From d1d22e6713c601a72ff7329133cd86f30ac3d6ce Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 16 Oct 2020 10:14:32 -0500 Subject: meta-security: subtree update:d6baccc068..4c2f7ffd49 Adrian (1): gitignore added Armin Kuster (31): kas: build with ptest. remove apparmor softHSM: add pkg packagegroup-core-security: add softHSM libest: add recipe packagegroup-core-security: add libest package opendnssec: add recipe packagegroup-core-security: add opendnssec to pkg grp gitlab-ci: allow test to fail libseccomp: fix ptest failures. packagegroup-core-security-ptest: remove keyutils-ptest security-test-image: simplify packagegroup-core-security-ptest: remove apparmor: fix build issue with ptest enabled. security-test-image: tweak to get more tests to runn apparmor: update to 3.0 packagegroup-core-security: apparmor 3.0 ptest does not build suricata: fix compiling on gcc10 qemux86-test: add apparmor back apparmor: fix build for on musl ecryptfs-utils: fix musl build libest: fix musl build. sssd: update to latest ltm 1.16.5 packagegroup-core-security: remove clamav from musl image suricata: update to 4.1.9 kas: fixup alt configs gitlab-ci: add qemux86 and qemuarm64 musl builds tpm2-tss: update to 2.4.3 tpm2-totp: update to 0.2.1 tpm2-abrmd: update to 2.3.3 tpm2-tools: update to 4.3.0 tpm2-pkcs11: update to 1.4.0 Mingli Yu (1): scap-security-guide: add expat-native to DEPENDS Naveen Saini (3): initramfs-framework/dmverity: add retry loop for slow boot devices wic: add wks.in for intel dm-verity linux-%/5.x: Add dm-verity fragment as needed Signed-off-by: Andrew Geissler Change-Id: If3a721fdd99bb6e35c82cf4e7485f06cebaef905 --- .../recipes-mac/AppArmor/apparmor_2.13.4.bb | 201 --------------------- meta-security/recipes-mac/AppArmor/apparmor_3.0.bb | 193 ++++++++++++++++++++ ...iles-Update-make-check-to-select-tools-ba.patch | 91 ++++++++++ .../0001-aa_status-Fix-build-issue-with-musl.patch | 31 ++++ .../files/0001-apparmor-fix-manpage-order.patch | 43 +++++ ...pparmor-add-missing-include-for-socklen_t.patch | 36 ++++ ...file-dont-force-host-cpp-to-detect-reallo.patch | 37 ++++ ...-add-aa_features_new_from_file-to-public-.patch | 37 ++++ ...armor-add-_aa_asprintf-to-private-symbols.patch | 34 ++++ meta-security/recipes-mac/AppArmor/files/functions | 2 +- 10 files changed, 503 insertions(+), 202 deletions(-) delete mode 100644 meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb create mode 100644 meta-security/recipes-mac/AppArmor/apparmor_3.0.bb create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch create mode 100644 meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch (limited to 'meta-security/recipes-mac/AppArmor') diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb deleted file mode 100644 index dcdc1f7e6..000000000 --- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb +++ /dev/null @@ -1,201 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native" - -SRC_URI = " \ - git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://0001-Makefile.am-suppress-perllocal.pod.patch \ - file://run-ptest \ - " - -SRCREV = "df0ac742f7a1146181d8734d03334494f2015134" -S = "${WORKDIR}/git" - -PARALLEL_MAKE = "" - -COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" - -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check -REQUIRED_DISTRO_FEATURES = "apparmor" - -PACKAGECONFIG ??= "python perl aa-decode" -PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" -PACKAGECONFIG[apache2] = ",,apache2," -PACKAGECONFIG[aa-decode] = ",,,bash" - -PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" -HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') -} - -DISABLE_STATIC = "" - -do_configure() { - cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile () { - # Fixes: - # | sed -ie 's///g' Makefile.perl - # | sed: -e expression #1, char 0: no previous regular expression - #| Makefile:478: recipe for target 'Makefile.perl' failed - sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile - - - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - # If perl is disabled this script won't be any good - if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then - rm -f ${D}${sbindir}/aa-notify - fi - - if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then - rm -f ${D}${sbindir}/aa-decode - fi - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - # aa-easyprof is installed by python-tools-setup.py, fix it up - sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof - chmod 0755 ${D}${bindir}/aa-easyprof - - install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install ${WORKDIR}/functions ${D}/lib/apparmor - sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions - sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} - fi -} - -#Building ptest on arm fails. -do_compile_ptest_aarch64 () { - : -} - -do_compile_ptest_arm () { - : -} - -do_compile_ptest () { - oe_runmake -C ${B}/tests/regression/apparmor - oe_runmake -C ${B}/parser/tst - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - install -d ${t}/parser/tst - cp -rf ${B}/parser/tst ${t}/parser - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -#Building ptest on arm fails. -do_install_ptest_aarch64 () { - : -} - -do_install_ptest_arm() { - : -} - -pkg_postinst_ontarget_${PN} () { -if [ ! -d /etc/apparmor.d/cache ] ; then - mkdir /etc/apparmor.d/cache -fi -} - -# We need the init script so don't rm it -RMINITDIR_class-target_remove = " rm_sysvinit_initddir" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE ?