pg' > $@
++	../common/list_af_names.sh | LC_ALL=C sed -n -e 's/AF_MAX[ \t]\+\([0-9]\+\),\?.*/\n#define AA_AF_MAX \1\n/p' >> $@
+ 	# cat $@
+ 
+ cap_names.h: /usr/include/linux/capability.h
+@@ -304,10 +303,7 @@ tests: apparmor_parser ${TESTS}
+ 	sh -e -c 'for test in ${TESTS} ; do echo "*** running $${test}" && ./$${test}; done'
+ 	$(Q)$(MAKE) -s -C tst tests
+ 
+-# always need to rebuild.
+-.SILENT: $(AAREOBJECT)
+-.PHONY: $(AAREOBJECT)
+-$(AAREOBJECT):
++$(AAREOBJECT): FORCE
+ 	$(MAKE) -C $(AAREDIR) CFLAGS="$(EXTRA_CXXFLAGS)"
+ 
+ .PHONY: install-rhel4
+@@ -408,3 +404,4 @@ clean: pod_clean
+ 	$(MAKE) -s -C po clean
+ 	$(MAKE) -s -C tst clean
+ 
++FORCE:
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index 10bd5b8d..fea134f6 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -57,7 +57,7 @@ for cap in capabilities:
+         benign_caps.append(cap)
+ 
+ # get network protos list
+-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
++(rc, output) = cmd(['../../common/list_af_names.sh'])
+ if rc != 0:
+     sys.stderr.write("make list_af_names failed: " + output)
+     exit(rc)
+-- 
+2.26.2
+
+
+From 69651fc6565cf033ab763a607d786eb14143b7c6 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen at canonical.com>
+Date: Fri, 14 Jun 2019 01:04:22 -0700
+Subject: [PATCH 2/4] Revert "utils/test-network.py: fix failing testcase"
+
+This reverts commit 378519d23f8b6e55b1c0741e8cd197863e0ff8a0.
+this commit was meant for the 2.13 branch not master
+
+Signed-off-by: John Johansen <john.johansen at canonical.com>
+(cherry picked from commit 9144e39d252cd75dd2d6941154e014f7d46147ca)
+---
+ utils/test/test-network.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/test/test-network.py b/utils/test/test-network.py
+index 8605786d..73a6b9d1 100644
+--- a/utils/test/test-network.py
++++ b/utils/test/test-network.py
+@@ -31,7 +31,7 @@ exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
+ 
+ class NetworkKeywordsTest(AATest):
+     def test_network_keyword_list(self):
+-        rc, output = cmd(['make', '-s', '--no-print-directory', 'list_af_names'])
++        rc, output = cmd('../../common/list_af_names.sh')
+         self.assertEqual(rc, 0)
+ 
+         af_names = []
+-- 
+2.26.2
+
+
+From 0d8e4cda3fb5194b82e288cadbcce98998064b7a Mon Sep 17 00:00:00 2001
+From: allgdante <allan.garret at gmail.com>
+Date: Mon, 23 Mar 2020 15:09:15 +0000
+Subject: [PATCH 3/4] Generate CAPABILITIES in a script due to make 4.3
+
+This way we could generate the capabilities in a way that works with
+every version of make.
+Changes to list_capabilities are intended to exactly replicate the old
+behavior.
+
+(cherry picked from commit e92da079ca12e776991bd36524430bd67c1cb72a)
+---
+ common/Make.rules                | 13 -------------
+ common/list_capabilities.sh      | 14 ++++++++++++++
+ parser/Makefile                  |  2 +-
+ utils/Makefile                   |  2 +-
+ utils/vim/create-apparmor.vim.py |  2 +-
+ 5 files changed, 17 insertions(+), 16 deletions(-)
+ create mode 100755 common/list_capabilities.sh
+
+diff --git a/common/Make.rules b/common/Make.rules
+index 357bdec8..ecc6181a 100644
+--- a/common/Make.rules
++++ b/common/Make.rules
+@@ -74,19 +74,6 @@ endif
+ pod_clean:
+ 	-rm -f ${MANPAGES} *.[0-9].gz ${HTMLMANPAGES} pod2htm*.tmp
+ 
+-# =====================
+-# generate list of capabilities based on
+-# /usr/include/linux/capabilities.h for use in multiple locations in
+-# the source tree
+-# =====================
+-
+-# emits defined capabilities in a simple list, e.g. "CAP_NAME CAP_NAME2"
+-CAPABILITIES=$(shell echo "\#include <linux/capability.h>" | cpp -dM | LC_ALL=C sed -n -e '/CAP_EMPTY_SET/d' -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LC_ALL=C sort)
+-
+-.PHONY: list_capabilities
+-list_capabilities: /usr/include/linux/capability.h
+-	@echo "$(CAPABILITIES)"
+-
+ # =====================
+ # manpages
+ # =====================
+diff --git a/common/list_capabilities.sh b/common/list_capabilities.sh
+new file mode 100755
+index 00000000..4e37cda7
+--- /dev/null
++++ b/common/list_capabilities.sh
+@@ -0,0 +1,14 @@