= "enable" - -PACKAGES += "mod-${PN}" - -FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" - -# Add coreutils and findutils only if sysvinit scripts are in use -RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" - -PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb new file mode 100644 index 000000000..35e95a0a2 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb @@ -0,0 +1,193 @@ +SUMMARY = "AppArmor another MAC control system" +DESCRIPTION = "user-space parser utility for AppArmor \ + This provides the system initialization scripts needed to use the \ + AppArmor Mandatory Access Control system, including the AppArmor Parser \ + which is required to convert AppArmor text profiles into machine-readable \ + policies that are loaded into the kernel for use with the AppArmor Linux \ + Security Module." +HOMEAPAGE = "http://apparmor.net/" +SECTION = "admin" + +LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" + +DEPENDS = "bison-native apr gettext-native coreutils-native swig-native" + +SRC_URI = " \ + git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \ + file://disable_perl_h_check.patch \ + file://crosscompile_perl_bindings.patch \ + file://apparmor.rc \ + file://functions \ + file://apparmor \ + file://apparmor.service \ + file://0001-Makefile.am-suppress-perllocal.pod.patch \ + file://run-ptest \ + file://0001-apparmor-fix-manpage-order.patch \ + file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \ + file://0001-libapparmor-add-missing-include-for-socklen_t.patch \ + file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \ + file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \ + file://0001-aa_status-Fix-build-issue-with-musl.patch \ + file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \ + " + +SRCREV = "5d51483bfecf556183558644dc8958135397a7e2" +S = "${WORKDIR}/git" + +PARALLEL_MAKE = "" + +COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*" + +inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion + +REQUIRED_DISTRO_FEATURES = "apparmor" + +PACKAGECONFIG ?= "python perl aa-decode" +PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages" +PACKAGECONFIG[python] = "--with-python, --without-python, python3 , python3-core python3-modules" +PACKAGECONFIG[perl] = "--with-perl, --without-perl, " +PACKAGECONFIG[apache2] = ",,apache2," +PACKAGECONFIG[aa-decode] = ",,,bash" + +python() { + if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ + 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): + raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') +} + +DISABLE_STATIC = "" + +do_configure() { + cd ${S}/libraries/libapparmor + aclocal + autoconf --force + libtoolize --automake -c --force + automake -ac + ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} +} + +do_compile () { + sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile + oe_runmake -C ${B}/libraries/libapparmor + oe_runmake -C ${B}/binutils + oe_runmake -C ${B}/utils + oe_runmake -C ${B}/parser + oe_runmake -C ${B}/profiles + + if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then + oe_runmake -C ${B}/changehat/mod_apparmor + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + oe_runmake -C ${B}/changehat/pam_apparmor + fi +} + +do_install () { + install -d ${D}/${INIT_D_DIR} + install -d ${D}/lib/apparmor + oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install + oe_runmake -C ${B}/binutils DESTDIR="${D}" install + oe_runmake -C ${B}/utils DESTDIR="${D}" install + oe_runmake -C ${B}/parser DESTDIR="${D}" install + oe_runmake -C ${B}/profiles DESTDIR="${D}" install + + if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then + rm -f ${D}${sbindir}/aa-decode + fi + + if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then + oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + install -d ${D}/lib/security + oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install + fi + + install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor + install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor + + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir} + fi +} + +#Building ptest on arm fails. +do_compile_ptest_aarch64 () { + : +} + +do_compile_ptest_arm () { + : +} + +do_compile_ptest () { + sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile + oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0 + oe_runmake -C ${B}/libraries/libapparmor +} + +do_install_ptest () { + t=${D}/${PTEST_PATH}/testsuite + install -d ${t} + install -d ${t}/tests/regression/apparmor + cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression + + cp ${B}/parser/apparmor_parser ${t}/parser + cp ${B}/parser/frob_slack_rc ${t}/parser + + install -d ${t}/libraries/libapparmor + cp -rf ${B}/libraries/libapparmor ${t}/libraries + + install -d ${t}/common + cp -rf ${B}/common ${t} + + install -d ${t}/binutils + cp -rf ${B}/binutils ${t} +} + +#Building ptest on arm fails. +do_install_ptest_aarch64 () { + : +} + +do_install_ptest_arm() { + : +} + +pkg_postinst_ontarget_${PN} () { +if [ ! -d /etc/apparmor.d/cache ] ; then + mkdir /etc/apparmor.d/cache +fi +} + +# We need the init script so don't rm it +RMINITDIR_class-target_remove = " rm_sysvinit_initddir" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME = "apparmor" +INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE_${PN} = "apparmor.service" +SYSTEMD_AUTO_ENABLE ?= "enable" + +PACKAGES += "mod-${PN}" + +FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" +FILES_mod-${PN} = "${libdir}/apache2/modules/*" + +DEPENDS_append_libc-musl = " fts " +RDEPENDS_${PN}_libc-musl += "musl-utils" +RDEPENDS_${PN}_libc-glibc += "glibc-utils" + +# Add coreutils and findutils only if sysvinit scripts are in use +RDEPENDS_${PN} += "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}" +RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" +RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash" + +INSANE_SKIP_${PN} = "ldflags" +PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*" diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch new file mode 100644 index 000000000..791437d1d --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch @@ -0,0 +1,91 @@ +From 5ed21abbef4d4c2983e70bd2868fb817150e883e Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Sat, 3 Oct 2020 11:26:46 -0700 +Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based + on USE_SYSTEM" + +This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e. + +Upstream-Statue: OE specific +These changes cause during packaging with perms changing. + +Signed-off-by: Armin Kuster + +--- + profiles/Makefile | 50 ++++++++++------------------------------------- + 1 file changed, 10 insertions(+), 40 deletions(-) + +diff --git a/profiles/Makefile b/profiles/Makefile +index ba47fc16..5384cb05 100644 +--- a/profiles/Makefile ++++ b/profiles/Makefile +@@ -35,49 +35,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/ + SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print) + TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*)) + +-ifdef USE_SYSTEM +- PYTHONPATH= +- PARSER?=apparmor_parser +- LOGPROF?=aa-logprof +-else +- # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am +- PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))") +- LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/ +- LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH) +- PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH) +- PARSER?=../parser/apparmor_parser +- # use ../utils logprof +- LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof +-endif +- + # $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value + PWD=$(shell pwd) + +-.PHONY: test-dependencies +-test-dependencies: __parser __libapparmor +- +- +-.PHONY: __parser __libapparmor +-__parser: +-ifndef USE_SYSTEM +- @if [ ! -f $(PARSER) ]; then \ +- echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \ +- echo " 1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \ +- echo " 2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \ +- exit 1; \ +- fi +-endif +- +-__libapparmor: +-ifndef USE_SYSTEM +- @if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \ +- echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \ +- echo " 1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \ +- echo " 2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \ +- exit 1; \ +- fi +-endif +- + local: + for profile in ${TOPLEVEL_PROFILES}; do \ + fn=$$(basename $$profile); \ +@@ -109,6 +69,16 @@ else + Q= + endif + ++ifndef PARSER ++# use system parser ++PARSER=../parser/apparmor_parser ++endif ++ ++ifndef LOGPROF ++# use ../utils logprof ++LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof ++endif ++ + .PHONY: docs + # docs: should we have some here? + docs: +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch new file mode 100644 index 000000000..239562a45 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch @@ -0,0 +1,31 @@ +From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Wed, 7 Oct 2020 08:27:11 -0700 +Subject: [PATCH] aa_status: Fix build issue with musl + +add limits.h + +aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'? +| 269 | real_exe = calloc(PATH_MAX + 1, sizeof(char)); + +Upstream-Status: Pending +Signed-off-by: Armin Kuster +--- + binutils/aa_status.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/binutils/aa_status.c b/binutils/aa_status.c +index 78b03409..41f1954e 100644 +--- a/binutils/aa_status.c ++++ b/binutils/aa_status.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch new file mode 100644 index 000000000..9f3dce426 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch @@ -0,0 +1,43 @@ +From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Fri, 2 Oct 2020 19:43:44 -0700 +Subject: [PATCH] apparmor: fix manpage order + +It trys to create a symlink before the man pages are installed. + + ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8 + | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory + +Upstream-Status: Pending +Signed-off-by: Armin Kuster + +... + +install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8; + +Signed-off-by: Armin Kuster +--- + binutils/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/binutils/Makefile b/binutils/Makefile +index 99e54875..3f1d0011 100644 +--- a/binutils/Makefile ++++ b/binutils/Makefile +@@ -156,12 +156,12 @@ install-arch: arch + install -m 755 -d ${SBINDIR} + ln -sf aa-status ${SBINDIR}/apparmor_status + install -m 