++#!/bin/bash -e
++
++# =====================
++# generate list of capabilities based on
++# /usr/include/linux/capabilities.h for use in multiple locations in
++# the source tree
++# =====================
++
++echo "#include <linux/capability.h>" | \
++  cpp -dM | \
++  LC_ALL=C sed -n \
++    -e '/CAP_EMPTY_SET/d' \
++    -e 's/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$/CAP_\1/p' | \
++  LC_ALL=C sort
+diff --git a/parser/Makefile b/parser/Makefile
+index c22d32da..3e50125a 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -287,7 +287,7 @@ af_names.h: ../common/list_af_names.sh
+ 	# cat $@
+ 
+ cap_names.h: /usr/include/linux/capability.h
+-	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
++	../common/list_capabilities.sh | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
+ 
+ tst_lib: lib.c parser.h $(filter-out lib.o, ${TEST_OBJECTS})
+ 	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS) $(TEST_LDLIBS)
+diff --git a/utils/Makefile b/utils/Makefile
+index 68f8c376..ea9e0601 100644
+--- a/utils/Makefile
++++ b/utils/Makefile
+@@ -80,7 +80,7 @@ clean: pod_clean
+ .SILENT: check_severity_db
+ check_severity_db: /usr/include/linux/capability.h severity.db
+ 	# The sed statement is based on the one in the parser's makefile
+-	RC=0 ; for cap in ${CAPABILITIES} ; do \
++	RC=0 ; for cap in $(shell ../common/list_capabilities.sh) ; do \
+ 	    if !  grep -q -w $${cap} severity.db ; then \
+ 		echo "Warning! capability $${cap} not found in severity.db" ; \
+ 		RC=1 ; \
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index fea134f6..6a5f02a2 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -45,7 +45,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
+     return [sp.returncode, out + outerr]
+ 
+ # get capabilities list
+-(rc, output) = cmd(['make', '-s', '--no-print-directory', 'list_capabilities'])
++(rc, output) = cmd(['../../common/list_capabilities.sh'])
+ if rc != 0:
+     sys.stderr.write("make list_capabilities failed: " + output)
+     exit(rc)
+-- 
+2.26.2
+
+
+From af0c288fcd4b9ddbf3a062d6d0e1c9618e8f3c75 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor at cboltz.de>
+Date: Sun, 29 Mar 2020 00:07:11 +0100
+Subject: [PATCH 4/4] fix capabilities in apparmor.vim
+
+https://gitlab.com/apparmor/apparmor/-/merge_requests/461 /
+e92da079ca12e776991bd36524430bd67c1cb72a changed creating the
+capabilities to use a script.
+
+A side effect is that the list is now separated by \n instead of
+spaces. Adjust create-apparmor.vim.py to the new output.
+
+(cherry picked from commit 60b005788e79c1be7276349242e0cc97b99f7118)
+---
+ utils/vim/create-apparmor.vim.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index 6a5f02a2..b5df957a 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -50,7 +50,7 @@ if rc != 0:
+     sys.stderr.write("make list_capabilities failed: " + output)
+     exit(rc)
+ 
+-capabilities = re.sub('CAP_', '', output.strip()).lower().split(" ")
++capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
+ benign_caps = []
+ for cap in capabilities:
+     if cap not in danger_caps:
+-- 
+2.26.2
+

Copied: apparmor/repos/extra-x86_64/apparmor-2.13.4-run_variable.patch (from rev 387759, apparmor/trunk/apparmor-2.13.4-run_variable.patch)
===================================================================
--- apparmor-2.13.4-run_variable.patch	                        (rev 0)
+++ apparmor-2.13.4-run_variable.patch	2020-05-28 11:22:17 UTC (rev 387760)
@@ -0,0 +1,45 @@
+From 454fca7483eae7b7ee613343c2c02abaa20e37e3 Mon Sep 17 00:00:00 2001
+From: nl6720 <nl6720 at gmail.com>
+Date: Thu, 13 Feb 2020 09:58:33 +0200
+Subject: [PATCH] Add "run" variable
+
+Signed-off-by: nl6720 <nl6720 at gmail.com>
+(cherry picked from commit 452b5b8735e449cba29a1fb25c9bff38ba8763ec)
+---
+ parser/apparmor.d.pod               | 1 +
+ profiles/apparmor.d/tunables/global | 1 +
+ profiles/apparmor.d/tunables/run    | 1 +
+ 3 files changed, 3 insertions(+)
+ create mode 100644 profiles/apparmor.d/tunables/run
+
+diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
+index 662830bd..59ac72c9 100644