755 ${SBINTOOLS} ${SBINDIR} +- ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 + + .PHONY: install-indep + install-indep: indep + $(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR} + $(MAKE) install_manpages DESTDIR=${DESTDIR} ++ ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8 + + ifndef VERBOSE + .SILENT: clean +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch new file mode 100644 index 000000000..2a56d8b85 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch @@ -0,0 +1,36 @@ +From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001 +From: Patrick Steinhardt +Date: Sat, 3 Oct 2020 20:37:55 +0200 +Subject: [PATCH] libapparmor: add missing include for `socklen_t` + +While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't +include the `` header to make its declaration available. +While this works on systems using glibc via transitive includes, it +breaks compilation on musl libc. + +Fix the issue by including the header. + +Signed-off-by: Patrick Steinhardt + +Upstream-Status: Backport +Signed-off-by: Armin Kuster + +--- + libraries/libapparmor/include/sys/apparmor.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h +index 32892d06..d70eff94 100644 +--- a/libraries/libapparmor/include/sys/apparmor.h ++++ b/libraries/libapparmor/include/sys/apparmor.h +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + + #ifdef __cplusplus +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch new file mode 100644 index 000000000..9f7ad3c55 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch @@ -0,0 +1,37 @@ +From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001 +From: Armin Kuster +Date: Wed, 7 Oct 2020 20:50:38 -0700 +Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray + +In cross build environments, using the hosts cpp gives incorrect +detection of reallocarray. Change cpp to a variable. + +fixes: +parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)': +| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope +| 297 | tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1); + +Signed-off-by: Armin Kuster + +Upstream-Status: Pending + +--- + parser/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser/Makefile b/parser/Makefile +index acef3d77..8250ac45 100644 +--- a/parser/Makefile ++++ b/parser/Makefile +@@ -54,7 +54,7 @@ endif + CPPFLAGS += -D_GNU_SOURCE + + STDLIB_INCLUDE:="\#include " +-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true) ++HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true) + + WARNINGS = -Wall + CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS} +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch new file mode 100644 index 000000000..333f40fbd --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch @@ -0,0 +1,37 @@ +From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001 +From: Patrick Steinhardt +Date: Sat, 3 Oct 2020 20:58:45 +0200 +Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public + symbols + +With AppArmor release 3.0, a new function `aa_features_new_from_file` +was added, but not added to the list of public symbols. As a result, +it's not possible to make use of this function when linking against +libapparmor.so. + +Fix the issue by adding it to the symbol map. + +Signed-off-by: Patrick Steinhardt + +Upstream-Status: Backport +Signed-off-by: Armin Kuster + +--- + libraries/libapparmor/src/libapparmor.map | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map +index bbff51f5..1579509a 100644 +--- a/libraries/libapparmor/src/libapparmor.map ++++ b/libraries/libapparmor/src/libapparmor.map +@@ -117,6 +117,7 @@ APPARMOR_2.13.1 { + + APPARMOR_3.0 { + global: ++ aa_features_new_from_file; + aa_features_write_to_fd; + aa_features_value; + local: +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch new file mode 100644 index 000000000..543c7a185 --- /dev/null +++ b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch @@ -0,0 +1,34 @@ +From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001 +From: Patrick Steinhardt +Date: Sat, 3 Oct 2020 21:04:57 +0200 +Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols + +While `_aa_asprintf` is supposed to be of private visibility, it's used +by apparmor_parser and thus required to be visible when linking. This +commit thus adds it to the list of private symbols to make it available +for linking in apparmor_parser. + +Signed-off-by: Patrick Steinhardt + +Upstream-Status: Backport +Signed-off-by: Armin Kuster + +--- + libraries/libapparmor/src/libapparmor.map | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map +index 1579509a..41e541ac 100644 +--- a/libraries/libapparmor/src/libapparmor.map ++++ b/libraries/libapparmor/src/libapparmor.map +@@ -127,6 +127,7 @@ APPARMOR_3.0 { + PRIVATE { + global: + _aa_is_blacklisted; ++ _aa_asprintf; + _aa_autofree; + _aa_autoclose; + _aa_autofclose; +-- +2.17.1 + diff --git a/meta-security/recipes-mac/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions index cef8cfe7d..e9e2bbfbf 100644 --- a/meta-security/recipes-mac/AppArmor/files/functions +++ b/meta-security/recipes-mac/AppArmor/files/functions @@ -144,7 +144,7 @@ clear_cache_var() { read_features_dir() { - for f in `ls -AU "$1"` ; do + for f in `ls -A "$1"` ; do if [ -f "$1/$f" ] ; then read -r KF < "$1/$f" || true echo -n "$f {$KF } " -- cgit v1.2.3