+--- a/parser/apparmor.d.pod
++++ b/parser/apparmor.d.pod
+@@ -1279,6 +1279,7 @@ provided AppArmor policy:
+   @{apparmorfs}
+   @{sys}
+   @{tid}
++  @{run}
+   @{XDG_DESKTOP_DIR}
+   @{XDG_DOWNLOAD_DIR}
+   @{XDG_TEMPLATES_DIR}
+diff --git a/profiles/apparmor.d/tunables/global b/profiles/apparmor.d/tunables/global
+index 28d6fc6d..3b6f99cc 100644
+--- a/profiles/apparmor.d/tunables/global
++++ b/profiles/apparmor.d/tunables/global
+@@ -19,3 +19,4 @@
+ #include <tunables/kernelvars>
+ #include <tunables/xdg-user-dirs>
+ #include <tunables/share>
++#include <tunables/run>
+diff --git a/profiles/apparmor.d/tunables/run b/profiles/apparmor.d/tunables/run
+new file mode 100644
+index 00000000..e535d2fe
+--- /dev/null
++++ b/profiles/apparmor.d/tunables/run
+@@ -0,0 +1 @@
++@{run}=/run /var/run
+-- 
+2.26.2
+

Copied: apparmor/repos/extra-x86_64/apparmor-2.13.4-vim_file.patch (from rev 387759, apparmor/trunk/apparmor-2.13.4-vim_file.patch)
===================================================================
--- apparmor-2.13.4-vim_file.patch	                        (rev 0)
+++ apparmor-2.13.4-vim_file.patch	2020-05-28 11:22:17 UTC (rev 387760)
@@ -0,0 +1,83 @@
+From 9e7c4f88f9165725c384d4b3432014c6d37452f4 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor at cboltz.de>
+Date: Sun, 5 Apr 2020 14:26:15 +0200
+Subject: [PATCH 1/2] create-apparmor.vim.py: split stdout and stderr
+
+This will prevent that stderr output ends up in apparmor.vim
+
+References:
+- https://gitlab.com/apparmor/apparmor/issues/75
+- https://bugs.archlinux.org/task/65450
+- https://bugs.launchpad.net/apparmor/+bug/1187437
+---
+ utils/vim/create-apparmor.vim.py | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
+index b5df957a..8a17bb43 100644
+--- a/utils/vim/create-apparmor.vim.py
++++ b/utils/vim/create-apparmor.vim.py
+@@ -42,12 +42,12 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s
+     # Handle redirection of stderr
+     if outerr is None:
+         outerr = ''
+-    return [sp.returncode, out + outerr]
++    return [sp.returncode, out, outerr]
+ 
+ # get capabilities list
+-(rc, output) = cmd(['../../common/list_capabilities.sh'])
++(rc, output, outerr) = cmd(['../../common/list_capabilities.sh'])
+ if rc != 0:
+-    sys.stderr.write("make list_capabilities failed: " + output)
++    sys.stderr.write("make list_capabilities failed: " + output + outerr)
+     exit(rc)
+ 
+ capabilities = re.sub('CAP_', '', output.strip()).lower().split('\n')
+@@ -57,9 +57,9 @@ for cap in capabilities:
+         benign_caps.append(cap)
+ 
+ # get network protos list
+-(rc, output) = cmd(['../../common/list_af_names.sh'])
++(rc, output, outerr) = cmd(['../../common/list_af_names.sh'])
+ if rc != 0:
+-    sys.stderr.write("make list_af_names failed: " + output)
++    sys.stderr.write("make list_af_names failed: " + output + outerr)
+     exit(rc)
+ 
+ af_names = []
+-- 
+2.26.2
+
+
+From 0f891ba30e32545d0f514ef8e3b1768f0b776fc2 Mon Sep 17 00:00:00 2001
+From: Christian Boltz <apparmor at cboltz.de>
+Date: Sun, 5 Apr 2020 14:31:33 +0200
+Subject: [PATCH 2/2] Delete (possibly broken) apparmor.vim on failure
+
+If create-apparmor.vim.py fails, an empty apparmor.vim gets created. The
+next "make" run will assume that apparmor.vim was already created (the
+file exists and has a new-enough timestamp) and will therefore skip the
+create-apparmor.vim.py run, keeping the broken apparmor.vim forever.
+
+Adjust the Makefile to delete apparmor.vim if the script fails. This
+ensures that make tries again in the next run.
+---
+ utils/vim/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/vim/Makefile b/utils/vim/Makefile
+index 9ffc301e..7d107dd0 100644
+--- a/utils/vim/Makefile
++++ b/utils/vim/Makefile
+@@ -9,7 +9,7 @@ VIM_INSTALL_PATH=${DESTDIR}/usr/share/apparmor
+ all: apparmor.vim manpages htmlmanpages
+ 
+ apparmor.vim: apparmor.vim.in Makefile create-apparmor.vim.py
+-	${PYTHON} create-apparmor.vim.py > apparmor.vim
++	${PYTHON} create-apparmor.vim.py > apparmor.vim || { rm -f apparmor.vim ; exit 1; }
+ 
+ manpages: $(MANPAGES)
+ 
+-- 
+2.26.2
+


